Re: Help with KDE PIM and Google Privacy Policies needed
On Friday, 6 March 2020 07:40:49 CET Martin Flöser wrote:
> And reading the screenshot I think that's the problem. We state in our
> privacy policy about 3rd party plugins and Akonadi. Especially Akonadi
> is a "transfer of data to others" and that allows all applications to
> access the data. If KWin accesses the data it would be in violation of
> the additional requirements of the requested scope.

I'd take it one step further: What we call third party (a non KDE app) is not what lawyers would call third party (which is a legal third party, i.e. not the user). KWin is not a third party, as it's controlled entirely by the user and runs on his/her computer. Even if it would access the data, it would merely be a different tool that the user can install/use to manipulate her own data.

In other words, I'd simply get rid of the following paragraph. It's an implementation detail (i.e. an internal name of a component/project) that has no place in a privacy policy and doesn't change the fact that we don't do anything with the user data:

- Some user's personal information and data obtained from third party services are cached locally by a background service called Akonadi, which is part of Kontact. It is possible for any locally running software to interact with Akonadi and thus access, modify or delete any data stored there. The data are factically stored in a local database controlled by Akonadi. They may also be indexed for full-text search by Akonadi Indexing Agent.

If we really wanted to, we could explicitly include some reference to the indexing that we do, but with clear indications that all of the indexing happens locally and that data never leaves the user machine. I am convinced that this too is an implementation detail and has no implication whatsoever on privacy.

Maybe I'd add a sentence clarifying that all of the data stays on the user machine and only there, and that we have no access whatsoever to it. It's unfortunately not always obvious to everyone nowadays.

Riccardo

--
Pace Peace Paix Paz Frieden Pax Pokój Friður Fred Béke 和平 Hasiti Lapé Hetep Malu Mир Wolakota Santiphap Irini Peoch שלום Shanti Vrede Baris Rój Mír Taika Rongo Sulh Mir Py'guapy 평화
Re: Help with KDE PIM and Google Privacy Policies needed
On Sunday, 22 March 2020 15:28:55 CET Alexander Potashev wrote:
> For now there may be various cases where the user stays unaware about
> how our software handles their data. Consider this scenario for
> example:
> 1. A user installs KMail and e.g. an E-mail notifier Plasma widget on
> the same machine,
> 2. The user runs KMail and grants access to their Gmail account,
> expecting that it will only be used by KMail,
> 3. The user enables the E-mail notifier widget. The widget will just
> work without asking the user for permission to access their data from
> Gmail account. This conflicts with Google’s API Services User Data
> Policy.

Quite frankly, that's exactly what I expect from an integrated desktop.

I have the impression that Google’s API Services User Data Policy makes assumptions that are true on Android, but that fail completely on any desktop computer where any application can access the data of any other application running in the same user account.

> In our https://community.kde.org/KDE_PIM/Privacy_Policy, the red flag
> is clearly "It is possible for any locally running software to
> interact with Akonadi and thus access, modify or delete any data
> stored there."

Simply drop "interact with Akonadi and thus" from this policy and you get the reality on desktop computer systems. Akonadi isn't needed. The data files can be accessed, modified and deleted by any application without the help of Akonadi. BTW, the same is true for Thunderbird's data. And for Google Chrome's data. And the data for any other application running in user space. (Probably unless SELinux or AppArmor is enforced in user space.) The same is also true on Windows and macOS.

IOW, I don't see a problem that can be solved technically (without reinventing data handling on desktop systems). It's purely a policy issue. So, let's simply delete the above "red flag" from our policy. Why mention something which is obvious for any application storing data locally on a desktop computer.

> Here are two approaches that in my opinion would (at least partially)
> resolve the issue:
>
> [Approach #1]. Have all Akonadi clients create and use their own
> Google API app IDs/keys. Isolate cached data in Akonadi per app, so
> that e.g. an E-mail notifier widget cannot reach through Akonadi API
> to access the data downloaded specially for Kmail. It will need to ask
> Akonadi IMAP resource to request the same emails again.
> This implies huge data duplication in Akonadi in some cases, however
> it can probably be deduplicated inside Akonadi to save storage space.

The whole point of Akonadi is to have a central hub for all PIM data to avoid unnecessary duplication.

