On 7/6/23 12:10, Aoife Moloney wrote:
That said, Fedora Legal has determined that if we collect any
personally-identifiable data, the entire metrics system must be
opt-in. Since we are only interested in opt-out metrics due to the low
value of opt-in metrics, we must accordingly never collect any
personally-identifiable data.
I oppose any telemetry that is not opt-in, but I also do not think that
what this proposal is suggesting is possible to implement.
For metrics to not be personally identifiable, it is necessary that the
set of metrics collected have sufficiently low entropy that on average,
_many_ users will send _the exact same metrics_. It is very hard for me
to see any useful set of metrics having such low entropy.
If Fedora has 2 million users (possibly an overestimate) then the
metrics would need to have entropy much less than 2^21, which means
that the entire metrics set would need to be able to be represented
as a 20-bit integer. In practice, I suspect one would need to fit
the entire set in a 16-bit integer or less, and possibly
_significantly_ less.
--
Sincerely,
Demi Marie Obenour (she/her/hers)