
Re: Further inquiry regarding data privacy



On 15326 March 1977, npdflr@zoho.com wrote:

I am posting an excerpt from the 'Data privacy' page
(https://www.debian.org/legal/privacy):

Service related logging

In addition to the explicitly listed services above the Debian
infrastructure logs details about system accesses for the purposes of
ensuring service availability and reliability, and to enable debugging
and diagnosis of issues when they arise. This logging includes details
of mails sent/received through Debian infrastructure, web page access
requests sent to Debian infrastructure, and login information for
Debian systems (such as SSH logins to project machines). None of this
information is used for any purposes other than operational
requirements and it is only stored for 15 days in the case of web
server logs, 10 days in the case of mail log and 4 weeks in the case
of authentication/ssh logs.

a) Does 'system' and 'Debian systems' in the above excerpt mean an
installation of Debian OS?

No. It means a system installed and run by Debian admins providing a
service. Like the machine handling this list, or a machine handling a
webserver for www.debian.org.

b) I am assuming that 'Debian infrastructure' means the 'Debian
Security Infrastructure'
(https://www.debian.org/doc/manuals/securing-debian-howto/ch7) which
is used to handle security in the stable distribution. Please correct
me, if wrong. 

No, it means the whole infrastructure. We have many machines.

c) Details regarding non-personally identifiable data: Does Debian
(Debian.org) collect any kind of 'telemetry' or 'monitoring data'
other than required for operational requirements? I am asking this
from a company's or business point of view: one is concerned about
intellectual property, company data etc.

As written, no, we do not.

d) (This is related to the above point) Does the statement in the
above excerpt "This logging includes details ... login information
for Debian systems" mean that Debian stores username and passwords of
users? In my case: A local login not a network based login.

Not in the sense you read into it, no. We do not, in any way, collect
users' data of systems installed with Debian[1]. The above is for machines
running "inside" the debian.org domain and affects Debian Developers,
not any user who just happens to install Debian.


[1] There is one tool named popcon. That does actually send data our
way. That is opt-in and you can find more information at
https://popcon.debian.org/

--
bye, Joerg

