Matthew Miller wrote:
> Since there is no personal information attached, I don't see how on the
> face of it this is a privacy violation. I want to take this concern
> seriously, but I need more to go on than "this is inherent". Can you
> elaborate?
I detailed it further down my message: my concern is that the UUID can
theoretically be used to track users, to build personas out of them from the
packages downloaded by the UUID, and in the extreme case even to identify
the person owning the UUID by name (e.g., if a package downloaded by the
UUID is downloaded only by 1 person and you find some bug report for it in
Bugzilla). I don't care that you promise that you won't do it, the fact is
that you *can*. And possibly others can too, depending on how exactly this
is implemented.
> Like I said, tracking is a non-goal. And, we want a design that is
> resistant to tracking -- but I don't think we need to go overboard.
If you take privacy seriously, you have to assume the worst. It is always
safer to send less data rather than more.
Kevin Kofler
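The linkability and singling-out risk described in the message above, shown as an added example that is not part of the thread or of any Fedora code. It assumes a hypothetical server-side log of (client UUID, package) pairs; the UUIDs, package names and the log format are constructed here for illustration. A stable identifier lets every request be joined into one profile, and a package requested by only one UUID pins that UUID to a single party; the last function shows that if per-package download counts are the only statistic wanted, the same numbers come out of records that never carried an identifier at all.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log: (client_uuid, package) per request.
# Names and UUIDs are made up; "obscure-plugin" is requested by one client only.
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("a1", "kernel"), ("a1", "firefox"), ("a1", "obscure-plugin"),
    ("b2", "kernel"), ("b2", "firefox"),
    ("c3", "kernel"), ("c3", "vim"),
    ("d4", "kernel"), ("d4", "firefox"), ("d4", "vim"),
]


def profiles_by_uuid(log: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Linkability: with a stable UUID every request joins into one persona."""
    profiles: Dict[str, Set[str]] = defaultdict(set)
    for uuid, pkg in log:
        profiles[uuid].add(pkg)
    return dict(profiles)


def requesters_by_package(log: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Inverse index: which UUIDs requested each package."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for uuid, pkg in log:
        index[pkg].add(uuid)
    return dict(index)


def singling_out_packages(log: List[Tuple[str, str]]) -> Dict[str, str]:
    """Packages requested by exactly one UUID.

    Each such package ties its UUID to one party, which is the step
    the message describes (a unique package plus an external record
    such as a bug report naming its user).
    """
    return {
        pkg: next(iter(uuids))
        for pkg, uuids in requesters_by_package(log).items()
        if len(uuids) == 1
    }


def anonymity_set_sizes(log: List[Tuple[str, str]]) -> Dict[str, int]:
    """For each UUID, the size of the smallest crowd it hides in.

    That is the number of UUIDs sharing its least popular package;
    a value of 1 means the UUID is singled out by that package alone.
    """
    index = requesters_by_package(log)
    return {
        uuid: min(len(index[pkg]) for pkg in pkgs)
        for uuid, pkgs in profiles_by_uuid(log).items()
    }


def aggregate_counts(packages_only: List[str]) -> Dict[str, int]:
    """The 'send less data' alternative, assuming only per-package counts are wanted.

    Records that never carried an identifier cannot be joined into
    profiles, yet yield the same counts as the UUID-bearing log.
    """
    return dict(Counter(packages_only))


def identifier_free_records(log: List[Tuple[str, str]]) -> List[str]:
    """What the server would hold if the client had not sent a UUID."""
    return [pkg for _, pkg in log]


if __name__ == "__main__":
    print("profiles:", profiles_by_uuid(SAMPLE_LOG))
    print("singling out:", singling_out_packages(SAMPLE_LOG))
    print("anonymity sets:", anonymity_set_sizes(SAMPLE_LOG))
    print("counts without UUID:", aggregate_counts(identifier_free_records(SAMPLE_LOG)))
```

Run against a real log format, `anonymity_set_sizes` is the check an operator would want before deciding whether per-client identifiers can be stored at all: any client whose smallest crowd is 1 is already re-identifiable from the log alone.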