On Thu, 2007-02-15 at 07:21 +0100, Thorsten Leemhuis wrote:
> On 15.02.2007 06:58, Ralf Corsepius wrote:
> > On Thu, 2007-02-15 at 00:34 -0500, seth vidal wrote:
> >> On Thu, 2007-02-15 at 05:48 +0100, Ralf Corsepius wrote:
> >>> On Wed, 2007-02-14 at 10:59 -0600, Mike McGrath wrote:
> >>>> So smolt is still set up in firstboot and still is opt in. My question
> >>>> is do we want to install smolt as part of a default configuration with
> >>>> F7. My vote is yes.
> >>> My vote is no.
> >>> * is legally questionable.
> >> If you have a concern here, please file a bug on it and I will make sure
> >> it gets passed into the legal queue for evaluation.
> > Everything that needed to be said had been communicated to Mr. McGrath.
> > It's up to him to decide on what to do with it.
>
> Could you give a quick summary please?

Firstly, please note that I said "questionable", i.e. would have to be carefully examined by a specialized lawyer.

Secondly, you should be aware that it actually is about two separate issues: "Legality and correctness"

On the legal side, it is "Schutz der Privatsphäre" ("Protection of private sphere") in general, a legally complicated matter with many booby-traps hidden inside.

In Germany, even "collecting data without prior consent" in many cases is considered illegal. E.g. there had been a precedent in which someone having set up a webcam monitoring his house's front yard has been considered illegal for breach of privacy. It's the reason why most shops using camera supervision nowadays have signs explicitly notifying their customers.

Things become further complicated when personalized data comes into play (BDSG - Bundesdatenschutzgesetz - "Federal Law on Data Privacy"). The crucial points here would be "when to consider data personalized" and "which data is allowed to be collected under which circumstances".

Rule of thumb: Any personalized data must not be collected unless it is technically required for a transaction (Classic example: Any bill must be removed from cashier systems after the customer has paid, within a predefined timeframe).

I.e. from a German point of view. Smolt's "machine id" in connection with the IP address needs to be legally reviewed if this qualifies as "personalized data". I for one regard it as such.

> >> Please list the
> >> country where you think the law might be violated.
> > Probably most parts of the world outside of the US, definitely in
> > Europe, definitely in Germany, probably also in some part of Asia.
>
> I'm not a lawyer, but I live in Germany, and I think this kind of
> anonymous opt-in mechanism should be fine, as long as it's clearly
> documented what kind of information is sent.

IANAL, too, but, yes this matches with my knowledge. I repeatedly said, to be legally safe in Germany, any such transaction must be opt-in (I am aware this is not 100% legally correct, but it's the "rule of thumb to be safe").

The other point is "is it correct" to transmit such data: Here apparently German perception is different from that in other countries. Microsoft and other vendors had been flamed, Intel was flamed for their CPU-Ids (they didn't even transmit anything, simply the fact they implemented an option was enough), many other vendors followed, ... Check heise's newsticker for press notices concerning this, they are easy to find ....

This touches security as well as privacy. Ask yourself: If you were an administration/government/military organisation, an enterprise's financial/development department, a bank, simply a shop archiving your customer data or other entity dealing with "secret"/"private" information, would you want details about your systems to be exposed to the public?

Consider secret services/competitors spying on the net, consider man-in-the-middle attacks, consider intruders harvesting the database, ...

I would not - I would take any measure to prevent and obscure such transmission.

Ralf

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list