Re: More diagnostics data from desktop

2018-03-08 Thread Robie Basak
Please stop.

"Lawyering" on this list is pointless and will not get us anywhere. "I
think this would be compliant" and "I think this would not be compliant"
is meaningless when coming from a bunch of random engineers.

Give Canonical some credit. They're not going to go ahead with something
that they think will violate the GDPR, since that would obviously be bad
for Canonical, bad for Ubuntu, and bad for everyone else.

As a project, for legal matters, we defer to Canonical's legal staff to
make a final determination, because we have to make *a single
determination* in order to proceed with anything. This is the only
reasonable way to proceed.

I'm sure someone will disagree with any determination, because someone
always does. Law is subjective like that. But arguing on this list about
it is pointless.

Leave it to the implementors to check with Canonical legal and make sure
that the final implementation will be in compliance. The minutiae of
compliance is not a matter for this list. If you think the whole
principle would not be in compliance, then either they'll agree with you
and it won't happen, or they'll disagree with you and it will happen.
Whichever way, arguments amongst engineers on this list from a legal
perspective will not make the slightest bit of difference.

Let's leave the legal stuff to the legal people, and focus on the
technical stuff here.


signature.asc
Description: PGP signature
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: More diagnostics data from desktop

2018-03-07 Thread J Fernyhough
On 07/03/18 20:43, Jeremy Bicha wrote:
> Notably, in the very first email in this thread, Will Cooke
> specifically said IP addresses will never be stored with this data. 

That doesn't mean it's not collected and so can be ignored. The
"collected" data must be "processed" to remove the IP address (unless
you can access a TCP/IP-based web service without revealing your IP
address?).


> In my opinion, the basic hardware data collection being proposed is
> completely insufficient to identify people.

Respectfully, GDPR compliance isn't based on opinions. It needs to be
studied and processes implemented to ensure compliance, i.e. it needs to
be taken seriously, even for statistical data:

"(162) Where personal data are processed for statistical purposes, this
Regulation should apply to that processing. Union or Member State law
should, within the limits of this Regulation, determine statistical
content, control of access, specifications for the processing of
personal data for statistical purposes and appropriate measures to
safeguard the rights and freedoms of the data subject and for ensuring
statistical confidentiality. Statistical purposes mean any operation of
collection and the processing of personal data necessary for statistical
surveys or for the production of statistical results. Those statistical
results may further be used for different purposes, including a
scientific research purpose. The statistical purpose implies that the
result of processing for statistical purposes is not personal data, but
aggregate data, and that this result or the personal data are not used
in support of measures or decisions regarding any particular natural
person."

Note that this specifically mentions processing with the result of
aggregate non-personal data.

J





Re: More diagnostics data from desktop

2018-03-07 Thread Jeremy Bicha
(Keeping the full comment since the replied email hasn't shown up in
the ubuntu-devel archives yet.)

