Package: chirp
Version: 0.4.0-1
Severity: serious

A pop-up dialog from the "chirpw" program says that it reports some kind
of usage information to some external party, and describes how to
opt out of this. There are at least two privacy problems:

1. It appears that some phoning home happens before the user has given
informed consent. For example, when I received the pop-up dialogue, I
immediately disabled reporting, but I found that "chirpw" had already
contacted some server and informed me that I was not using the latest
version. Therefore, the suggestion that one can opt out of phoning-home
is misleading, since some phoning-home has already occurred.

2. Also, the text suggests that this is anonymous, but that is
misleading (due, e.g., to IP address traceability), so any consent would
not be informed, even were it given prior to phoning-home occurring.

Note that I have not looked at what information is transmitted, so there
might be a third problem, but I believe these two identified problems
alone require action.

I recommend and request that this reporting and any other "phoning home"
either be disabled completely in the Debian "chirp" package, or changed
to be an express *opt-in* (as opt-in has long been used elsewhere in Debian,
such as for package "popularity contest"). Thank you.