
Re: Bug#829494: chirpw phones home without informed consent



Hi,

On 03/07/16 21:27, Neil Van Dyke wrote:
> Package: chirp
> Version: 0.4.0-1
> Severity: serious
> 
> A pop-up dialog from the "chirpw" program says that it reports some kind
> of usage information to some external party, and describes how to
> opt-out of this.  There are at least two privacy problems:
> 
> 1. It appears that some phoning home happens before the user has given
> informed consent.  For example, when I received the pop-up dialogue, I
> immediately disabled reporting, but I found that "chirpw" had already
> contacted some server and informed me that I was not using the latest
> version.  Therefore, the suggestion that one can opt-out of phoning-home
> is misleading, since some phoning-home has already occurred.

Yep, I plan to patch this out.

> 2. Also, the text suggests that this is anonymous, but that is
> misleading (due, e.g., to IP address traceability), so any consent would
> not be informed, even were it given prior to phoning-home occurring.

Entirely patching this out. All updates should happen through apt. No
phoning home or anywhere else.

> Note that I have not looked at what information is transmitted, so there
> might be a third problem, but I believe these two identified problems
> alone require action.
> 
> I recommend and request that this reporting and any other "phoning home"
> either be disabled completely in the Debian "chirp" package, or changed
> to be an express *opt-in* (like opt-in is long used elsewhere in Debian,
> such as for package "popularity contest"). Thank you.
> 

Thanks for reporting this. I was going to work on this this week anyway,
but it'll feel more satisfying when I close a bug doing it. (:

Thanks,
Iain.