On Wed, Mar 7, 2018 at 2:42 PM, J Fernyhough wrote:
> (cross-posting because ubuntu-devel is moderated and this may not reach
> that list)
>
> On 07/03/18 11:46, Jeremy Bicha wrote:
>> What proposed collected data do you think should be considered
>> personal data for GDPR purposes?
>>
>
> "What constitutes personal data?
>
> "Any information related to a natural person or ‘Data Subject’, that can
> be used to directly or indirectly identify the person. It can be
> anything from a name, a photo, an email address, bank details, posts on
> social networking websites, medical information, or a computer IP
> address." [1]
>
> And more specifically:
>
> "(26) The principles of data protection should apply to any information
> concerning an identified or identifiable natural person. Personal data
> which have undergone pseudonymisation, which could be attributed to a
> natural person by the use of additional information should be considered
> to be information on an identifiable natural person. ..."
>
> "(30) Natural persons may be associated with online identifiers provided
> by their devices, applications, tools and protocols, such as internet
> protocol addresses, cookie identifiers or other identifiers such as
> radio frequency identification tags. This may leave traces which, in
> particular when combined with unique identifiers and other information
> received by the servers, may be used to create profiles of the natural
> persons and identify them." [2]
>
> Hence, if you _ever_ record an IP address, you are recording "personal
> data" and must be able to demonstrate you are meeting the requirements
> of the GDPR **even if you pseudonymise that data**. Given the proposal
> extends to storing a full hardware specification it's very easy to see
> how that could be used as "additional information" or "other identifiers".
>
>
> Regarding consent:
>
> "(32) Consent should be given by a clear affirmative act establishing a
> freely given, specific, informed and unambiguous indication of the data
> subject's agreement to the processing of personal data relating to him
> or her, such as by a written statement, including by electronic means,
> or an oral statement.
>
> "This could include ticking a box when visiting an internet website,
> choosing technical settings for information society services or another
> statement or conduct which clearly indicates in this context the data
> subject's acceptance of the proposed processing of his or her personal
> data. Silence, pre-ticked boxes or inactivity should not therefore
> constitute consent.
>
> "Consent should cover all processing activities carried out for the same
> purpose or purposes. When the processing has multiple purposes, consent
> should be given for all of them. If the data subject's consent is to be
> given following a request by electronic means, the request must be
> clear, concise and not unnecessarily disruptive to the use of the
> service for which it is provided." [2] (Split to highlight central section)
>
>
> Given the discussion is about large-scale systematic data
> collection Ubuntu/Canonical should also be aware of:
>
> "Does my business need to appoint a Data Protection Officer (DPO)?
>
> "DPOs must be appointed in the case of: (a) public authorities, (b)
> organizations that engage in large scale systematic monitoring, or (c)
> organizations that engage in large scale processing of sensitive
> personal data (Art. 37).  If your organization doesn’t fall into one of
> these categories, then you do not need to appoint a DPO." [1]
>
>
> Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
> all data collection meets the requirements of the GDPR. This is a bigger
> issue than most people realise.
>
>
>
> References
>
> [1] https://www.eugdpr.org/gdpr-faqs.html
> [2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Notably, in the very first email in this thread, Will Cooke
specifically said IP addresses will never be stored with this data. A
Launchpad account is not needed for apport to send crash data for
stable Ubuntu releases (it works a bit differently while an Ubuntu
release is still in development.)

In my opinion, the basic hardware data collection being proposed is
completely insufficient to identify people.

Thanks,
Jeremy Bicha



Re: More diagnostics data from desktop

2018-03-07 Thread J Fernyhough
(cross-posting because ubuntu-devel is moderated and this may not reach
that list)

On 07/03/18 11:46, Jeremy Bicha wrote:
> What proposed collected data do you think should be considered
> personal data for GDPR purposes?
> 

"What constitutes personal data?

"Any information related to a natural person or ‘Data Subject’, that can
be used to directly or indirectly identify the person. It can be
anything from a name, a photo, an email address, bank details, posts on
social networking websites, medical information, or a computer IP
address." [1]

And more specifically:

"(26) The principles of data protection should apply to any information
concerning an identified or identifiable natural person. Personal data
which have undergone pseudonymisation, which could be attributed to a
natural person by the use of additional information should be considered
to be information on an identifiable natural person. ..."

"(30) Natural persons may be associated with online identifiers provided
by their devices, applications, tools and protocols, such as internet
protocol addresses, cookie identifiers or other identifiers such as
radio frequency identification tags. This may leave traces which, in
particular when combined with unique identifiers and other information
received by the servers, may be used to create profiles of the natural
persons and identify them." [2]

Hence, if you _ever_ record an IP address, you are recording "personal
data" and must be able to demonstrate you are meeting the requirements
of the GDPR **even if you pseudonymise that data**. Given the proposal
extends to storing a full hardware specification it's very easy to see
how that could be used as "additional information" or "other identifiers".


Regarding consent:

"(32) Consent should be given by a clear affirmative act establishing a
freely given, specific, informed and unambiguous indication of the data
subject's agreement to the processing of personal data relating to him
or her, such as by a written statement, including by electronic means,
or an oral statement.

"This could include ticking a box when visiting an internet website,
choosing technical settings for information society services or another
statement or conduct which clearly indicates in this context the data
subject's acceptance of the proposed processing of his or her personal
data. Silence, pre-ticked boxes or inactivity should not therefore
constitute consent.

"Consent should cover all processing activities carried out for the same
purpose or purposes. When the processing has multiple purposes, consent
should be given for all of them. If the data subject's consent is to be
given following a request by electronic means, the request must be
clear, concise and not unnecessarily disruptive to the use of the
service for which it is provided." [2] (Split to highlight central section)


Given the discussion is about large-scale systematic data
collection Ubuntu/Canonical should also be aware of:

"Does my business need to appoint a Data Protection Officer (DPO)?

