Bug 466888 - Violation of KDE Software Privacy Policy
Summary: Violation of KDE Software Privacy Policy
Status: RESOLVED FIXED
Alias: None
Product: frameworks-kuserfeedback
Classification: Frameworks and Libraries
Component: Telemetry Provider
Version: unspecified
Platform: Other Other
Importance: NOR normal
Target Milestone: ---
Assignee: Volker Krause
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-05 13:48 UTC by gvgeo
Modified: 2023-05-02 21:01 UTC (History)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Description gvgeo 2023-03-05 13:48:48 UTC
New bug report because the previous one was locked, and did not address the data that are sent to the server, which are part of the problem.
https://bugs.kde.org/show_bug.cgi?id=418981

Issue:
When telemetry is switched on, it sends data that were collected while telemetry was off.

Example:
After 3 years the system has saved locally that Okular has been opened 1095 times. Enabling telemetry now, the first upload will report all 1095 starts, which were collected prior to the user's action.

More details:
When enabled, KUserFeedback uses previously locally saved data, collected in a period in which telemetry was disabled, to assemble the telemetry data. This can happen each time a user enables telemetry, and for most users the first time. The problem is not about the local data.
Currently the code does not differentiate the local function, and instead uses the same stat collection mechanism (used for telemetry) to count for the encouragement message too. To do that it collects all the stats (even with telemetry set to disabled) without ever stopping and uses the start count to time the encouragement. Up to this point the data may be considered local, as they have not been sent anywhere and serve the encouragement mechanism. The issue arises the moment telemetry gets enabled and uses these already saved data to create and send the first report.

Privacy Policy statement:
"As a general rule, software produced by the KDE Community does not collect, transmit or otherwise transfer information from end-users devices except as a result of an explicit user action."
As it is, according to this statement the software should not collect telemetry data before a user action. Despite that, the data collected, while some of them serve a local function too, clearly become telemetry data when the user enables telemetry; but they were collected before the user's explicit action.

Some mentioned solutions:
1. Split telemetry and locally used data, only store locally used data when off.
2. Only show encouragement message the first time.
3. Change the privacy policy. E.g. removal of the word "collect" will align it with the current behavior: "As a general rule, software produced by the KDE Community does not transmit or otherwise transfer information from end-users devices except as a result of an explicit user action."
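The counter behaviour described in this report, next to the first proposed fix (splitting the locally used counter from the telemetry counter), modelled as an added C++ example; this is not KUserFeedback's code, and the store types, method names and the 1095-start scenario are assumed for illustration.

```cpp
#include <cstdint>

// Behaviour as reported (assumed model, not the project's code): one shared
// start counter feeds both the local encouragement message and the telemetry
// report, and it keeps counting regardless of the telemetry setting.
struct SharedCounterStore {
    uint64_t starts = 0;
    bool telemetryEnabled = false;
    void recordStart() { ++starts; }
    void setTelemetry(bool on) { telemetryEnabled = on; }
    uint64_t encouragementCount() const { return starts; }
    // First report after opt-in contains every start ever recorded locally.
    uint64_t buildReport() const { return telemetryEnabled ? starts : 0; }
};

// Solution 1 from the report: keep the locally used counter separate from the
// telemetry counter, and only advance the telemetry counter while telemetry
// is enabled, so a report never contains starts recorded before the opt-in.
struct SplitCounterStore {
    uint64_t localStarts = 0;     // always maintained, never transmitted
    uint64_t telemetryStarts = 0; // only grows after the explicit user action
    bool telemetryEnabled = false;
    void recordStart() {
        ++localStarts;
        if (telemetryEnabled) ++telemetryStarts;
    }
    void setTelemetry(bool on) { telemetryEnabled = on; }
    uint64_t encouragementCount() const { return localStarts; }
    uint64_t buildReport() const { return telemetryEnabled ? telemetryStarts : 0; }
};

// Replays the scenario from the report: N starts with telemetry off, then the
// user enables telemetry and the application starts once more before the
// first upload. Returns the start count that first upload would carry.
template <typename Store>
uint64_t firstReportAfterOptIn(Store store, uint64_t startsBeforeOptIn) {
    for (uint64_t i = 0; i < startsBeforeOptIn; ++i) store.recordStart();
    store.setTelemetry(true);
    store.recordStart(); // the single start that happened after opt-in
    return store.buildReport();
}

// The encouragement mechanism still sees the full local history in both
// designs; only what reaches the server differs.
template <typename Store>
uint64_t localCountAfterOptIn(Store store, uint64_t startsBeforeOptIn) {
    for (uint64_t i = 0; i < startsBeforeOptIn; ++i) store.recordStart();
    store.setTelemetry(true);
    store.recordStart();
    return store.encouragementCount();
}
```

With 1095 pre-opt-in starts the shared design reports 1096 on the first upload, while the split design reports 1 and still shows 1096 to the local encouragement logic.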
Comment 1 Nate Graham 2023-03-06 16:06:30 UTC
In this context, the word "collect" is clearly referring to the transmission of data to KDE, not its local storage. For example see this sentence:
> We collect personal information in order to provide you with services on our websites.
If "collect" is a synonym for "locally store", then the sentence could be re-worded like so:
> "We locally store personal information in order to provide you with services on our websites.
Which is clearly nonsensical in its proper context.

That leaves the issue of locally stored data that was locally stored prior to telemetry being turned on being sent to KDE when telemetry is turned on. Because telemetry is off by default, turning it on is clearly an "explicit user action", so I am failing to see the violation of the policy. Can you clarify?
Comment 2 gvgeo 2023-03-14 12:17:43 UTC
As long as 'collect' refers to data transmitted to KDE, that data shall not be collected before the user's explicit action.
The act of saving locally is irrelevant, in essence. It is like using a middle man to do the dirty job for you.

These data have the purpose of being sent to KDE, and were collected before the user's action.
You may argue whether it is okay for them to be saved locally, unused; but at the very least, it should be obvious that the transmission of them is against the policy.

As for the example above, it does not match this case, as it refers to KDE, instead of the software to which the policy refers.
Comment 3 Nate Graham 2023-03-14 12:54:41 UTC
(In reply to gvgeo from comment #2)
> As long, 'Collect' refers to data transmitted to kde; that data, shall not
> be collected before the user's explicit action. 
That's currently the case. If we're going to define "collect" to refer to the act of transmitting, then no collection takes place before this is explicitly authorized.

> The act of saving locally is irrelevant, in essence. It is like using a
> middle man to do the dirty job for you.
> 
> These data have the purpose to be send to kde, and were collected before
> user's action.
> You may argue if it is okay to be saved, locally unused; but at very least,
> should be obvious, the transmission of them is against the policy.
If the user has explicitly authorized it, then I'm not seeing how it's against the policy.

Since this line of argumentation isn't making sense to me, can you maybe try another one, or try rephrasing it in a way that might help me understand your position?
Comment 4 Bug Janitor Service 2023-03-29 03:45:39 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 5 gvgeo 2023-03-30 07:47:10 UTC
(In reply to Nate Graham from comment #3)
> (In reply to gvgeo from comment #2)
> > As long, 'Collect' refers to data transmitted to kde; that data, shall not
> > be collected before the user's explicit action.
> That's currently the case. If we're going to define "collect" to refer to the
> act of transmitting, then no collection takes place before this is explicitly
> authorized.
I cannot imagine how 'collect' can be defined like that. The fitting definition of 'collect' is along the lines of 'gathering together'; 'transmit' has the near-opposite meaning of 'sending to'. Here, I was stating the kind of information which the act of assembling together relates to: those that are transmitted to KDE. And the collection of that data, as specified in the policy, must not be done before the user's authorization.

> > The act of saving locally is irrelevant, in essence. It is like using a
> > middle man to do the dirty job for you.
> > 
> > These data have the purpose to be send to kde, and were collected before
> > user's action.
> > You may argue if it is okay to be saved, locally unused; but at very least,
> > should be obvious, the transmission of them is against the policy.
> If the user has explicitly authorized it, then I'm not seeing how it's against
> the policy.
He didn't authorize that data, which were collected previously, but only new ones. This comes from the policy's promise that no collection happens before. As a result, his action allows the start of the collection process, which will create (new) data to transmit.

> That leaves the issue of locally stored data that was locally stored prior to
> telemetry being turned on sent to KDE when telemetry is turned on. because
> telemetry is off by default, turning it on is clearly an "explicit user action"
> so I am failing to see the violation of the policy. Can you clarify?
That explicit action allows not only the transmission of data, but also the collection of them. And because that locally saved data were collected before the explicit action, they should not be transmitted.
Comment 6 Nate Graham 2023-03-30 20:38:13 UTC
Since this is effectively a legal document, you can't define "collect" in two different ways in different parts of it. If "collect" only means "gather together in one place", it must have that meaning everywhere.

But in the telemetry section, the word is clearly being used as a synonym of "transmit". If that's the case, then earlier where it says "...does not collect, transmit or otherwise transfer information...", we're either saying that we don't transmit information twice, or else we're assigning a different meaning to the word "collect." That's not ideal and is worth fixing. I'll fix it.
Comment 7 Bug Janitor Service 2023-03-30 20:38:18 UTC
A possibly relevant merge request was started @ https://invent.kde.org/websites/kde-org/-/merge_requests/186
Comment 8 Nate Graham 2023-05-02 21:01:50 UTC
Git commit 71992cc8a177c959706088d02413c1a97f989749 by Nate Graham.
Committed on 02/05/2023 at 21:01.
Pushed by ngraham into branch 'master'.

Clarify "collection" vs "transmission" in apps privacy policy

A plain-English reading of the word "collection" suggests that it
refers to the local gathering of information, as opposed to its remote
transmission. However on the apps privacy policy page, it is currently 
used with two meanings. See for example this sentence in the "General 
Principle" section:

> As a general rule, software produced by the KDE Community does not
> collect, transmit or otherwise transfer information from end-users
> devices except as a result of an explicit user action.

Here "collect" is being used to describe saving local state data, such
as lists of recent documents. It is explicitly contrasted with 
the concept of transmission.

Now see this sentence in the "Telemetry" section:

> With regards to information collected, only details on the device
> itself (such as the software versions installed and its hardware
> specifications) along with details on how our software is used (such
> as whether certain features are enabled and what plugins have been
> installed) are collected.

Here "collect" is used as a synonym of the word "transmit", since 
telemetry is all about transmitting information to someone else.

Using the same word with two meanings isn't ideal, especially for a
document that needs technical precision to avoid confusing people. To
improve clarity, this commit tweaks the page to use the word
"transmission" instead of "collection" in any context where the thing
being described is in fact transmission and not saving data locally.

@sysadmin @teams/kde-ev-board

M  +4    -4    content/privacypolicy-apps.md

https://invent.kde.org/websites/kde-org/commit/71992cc8a177c959706088d02413c1a97f989749