#53: privacy policy should be updated to describe the privacy of Fedora installations, not participation in Fedora events ---------------------+------------------- Reporter: zbyszek | Owner: Status: new | Priority: normal Component: General | Keywords: ---------------------+------------------- == How the privacy policy is specified == /usr/lib/os-release contains PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy. PRIVACY_POLICY_URL is documented to "refer to the main privacy policy page for the operati[ng] system" [1]. This line was added to allow Gnome to display a link to the privacy policy without hardcoding the text or URL. It is currently shown by gnome-initial-setup [2]. [1] https://www.freedesktop.org/software/systemd/man/os- release.html#HOME_URL= [2] https://in.waw.pl/~zbyszek/fedora/gnome-i-s-privacy-policy- screenshot.png == Recent attempts at updating == There have been two drafts that I'm aware of: - https://fedoraproject.org/wiki/User:Pfrields/PrivacyPolicyRedux discussed at [3] - https://fedoraproject.org/wiki/User:Spot/PrivacyPolicyProposal discussed at [4] [3] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011700.html [4] https://lists.fedoraproject.org/pipermail/council- discuss/2015-September/013633.html Neither of those significantly address issues that have been raised in response to both proposals. == What is wrong with current policy == [This part is subjective of course, please read it as prefixed with "IMO" everywhere] As stated in $subject, it's a policy for a different purpose. The privacy policy used as "the privacy policy for the OS" should primarily and prominently describe what information is collected (or otherwise made public) when Fedora is installed, when a user account on the Fedora machine is created, and in normal use of Fedora. Crafting a clear and simple policy will make a good impression that Fedora Project cares about it's users privacy, and is safe to use in situations where preserving personal information is important. A general problem is that existing policy and proposed draft do not make a clear distinction between a) installing Fedora and downloading updates, b) creating accounts for Fedora development and using the bug tracker, c) participating in Fedora conferences and such. Those three broad categories have completely different privacy implications. Without being clear to which of those the policy pertains means that the policy greatly overstates the types of information being collected. In effect the policy is much more relaxed (i.e. bad for the users) than it could be. Specific issues raised: Should there be mention of NetworkManager-config-connectivity-fedora? (ie, checking http://fedoraproject.org/static/hotspot.txt for captive portal) [5] In the section about 'Cookies and other Browser information', it might be useful to mention that the 'User Agent ID' of Browsers that are packaged in Fedora is configured to identify the system as running Fedora. [6] For example, the list in "Publicly Available Personal Information" really isn't palatable. A better way of showing this might be to say: "the information you give when creating your account will be public by default. You can see what data is publicly visible <here> (link to the public page for the user), modify your privacy settings <here>, and request deletion of the account <here>" [7] I also don't like the "Personal Information" vs. "Non-Personal Information". It might be how a lawyer works, but just because it pertains to a computer and not to a person doesn't make it less identifying. [7] the privacy policy needs to refer to "user account" in such way that it'll be clear that it's talking about accounts for contributors (FAS) and not a user account on your system or an online account you add via GOA, to make it clear Fedora doesn't scrape your name (or other identifying details) from Google / Facebook accounts added via GOA, nor the "Full Name" field of user accounts on your computer. [8] parties reports (such to AFAIK, in Germany, it's the laws that any such "passing on personal information" needs to be opt-in - "Opt-out" and "always-on" would be unlawful. [10] What procedures are being put in place so that EU residents (and hopefully everyone) can contact Fedora or Red Hat to obtain/understand/verify/delete their machine data, beyond obviously personal data? [5] https://lists.fedoraproject.org/pipermail/council- discuss/2015-September/013643.html [6] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011703.html [7] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011727.html [8] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011729.html [9] https://lists.fedoraproject.org/pipermail/council- discuss/2015-September/013637.html [10] https://lists.fedoraproject.org/pipermail/council- discuss/2015-September/013637.html [11] https://lists.fedoraproject.org/pipermail/council- discuss/2015-September/013649.html == tl; dr == The policy is too complicated, yet lacks detail and does not provide strong guarantees. Statements like "The Information We Collect ... your Fedora Account password .. your SSH public key ... your affiliation" are not appropriate for a page linked to from the "Privacy Policy" link displayed during installation. I hope the Council can help to push towards a better policy document. Currently things seem to be stuck in minimal edits over the last year and half. Maybe the document should be opened for public editing on a wiki somewhere so that people can rearrange the text and take it further from current form. If the Council accepted the general idea of providing strong privacy guarantees things could move forward. -- Ticket URL: <https://fedorahosted.org/council/ticket/53> council <https://fedorahosted.org/council> Fedora Council Public Tickets