Regards,
Ingo
Re: Help with KDE PIM and Google Privacy Policies needed
Fri, 6 Mar 2020 at 08:21, Nicolás Alvarez:
>
> On Fri, 6 Mar 2020 at 03:41, Martin Flöser
> (mgraess...@kde.org) wrote:
> > Reading [0] I see "Your use of data obtained via the Restricted Scopes
> > must comply with these requirements:" ... "Only transfer the data to
> > others if necessary to provide or improve user-facing features that are
> > prominent in the requesting application's user interface"
> >
> > And reading the screenshot I think that's the problem. We state in our
> > privacy policy about 3rd party plugins and Akonadi. Especially Akonadi
> > is a "transfer of data to others" and that allows all applications to
> > access the data. If KWin accesses the data it would be in violation of
> > the additional requirements of the requested scope.
>
> If I add my Google account to KDE PIM, it will sync my email and
> calendar events with Akonadi. Third-party apps can then access my
> email and calendar events via Akonadi.

Hi,

Thanks for the constructive discussion!

I'm not an expert, and I only judged by the info from this email thread and from the linked documents, but tend to agree with Martin. We should clearly communicate the intent to the end user before accessing their data.

For now there may be various cases where the user stays unaware about how our software handles their data. Consider this scenario for example:
1. A user installs KMail and e.g. an E-mail notifier Plasma widget on the same machine,
2. The user runs KMail and grants access to their Gmail account, expecting that it will only be used by KMail,
3. The user enables the E-mail notifier widget. The widget will just work without asking the user for permission to access their data from Gmail account. This conflicts with Google’s API Services User Data Policy.

In our https://community.kde.org/KDE_PIM/Privacy_Policy, the red flag is clearly "It is possible for any locally running software to interact with Akonadi and thus access, modify or delete any data stored there."

Here are two approaches that in my opinion would (at least partially) resolve the issue:

[Approach #1]. Have all Akonadi clients create and use their own Google API app IDs/keys. Isolate cached data in Akonadi per app, so that e.g. an E-mail notifier widget cannot reach through Akonadi API to access the data downloaded specially for Kmail. It will need to ask Akonadi IMAP resource to request the same emails again.
This implies huge data duplication in Akonadi in some cases, however it can probably be deduplicated inside Akonadi to save storage space.

[Approach #2]. Apps still don't need to have their own API keys, just like today. Add metadata to Akonadi resources about which apps are "cleared" for data access by the end user. In this above mentioned scenario:
- When starting KMail, Akonadi IMAP resource will request Gmail API token,
- Akonadi will ask the user again if it's OK to hand their Gmail data over to Kmail,
- When an Email notifier Plasma widget [1] is enabled, it requests access to Gmail from Akonadi. Before this access can be granted, Akonadi asks the user the same question - if it's OK to hand their Gmail data over to Email notifier Plasma widget. If the user says "yes", then it may be OK to reuse the same Gmail API key.

Although this second approach still seems to me like walking on thin ice, I don't find it to be in a direct conflict with Google API Services User Data Policy and its first part [2] specifically.

Not sure which of the approaches would be more desirable nor easiest to implement since I'm not familiar with Akonadi internals. I would suggest that KDEPIM developers first choose an approach, write a design doc, make a new draft of KDEPIM Privacy Policy and submit for additional review before putting effort in implementing any of these changes that might be large-scale.

[1] *(or another software that wants to access the same Gmail account through Akonadi, e.g. Akonadi Indexing Agent)
[2] https://developers.google.com/terms/api-services-user-data-policy#accurately_represent_your_identity_and_intent

Disclaimer: My personal views, thoughts, and opinions expressed in the text above belong solely to me, and not necessarily my employer, organization, committee or other group or individual.

