
Re: Phoning home
On Tue, Feb 26, 2008 at 08:24:09PM +0000, Ian Jackson wrote:

> > "should" here would only mean that we've failed to correctly define "phoning
> > home".  There's no legitimate reason for Debian packages to phone home, and
> > it's always a bug if they do; if this is to be referenced in policy at all,
> > this should be made plain.

> I think you're twisting the definition here.  `Phoning home' means
> connecting to some central server defined by the software developers.
> It's value neutral.

FWIW, before this thread, I've never heard "phoning home" used in a
value-neutral way, and I don't believe this is the common usage.

> If you use `phoning home' to mean only bad things, then we need a new
> value-neutral phrase.

How about "contacting a server" for value-neutral? :-)

> > > apt

> > Not "phoning home":

> > - the requests don't contain identifying information about the client, with
> >   the exception of the source IP address.

> That is often enough to identify an individual user.

Yes, but it's not information exposure for its own sake, it's fundamental to
TCP/IP; and you can use whatever relay you want/trust in order to hide your
source IP.

> > - with the exception of security.d.o, there's no calling back to a central
> >   server.

> The mirrors are central servers.  I don't think it makes that much
> difference whether it's one or more.

The mirrors are not centrally controlled.  This is, in fact, a major factor
in Debian's *inability* to put together useful statistics about the number
of users, because anyone can run a mirror and any user can use any mirror
they wish.

> > - the requests must be initiated by the user.

> Ubuntu prompts desktop users with admin ability when updates are
> available.  I think this is a very good thing and we should do it too.

I think I agree, but that doesn't happen by default as part of the apt
package today.

> > > clamav-freshclam

> > - central to the functionality of the package; if you don't want to be
> >   trackable you don't install the package.
> > - statistics gathering is a side-effect of the main purpose of the package,
> >   and there's no way around this short of anonymizing your client access
> >   through tor or similar.

> Isn't this just an update downloader ?  What statistics are
> collected ?

I mean that the /opportunity/ for statistics-gathering is a side-effect of
the main purpose of the package, namely, retrieving updates from a
particular source.  I don't know whether or not statistics are actually
gathered.

> Do we direct our users to our servers, or to ones run by upstream ?

Upstream.

> If the latter, what privacy assurances do we have and why do we believe
> them ?

Why should we believe *any* privacy assurances?  If you want an assurance of
privacy, don't share any information that you consider private.

In the US, we now have a law that says any company that retains personal
information about you has to give you a privacy notice saying how they're
going to use the data.  None of these privacy notices are worth reading;
they all state that the companies will share your data with their associates
in order to offensively target you for their advertising, and otherwise do a
crappy job of safeguarding the information you give them.

European privacy laws notwithstanding, if you're communicating over the
Internet, you should expect any information you send to be stored and used
in the most nefarious manner imaginable.

We should therefore ensure that Debian packages do not, by default,
communicate any information to servers that is unrelated to the function
of those packages.  And if a program requires collecting personal data as a
condition of its operation, we should probably think twice about including
it in the archive.

> One of the key principles of data protection is that information
> gathered for one purpose should not be used for another.

> So information necessarily exposed to make the program work should not
> be collected and statistically analysed by our servers even if that is
> technically possible to do.

I don't agree that we have any obligation to not analyze the data that we've
come by legitimately.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org