Telemetry Policy

Ben Cooksley bcooksley at kde.org
Mon Aug 14 22:31:46 BST 2017


On Tue, Aug 15, 2017 at 8:11 AM, Ingo Klöcker <kloecker at kde.org> wrote:
> On Monday 14 August 2017 21:53:17 Ben Cooksley wrote:
>> On Sun, Aug 13, 2017 at 9:47 PM, Volker Krause <vkrause at kde.org> wrote:
>> > Hi,
>>
>> Hi Volker,
>>
>> > during the KUserFeedback BoF at Akademy there was quite some
>> > interest in collecting telemetry data in KDE applications. But
>> > before actually implementing that we agreed to define the rules
>> > under which we would want to do that. I've tried to put the input
>> > we collected during Akademy into proper wording below. What do you
>> > think? Did I miss anything?
>> >
>> > Regards,
>> > Volker
>> >
>> >
>> > # Telemetry Policy Draft
>> >
>> > Application telemetry data can be a valuable tool for tailoring our
>> > products to the needs of our users. The following rules define how
>> > KDE collects and uses such application telemetry data. As privacy
>> > is of utmost importance to us, the general rule of thumb is to err
>> > on the side of caution here. Privacy always trumps any need for
>> > telemetry data, no matter how legitimate.
>> >
>> > These rules apply to all products released by KDE.
>> >
>> > ## Transparency
>> >
>> > We provide detailed information about the data that is going to be
>> > shared, in a way that:
>> > - is easy to understand
>> > - is precise and complete
>> > - is available locally without network connectivity
>> >
>> > Any changes or additions to the telemetry functionality of an
>> > application will be highlighted in the corresponding release
>> > announcement.
>> >
>> > ## Control
>> >
>> > We give the user full control over what data they want to share with
>> > KDE. In particular:
>> > - application telemetry is always opt-in, that is off by default
>> > - application telemetry settings can be changed at any time, and are
>> > provided as prominently in the application interface as other
>> > application settings
>> > - applications honor system-wide telemetry settings where they exist
>> > (global "kill switch")
>> > - we provide detailed documentation about how to control the
>> > application telemetry system
>> >
>> > In order to ensure control over the data after it has been shared
>> > with KDE, applications will only transmit this data to KDE servers,
>> > that is servers under the full control of the KDE sysadmin team.
>> >
>> > We will provide a designated contact point for users who have
>> > concerns about the data they have shared with KDE. While we are
>> > willing to delete data a user no longer wants to have shared, it
>> > should be understood that the below rules are designed to make
>> > identification of data of a specific user impossible, and thus a
>> > deletion request impractical.
>>
>> Can we change "impractical" to "effectively impossible" here please?
>>
>> > ## Anonymity
>> >
>> > We do not transmit data that could be used to identify a specific
>> > user. In particular:
>> > - we will not use any unique device, installation or user id
>> > - data is stripped of any unnecessary detail and downsampled
>> > appropriately before sharing to avoid fingerprinting
>> > - network addresses (which are exposed inevitably as part of the data
>> > transmission) are not stored together with the telemetry data, and
>> > must only be stored or used to the extent necessary for abuse
>> > counter-measures
>> I'm wary that people might jump on the network addresses bit here.
>>
>> Can we please mention that all records that contain network addresses
>> and other similar information would be stored in such a form that they
>> could not be associated with telemetry records.
>>
>> In terms of the logs - as there are other uses for them, I'd prefer if
>> we widened that to also allow them to be kept to allow us to maintain
>> the proper and effective operation of the telemetry system and other
>> associated services. The time we retain those logs should also be at
>> our complete and total discretion and if need be should be
>> indefinite.
>
> I'm pretty sure that this would be a violation of the European General
> Data Protection Regulation.
>
> In Germany IP addresses are considered personal data (by rulings of the
> German constitutional court). Therefore, IP addresses must be
> anonymized, e.g. by zeroing the last part of the quadruplet (see for
> example the anonymizeIp setting of Google Analytics), if they are used
> for anything other than maintaining the security of a service. Even if
> used for maintaining the security of a service they must not be stored
> longer than absolutely necessary. Storing IP addresses indefinitely or
> at least for a long period of time is the "wet dream" of all national
> law enforcement intelligence institutions -> Vorratsdatenspeicherung
> (data retention). Luckily, so far those dreams have been stalled by the
> German constitutional court. The German Minister of the Interior would
> be delighted if KDE would provide such data.

This depends on your perspective I guess.
For me, we run into the "brick wall" that is these regulations far too
easily, just trying to do relatively simple, normal stuff which people
expect to do these days - like website statistics!

You have no idea how many times people asked for web statistics and we
(Sysadmin) had to tell people no you can't do that because the board
said so - and of course we got the heat for that.
It wasn't until recently, after much pushing, that we managed to get
the arrangements sorted out for that.

I'd be happy to see wholesale reform of those laws to make them
somewhat sane, instead of the byzantine, archaic and fascist setup
Europe has at the moment.

In any case, if that's what it says guess that's the purpose we keep
logs for then.

>
>
> Regards,
> Ingo

Cheers,
Ben



More information about the kde-community mailing list