--
Alexander Potashev
Re: Help with KDE PIM and Google Privacy Policies needed
Hi Martin,

On 2020-03-06 at 09:26, Martin Steigerwald wrote:
> Hi,
>
> Martin Flöser - 06.03.20, 13:14:36 CET:
> > On 2020-03-06 08:20, Nicolás Alvarez wrote:
> > > Apple can give its million appstore apps access to Google calendar
> > > data, and Mozilla can let addons access email data, but we can't?
> > > What do they do differently?
> >
> > The only thing they do differently is that they have a permission
> > system in place. Doesn't apply for Thunderbird of course which means
> > we should look at their privacy policy. Though we should never ask
> > Google "Why is Thunderbird allowed?" as we don't want that
> > Thunderbird gets access revoked.
>
> I ask a different question:
>
> Why – at all – rely on a provider who dictates on who gets access to it and who does not? Why – at all – rely on a provider who by doing so creates a walled garden?
>
> This whole thing KDEPIM / KMail not being permitted due to its privacy policy – by a company which collects more data than probably anyone else in the world, except other large companies like Facebook, Microsoft and co probably – seems utterly ridiculous to me.
>
> Sure, by all means, give a good, concise, clear privacy policy for KDEPIM, yet, already as it is I trust KDE + KDEPIM 10% more than Google, Facebook, Microsoft and Co with my data. Cause I have seen KDE project people value privacy *a lot*. That to the extent that I basically stopped writing mails with anything personal to Google mail accounts and accounts of some other very large providers whom I do not trust with privacy.
>
> You don't scan through my mail to find out what advertisement to send my way for example. You do not generate profiles on me by urging webmasters to include your stuff into about every large website out there. You do not do all the nasty things.
>
> Sure, I get it. App developers for Android do all kinds of privacy violations all the time. And Google probably wants to protect users from the worst of that. But if it's data they have about users I feel they practice a different standard. They want to protect data they store from being accessed by others, but, what would be way more important, not from themselves.
>
> KDE for sure is a lot more caring and proactive about privacy and it is one reason I am using Plasma and KDEPIM.
>
> So… I wonder… whether it would make sense for KDE to step up more for those decentralized alternatives that really care about privacy¹.
>
> And yeah, I know KDE, GNOME and a lot of other free software projects and communities benefit a lot from money given by Google – mostly given to Google for advertising. It is totally okay to be grateful for that… but does it mean someone who works for free and in his spare time on KDEPIM has to take care of satisfying Google's requirement for a privacy policy?

No. I think KDEPIM could show a proper explanation if it has an incompatibility. But it is not clear what is the context for the issue discussed in this thread.

[...]

Best,

--
Philippe Cloutier
http://www.philippecloutier.com
Re: Help with KDE PIM and Google Privacy Policies needed
On Sat, Mar 7, 2020 at 1:14 AM Martin Flöser wrote:
>
> On 2020-03-06 08:20, Nicolás Alvarez wrote:
> > Apple can give its million appstore apps access to Google calendar
> > data, and Mozilla can let addons access email data, but we can't? What
> > do they do differently?
>
> The only thing they do differently is that they have a permission system
> in place. Doesn't apply for Thunderbird of course which means we should
> look at their privacy policy. Though we should never ask Google "Why is
> Thunderbird allowed?" as we don't want that Thunderbird gets access
> revoked.
>
> > Also, Linux desktop systems are usually not sandboxed. If we didn't
> > have Akonadi, and KOrganizer/KMail/etc used their own databases to
> > store data without intending to share them with other apps, other apps
> > could *still* access the data via the filesystem. Mozilla Thunderbird
> > is approved by Google, and KWin theoretically *could* access my email
> > because it can read ~/.mozilla. Sure, in practice it doesn't; but in
> > practice it also doesn't access Akonadi.
>
> Maybe we are just too open about what Akonadi can do in the privacy
> policy. Which I think is a good thing. On the other hand I'm sure that
> Mozilla doesn't state that any app could read the storage. Perhaps we
> need to sell Akonadi differently.

From my reading of their objections, I concur that the problem is mostly centered around how we are describing what is happening to them.

Their principal concern from my understanding is making sure that information which they are allowing applications to access is not being transferred elsewhere and that applications are taking appropriate measures to only retrieve the information needed to do what the user has asked them to do.

Based upon what I read of the "PIM Privacy Policy" (which for some reason has been started separately to https://kde.org/privacypolicy-apps.php which is where this actually belongs) it isn't clear what we are actually doing here and the mention of third party services definitely looks out of place.

In this case I would suggest removing all references to third party privacy policies - as those are out of scope for our policy. The user has asked us / our software to interact with that service, so anything that happens with that information after we send it is no longer our concern - it is an issue between the user and that third party service.

