Re: [kde-community] user stats for Neon

2016-04-14 Thread Ingo Klöcker
On Thursday 14 April 2016 16:18:30 Thomas Pfeiffer wrote:
> On Donnerstag, 14. April 2016 15:26:10 CEST Mirko Boehm - KDE wrote:
> > > On 14 Apr 2016, at 15:16, Jonathan Riddell 
> > > wrote:
> > > relative metric of numbers of installs not absolute numbers.  So
> > > I added a machine-id to the URL it checks which is the unique
> > > value set at install time by systemd (/etc/machine-id) so now it
> > > has a good idea of being able to count the number of installs.
> > > 
> > > But KDE cares about privacy and it's in our Vision and I don't
> > > want to be accused of violating that.  But currently I can't see
> > > how this can violate users privacy any more than an IP address

Storing IP addresses is controversial. Some people consider it personal 
information. That's why Google Analytics has a setting to set the last 
number of the IP addresses to 0.


> > > can so I'm curious to hear what arguments might come up against
> > > this.
> > 
> > I believe that as long as we are transparent about it, this should
> > be fine. Maybe, just maybe, there could be a way to turn it off for
> > very privacy-sensitive users.
> 
> Any potentially privacy-sensitive information transfer should be
> opt-in, not opt-out.
> I'd assume that the vast majority of users will allow it (given that
> it's not personally identifiable and they trust their distro), but
> opt-in puts you on the safe side.

IMO it must be opt-in. One of my main reasons for using Free Software is 
my (probably naïve) hope that Free Software does not phone home at all. 
At least not, unless I have explicitly allowed it to do so.


Regards,
Ingo


___
kde-community mailing list
kde-community@kde.org
https://mail.kde.org/mailman/listinfo/kde-community

Re: [kde-community] user stats for Neon

2016-04-14 Thread Jaroslaw Staniek
On 14 April 2016 at 19:04, Kevin Krammer  wrote:

> On Thursday, 2016-04-14, 14:36:21, Jonathan Riddell wrote:
> > On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > > Any potentially privacy-sensitive information transfer should be opt-in,
> > > not opt-out.
> > > I'd assume that the vast majority of users will allow it (given that it's
> > > not personally identifiable and they trust their distro), but opt-in puts
> > > you on the safe side.
> >
> > What's privacy sensitive about it?  It's a machine ID but not linked
> > to any other information other than IP address and there's no personal
> > information we can link it to.
>
> I am with Thomas.
>
> While individually pieces of information aren't personal, they can be in
> combination.
>
> In this case the combination of a unique machine ID and IP address together
> with geolocation would allow us to track movement of machines.
>
> Movement profiles can often quite easily be used to identify the moving
> person.
>
> There was a huge scandal in the US a couple of years back in which a telecom
> company released fully anonymized (random unique IDs) mobile phone location
> tracks.
> Researchers who correlated positions with addresses were able to identify more
> than 80% of the telco customers with pretty good accuracy only shortly after.
>
>
Sure. But I think Jonathan only mentioned _access_ to the IP data as
needed for an Internet service, not logging it for any purpose.

In user stats only particular aspects are important, uniqueness is very
useful to know the users better (to serve them better) but even without
that, statistical information is handy too for us, who have to make
informed decisions about further developments.

A completely different discussion would start as soon as some kind of
(FOSS) app store is involved where users can have their accounts. Stats are
paired with them or existing IDs created for different reason, with, say,
KDE identity IDs. There's definitely opt-in needed.

At different level, any online capability of our native apps is potential
means for tracking if users don't trust us that we're not logging IP
numbers. Yet, the apps are typically downloaded and updated somehow via
TCP/IP. At this level the access alone is an opt-in and manifestation of
trust.

Jonathan also said about machine ID because the software is maintained at
system (machine-like) level. With container technologies such as Ubuntu
Snaps (which I'd like to see working well with KDE software) it's possible
to switch from a system to a user-account level. Yet, if the snap packages
can be migrated with the account between machines, the connection between
the user-identity and the machine/system becomes more blurry.
In an interesting way for me this resonates with the ideas of
form-factor-independence formulated within KDE.



> --
> Kevin Krammer, KDE developer, xdg-utils developer
> KDE user support, developer mentoring
>



-- 
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek

Re: [kde-community] user stats for Neon

2016-04-14 Thread Kevin Krammer
On Thursday, 2016-04-14, 14:36:21, Jonathan Riddell wrote:
> On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > Any potentially privacy-sensitive information transfer should be opt-in,
> > not opt-out.
> > I'd assume that the vast majority of users will allow it (given that it's
> > not personally identifiable and they trust their distro), but opt-in puts
> > you on the safe side.
> 
> What's privacy sensitive about it?  It's a machine ID but not linked
> to any other information other than IP address and there's no personal
> information we can link it to.

I am with Thomas.

While individually pieces of information aren't personal, they can be in 
combination.

In this case the combination of a unique machine ID and IP address together 
with geolocation would allow us to track movement of machines.

Movement profiles can often quite easily be used to identify the moving person.

There was a huge scandal in the US a couple of years back in which a telecom 
company released fully anonymized (random unique IDs) mobile phone location 
tracks.
Researchers who correlated positions with addresses were able to identify more 
than 80% of the telco customers with pretty good accuracy only shortly after.

Cheers,
Kevin

-- 
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring



Re: [kde-community] user stats for Neon

2016-04-14 Thread Jaroslaw Staniek
On 14 April 2016 at 17:30, Thomas Pfeiffer  wrote:

> On Donnerstag, 14. April 2016 14:36:21 CEST Jonathan Riddell wrote:
> > On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > > Any potentially privacy-sensitive information transfer should be opt-in,
> > > not opt-out.
> > > I'd assume that the vast majority of users will allow it (given that it's
> > > not personally identifiable and they trust their distro), but opt-in puts
> > > you on the safe side.
> >
> > What's privacy sensitive about it?  It's a machine ID but not linked
> > to any other information other than IP address and there's no personal
> > information we can link it to.
>
> It's still a unique identifier which can be used to track the machine. We might
> then combine it with others who also only collect the machine ID to create a
> profile.
> People can be very sensitive about these topics, especially since we've made
> privacy-aware users our main target audience.
>
> As I said: the vast majority would give us their consent anyway, but it just
> comes across as "nicer" if we ask.
>
> Martin's suggestion with "Make it explicit on the download page that we
> collect these data, and allow users to switch it off in privacy settings if
> they don't like us to do it" works as well, but then users would need to have
> a chance to turn it off /before/ the ID is sent the first time.
>

Sure. All depends how large is the population of our user base that is
_this_ sensitive.
Or not our but for specific project (Neon, {someappname}, {someservice})

Without any negative assumptions: As a software author I don't know many
people in person who refuse to use browsers, refuse using e-shops and
refuse visiting traditional shops that use video recording, using GSM/etc.
I only heard about the stories with RMS and his secretary (I suppose he/she
is tracked via browser instead of him -- even without cookies, tracking is
possible).

After thinking about that long ago; it's not even clear _who_ and at _what
level_ someone makes the decision about defaults of privacy. Because the
chain looks like:

1. Organization sets defaults for the org
2. Authors of the code in a subproject set the default for the code
3. Distributor decides about defaults set in the binaries

One idea: KDE's tradition is integration of experience; how about a single
"Do not track" setting for apps (not just for the Plasma) like it's the
case for browsers? Questions about level of privacy could appear on the
first run of Plasma or first run of a KF5 app for given $HOME. It may be
that distributors that are very afraid of privacy, think Debian, may use
the feature; others may easily disable it.





-- 
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek

Re: [kde-community] user stats for Neon

2016-04-14 Thread Thomas Pfeiffer
On Donnerstag, 14. April 2016 14:36:21 CEST Jonathan Riddell wrote:
> On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> > Any potentially privacy-sensitive information transfer should be opt-in,
> > not opt-out.
> > I'd assume that the vast majority of users will allow it (given that it's
> > not personally identifiable and they trust their distro), but opt-in puts
> > you on the safe side.
> 
> What's privacy sensitive about it?  It's a machine ID but not linked
> to any other information other than IP address and there's no personal
> information we can link it to.

It's still a unique identifier which can be used to track the machine. We might 
then combine it with others who also only collect the machine ID to create a 
profile.
People can be very sensitive about these topics, especially since we've made 
privacy-aware users our main target audience.

As I said: the vast majority would give us their consent anyway, but it just 
comes across as "nicer" if we ask.

Martin's suggestion with "Make it explicit on the download page that we 
collect these data, and allow users to switch it off in privacy settings if 
they don't like us to do it" works as well, but then users would need to have 
a chance to turn it off /before/ the ID is sent the first time.

Re: [kde-community] user stats for Neon

2016-04-14 Thread Jonathan Riddell
On Thu, Apr 14, 2016 at 04:18:30PM +0200, Thomas Pfeiffer wrote:
> Any potentially privacy-sensitive information transfer should be opt-in, not 
> opt-out.
> I'd assume that the vast majority of users will allow it (given that it's not 
> personally identifiable and they trust their distro), but opt-in puts you on 
> the safe side.

What's privacy sensitive about it?  It's a machine ID but not linked
to any other information other than IP address and there's no personal
information we can link it to.

Jonathan

Re: [kde-community] user stats for Neon

2016-04-14 Thread Martin Graesslin
On Thursday, April 14, 2016 2:16:03 PM CEST Jonathan Riddell wrote:
> A while ago Albert gave a talk at Akademy about collecting some data
> on our users.  This got me thinking and with Neon I wanted to see how
> many installs we had.  Our package install software will check for new
> versions being available and I could count the IPs of this check but
> that's very unreliable.  Canonical counts IPs from the NTP ping at
> boot up but of course it's only useful at best as a relative metric of
> numbers of installs not absolute numbers.  So I added a machine-id to
> the URL it checks which is the unique value set at install time by
> systemd (/etc/machine-id) so now it has a good idea of being able to
> count the number of installs.
> 
> But KDE cares about privacy and it's in our Vision and I don't want to
> be accused of violating that.  But currently I can't see how this can
> violate users privacy any more than an IP address can so I'm curious
> to hear what arguments might come up against this.

I think the very minimum is to inform the user about it. That can also be on the 
download page where one downloads the iso. If the user knows about it and 
doesn't like it, he can just decide to not install, leave an angry message in 
forums and we get then also feedback :-P

Joke aside: I wanted to have a "privacy center" integrated in systemsettings 
for quite some time [1]. That's a thing which could go there.

Cheers
Martin

[1] We have the awesome location service which we don't properly use as we 
need users to acknowledge the privacy bits.



Re: [kde-community] user stats for Neon

2016-04-14 Thread Mirko Boehm - KDE
Hi!

> On 14 Apr 2016, at 15:16, Jonathan Riddell  wrote:
> 
> A while ago Albert gave a talk at Akademy about collecting some data
> on our users.  This got me thinking and with Neon I wanted to see how
> many installs we had.  Our package install software will check for new
> versions being available and I could count the IPs of this check but
> that's very unreliable.  Canonical counts IPs from the NTP ping at
> boot up but of course it's only useful at best as a relative metric of
> numbers of installs not absolute numbers.  So I added a machine-id to
> the URL it checks which is the unique value set at install time by
> systemd (/etc/machine-id) so now it has a good idea of being able to
> count the number of installs.
> 
> But KDE cares about privacy and it's in our Vision and I don't want to
> be accused of violating that.  But currently I can't see how this can
> violate users privacy any more than an IP address can so I'm curious
> to hear what arguments might come up against this.

I believe that as long as we are transparent about it, this should be fine. 
Maybe, just maybe, there could be a way to turn it off for very 
privacy-sensitive users.

Cheers, 

Mirko.
-- 
Mirko Boehm | mi...@kde.org | KDE e.V.
FSFE Fellow, FSFE Team Germany
Qt Certified Specialist
Request a meeting: https://doodle.com/mirkoboehm




Re: [kde-community] user stats for Neon

2016-04-14 Thread Jaroslaw Staniek
On 14 April 2016 at 15:16, Jonathan Riddell  wrote:
> A while ago Albert gave a talk at Akademy about collecting some data
> on our users.  This got me thinking and with Neon I wanted to see how
> many installs we had.  Our package install software will check for new
> versions being available and I could count the IPs of this check but
> that's very unreliable.  Canonical counts IPs from the NTP ping at
> boot up but of course it's only useful at best as a relative metric of
> numbers of installs not absolute numbers.  So I added a machine-id to
> the URL it checks which is the unique value set at install time by
> systemd (/etc/machine-id) so now it has a good idea of being able to
> count the number of installs.
>
> But KDE cares about privacy and it's in our Vision and I don't want to
> be accused of violating that.  But currently I can't see how this can
> violate users privacy any more than an IP address can so I'm curious
> to hear what arguments might come up against this.

++1 for any such stats to serve users better. They do understand the
concept as it's used widely.

If this is interesting for you:
What I do in-app (Kexi - https://blogs.kde.org/2013/12/09/usage-stats)
when users agree is: generating an UID to track unique uses (including
full reinstalls as long as the $HOME dir stays).
This helps to avoid dynamic IP problems. I did not find IPs so useful.


> Jonathan



-- 
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek

[kde-community] user stats for Neon

2016-04-14 Thread Jonathan Riddell
A while ago Albert gave a talk at Akademy about collecting some data
on our users.  This got me thinking and with Neon I wanted to see how
many installs we had.  Our package install software will check for new
versions being available and I could count the IPs of this check but
that's very unreliable.  Canonical counts IPs from the NTP ping at
boot up but of course it's only useful at best as a relative metric of
numbers of installs not absolute numbers.  So I added a machine-id to
the URL it checks which is the unique value set at install time by
systemd (/etc/machine-id) so now it has a good idea of being able to
count the number of installs.

But KDE cares about privacy and it's in our Vision and I don't want to
be accused of violating that.  But currently I can't see how this can
violate users privacy any more than an IP address can so I'm curious
to hear what arguments might come up against this.

Jonathan
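
An added example, not part of any message in this thread and not Neon's code: one way to count installs while addressing the concerns raised in the replies (the raw /etc/machine-id in the URL, other collectors of the same ID, sending before the user agreed, tracking a machine over time). It follows the keyed-hash advice in systemd's machine-id(5); the application key, the `send_install_id` setting, the URL and the monthly period are assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Hypothetical, fixed application key: any constant unique to this one service.
APP_KEY = b"example.org/neon-install-count/v1"

_MACHINE_ID_RE = re.compile(r"[0-9a-f]{32}")


def derive_install_id(machine_id: str, period: str, app_key: bytes = APP_KEY) -> str:
    """Return a per-application, per-period pseudonym for this install.

    HMAC-SHA256 is keyed with the machine ID, so the server cannot recover
    /etc/machine-id from the value or match it against IDs derived with a
    different key by other services. Mixing in the period (e.g. "2016-04")
    keeps counts unique within a month but unlinkable across months.
    """
    machine_id = machine_id.strip().lower()
    if not _MACHINE_ID_RE.fullmatch(machine_id):
        raise ValueError("machine ID must be 32 hex characters")
    msg = app_key + b"\x00" + period.encode("ascii")
    digest = hmac.new(bytes.fromhex(machine_id), msg, hashlib.sha256)
    return digest.hexdigest()[:32]


def consent_given(settings_text: str) -> bool:
    """Opt-in: only an explicit 'send_install_id=true' line enables sending."""
    for line in settings_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "send_install_id":
            return value.strip().lower() == "true"
    return False  # a missing setting means no consent


def update_check_url(base_url: str, machine_id: str, period: str,
                     settings_text: str) -> str:
    """Build the update-check URL; the ID is attached only after opt-in."""
    if not consent_given(settings_text):
        return base_url
    query = urlencode({"id": derive_install_id(machine_id, period)})
    return base_url + "?" + query


if __name__ == "__main__":
    sample_id = "0123456789abcdef0123456789abcdef"  # constructed, not a real ID
    base = "https://updates.example.org/check"      # placeholder URL
    print(update_check_url(base, sample_id, "2016-04", ""))
    print(update_check_url(base, sample_id, "2016-04", "send_install_id=true"))
```

The server can still count distinct `id` values per month; it never sees the machine ID itself.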