Help with KDE PIM and Google Privacy Policies needed

Ben Cooksley bcooksley at kde.org
Fri Mar 6 19:03:57 GMT 2020 

On Sat, Mar 7, 2020 at 1:14 AM Martin Flöser <mgraesslin at kde.org> wrote:
>
> Am 2020-03-06 08:20, schrieb Nicolás Alvarez:
> > Apple can give its million appstore apps access to Google calendar
> > data, and Mozilla can let addons access email data, but we can't? What
> > do they do differently?
>
> The only thing they do differently is that they have a permission system
> in place. Doesn't apply for Thunderbird of course which means we should
> look at their privacy policy. Though we should never ask Google "Why is
> Thunderbird allowed?" as we don't want that Thunderbird gets access
> revoked.
>
> >
> > Also, Linux desktop systems are usually not sandboxed. If we didn't
> > have Akonadi, and KOrganizer/KMail/etc used their own databases to
> > store data without intending to share them with other apps, other apps
> > could *still* access the data via the filesystem. Mozilla Thunderbird
> > is approved by Google, and KWin theoretically *could* access my email
> > because it can read ~/.mozilla. Sure, in practice it doesn't; but in
> > practice it also doesn't access Akonadi.
>
> Maybe we are just too open about what Akonadi can do in the privacy
> policy. Which I think is a good thing. On the other hand I'm sure that
> Mozilla doesn't state that any app could read the storage. Perhaps we
> need to sell Akonadi differently.

>From my reading of their objections, I concur that the problem is
mostly centered around how we are describing what is happening to
them.

Their principal concern from my understanding is making sure that
information which they are allowing applications to access is not
being transferred elsewhere and that applications are taking
appropriate measures to only retrieve the information needed to do
what the user has asked them to do.

Based upon what I read of the "PIM Privacy Policy" (which for some
reason has been started separately to
https://kde.org/privacypolicy-apps.php which is where this actually
belongs) it isn't clear what we are actually doing here and the
mention of third party services definitely looks out of place.

In this case I would suggest removing all references to third party
privacy policies - as those are out of scope for our policy. The user
has asked us / our software to interact with that service, so anything
that happens with that information after we send it is no longer our
concern - it is an issue between the user and that third party
service. Our policy should only concern itself with what our software
does with information it is handling.

The search indexing and caching should still be mentioned (as that is
what we are doing with the data on the users device), although I don't
think we need to include reference to Akonadi in there, as that is a
name for a technology framework and not supposed to be user facing.

>
> Cheers
> Martin

Cheers,
Ben

More information about the kde-community mailing list