Our policy should only concern itself with what our software does with information it is handling. The search indexing and caching should still be mentioned (as that is what we are doing with the data on the user's device), although I don't think we need to include reference to Akonadi in there, as that is a name for a technology framework and not supposed to be user facing.

>
> Cheers
> Martin

Cheers,
Ben
Re: Help with KDE PIM and Google Privacy Policies needed
On Thursday, 5 March 2020 23:20:51 PST Nicolás Alvarez wrote:
> If I add my Google account to KDE PIM, it will sync my email and
> calendar events with Akonadi. Third-party apps can then access my
> email and calendar events via Akonadi.
> If I add my Google account to iPhone, it will sync my calendar events
> with the system calendar database. Third-party apps can then access my
> calendar events via EventKit.
> If I add my Google account to Mozilla Thunderbird, it will sync my
> email with its database. Third-party addons running inside Thunderbird
> can then access email content.
>
> Apple can give its million appstore apps access to Google calendar
> data, and Mozilla can let addons access email data, but we can't? What
> do they do differently?
>
> Also, Linux desktop systems are usually not sandboxed.
[cut]

Given that last, should those third-party plugins be considered third party at all? Those plugins are running in the user's set up, installed and configured by the user, using the same permission domain as Akonadi. Shouldn't therefore they be considered "first party" -- that is, the same party as Akonadi itself?

--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel System Software Products
Re: Help with KDE PIM and Google Privacy Policies needed
Adam Szopa - 06.03.20, 16:23:43 CET:
> On Friday, 6 March 2020 16:11:48 CET Martin Steigerwald wrote:
> > Nicolás Alvarez - 06.03.20, 16:07:09 CET:
> > > > On 6 Mar 2020, at 11:26, Martin Steigerwald wrote:
> > > >
> > > > Hi,
> > > >
> > > > Martin Flöser - 06.03.20, 13:14:36 CET:
> > > >> On 2020-03-06 08:20, Nicolás Alvarez wrote:
> > > >>> Apple can give its million appstore apps access to Google
> > > >>> calendar data, and Mozilla can let addons access email data,
> > > >>> but we can't? What do they do differently?
> > > >>
> > > >> The only thing they do differently is that they have a
> > > >> permission system in place. Doesn't apply for Thunderbird of
> > > >> course which means we should look at their privacy policy.
> > > >> Though we should never ask Google "Why is Thunderbird allowed?"
> > > >> as we don't want that Thunderbird gets access revoked.
> > > >
> > > > I ask a different question:
> > > >
> > > > Why – at all – rely on a provider who dictates on who gets
> > > > access to it and who does not? Why – at all – rely on a
> > > > provider who by doing so creates a walled garden?
> > >
> > > That's something you should go ask the thousands of users
> > > complaining that they can't connect to GMail using KMail. They're
> > > the ones relying on the provider. Go to the bug report and tell
> > > them the solution to their KMail errors is to stop using Google
> > > services. That should go well
> >
> > See?
>
> I think the first step of moving users from a service such as gmail
> into more decentralized services, is to provide them a good tool that
> can support both.
>
> It's already a challenge to convince someone to move from their
> current software to a different one, combine it with the need to
> change their service provider as well and it becomes that much
> harder.

See the other mail I just said: I am not strictly against supporting GMail, but I do not like the complaining attitude displayed by at least some GMail users.

If they rely on GMail as a walled garden then what happens now can happen anytime again.

Do others appear to have less issues? Yeah, probably, but what can Daniel do if Google does not even bother to respond to him?

Petition Google if you like KDEPIM to be supported again!