"DPOs must be appointed in the case of: (a) public authorities, (b)
organizations that engage in large scale systematic monitoring, or (c)
organizations that engage in large scale processing of sensitive
personal data (Art. 37).  If your organization doesn’t fall into one of
these categories, then you do not need to appoint a DPO." [1]


Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
all data collection meets the requirements of the GDPR. This is a bigger
issue than most people realise.



References

[1] https://www.eugdpr.org/gdpr-faqs.html
[2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679





Re: More diagnostics data from desktop

2018-02-21 Thread Jonty Gamao
Forwarding this because I sent it to the one only for developers

From: Jonty Gamao<mailto:techxga...@outlook.com>
Sent: Wednesday, February 21, 2018 12:32 PM
To: ubuntu-de...@lists.ubuntu.com<mailto:ubuntu-de...@lists.ubuntu.com>
Subject: Re: More diagnostics data from desktop

Hi,
I noticed in the mailing list that you guys only talked about users who are 
installing Ubuntu for the first time, not upgrading from a previous version 
(unless I totally missed it, or misunderstood it):
> We would like to add a checkbox to the installer, exact wording TBD, but 
> along the lines of “Send diagnostics information to help improve Ubuntu”. 
> This would be checked by default.

If I understood it right, then you guys haven't decided whether to leave it 
enabled or disabled by default for users who are upgrading, right?

In my opinion, I think you guys should make it an opt-in thing for users who 
are upgrading from a previous version of Ubuntu.  It leaves a sour thought in 
people's minds when they get drafted to something they're against, even though 
they have the option to leave (pretty sure you noticed how this move became 
controversial and a hot topic right now).  I suggest doing a pop up right after 
the upgrade and reboot, or during the upgrade process, that asks them whether 
they want to participate (with VERY detailed info on what you'll be collecting) 
or not.  And maybe leave it unticked.

Personally, I'll help out by giving you guys the data you're asking, but there 
are others who are totally against this, especially the idea of opt-in.

Take care,
Jonas




Re: More diagnostics data from desktop

2018-02-18 Thread J Fernyhough
(Re-sending to devel-discuss as devel is moderated)

On 15/02/18 10:05, Will Cooke wrote:
> On 14 February 2018 at 18:37, Alistair Buxton wrote:
> 
> > * Information from the installation would be sent over HTTPS to a
> > service run by Canonical’s IS team.  This would be saved to disk and
> > sent on first boot once there is a network connection.  The file
> > containing this data would be available for the user to inspect.
> 
> So you ask the user during install. Then the data is sent on first
> boot. At what point can the user inspect the data, given that some of
> it can't be collected until after installation is finished? It seems
> like the first opportunity will be after it has been sent, unless you
> ask the user a second time. So why not just ask them on first boot,
> when you have already gathered all the data? That way user can inspect
> the data there and then before deciding how to answer.
> 
> 
> Yes, I think the first opportunity would be after it has been sent.  I'm
> generally against asking more questions on login though, I think it
> would be clunky.

Am I reading it correctly that you will allow the user to see what data
had been gathered from the system only _after_ it has been sent? That
comes across as needlessly sneaky.

Surely it could be deferred until after the user has had the
opportunity to agree properly?

As an existing implementation, the Steam client has a perfectly good way
of doing this - it pops up a dialogue box, asks whether it can send
system data, shows the data that would be sent, and explains why it is
useful and why you should consider allowing it.


On 14/02/18 15:22, Will Cooke wrote:
> Any user can simply opt out by unchecking the box, which triggers one
> simple POST stating, “diagnostics=false”.

This doesn't scan right either - you're collecting data about someone
opting out of data collection?


I can see the reasons behind collecting data but let's not make the
collection process needlessly aggressive. That's just going to make
people defensive and find ways of disabling/avoiding it entirely (e.g.
network blocks) instead of considering how it can help Ubuntu in the
long-run.

An overly-aggressive approach also makes it much more difficult for
other projects to implement statistics collection without users equating
it with user tracking/telemetry/spying/etc. and complaining vociferously
(even without any real understanding of what the process means - just
the presence of the words "data collection" is enough to generate an
awful lot of noise).


J




