
Re: Further inquiry regarding data privacy (for packages installed in Debian)



Hi,
Would you recommend that I or Debian users go through the privacy policy for the default packages/software installed in Debian images/ISO files?

An example would be the firefox-esr that has data collection policy: https://wiki.mozilla.org/Firefox/Data_Collection
The default is off for Web activity data and Highly Sensitive data so it should not be a problem.

But for other default packages should I go through their privacy policies?
 
Note: As for the packages installed manually by the user (not default packages), it would be the user's responsibility to make sure that they don't send any sensitive data.

Also, what ways can one check the privacy policy of the packages installed (by default or manually installed)?
- One way would be to open Synaptic Package Manager (for the packages installed from the repositories listed in sources.list), check for homepage (if there) for every package installed and then read the privacy policy on that homepage.
- For the packages downloaded from elsewhere, I think the user would have to check the source/homepage etc for its privacy policy.

Thank you.


---- On Wed, 27 Feb 2019 13:02:28 -0800 Joerg Jaspert <joerg@debian.org> wrote ----

On 15326 March 1977, npdflr@zoho.com wrote:

> I am posting an excerpt from the 'Data privacy' page
> (https://www.debian.org/legal/privacy):

> Service related logging

> In addition to the explicitly listed services above the Debian
> infrastructure logs details about system accesses for the purposes of
> ensuring service availability and reliability, and to enable debugging
> and diagnosis of issues when they arise. This logging includes details
> of mails sent/received through Debian infrastructure, web page access
> requests sent to Debian infrastructure, and login information for
> Debian systems (such as SSH logins to project machines). None of this
> information is used for any purposes other than operational
> requirements and it is only stored for 15 days in the case of web
> server logs, 10 days in the case of mail log and 4 weeks in the case
> of authentication/ssh logs.

> a) Does 'system' and 'Debian systems' in the above excerpt mean an
> installation of Debian OS?

No. It means a system installed and run by Debian admins providing a
service. Like the machine handling this list, or a machine handling a
webserver for www.debian.org.

> b) I am assuming that 'Debian infrastructure' means the 'Debian
> Security Infrastructure'
> (https://www.debian.org/doc/manuals/securing-debian-howto/ch7) which
> is used to handle security in the stable distribution. Please correct
> me, if wrong. 

No, it means the whole infrastructure. We have many machines.

> c) Details regarding non-personally identifiable data: Does Debian
> (Debian.org) collect any kind of 'telemetry' or 'monitoring data'
> other than required for operational requirements? I am asking this as
> from a company's or business point of view: one is concerned about
> intellectual property, company data etc.

As written, no we do not.

> d) (This is related to the above point) Does the statement in the
> above excerpt "This logging includes details.....    login information
> for Debian systems" mean that Debian stores username and passwords of
> users? In my case: A local login not a network based login.

Not in the sense you read into it, no. We do not, in any way, collect
users data of systems installed with Debian[1]. The above is for machines
running "inside" the debian.org domain and affects Debian Developers,
not any user who just happens to install Debian.


[1] There is one tool named popcon. That does actually send data our
way. That is opt-in and you can find more information at
https://popcon.debian.org/

--
bye, Joerg