--
Martin
Re: Help with KDE PIM and Google Privacy Policies needed
On Friday, 6 March 2020 16:11:48 CET Martin Steigerwald wrote:
> Nicolás Alvarez - 06.03.20, 16:07:09 CET:
> > > On 6 Mar 2020, at 11:26, Martin Steigerwald wrote:
> > >
> > > Hi,
> > >
> > > Martin Flöser - 06.03.20, 13:14:36 CET:
> > >> On 2020-03-06 08:20, Nicolás Alvarez wrote:
> > >>> Apple can give its million appstore apps access to Google calendar
> > >>> data, and Mozilla can let addons access email data, but we can't?
> > >>> What do they do differently?
> > >>
> > >> The only thing they do differently is that they have a permission
> > >> system in place. Doesn't apply for Thunderbird of course which
> > >> means we should look at their privacy policy. Though we should
> > >> never ask Google "Why is Thunderbird allowed?" as we don't want
> > >> that Thunderbird gets access revoked.
> > >
> > > I ask a different question:
> > >
> > > Why – at all – rely on a provider who dictates on who gets access to
> > > it and who does not? Why – at all – rely on a provider who by doing
> > > so creates a walled garden?
> >
> > That's something you should go ask the thousands of users complaining
> > that they can't connect to GMail using KMail. They're the ones
> > relying on the provider. Go to the bug report and tell them the
> > solution to their KMail errors is to stop using Google services. That
> > should go well :)
>
> See?

I think the first step of moving users from a service such as gmail into more decentralized services, is to provide them a good tool that can support both.

It's already a challenge to convince someone to move from their current software to a different one, combine it with the need to change their service provider as well and it becomes that much harder.
Re: Help with KDE PIM and Google Privacy Policies needed
Nicolás Alvarez - 06.03.20, 16:07:09 CET:
> > On 6 Mar 2020, at 11:26, Martin Steigerwald wrote:
> >
> > Hi,
> >
> > Martin Flöser - 06.03.20, 13:14:36 CET:
> >> On 2020-03-06 08:20, Nicolás Alvarez wrote:
> >>> Apple can give its million appstore apps access to Google calendar
> >>> data, and Mozilla can let addons access email data, but we can't?
> >>> What do they do differently?
> >>
> >> The only thing they do differently is that they have a permission
> >> system in place. Doesn't apply for Thunderbird of course which
> >> means we should look at their privacy policy. Though we should
> >> never ask Google "Why is Thunderbird allowed?" as we don't want
> >> that Thunderbird gets access revoked.
> >
> > I ask a different question:
> >
> > Why – at all – rely on a provider who dictates on who gets access to
> > it and who does not? Why – at all – rely on a provider who by doing
> > so creates a walled garden?
>
> That's something you should go ask the thousands of users complaining
> that they can't connect to GMail using KMail. They're the ones
> relying on the provider. Go to the bug report and tell them the
> solution to their KMail errors is to stop using Google services. That
> should go well :)

See?

--
Martin
Re: Help with KDE PIM and Google Privacy Policies needed
> On 6 Mar 2020, at 11:26, Martin Steigerwald wrote:
>
> Hi,
>
> Martin Flöser - 06.03.20, 13:14:36 CET:
>> On 2020-03-06 08:20, Nicolás Alvarez wrote:
>>> Apple can give its million appstore apps access to Google calendar
>>> data, and Mozilla can let addons access email data, but we can't?
>>> What do they do differently?
>>
>> The only thing they do differently is that they have a permission
>> system in place. Doesn't apply for Thunderbird of course which means
>> we should look at their privacy policy. Though we should never ask
>> Google "Why is Thunderbird allowed?" as we don't want that
>> Thunderbird gets access revoked.
>
> I ask a different question:
>
> Why – at all – rely on a provider who dictates on who gets access to it
> and who does not? Why – at all – rely on a provider who by doing so
> creates a walled garden?

That's something you should go ask the thousands of users complaining that they can't connect to GMail using KMail. They're the ones relying on the provider. Go to the bug report and tell them the solution to their KMail errors is to stop using Google services. That should go well :)

--
Nicolás
Sent from my GMail account ;)
Re: Help with KDE PIM and Google Privacy Policies needed
Hi,

Martin Flöser - 06.03.20, 13:14:36 CET:
> On 2020-03-06 08:20, Nicolás Alvarez wrote:
> > Apple can give its million appstore apps access to Google calendar
> > data, and Mozilla can let addons access email data, but we can't?
> > What do they do differently?
>
> The only thing they do differently is that they have a permission
> system in place. Doesn't apply for Thunderbird of course which means
> we should look at their privacy policy. Though we should never ask
> Google "Why is Thunderbird allowed?" as we don't want that
> Thunderbird gets access revoked.

