On 7/6/23 12:10, Aoife Moloney wrote:
> Important process note: we are experimenting with using Fedora
> Discussion as part of the Changes process. Change announcements (like
> the one you are reading right now) will still be sent to the
> devel-announce mailing list, but the conversation about each change
> will take place on Fedora Discussion at
> https://discussion.fedoraproject.org/t/f40-change-request-privacy-preserv...
>
> This will follow the same process as before, just with discussion in a
> different format
> https://docs.fedoraproject.org/en-US/program_management/changes_policy/
>
> You can subscribe to and interact with these conversations by email.
> See
> https://discussion.fedoraproject.org/t/guide-to-interacting-with-this-sit...
> for detailed instructions. To make sure you do not miss anything, make
> sure that you have the Change Proposal category set to “Watching” —
> or, if you just want to get notified about new changes but not every
> reply in the conversation, to “Watching First Post”. (Click on the
> little bell icon at the top right of the category page.)
>
> The below document represents a proposed Change. As part of the
> Changes process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> The Red Hat Display Systems Team (which develops the desktop) proposes
> to enable limited data collection of anonymous Fedora Workstation
> usage metrics.

There are two problems here:
1. The GDPR and similar regulations are 100% clear that consent must
be opt-*in*. Opt-*out*, as is proposed here, is not consent.
Therefore, this change is proposing collecting telemetry *without
user’s consent*.
2. Irrespective of whether or not the metrics are personally
identifiable for the purposes of GDPR and other regulations,
I highly doubt you will be able to convince people that they are
in fact not personally identifiable. Techniques for correlating
metrics can only get better, never worse, and this means that
information may become personally identifiable in the future even
if it was not in the past. Even Differential Privacy cannot solve
this problem because it works on aggregate statistics, not on the
raw data collected.
The only way I could be convinced that the raw data is in fact not
personally identifiable is if there was a mathematical proof to
that effect. Such a proof would probably be worthy of publication
in a peer-reviewed research paper.
Since this Change proposal comes from Red Hat, I have an alternative
to propose: Red Hat can ask its paying corporate customers for
this information, perhaps in exchange for a discount on their RHEL
subscriptions. This should be much less controversial.
--
Sincerely,
Demi Marie Obenour (she/her/hers)