On Mon, Jan 07, 2019 at 10:00:25PM -0500, Matthew Miller wrote: > On Mon, Jan 07, 2019 at 11:09:48PM +0100, Kevin Kofler wrote: > > Please no! This is an inherent privacy violation. I hate software doing this > > and I always opt out of it. I find it especially worrying that Free Software > > is now doing this more and more often, this used to be something only > > privacy-violating proprietary software would do. > > Since there is no personal information attached, I don't see how on the face > of it this is a privacy violation. I want to take this concern seriously, > but I need more to go on than "this is inherent". Can you elaborate? I'm not a lawyer, but GDPR is something that affects all of use. Going by the wiki page and GDPR announcements from European Commission: Scope: > The regulation applies if ... the data subject (person) is based in the EU So Fedora obviously falls under the scope of GDPR. > personal data is any information relating to an individual ... a computer's IP address. I an IP address qualifies as "personal data", then an installation UUID does too. Lawful basis for processing: > Unless a data subject has provided informed consent to data > processing for one or more purposes, personal data may not be > processed unless there is at least one legal basis to do > so. According to Article 6, the lawful purposes are: > (a) If the data subject has given consent to the processing of his > or her personal data; (b)-(e) obviously don't apply > (f) For the legitimate interests of a data controller or a third > party, unless these interests are overridden by interests of the > data subject We could argue [1] that reliably collecting the number of individual installations is a "legitimate interest", for example because it allows us to decide what parts of Fedora are most used and direct our efforts there. I think it's pretty obvious that knowing the number of users is a valid interest for any software project. Then we could use point (f). Otherwise, we have to use point (a) which is only satisfied by an clearly worded, and specific, opt-*in* dialogue. [1] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/ Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
