Re: [kde-community] user stats for Neon
On Thursday 14 April 2016 16:18:30 Thomas Pfeiffer wrote:
> On Thursday, 14. April 2016 15:26:10 CEST Mirko Boehm - KDE wrote:
> > > On 14 Apr 2016, at 15:16, Jonathan Riddell wrote:
> > > relative metric of numbers of installs not absolute numbers. So
> > > I added a machine-id to the URL it checks which is the unique
> > > value set at install time by systemd (/etc/machine-id) so now it
> > > has a good idea of being able to count the number of installs.
> > >
> > > But KDE cares about privacy and it's in our Vision and I don't
> > > want to be accused of violating that. But currently I can't see
> > > how this can violate users privacy any more than an IP address

Storing IP addresses is controversial. Some people consider it personal information. That's why Google Analytics has a setting to set the last number of the IP addresses to 0.

> > > can so I'm curious to hear what arguments might come up against
> > > this.
> >
> > I believe that as long as we are transparent about it, this should
> > be fine. Maybe, just maybe, there could be a way to turn it off for
> > very privacy-sensitive users.
>
> Any potentially privacy-sensitive information transfer should be
> opt-in, not opt-out.
> I'd assume that the vast majority of users will allow it (given that
> it's not personally identifiable and they trust their distro), but
> opt-in puts you on the safe side.

IMO it must be opt-in. One of my main reasons for using Free Software is my (probably naïve) hope that Free Software does not phone home at all. At least not, unless I have explicitly allowed it to do so.

Regards,
Ingo

___
kde-community mailing list
kde-community@kde.org
https://mail.kde.org/mailman/listinfo/kde-community
Re: [kde-community] user stats for Neon
On 14 April 2016 at 19:04, Kevin Krammer wrote:
> On Thursday, 2016-04-14, 14:36:21, Jonathan Riddell wrote:
> > On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > > Any potentially privacy-sensitive information transfer should be opt-in,
> > > not opt-out.
> > > I'd assume that the vast majority of users will allow it (given that it's
> > > not personally identifiable and they trust their distro), but opt-in puts
> > > you on the safe side.
> >
> > What's privacy sensitive about it? It's a machine ID but not linked
> > to any other information other than IP address and there's no personal
> > information we can link it to.
>
> I am with Thomas.
>
> While individually pieces of information aren't personal, they can be in
> combination.
>
> In this case the combination of a unique machine ID and IP address together
> with geolocation would allow us to track movement of machines.
>
> Movement profiles can often quite easily be used to identify the moving
> person.
>
> There was a huge scandal in the US a couple of years back in which a telecom
> company released fully anonymized (random unique IDs) mobile phone location
> tracks.
> Researchers who correlated positions with addresses were able to identify more
> than 80% of the telco customers with pretty good accuracy only shortly after.

Sure. But I think Jonathan only mentioned _access_ to the IP data as needed for an Internet service, not logging it for any purpose. In user stats only particular aspects are important, uniqueness is very useful to know the users better (to serve them better) but even without that, statistical information is handy too for us, who have to make informed decisions about further developments.

A completely different discussion would start as soon as some kind of (FOSS) app store is involved where users can have their accounts. Stats are paired with them or existing IDs created for different reason, with, say, KDE identity IDs.

There's definitely opt-in needed. At different level, any online capability of our native apps is potential means for tracking if users don't trust us that we're not logging IP numbers. Yet, the apps are typically downloaded and updated somehow via TCP/IP. At this level the access alone is an opt-in and manifestation of trust.

Jonathan also said about machine ID because the software is maintained at system (machine-like) level. With container technologies such as Ubuntu Snaps (which I'd like to see working well with KDE software) it's possible to switch from a system to a user-account level. Yet, if the snap packages can be migrated with the account between machines, the connection between the user-identity and the machine/system becomes more blurry. In an interesting way for me this resonates with the ideas of form-factor-independence formulated within KDE.

> --
> Kevin Krammer, KDE developer, xdg-utils developer
> KDE user support, developer mentoring

--
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek
Re: [kde-community] user stats for Neon
On Thursday, 2016-04-14, 14:36:21, Jonathan Riddell wrote:
> On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > Any potentially privacy-sensitive information transfer should be opt-in,
> > not opt-out.
> > I'd assume that the vast majority of users will allow it (given that it's
> > not personally identifiable and they trust their distro), but opt-in puts
> > you on the safe side.
>
> What's privacy sensitive about it? It's a machine ID but not linked
> to any other information other than IP address and there's no personal
> information we can link it to.

I am with Thomas.

While individually pieces of information aren't personal, they can be in combination.

In this case the combination of a unique machine ID and IP address together with geolocation would allow us to track movement of machines.

Movement profiles can often quite easily be used to identify the moving person.

There was a huge scandal in the US a couple of years back in which a telecom company released fully anonymized (random unique IDs) mobile phone location tracks.
Researchers who correlated positions with addresses were able to identify more than 80% of the telco customers with pretty good accuracy only shortly after.

Cheers,
Kevin
--
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring
Re: [kde-community] user stats for Neon
On 14 April 2016 at 17:30, Thomas Pfeiffer wrote:
> On Thursday, 14. April 2016 14:36:21 CEST Jonathan Riddell wrote:
> > On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > > Any potentially privacy-sensitive information transfer should be opt-in,
> > > not opt-out.
> > > I'd assume that the vast majority of users will allow it (given that it's
> > > not personally identifiable and they trust their distro), but opt-in puts
> > > you on the safe side.
> >
> > What's privacy sensitive about it? It's a machine ID but not linked
> > to any other information other than IP address and there's no personal
> > information we can link it to.
>
> It's still a unique identifier which can be used to track the machine. We might
> then combine it with others who also only collect the machine ID to create a
> profile.
> People can be very sensitive about these topics, especially since we've made
> privacy-aware users our main target audience.
>
> As I said: the vast majority would give us their consent anyway, but it just
> comes across as "nicer" if we ask.
>
> Martin's suggestion with "Make it explicit on the download page that we
> collect these data, and allow users to switch it off in privacy settings if
> they don't like us to do it" works as well, but then users would need to have
> a chance to turn it off /before/ the ID is sent the first time.

Sure. All depends how large is the population of our user base that is _this_ sensitive. Or not our but for specific project (Neon, {someappname}, {someservice})

Without any negative assumptions: As a software author I don't know many people in person who refuse to use browsers, refuse using e-shops and refuse visiting traditional shops that use video recording, using GSM/etc. I only heard about the stories with RMS and his secretary (I suppose he/she is tracked via browser instead of him -- even without cookies, tracking is possible).

After thinking about that long ago; it's not even clear _who_ and at _what level_ someone makes the decision about defaults of privacy. Because the chain looks like:
1. Organization sets defaults for the org
2. Authors of the code in a subproject set the default for the code
3. Distributor decides about defaults set in the binaries

One idea: KDE's tradition is integration of experience; how about a single "Do not track" setting for apps (not just for the Plasma) like it's the case for browsers? Questions about level of privacy could appear on the first run of Plasma or first run of a KF5 app for given $HOME. It may be that distributors that are very afraid of privacy, think Debian, may use the feature; others may easily disable it.

--
regards, Jaroslaw Staniek
Re: [kde-community] user stats for Neon
On Thursday, 14. April 2016 14:36:21 CEST Jonathan Riddell wrote:
> On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > Any potentially privacy-sensitive information transfer should be opt-in,
> > not opt-out.
> > I'd assume that the vast majority of users will allow it (given that it's
> > not personally identifiable and they trust their distro), but opt-in puts
> > you on the safe side.
>
> What's privacy sensitive about it? It's a machine ID but not linked
> to any other information other than IP address and there's no personal
> information we can link it to.

It's still a unique identifier which can be used to track the machine. We might then combine it with others who also only collect the machine ID to create a profile.
People can be very sensitive about these topics, especially since we've made privacy-aware users our main target audience.

As I said: the vast majority would give us their consent anyway, but it just comes across as "nicer" if we ask.

Martin's suggestion with "Make it explicit on the download page that we collect these data, and allow users to switch it off in privacy settings if they don't like us to do it" works as well, but then users would need to have a chance to turn it off /before/ the ID is sent the first time.
Re: [kde-community] user stats for Neon
On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> Any potentially privacy-sensitive information transfer should be opt-in, not
> opt-out.
> I'd assume that the vast majority of users will allow it (given that it's not
> personally identifiable and they trust their distro), but opt-in puts you on
> the safe side.

What's privacy sensitive about it? It's a machine ID but not linked to any other information other than IP address and there's no personal information we can link it to.

Jonathan
Re: [kde-community] user stats for Neon
On Thursday, April 14, 2016 2:16:03 PM CEST Jonathan Riddell wrote:
> A while ago Albert gave a talk at Akademy about collecting some data
> on our users. This got me thinking and with Neon I wanted to see how
> many installs we had. Our package install software will check for new
> versions being available and I could count the IPs of this check but
> that's very unreliable. Canonical counts IPs from the NTP ping at
> boot up but of course it's only useful at best as a relative metric of
> numbers of installs not absolute numbers. So I added a machine-id to
> the URL it checks which is the unique value set at install time by
> systemd (/etc/machine-id) so now it has a good idea of being able to
> count the number of installs.
>
> But KDE cares about privacy and it's in our Vision and I don't want to
> be accused of violating that. But currently I can't see how this can
> violate users privacy any more than an IP address can so I'm curious
> to hear what arguments might come up against this.

I think the very minimum is to inform the user about. That can also be on the download page where one downloads the iso. If the user knows about it and doesn't like it, he can just decide to not install, leave an angry message in forums and we get then also feedback :-P

Joke aside: I wanted to have a "privacy center" integrated in systemsettings for quite some time [1]. That's a thing which could go there.

Cheers
Martin

[1] We have the awesome location service which we don't properly use as we need users to acknowledge the privacy bits.
Re: [kde-community] user stats for Neon
Hi!

> On 14 Apr 2016, at 15:16, Jonathan Riddell wrote:
>
> A while ago Albert gave a talk at Akademy about collecting some data
> on our users. This got me thinking and with Neon I wanted to see how
> many installs we had. Our package install software will check for new
> versions being available and I could count the IPs of this check but
> that's very unreliable. Canonical counts IPs from the NTP ping at
> boot up but of course it's only useful at best as a relative metric of
> numbers of installs not absolute numbers. So I added a machine-id to
> the URL it checks which is the unique value set at install time by
> systemd (/etc/machine-id) so now it has a good idea of being able to
> count the number of installs.
>
> But KDE cares about privacy and it's in our Vision and I don't want to
> be accused of violating that. But currently I can't see how this can
> violate users privacy any more than an IP address can so I'm curious
> to hear what arguments might come up against this.

I believe that as long as we are transparent about it, this should be fine. Maybe, just maybe, there could be a way to turn it off for very privacy-sensitive users.

Cheers,

Mirko.
--
Mirko Boehm | mi...@kde.org | KDE e.V.
FSFE Fellow, FSFE Team Germany
Qt Certified Specialist
Request a meeting: https://doodle.com/mirkoboehm
Re: [kde-community] user stats for Neon
On 14 April 2016 at 15:16, Jonathan Riddell wrote:
> A while ago Albert gave a talk at Akademy about collecting some data
> on our users. This got me thinking and with Neon I wanted to see how
> many installs we had. Our package install software will check for new
> versions being available and I could count the IPs of this check but
> that's very unreliable. Canonical counts IPs from the NTP ping at
> boot up but of course it's only useful at best as a relative metric of
> numbers of installs not absolute numbers. So I added a machine-id to
> the URL it checks which is the unique value set at install time by
> systemd (/etc/machine-id) so now it has a good idea of being able to
> count the number of installs.
>
> But KDE cares about privacy and it's in our Vision and I don't want to
> be accused of violating that. But currently I can't see how this can
> violate users privacy any more than an IP address can so I'm curious
> to hear what arguments might come up against this.

++1 for any such stats to serve users better. They do understand the concept as it's used widely.

If this is interesting for you: What I do in-app (Kexi - https://blogs.kde.org/2013/12/09/usage-stats) when users agree is: generating an UID to track unique uses (including full reinstalls as long as the $HOME dir stays). This helps to avoid dynamic IP problems. I did not find IPs so useful.

> Jonathan

--
regards, Jaroslaw Staniek
[kde-community] user stats for Neon
A while ago Albert gave a talk at Akademy about collecting some data
on our users. This got me thinking and with Neon I wanted to see how
many installs we had. Our package install software will check for new
versions being available and I could count the IPs of this check but
that's very unreliable. Canonical counts IPs from the NTP ping at
boot up but of course it's only useful at best as a relative metric of
numbers of installs not absolute numbers. So I added a machine-id to
the URL it checks which is the unique value set at install time by
systemd (/etc/machine-id) so now it has a good idea of being able to
count the number of installs.

But KDE cares about privacy and it's in our Vision and I don't want to
be accused of violating that. But currently I can't see how this can
violate users privacy any more than an IP address can so I'm curious
to hear what arguments might come up against this.

Jonathan
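
An added illustration of the two technical points argued in this thread (not code from Neon or from any poster): install counts by distinct IP versus distinct machine-id, and the linkage Kevin Krammer describes when one machine-id is seen from several IPs. The log layout, the `id` query parameter, the IDs and the addresses are all constructed for the example.

```python
"""Constructed update-check log: what a per-install ID adds to an access log."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: "<date> <client-ip> <request-url>". The "id"
# parameter stands in for the machine-id appended to the update-check URL;
# its real name and the URL layout are assumptions, not taken from Neon.
SAMPLE_LOG = """\
2016-04-11 192.0.2.10 /check?id=aaaa1111
2016-04-11 192.0.2.10 /check?id=bbbb2222
2016-04-12 198.51.100.7 /check?id=aaaa1111
2016-04-12 192.0.2.10 /check?id=bbbb2222
2016-04-13 203.0.113.5 /check?id=aaaa1111
2016-04-13 203.0.113.99 /check?id=cccc3333
"""


def parse(log):
    """Yield (date, ip, machine_id) for each well-formed line with an id."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        date, ip, url = parts
        ids = parse_qs(urlsplit(url).query).get("id")
        if ids:
            yield date, ip, ids[0]


def install_counts(log):
    """Return (distinct IPs, distinct machine-ids) seen in the log."""
    rows = list(parse(log))
    return len({ip for _, ip, _ in rows}), len({mid for _, _, mid in rows})


def movement_profiles(log):
    """Map each machine-id seen from more than one IP to its dated IP trail."""
    trail = defaultdict(list)
    for date, ip, mid in parse(log):
        trail[mid].append((date, ip))
    return {mid: hops for mid, hops in trail.items()
            if len({ip for _, ip in hops}) > 1}


def truncate_ipv4(ip):
    """Zero the last octet, the Google Analytics setting mentioned in the thread."""
    return ".".join(ip.split(".")[:3] + ["0"])


if __name__ == "__main__":
    print("distinct IPs, distinct IDs:", install_counts(SAMPLE_LOG))
    for mid, hops in movement_profiles(SAMPLE_LOG).items():
        print(mid, [(d, truncate_ipv4(ip)) for d, ip in hops])
```

In this constructed log two installs share one address and one install appears from three, so the IP count (4) and the ID count (3) disagree. The stable ID is what ties the three addresses into one trail, and zeroing the last octet still leaves three distinct networks for it.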