On Sat, Mar 7, 2020 at 1:14 AM Martin Flöser <[email protected]> wrote: > > Am 2020-03-06 08:20, schrieb Nicolás Alvarez: > > Apple can give its million appstore apps access to Google calendar > > data, and Mozilla can let addons access email data, but we can't? What > > do they do differently? > > The only thing they do differently is that they have a permission system > in place. Doesn't apply for Thunderbird of course which means we should > look at their privacy policy. Though we should never ask Google "Why is > Thunderbird allowed?" as we don't want that Thunderbird gets access > revoked. > > > > > Also, Linux desktop systems are usually not sandboxed. If we didn't > > have Akonadi, and KOrganizer/KMail/etc used their own databases to > > store data without intending to share them with other apps, other apps > > could *still* access the data via the filesystem. Mozilla Thunderbird > > is approved by Google, and KWin theoretically *could* access my email > > because it can read ~/.mozilla. Sure, in practice it doesn't; but in > > practice it also doesn't access Akonadi. > > Maybe we are just too open about what Akonadi can do in the privacy > policy. Which I think is a good thing. On the other hand I'm sure that > Mozilla doesn't state that any app could read the storage. Perhaps we > need to sell Akonadi differently.
>From my reading of their objections, I concur that the problem is mostly centered around how we are describing what is happening to them. Their principal concern from my understanding is making sure that information which they are allowing applications to access is not being transferred elsewhere and that applications are taking appropriate measures to only retrieve the information needed to do what the user has asked them to do. Based upon what I read of the "PIM Privacy Policy" (which for some reason has been started separately to https://kde.org/privacypolicy-apps.php which is where this actually belongs) it isn't clear what we are actually doing here and the mention of third party services definitely looks out of place. In this case I would suggest removing all references to third party privacy policies - as those are out of scope for our policy. The user has asked us / our software to interact with that service, so anything that happens with that information after we send it is no longer our concern - it is an issue between the user and that third party service. Our policy should only concern itself with what our software does with information it is handling. The search indexing and caching should still be mentioned (as that is what we are doing with the data on the users device), although I don't think we need to include reference to Akonadi in there, as that is a name for a technology framework and not supposed to be user facing. > > Cheers > Martin Cheers, Ben
