On Tue, May 24, 2011 at 12:30:09PM -0700, Kees Cook wrote:
> I have no general objection to collecting this kind of information, so long
> as it provides actual value. For example[1], connman connects back to
> http://www.connman.net/online/status.html and reports its version every
> time it establishes a network connection. This provides direct value to the
> user because their software is able to better detect if it has actually
> found a "real" Internet connection or not, and do something about it.
>
> What value does the installer connect-back actually provide the user? Why
> are raw counts of any value? It would seem that reporting a full set of
> hardware details in the connect-back would actually give you better
> before/after logs ("people with FooBar wifi are never seen again"), but it
> still doesn't provide the user with immediate direct useful improvement to
> their Ubuntu experience, so I'm not sure it's worth doing.

Some of my friends have been talking about the new European privacy legislation recently, which particularly affects web sites implementing cookies; but it occurred to me that it was probably general enough that it might have some bearing on this, so I went and checked. Here's the text, Directive 2009/136/EC (http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBgQFjAA&url=http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DOJ%3AL%3A2009%3A337%3A0011%3A0036%3AEn%3APDF&rct=j&q=%22directive%202009%2F136%22&ei=vI3eTZSxD8PLswbsxbXFBQ&usg=AFQjCNFJiyqZ0udj1H8DhsjJ459e7BTGQA&sig2=CVOoklG1FoyFxjVpo_8vpQ&cad=rja), paragraph 66, which is indeed not specific to cookies, and touches on similar "value to the user" topics as Kees mentioned:

  Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Obviously IANAL, but this seems general enough that it could easily cover this proposal (though I haven't looked up the ICO's guidance). Note in particular that this directive is not restricted to personally-identifying data, so it's not quite the same as traditional data protection concerns. I think we may well be obliged to obtain explicit prior consent, not merely provide an opt-out that's hidden away in preseeding.

It may well be possible to ask the Information Commissioner for guidance on this, as I expect that it may turn on whether this kind of thing counts as "information on the equipment of a user". Given that we're subject to UK law and that this is a high-profile issue right now, it seems to me that asking for such guidance would be a good idea.

Cheers,

--
Colin Watson [[email protected]]

--
technical-board mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/technical-board
