Public bug reported:
The systemd project is experimenting and working with various ideas that
have privacy ramifications. This includes the work in systemd-resolved
and systemd-timesyncd that creates a possibility for disclosure of
personal information to Google or similar providers through default code
paths. The data remitted such as client IP addresses, subdomains
containing usernames or unique IDs, banking domains and similar data may
be considered personal data under the GDPR and other EU law.
These components are currently in a state where it is legally dubious
whether they comply or can be made to comply. In particular, systemd's
default configuration unless otherwise configured and compiled discloses
personal information to Google without consent or methods to withdraw
consent and without plain-language privacy policy. This design overall
is considered flawed by the GDPR.
I had reported this concern upstream as it impacts all distributions,
but the systemd project has shown disinterest in working on "privacy by
design" and making their work compliant. This lack of concern and future
work by the systemd project may interfere with distributions' efforts to
make their distributions compliant.
As such, this work upstream and future work by upstream may interfere
with any compliance efforts by Ubuntu to ensure compliance with the GDPR
as systemd cannot be relied upon as "compliant out of the box" software.
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Tags: compliance gdpr legal
** Description changed:
The systemd project is experimenting and working with various ideas that
have privacy ramifications. This includes the work in systemd-resolved
and systemd-timesyncd that creates a possibility for disclosure of
personal information to Google or similar providers through default code
paths. The data remitted such as client IP addresses, subdomains
containing usernames or unique IDs, banking domains and similar data may
be considered personal data under the GDPR and other EU law.
These components are currently in a state where it is legally dubious
whether they comply or can be made to comply. In particular, systemd's
default configuration unless otherwise configured and compiled discloses
personal information to Google without consent or methods to withdraw
- consent. This design overall is considered flawed by the GDPR.
+ consent and without plain-language privacy policy. This design overall
+ is considered flawed by the GDPR.
I had reported this concern upstream as it impacts all distributions,
but the systemd project has shown disinterest in working on "privacy by
design" and making their work compliant. This lack of concern and future
work by the systemd project may interfere with distributions' efforts to
make their distributions compliant.
- As such, this work upstream may interfere with any compliance efforts by
- Ubuntu to ensure compliance with the GDPR as systemd cannot be relied
- upon as "compliant out of the box" software.
+ As such, this work upstream and future work by upstream may interfere
+ with any compliance efforts by Ubuntu to ensure compliance with the GDPR
+ as systemd cannot be relied upon as "compliant out of the box" software.
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1779956
Title:
GDPR Compliance
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1779956/+subscriptions
--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
