Re: Bug#829494: chirpw phones home without informed consent
Hi,
On 03/07/16 21:27, Neil Van Dyke wrote:
> Package: chirp
> Version: 0.4.0-1
> Severity: serious
>
> A pop-up dialog from the "chirpw" program says that it reports some kind
> of usage information to some external party, and describes how to
> opt-out of this. There are at least two privacy problems:
>
> 1. It appears that some phoning home happens before the user has given
> informed consent. For example, when I received the pop-up dialogue, I
> immediately disabled reporting, but I found that "chirpw" had already
> contacted some server and informed me that I was not using the latest
> version. Therefore, the suggestion that one can opt-out of phoning-home
> is misleading, since some phoning-home has already occurred.
Yep, I plan to patch this out.
> 2. Also, the text suggests that this is anonymous, but that is
> misleading (due, e.g., to IP address traceability), so any consent would
> not be informed, even were it given prior to phoning-home occurring.
Entirely patching this out. All updates should happen through apt. No
phoning home or anywhere else.
> Note that I have not looked at what information is transmitted, so there
> might be a third problem, but I believe these two identified problems
> alone require action.
>
> I recommend and request that this reporting and any other "phoning home"
> either be disabled completely in the Debian "chirp" package, or changed
> to be an express *opt-in* (like opt-in is long used elsewhere in Debian,
> such as for package "popularity contest"). Thank you.
>
Thanks for reporting this. I was going to work on this this week anyway,
but it'll feel more satisfying when I close a bug doing it. (:
Thanks,
Iain.
Reply to: