I think this may even require some broader discussion, perhaps on d-d, about which position Debian has towards privacy.
This case here of silently defaulting to a big greedy company who is well known for being part of the US' world-wide surveillance program is just the tip of an iceberg.

Obviously, I don't say that every program that sends data over the network should need to ask first, especially not when it's obvious that it will do that (e.g. for a browser it's obvious that when you enter some URL, it will send data). But especially in those cases where this is not obvious (e.g. several GNOME (and possibly other) programs that send my contacts' addresses to gravatar, or when e.g. Firefox extensions like httpseverywhere would default to yes in sending the collected certs to the EFF) this shouldn't be the default and people should be properly asked/informed before it happens. This is also especially the case when data is sent to specific companies or organisations (e.g. gravatar) in contrast to a common system (like the DNS when recursing via the root servers).

Cheers,
Chris.