Re: Phoning home



On Thu, Feb 28, 2008 at 07:20:34PM +0000, Ian Jackson wrote:
> Steve Langasek writes ("Re: Phoning home"):
> > On Tue, Feb 26, 2008 at 08:24:09PM +0000, Ian Jackson wrote:
> > > If the latter, what privacy assurances do we have and why do we believe
> > > them ?

> > Why should we believe *any* privacy assurances?  If you want an assurance of
> > privacy, don't share any information that you consider private.

> I think this is rather an absolutist approach.

Sure; this is the only part of the equation that the user really has control
over, and I think users should be prepared for the worst-case consequences
of the information they're leaking to the network.

> > I don't agree that we have any obligation to not analyze the data that we've
> > come by legitimately.

> I think we should be trustworthy.  That is, when our users know that
> their computers send us information (for whatever legitimate reason),
> they should be confident that they wouldn't disapprove of the things
> we do with it.

This supposes that the set of things a user approves of is more or less
congruent for all users.  Just out of a sample size of two, you and I
already have different opinions on the acceptability of aggregate analysis
of user requests; other users might consider it totally unacceptable for
requests to be logged at all.

Yet logging those requests doesn't mean we're untrustworthy; we've never
promised not to log them.

> The fact that the user is wholly at our mercy, and cannot (for
> example) verify whether we're doing bad things, does not make it any
> more right for us to process their information other than as strictly
> necessary.

> (This is one of the fundamental principles in EU data ethics and law
> which is not shared by the `all's fair in love and spying' US.)

Even if you believe that everyone Debian exposes data to by default is
trustworthy by this standard (or alternatively, is bound by EU law), what
happens if one of the servers involved is compromised?  If we're doing
things right, the consequences of having those logs fall into the wrong
hands are minimal.  If they're not, then it's the nature of the network
traffic we should be reconsidering, not what's done with it once it reaches
the server.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org