mgraesslin at kde.org
Sun Aug 13 10:56:27 UTC 2017
On 2017-08-13 11:47, Volker Krause wrote:
> during the KUserFeedback BoF at Akademy there was quite some interest
> collecting telemetry data in KDE applications. But before actually
> implementing that we agreed to define the rules under which we would
> want to
> do that. I've tried to put the input we collected during Akademy into
> wording below. What do you think? Did I miss anything?
To me it looks good!
I have some additional requests:
* the collected data must be made available to the public (mostly
thinking of research institutes here)
* data must be made available under a CC license (CC0?)
* maybe allow the user to delete the dataset again (difficult as that
conflicts with making the data public and would require authentication,
which is the opposite of anonymity).
> # Telemetry Policy Draft
> Application telemetry data can be a valuable tool for tailoring our
> to the needs of our users. The following rules define how KDE collects
> uses such application telemetry data. As privacy is of utmost
> importance to
> us, the general rule of thumb is to err on the side of caution here.
> always trumps any need for telemetry data, no matter how legitimate.
> These rules apply to all products released by KDE.
> ## Transparency
> We provide detailed information about the data that is going to be
> shared, in
> a way that:
> - is easy to understand
> - is precise and complete
> - is available locally without network connectivity
> Any changes or additions to the telemetry functionality of an
> application will
> be highlighted in the corresponding release announcement.
> ## Control
> We give the user full control over what data they want to share with
> KDE. In
> - application telemetry is always opt-in, that is off by default
> - application telemetry settings can be changed at any time, and are
> as prominent in the application interface as other application settings
> - applications honor system-wide telemetry settings where they exist
> "kill switch")
> - we provide detailed documentation about how to control the
> telemetry system
> In order to ensure control over the data after it has been shared with
> applications will only transmit this data to KDE servers, that is
> under the full control of the KDE sysadmin team.
> We will provide a designated contact point for users who have concerns
> the data they have shared with KDE. While we are willing to delete data
> a user
> no longer wants to have shared, it should be understood that the below
> are designed to make identification of data of a specific user
> impossible, and
> thus a deletion request impractical.
> ## Anonymity
> We do not transmit data that could be used to identify a specific user.
> - we will not use any unique device, installation or user id
> - data is stripped of any unnecessary detail and downsampled
> before sharing to avoid fingerprinting
> - network addresses (which are exposed inevitably as part of the data
> transmission) are not stored together with the telemetry data, and must
> be stored or used to the extent necessary for abuse counter-measures
> ## Minimalism
> We only track the bare minimum of data necessary to answer specific
> we do not collect data preemptively or for exploratory research. In
> particular, this means:
> - collected data must have a clear purpose
> - data is downsampled to the maximum extent possible at the source
> - relevant correlations between individual bits of data should be
> computed at
> the source whenever possible
> - data collection is stopped once corresponding question has been
> ## Privacy
> We will never transmit anything containing user content, or even just
> hints at
> possible user content such as e.g. file names, URLs, etc.
> We will only ever track:
> - system information that is specific to the installation/environment,
> independent of how the application/machine/installation is actually
> - statistical usage data of an installation/application
> ## Compliance
> KDE only releases products capable of acquiring telemetry data if
> with these rules has been established by a public review on
> kde-community]@kde.org from at least two reviewers. The review has to
> repeated for every release if changes have been made to how/what data
> Received data is regularly reviewed for violations of these rules, in
> particular for data that is prone to fingerprinting. Should such
> violations be
> found, the affected data will be deleted, and data recording will be
> until compliance with these rules has been established again. In order
> enable reviewing of the data, every KDE contributor with a developer
> will have access to all telemetry data gathered by any KDE product.
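The anonymity, minimalism and privacy rules quoted above (no identifiers, downsampling at the source, correlations computed at the source, no user content, network addresses kept apart from the data) can be checked mechanically. The following Python module is an added illustration written for this thread; it is not KUserFeedback's code and not part of the original message. The field names, bucket boundaries, the user-content regex and the constructed probe input are all assumptions chosen for the example.

```python
"""Added example: shaping a telemetry record according to the draft rules.
Field names, bucket limits and the sample probe are constructed for this
illustration and are not KUserFeedback's API."""
import re
from collections import Counter

# Keys that would identify a device, installation or user: never collected.
IDENTIFYING_KEYS = {"user_id", "device_id", "install_id", "machine_id",
                    "hostname", "username", "mac"}

# Values that hint at user content: absolute or home-relative paths,
# Windows drive paths, URLs and e-mail addresses. Such records are rejected
# at the source rather than filtered on the server.
USER_CONTENT_RE = re.compile(r"^[/~]|^[A-Za-z]:\\|://|@")

# Constructed raw probe output, as a client-side collector might produce it.
RAW_PROBE = {"app": "kate", "version": "17.08.0", "ram_mb": 7800,
             "screen_w": 1920, "screen_h": 1080, "saves": 12, "sessions": 5}


def bucket_ram(ram_mb):
    """Downsample physical memory (MiB) to a coarse bucket."""
    for limit, label in [(2048, "<2G"), (4096, "2-4G"),
                         (8192, "4-8G"), (16384, "8-16G")]:
        if ram_mb < limit:
            return label
    return ">=16G"


def bucket_resolution(width, height):
    """Keep only a resolution class; exact geometry is a fingerprint signal."""
    pixels = width * height
    if pixels < 1280 * 720:
        return "<HD"
    if pixels < 1920 * 1080:
        return "HD"
    if pixels < 2560 * 1440:
        return "FHD"
    return ">FHD"


def bucket_ratio(numerator, denominator):
    """A correlation computed at the source (e.g. saves per session),
    reduced to a class so the raw counts never leave the machine."""
    if denominator == 0:
        return "n/a"
    ratio = numerator / denominator
    if ratio < 0.5:
        return "low"
    if ratio < 2:
        return "medium"
    return "high"


def build_record(raw):
    """Turn raw probe output into the minimal record the rules allow."""
    for key, value in raw.items():
        if key in IDENTIFYING_KEYS:
            raise ValueError(f"identifying field {key!r} must not be collected")
        if isinstance(value, str) and USER_CONTENT_RE.search(value):
            raise ValueError(f"field {key!r} looks like user content")
    return {
        "app": raw["app"],
        "app_version_major": raw["version"].split(".")[0],
        "ram": bucket_ram(raw["ram_mb"]),
        "screen": bucket_resolution(raw["screen_w"], raw["screen_h"]),
        "saves_per_session": bucket_ratio(raw["saves"], raw["sessions"]),
    }


def is_collectable(raw):
    """True if the probe output can be turned into a compliant record."""
    try:
        build_record(raw)
        return True
    except ValueError:
        return False


class Ingest:
    """Server side: records and network addresses are kept apart. The
    address only feeds a per-address counter used for abuse limiting."""

    def __init__(self, max_per_address=100):
        self.records = []
        self.per_address = Counter()
        self.max_per_address = max_per_address

    def accept(self, remote_addr, record):
        if self.per_address[remote_addr] >= self.max_per_address:
            return False
        if set(record) & IDENTIFYING_KEYS:
            return False
        self.per_address[remote_addr] += 1
        self.records.append(dict(record))  # the address is not stored here
        return True


if __name__ == "__main__":
    print(build_record(RAW_PROBE))
```

The client-side part refuses to build a record at all when a probe carries an identifier or a path-like string, which is the "err on the side of caution" behaviour the draft asks for; the server-side part shows that abuse limiting needs the address only as a counter key, never as a column in the dataset.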