Summary: | Violation of KDE Software Privacy Policy | ||
---|---|---|---|
Product: | [Frameworks and Libraries] frameworks-kuserfeedback | Reporter: | gvgeo <Gvgeo> |
Component: | Telemetry Provider | Assignee: | Volker Krause <vkrause> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | nate |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Other | ||
OS: | Other | ||
Latest Commit: | https://invent.kde.org/websites/kde-org/commit/71992cc8a177c959706088d02413c1a97f989749 | Version Fixed In: |
Description
gvgeo
2023-03-05 13:48:48 UTC
In this context, the word "collect" is clearly referring to the transmission of data to KDE, not its local storage. For example see this sentence: > We collect personal information in order to provide you with services on our websites. If "collect" is a synonym for "locally store", then the sentence could be re-worded like so: > "We locally store personal information in order to provide you with services on our websites. Which is clearly nonsensical in its proper context. That leaves the issue of locally stored data that was locally stored prior to telemetry being turned on sent to KDE when telemetry is turned on. because telemetry is off by default, turning it on is clearly an "explicit user action" so I am failing to see the violation of the policy. Can you clarify? As long, 'Collect' refers to data transmitted to kde; that data, shall not be collected before the user's explicit action. The act of saving locally is irrelevant, in essence. It is like using a middle man to do the dirty job for you. These data have the purpose to be send to kde, and were collected before user's action. You may argue if it is okay to be saved, locally unused; but at very least, should be obvious, the transmission of them is against the policy. As for the example above, does not match this case, as it refers to kde, instead of the software which the policy refers. (In reply to gvgeo from comment #2) > As long, 'Collect' refers to data transmitted to kde; that data, shall not > be collected before the user's explicit action. That's currently the case. If we're going to define "collect" to refer to the act of transmitting, then no collection takes place before this is explicitly authorized. > The act of saving locally is irrelevant, in essence. It is like using a > middle man to do the dirty job for you. > > These data have the purpose to be send to kde, and were collected before > user's action. > You may argue if it is okay to be saved, locally unused; but at very least, > should be obvious, the transmission of them is against the policy. If the user has explicitly authorized it, then I'm not seeing how it's against the policy. Since this line of argumentation isn't making sense to me, can you maybe try another one, or try rephrasing it in a way that might help me understand your position? Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone! (In reply to Nate Graham from comment #3) > (In reply to gvgeo from comment #2) > > As long, 'Collect' refers to data transmitted to kde; that data, shall not > > be collected before the user's explicit action. > That's currently the case. If we're going to define "collect" to refer to the > act of transmitting, then no collection takes place before this is explicitly > authorized. Can not imagine how 'collect' can be defined like that. The fitting definition for 'collect' is in lines of 'gathering together', 'transmit' has near opposite meaning of 'sending to'. Here, I was stating the kind of information, which the act of assembling together relates to, those that are transmitted to kde. And the collection of that data, as specified in the policy, must not be done before user's authorization. > > The act of saving locally is irrelevant, in essence. It is like using a > > middle man to do the dirty job for you. > > > > These data have the purpose to be send to kde, and were collected before > > user's action. > > You may argue if it is okay to be saved, locally unused; but at very least, > > should be obvious, the transmission of them is against the policy. > If the user has explicitly authorized it, then I'm not seeing how it's against > the policy. He didn't authorized that data, that were collected previously, but only new ones. This comes from the policy's promise that no collection happen before. As a result, his action allows the start of the collection process, which will create (new) data to transmit. > That leaves the issue of locally stored data that was locally stored prior to > telemetry being turned on sent to KDE when telemetry is turned on. because > telemetry is off by default, turning it on is clearly an "explicit user action" > so I am failing to see the violation of the policy. Can you clarify? That explicit action allows not only the transmission of data, but also the collection of them. And because that locally saved data, were collected before the explicit action, and should not be transmitted. Since this effectively a legal document, you can't define "collect" in two different ways in different parts of it. If "collect" only means "gather together in one place", it must have that meaning everywhere. But in the telemetry section, the word clearly being used as a synonym of "transmit". If that's the case, then earlier where it says "...does not collect, transmit or otherwise transfer information...", we're either saying that we don't transmit information twice, or else we're assigning a different meaning to the word "collect." That's not ideal and is worth fixing. I'll fix it. A possibly relevant merge request was started @ https://invent.kde.org/websites/kde-org/-/merge_requests/186 Git commit 71992cc8a177c959706088d02413c1a97f989749 by Nate Graham. Committed on 02/05/2023 at 21:01. Pushed by ngraham into branch 'master'. Clarify "collection" vs "transmission" in apps privacy policy A plain-English reading of the word "collection" suggests that it refers to the local gathering of information, as opposed to its remote transmission. However on the apps privacy policy page, it is currently used with two meanings. See for example this sentence in the "General Principle" section: > As a general rule, software produced by the KDE Community does not > collect, transmit or otherwise transfer information from end-users > devices except as a result of an explicit user action. Here "collect" is being used to describe saving local state data, such as lists of recent documents. It is explicitly contrasted with the concept of transmission. Now see this sentence in the "Telemetry" section: > With regards to information collected, only details on the device > itself (such as the software versions installed and its hardware > specifications) along with details on how our software is used (such > as whether certain features are enabled and what plugins have been > installed) are collected. Here "collect" is used as a synonym of the word "transmit", since telemetry is all about transmitting information to someone else. Using the same word with two meanings isn't ideal, especially for a document that needs technical precision to avoid confusing people. To improve clarity, this commit tweaks the page to use the word "transmission" instead of "collection" in any context where the thing being describes is in fact transmission and not saving data locally. @sysadmin @teams/kde-ev-board M +4 -4 content/privacypolicy-apps.md https://invent.kde.org/websites/kde-org/commit/71992cc8a177c959706088d02413c1a97f989749 |