Re: More diagnostics data from desktop

[Jeremy Bicha]

(Keeping the full comment since the replied email hasn't shown up in
the ubuntu-devel archives yet.)

On Wed, Mar 7, 2018 at 2:42 PM, J Fernyhough  wrote:
> (cross-posting because ubuntu-devel is moderated and this may not reach
> that list)
>
> On 07/03/18 11:46, Jeremy Bicha wrote:
>> What proposed collected data do you think should be considered
>> personal data for GPDR purposes?
>>
>
> "What constitutes personal data?
>
> "Any information related to a natural person or ‘Data Subject’, that can
> be used to directly or indirectly identify the person. It can be
> anything from a name, a photo, an email address, bank details, posts on
> social networking websites, medical information, or a computer IP
> address." [1]
>
> And more specifically:
>
> "(26) The principles of data protection should apply to any information
> concerning an identified or identifiable natural person. Personal data
> which have undergone pseudonymisation, which could be attributed to a
> natural person by the use of additional information should be considered
> to be information on an identifiable natural person. ..."
>
> "(30) Natural persons may be associated with online identifiers provided
> by their devices, applications, tools and protocols, such as internet
> protocol addresses, cookie identifiers or other identifiers such as
> radio frequency identification tags. This may leave traces which, in
> particular when combined with unique identifiers and other information
> received by the servers, may be used to create profiles of the natural
> persons and identify them." [2]
>
> Hence, if you _ever_ record an IP address, you are recording "personal
> data" and must be able to demonstrate you are meeting the requirements
> of the GDPR **even if you pseudonymise that data**. Given the proposal
> extends to storing a full hardware specification it's very easy to see
> how that could be used as "additional information" or "other identifiers".
>
>
> Regarding consent:
>
> "(32) Consent should be given by a clear affirmative act establishing a
> freely given, specific, informed and unambiguous indication of the data
> subject's agreement to the processing of personal data relating to him
> or her, such as by a written statement, including by electronic means,
> or an oral statement.
>
> "This could include ticking a box when visiting an internet website,
> choosing technical settings for information society services or another
> statement or conduct which clearly indicates in this context the data
> subject's acceptance of the proposed processing of his or her personal
> data. Silence, pre-ticked boxes or inactivity should not therefore
> constitute consent.
>
> "Consent should cover all processing activities carried out for the same
> purpose or purposes. When the processing has multiple purposes, consent
> should be given for all of them. If the data subject's consent is to be
> given following a request by electronic means, the request must be
> clear, concise and not unnecessarily disruptive to the use of the
> service for which it is provided." [2] (Split to highlight central section)
>
>
> Given the discussion is about about large-scale systematic data
> collection Ubuntu/Canonical should also be aware of:
>
> "Does my business need to appoint a Data Protection Officer (DPO)?
>
> "DPOs must be appointed in the case of: (a) public authorities, (b)
> organizations that engage in large scale systematic monitoring, or (c)
> organizations that engage in large scale processing of sensitive
> personal data (Art. 37).  If your organization doesn’t fall into one of
> these categories, then you do not need to appoint a DPO." [1]
>
>
> Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
> all data collection meets the requirements of the GDPR. This is a bigger
> issue than most people realise.
>
>
>
> References
>
> [1] https://www.eugdpr.org/gdpr-faqs.html
> [2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Notably, in the very first email in this thread, Will Cooke
specifically said IP addresses will never be stored with this data. A
Launchpad account is not needed for apport to send crash data for
stable Ubuntu releases (it works a bit differently while an Ubuntu
release is still in development.)

In my opinion, the basic hardware data collection being proposed is
completely insufficient to identify people.

Thanks,
Jeremy Bicha

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: More diagnostics data from desktop

[Jeremy Bicha]

On Thu, Feb 22, 2018 at 4:50 AM, Mark Rogers  wrote:
> But the issue of GDPR was mentioned earlier in the thread but seems to
> have fallen on deaf ears. If you are collecting this kind of data in
> the EU (and as far as I can tell telemetry data does get swept up into
> it indirectly if not directly) then opt-in isn't just advisable but
> legally enforceable.

What proposed collected data do you think should be considered
personal data for GPDR purposes?

Thanks,
Jeremy Bicha

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: More diagnostics data from desktop

[Mark Rogers]

On 21 February 2018 at 17:32, Jonty Gamao  wrote:
>
> Personally, I'll help out by giving you guys the data you're asking, but 
> there are others who are totally against this, especially the idea of opt-in.


"Me too".

But the issue of GDPR was mentioned earlier in the thread but seems to
have fallen on deaf ears. If you are collecting this kind of data in
the EU (and as far as I can tell telemetry data does get swept up into
it indirectly if not directly) then opt-in isn't just advisable but
legally enforceable.

Short of automatically ticking the opt-in box depending on location
(and how well can you know the location without a network
connection?), and potentially creating a documentation headache
because different people will see different things, and certainly
skewing the results, then surely the GDPR closes this part of the
debate down?

Going further: When the GDPR takes effect, will Ubuntu even be
compliant as it stands? Explicit and clearly defined consent on bug
reports, for example.

If someone has looked into this and determined that Ubuntu isn't
affected then I (and other EU) users would love to know more!

-- 
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450
Registered in England (0456 0902) 21 Drakes Mews, Milton Keynes, MK8 0ER

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: More diagnostics data from desktop

[Colin Law]

On 14 February 2018 at 15:22, Will Cooke  wrote:

> Dear all,
>
> We want to be able to focus our engineering efforts on the things that
> matter most to our users, and in order to do that we need to get some more
> data about sort of setups our users have and which software they are
> running on it.
>
> We would like to add a checkbox to the installer, exact wording TBD, but
> along the lines of “Send diagnostics information to help improve Ubuntu”.
> This would be checked by default.
>

I think it has been suggested that a popup asking nicely whether it is ok
to send diagnositics, with buttons for yes/no might go down better than a
checkbox. I concur with that idea as pre-checked checkboxes do have a bad
reputation.

Colin
-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: Mentors required for mentoring Linux Foundation GSoC Open Printing Projects.

[Jeremy Soller]

While people at the Linux Foundation continue to ignore desktop Linux, I
am completely uninterested in helping with your GSoC projects:
https://www.youtube.com/watch?v=3f8FPnAsIJ4&feature=youtu.be
--
  Jeremy Soller
  jer...@system76.com



On Wed, Feb 21, 2018, at 9:01 PM, Aveek Basu wrote:
> Hi All,
> 
> Like every year, this year also myself and Till  Kamppeter are
> organizing the Google Summer Of Code Projects for Linux Foundation.
> There are a couple of interesting project on this year's list with
> regards to Open Printing:> 
> https://wiki.linuxfoundation.org/gsoc/google-summer-code-2018-openprinting-projects>
>  
> 
> Already there is a bunch of talented students who are interested in
> working on these projects. We require your help in mentoring these
> students. It will be of great help if you could please help us in
> mentoring these students to deliver some great projects.> 
> 
> 
> Regards,
> Aveek
> 
> Org Admin 
> The Linux Foundation
> 
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel