Public bug reported:

The systemd project is experimenting and working with various ideas that
have privacy ramifications. This includes the work in systemd-resolved
and systemd-timesyncd that creates a possibility for disclosure of
personal information to Google or similar providers through default code
paths. The data remitted such as client IP addresses, subdomains
containing usernames or unique IDs, banking domains and similar data may
be considered personal data under the GDPR and other EU law.

These components are currently in a state where it is legally dubious
whether they comply or can be made to comply. In particular, systemd's
default configuration unless otherwise configured and compiled discloses
personal information to Google without consent or methods to withdraw
consent and without plain-language privacy policy. This design overall
is considered flawed by the GDPR.

I had reported this concern upstream as it impacts all distributions,
but the systemd project has shown disinterest in working on "privacy by
design" and making their work compliant. This lack of concern and future
work by the systemd project may interfere with distributions' efforts to
make their distributions compliant.

As such, this work upstream and future work by upstream may interfere
with any compliance efforts by Ubuntu to ensure compliance with the GDPR
as systemd cannot be relied upon as "compliant out of the box" software.

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: compliance gdpr legal
** Description changed:
The systemd project is experimenting and working with various ideas that
have privacy ramifications. This includes the work in systemd-resolved
and systemd-timesyncd that creates a possibility for disclosure of
personal information to Google or similar providers through default code
paths. The data remitted such as client IP addresses, subdomains
containing usernames or unique IDs, banking domains and similar data may
be considered personal data under the GDPR and other EU law.
These components are currently in a state where it is legally dubious
whether they comply or can be made to comply. In particular, systemd's
default configuration unless otherwise configured and compiled discloses
personal information to Google without consent or methods to withdraw
- consent. This design overall is considered flawed by the GDPR.
+ consent and without plain-language privacy policy. This design overall
+ is considered flawed by the GDPR.
I had reported this concern upstream as it impacts all distributions,
but the systemd project has shown disinterest in working on "privacy by
design" and making their work compliant. This lack of concern and future
work by the systemd project may interfere with distributions' efforts to
make their distributions compliant.
- As such, this work upstream may interfere with any compliance efforts by
- Ubuntu to ensure compliance with the GDPR as systemd cannot be relied
- upon as "compliant out of the box" software.
+ As such, this work upstream and future work by upstream may interfere
+ with any compliance efforts by Ubuntu to ensure compliance with the GDPR
+ as systemd cannot be relied upon as "compliant out of the box" software.
--
https://bugs.launchpad.net/bugs/1779956
Title:
GDPR Compliance
Status in systemd package in Ubuntu:
New