On Mon, Jan 07, 2019 at 10:00:25PM -0500, Matthew Miller wrote:
On Mon, Jan 07, 2019 at 11:09:48PM +0100, Kevin Kofler wrote:
> Please no! This is an inherent privacy violation. I hate software doing this
> and I always opt out of it. I find it especially worrying that Free Software
> is now doing this more and more often, this used to be something only
> privacy-violating proprietary software would do.
Since there is no personal information attached, I don't see how on the face
of it this is a privacy violation. I want to take this concern seriously,
but I need more to go on than "this is inherent". Can you elaborate?
I'm not a lawyer, but GDPR is something that affects all of use. Going
by the wiki page and GDPR announcements from European Commission:
The regulation applies if ... the data subject (person) is based in
So Fedora obviously falls under the scope of GDPR.
personal data is any information relating to an individual ... a
computer's IP address.
I an IP address qualifies as "personal data",
then an installation UUID does too.
Lawful basis for processing:
Unless a data subject has provided informed consent to data
processing for one or more purposes, personal data may not be
processed unless there is at least one legal basis to do
so. According to Article 6, the lawful purposes are:
(a) If the data subject has given consent to the processing of his
or her personal data;
(b)-(e) obviously don't apply
(f) For the legitimate interests of a data controller or a third
party, unless these interests are overridden by interests of the
We could argue  that reliably collecting the number of individual
installations is a "legitimate interest", for example because it
allows us to decide what parts of Fedora are most used and direct our
efforts there. I think it's pretty obvious that knowing the number of
users is a valid interest for any software project. Then we could use
Otherwise, we have to use point (a) which is only satisfied by an clearly
worded, and specific, opt-*in* dialogue.