From: Leo Prikler
To: Giovanni Biscuolo, Leo Famulari
Cc: guix-devel@gnu.org
Subject: Re: Telemetry on by default kitty
Date: Tue, 15 Jun 2021 23:39:59 +0200
Message-ID: <9eb0df887ada7e2135206a4f6f6df40e37bc1ac4.camel@student.tugraz.at>
In-Reply-To: <87a6nrnirc.fsf@xelera.eu>

On Tuesday, 15.06.2021, at 19:24 +0200, Giovanni Biscuolo wrote:
> Hi Leo and Guix,
Wrong Leo here, I hope you don't mind me responding.

> sorry for this long message but I would like to add my point of view
> to the discussion about telemetry.
>
> I appreciated the laconic statement by Tobias Geerinckx-Rice on Sat,
> 12 Jun 2021 22:35:40 +0200 [1]:
>
> --8<---------------cut here---------------start------------->8---
>
> This is not a point of discussion. Telemetry or ‘phoning home’
> for updates must be opt-in if possible or disabled entirely
> otherwise. Would you care to submit a patch?
>
> --8<---------------cut here---------------end--------------->8---
>
> AFAIU there is a general consensus above all GNU Guix maintainers
> (and all FSDG compliant distros) on the above statement: am I wrong?
This depends on how you interpret "The distro must contain no DRM, no
back doors, and no spyware.". The consensus (at least among Guix and
also when we consider EU law) is that you need to opt in to any
collection of data.

> I'm using Guix (and other distributions) primarily for this very
> reason, for me this is the most important *feature* of a free
> software distribution: no spyware ALSO means no opt-out telemetry.
>
> To be clear: if Guix "only" had the fantastic features it has but was
> not FSDG compliant, I'd use something else (and be very very sad).
>
> Leo Famulari writes:
>
> > On Sun, Jun 13, 2021 at 08:35:18PM +0200, Leo Prikler wrote:
> > > Perhaps it's valuable for developers, but as a user I often have
> > > next to no information about what data gets collected and for
> > > which purpose, both of which are important for *informed consent*.
>
> [...]
>
> > Yeah, I agree that telemetry is a problem in addition to being
> > valuable for developers.
>
> No, telemetry is not just "a problem", it's A HUGE legal issue.
>
> I don't want to have a too long privacy related discussion here, but
> please consider in EU (I live in Italy) we have the GDPR [2] and we
> had a LOT of issues with the "Privacy Shield", now invalidated by the
> Schrems II [3] EU Court of Justice judgement, meaning that data
> transfers abroad are... VERY problematic :-D
Legally speaking, you might be able to claim legitimate interest
according to §6.1.f for your telemetry (I really hate that one). It'd
be interesting to see what happens in court if you do, but it's out
there. As an EU citizen myself, I really wish the GDPR was stricter in
statements.

> Just to give you one recent example, in Italy we have a public
> service app called "IO App" (processing a lot of very sensitive data)
> that was recently surveyed by the Italian Privacy Authority and it
> was a *disaster* [4]:
>
> --8<---------------cut here---------------start------------->8---
>
> the Authority, on general criticisms on the functioning of the IO
> App, has ordered, with a urgent measure, to PagoPA to temporally
> block the personal data processing by this App which require the
> interaction with Google’s services and Mixpanel, and which involve a
> transference to third countries (for example: USA, India, Australia)
> of personal sensitive data (like: cash back transactions, payments
> instruments, holydays bonus), carried out without the consent of the
> users.
>
> --8<---------------cut here---------------end--------------->8---
>
> So, the Italian government is (still) transferring a lot of personal
> data to NOT (equivalent) GDPR compliant nations.
>
> Please consider that much, if not all, of the personal data
> transferred (and it's a LOT of data) was allegedly for "telemetry"
> and "issue tracking" purposes.
Which is exactly why I said what I said about informed consent.

> We are talking about this. This is not for sure a kitty issue, but
> it is a telemetry issue.
>
> > I think that making it opt-in doesn't really help very much. People
> > use defaults. I read that Firefox struggles with software quality
> > on GNU/Linux because almost nobody enables the telemetry.
>
> This is freedom n. 0 :-D
You could equivalently say that freedom 0 is guaranteed through an
opt-out mechanism. Opt-in vs. opt-out is a different ethical
conundrum, I fear.

> > I feel that, ultimately, we already trust most software authors
> > implicitly and totally, because we are not auditing their
> > programs. So, I am personally happy to enable the telemetry for
> > most software I use — especially if it is free software and
> > especially for software that deals with the network. I don't
> > personally see the point of treating telemetry as a special case in
> > terms of trust or consent.
>
> I'm sorry you don't see the point, but
Might be just me, but this phrasing appears a little aggressive given
the overall tone of the message being… a little less so.

> Please remember that in some countries providing personal data to
> data processors needs informed consent on what, why, by whom and
> where the data is processed (please consider this as an
> executive-summary, it's a complex matter).
>
> Please also consider I'm not willing to provide data to the
> developers of software I use simply because I don't want to exchange
> data for the permission to use the software... and I'm not the only
> one: this is the most important reason telemetry must be disabled by
> default (opt-in) if possible or completely disabled otherwise.
>
> Privacy is valuable, developers must respect their users.
Agree completely.
> [1] Message-Id:87eed695yb.fsf@nckx
>
> [2] https://en.wikipedia.org/wiki/GDPR
>
> [3] https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II
>
> [4]
> https://www.privacy365.eu/en/by-the-italian-data-protection-authority-green-certification-the-green-light-of-the-authority-but-with-specific-guarantees-it-has-been-disposed-the-block-of-io-app/
>
> https://www.privacy365.eu/en/by-the-italian-data-protection-authority-app-io-the-authority-implements-the-technical-relation/
> (unfortunately the relation is in Italian only, it's very very
> interesting!)
The green certification is another ethical conundrum, not only on the
basis of it being a data protection nightmare. But alas, politicians
will take any reason they can get to weaken restrictions so that "the
economy may prosper".