
Re: Phoning home



Julian Gilbey writes ("Re: Phoning home"):
> On Sun, Feb 24, 2008 at 01:54:11PM +0000, Ian Jackson wrote:
> > I think therefore that we should add some statement to policy about
> > phoning home.
> 
> Agreed.
> 
> > As a starting point:
> > 
> >  * Software in Debian should not communicate over the network except
> >    - in order to, and as necessary to, perform their function
> >      (which includes the established Debian software update
> >       distribution infrastructure); or
> 
> I'm not sure what the phrase in parentheses means.

That is, apt is allowed to phone home to check for and download the
updates.

> >    - for other purposes with explicit permission from the user
> 
> So what about visiting a website with a browser which then opens a
> popup?  Not sure how best to word this, but I fundamentally agree with
> the sentiment.

I agree that unwanted popups are abusive and our browser should do its
best to stop them.  Sadly this is a difficult and complex problem with
political, economic and technological aspects.  I didn't intend to
stick my oar into the war between websites and browsers.

> >    - Usually, our software should communicate only to servers we
> >      control or which we have substantial reason to trust.
> 
> "By default", our software should ...
> The user might be given an option to change this (see below).

Yes, but also `usually' because there might be reasons for it to do
something else.

For example, if you ask to visit http://www.lycqmitb.com (perhaps
because lycqmitb is a website password and you fumbled the
cut-and-paste), the system will necessarily send your DNS query to
your ISP and ultimately to the root nameservers and to the nameservers
for .com.

We already know that the nameservers for .com are not trustworthy;
they have in the past betrayed users' trust quite egregiously.  But we
don't have any practical choice to avoid this for our users.

So I wanted, unfortunately, to leave open the possibility that we
might send our users' data to untrusted servers if we don't have any
other sane options.

> We could have one question which asks "Some software authors like
> collecting anonymised data about the usage of their software in order
> to better optimise it.  Would you be willing to participate in this?",
> and then the possibility of opting in/out of individual packages.
> Also, any package which does something essentially different could
> have its own question.

That was the kind of thing I was thinking about.  We should aggregate
as well as anonymise, and possibly add some randomness to the figures
or blank out figures with very small sample sizes compared to their
magnitudes, to avoid recovery through sophisticated analysis.

So this would have to be configured and negotiated on a per-package
basis.  I would be happy to write and operate the central laundering
service.

> This could be an option given to the user, I guess.  I like the
> possibility of anonymising responses, as long as it does not
> negatively affect the benefits the phoning home provides.  (For
> example, it could be that upstream wants to know about the habits of
> individual users and their patterns over time rather than just the sum
> total of this information.  In such a case, Debian would have to track
> the individual users, then modify the info before sending it
> upstream.)

The per-user information could be tracked on the end user's system,
and only the summary transmitted to Debian.

It is always better not to collect the information than to collect it
and then throw it away.

Ian.
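The aggregate-then-anonymise pipeline sketched in the message above (per-user detail stays on the end user's system, the central service only sums the summaries, adds randomness and blanks out small figures), as an added illustration that is not code from the thread or from Debian; the package names, sample summaries, threshold and noise scale are all constructed assumptions.

```python
"""Laundering per-package usage figures: aggregate, perturb, suppress."""
import random
from collections import Counter

# Constructed sample input (hypothetical, not data from the thread): each
# entry is the summary one end-user system would transmit, already reduced
# client-side to a set of packages, with no per-user history attached.
SAMPLE_SUMMARIES = [
    {"apt", "vim", "mutt"},
    {"apt", "vim", "emacs"},
    {"apt", "emacs"},
    {"apt", "vim", "lynx"},
    {"apt", "mutt"},
]


def aggregate(summaries):
    """Sum the per-system summaries into one count per package.

    Each system counts at most once per package, and nothing that links a
    figure back to an individual system is retained past this function.
    """
    counts = Counter()
    for packages in summaries:
        counts.update(set(packages))
    return counts


def suppress_small(counts, min_count):
    """Blank out figures whose sample size is too small to hide the few
    systems behind them; a suppressed cell is published as None."""
    return {pkg: (n if n >= min_count else None) for pkg, n in counts.items()}


def add_noise(published, scale, rng):
    """Perturb each surviving figure with Laplace noise (difference of two
    exponentials), so one system joining or leaving is not an exact +1/-1.
    scale=0 disables the noise, which keeps the pipeline testable."""
    noisy = {}
    for pkg, n in published.items():
        if n is None:
            noisy[pkg] = None
            continue
        delta = scale * (rng.expovariate(1.0) - rng.expovariate(1.0))
        noisy[pkg] = max(0, int(round(n + delta)))
    return noisy


def launder(summaries, min_count=3, scale=1.0, seed=None):
    """Full pipeline as the central service would run it."""
    rng = random.Random(seed)
    return add_noise(suppress_small(aggregate(summaries), min_count), scale, rng)
```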