I ask a different question:

Why – at all – rely on a provider who dictates on who gets access to it and who does not? Why – at all – rely on a provider who by doing so creates a walled garden?

This whole thing KDEPIM / KMail not being permitted due to its privacy policy – by a company which collects more data than probably anyone else in the world, except other large companies like Facebook, Microsoft and co probably – seems utterly ridiculous to me.

Sure, by all means, give a good, concise, clear privacy policy for KDEPIM, yet, already as it is I trust KDE + KDEPIM 10% more than Google, Facebook, Microsoft and Co with my data. Cause I have seen KDE project people value privacy *a lot*. That to the extent that I basically stopped writing mails with anything personal to Google mail accounts and accounts of some other very large providers whom I do not trust with privacy.

You don't scan through my mail to find out what advertisement to send my way for example. You do not generate profiles on me by urging webmasters to include your stuff into about every large website out there. You do not do all the nasty things.

Sure, I get it. App developers for Android do all kinds of privacy violations all the time. And Google probably wants to protect users from the worst of that. But if it's data they have about users I feel they practice a different standard. They want to protect data they store from being accessed by others, but, what would be way more important, not from themselves.

KDE for sure is a lot more caring and proactive about privacy and it is one reason I am using Plasma and KDEPIM.

So… I wonder… whether it would make sense for KDE to step up more for those decentralized alternatives that really care about privacy¹.

And yeah, I know KDE, GNOME and a lot of other free software projects and communities benefit a lot from money given by Google – mostly given to Google for advertising. It is totally okay to be grateful for that… but does it mean someone who works for free and in his spare time on KDEPIM has to take care of satisfying Google's requirement for a privacy policy? If I would be Daniel and would see myself having to deal with that kind of stuff, I would be highly highly frustrated about it by now.

Probably quite some are not going to agree with this. But for me Google just again disqualifies itself and I am happy to have closed down my gmail account a long time ago. It is not free of cost. Not at all. Users of it pay with their data.

I feel maybe it is time to make a stand about that. And not just run whenever Google feels like changing something regarding their service. Seriously I feel it is important to ask different questions.

[1] I am not listing them here to avoid any impression of doing advertisement.

Best,
--
Martin
Re: Help with KDE PIM and Google Privacy Policies needed
On 2020-03-06 08:20, Nicolás Alvarez wrote:
> Apple can give its million appstore apps access to Google calendar
> data, and Mozilla can let addons access email data, but we can't? What
> do they do differently?

The only thing they do differently is that they have a permission system in place. Doesn't apply for Thunderbird of course which means we should look at their privacy policy. Though we should never ask Google "Why is Thunderbird allowed?" as we don't want that Thunderbird gets access revoked.

> Also, Linux desktop systems are usually not sandboxed. If we didn't
> have Akonadi, and KOrganizer/KMail/etc used their own databases to
> store data without intending to share them with other apps, other apps
> could *still* access the data via the filesystem. Mozilla Thunderbird
> is approved by Google, and KWin theoretically *could* access my email
> because it can read ~/.mozilla. Sure, in practice it doesn't; but in
> practice it also doesn't access Akonadi.

Maybe we are just too open about what Akonadi can do in the privacy policy. Which I think is a good thing. On the other hand I'm sure that Mozilla doesn't state that any app could read the storage. Perhaps we need to sell Akonadi differently.

Cheers
Martin
Re: Help with KDE PIM and Google Privacy Policies needed
On 2020-03-05 21:19, Daniel Vrátil wrote:
> Hi all,
>
> I would appreciate any hints and pointers at where exactly the KDE PIM
> Privacy Policy might be in violation of the requirements from Google.
> I may have been looking into those documents for so long I can no
> longer see anything :/

Reading [0] I see "Your use of data obtained via the Restricted Scopes must comply with these requirements:" ... "Only transfer the data to others if necessary to provide or improve user-facing features that are prominent in the requesting application's user interface"

And reading the screenshot I think that's the problem. We state in our privacy policy about 3rd party plugins and Akonadi. Especially Akonadi is a "transfer of data to others" and that allows all applications to access the data. If KWin accesses the data it would be in violation of the additional requirements of the requested scope.

Cheers
Martin

[0] https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specific-api-scopes