
Re: Further inquiry regarding data privacy (for packages installed in Debian)



I don't know if many packages have them, but there is a privacy:: debtag for potential privacy concerns and other anti-features. Synaptic should be able to show them.

On May 21, 2019 9:16:53 AM EDT, npdflr <npdflr@zoho.com> wrote:
>Hi,
>
>Would you recommend me or debian users to go through privacy policy for
>the default packages/softwares installed in Debian images/iso files.
>
>
>
>An example would be the firefox-esr that has data collection
>policy: https://wiki.mozilla.org/Firefox/Data_Collection
>
>The default is off for Web activity data and Highly Sensitive data so
>it should not be a problem.
>
>
>
>But for other default packages should I go through their privacy
>policies?
>
> 
>Note: As for the packages installed manually by the user (not default
>packages), it would be the user's responsibility to make sure that they
>don't send any sensitive data.
>
>
>
>Also, what ways can one check the privacy policy of the packages
>installed (by default or manually installed)?
>
>- One way would be to open Synaptic Package Manager (for the packages
>installed from the repositories listed in sources.list), check for
>homepage (if there) for every package installed and then read the
>privacy policy on that homepage.
>
>- For the packages downloaded from elsewhere, I think the user would
>have to check the source/homepage etc for its privacy policy.
>
>
>Thank you.
>
>
>
>
>
>---- On Wed, 27 Feb 2019 13:02:28 -0800 Joerg Jaspert
><joerg@debian.org> wrote ----
>
>
>
>On 15326 March 1977, mailto:npdflr@zoho.com wrote: 
> 
>> I am posting an excerpt from the 'Data privacy' page 
>> (https://www.debian.org/legal/privacy): 
> 
>> Service related logging 
> 
>> In addition to the explicitly listed services above the Debian 
>> infrastructure logs details about system accesses for the purposes of
>> ensuring service availability and reliability, and to enable debugging 
>> and diagnosis of issues when they arise. This logging includes details 
>> of mails sent/received through Debian infrastructure, web page access
>> requests sent to Debian infrastructure, and login information for 
>> Debian systems (such as SSH logins to project machines). None of this
>> information is used for any purposes other than operational 
>> requirements and it is only stored for 15 days in the case of web 
>> server logs, 10 days in the case of mail log and 4 weeks in the case 
>> of authentication/ssh logs. 
> 
>> a) Does 'system' and 'Debian systems' in the above excerpt mean an 
>> installation of Debian OS? 
> 
>No. It means a system installed and run by Debian admins providing a 
>service. Like the machine handling this list, or a machine handling a 
>webserver for www.debian.org. 
> 
>> b) I am assuming that 'Debian infrastructure' means the 'Debian 
>> Security Infrastructure' 
>> (https://www.debian.org/doc/manuals/securing-debian-howto/ch7) which 
>> is used to handle security in the stable distribution. Please correct
>> me, if wrong.  
> 
>No, it means the whole infrastructure. We have many machines. 
> 
>> c) Details regarding non-personally identifiable data: Does Debian 
>> (Debian.org) collect any kind of 'telemetry' or 'monitoring data' 
>> other than required for operational requirements? I am asking this as
>> from a company's or business point of view: one is concerned about 
>> intellectual property, company data etc. 
> 
>As written, no we do not. 
> 
>> d) (This is related to the above point) Does the statement in the 
>> above excerpt "This logging includes details.....    login information 
>> for Debian systems" mean that Debian stores username and passwords of
>> users? In my case: A local login not a network based login. 
> 
>Not in the sense you read into it, no. We do not, in any way, collect 
>users data of systems installed with Debian[1]. The above is for machines 
>running "inside" the debian.org domain and affects Debian Developers, 
>not any user who just happens to install Debian. 
> 
> 
>[1] There is one tool named popcon. That does actually send data our 
>way. That is opt-in and you can find more information at 
>https://popcon.debian.org/ 
> 

