#53 privacy policy should be updated to describe the privacy of Fedora installations, not participation in Fedora events
Closed: no action needed 2 years ago Opened 3 years ago by zbyszek.

== How the privacy policy is specified ==

/usr/lib/os-release contains PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy. PRIVACY_POLICY_URL is documented to "refer to the main privacy policy page for the operati[ng] system" [1]. This line was added to allow Gnome to display a link to the privacy policy without hardcoding the text or URL. It is currently shown by gnome-initial-setup [2].

[1] https://www.freedesktop.org/software/systemd/man/os-release.html#HOME_URL=
[2] https://in.waw.pl/~zbyszek/fedora/gnome-i-s-privacy-policy-screenshot.png

== Recent attempts at updating ==

There have been two drafts that I'm aware of:
- https://fedoraproject.org/wiki/User:Pfrields/PrivacyPolicyRedux discussed at [3]
- https://fedoraproject.org/wiki/User:Spot/PrivacyPolicyProposal discussed at [4]

[3] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011700.html
[4] https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013633.html

Neither of those significantly addresses the issues that have been raised in response to both proposals.

== What is wrong with current policy ==

[This part is subjective of course, please read it as prefixed with "IMO" everywhere]

As stated in $subject, it's a policy for a different purpose. The privacy policy used as "the privacy policy for the OS" should primarily and prominently describe what information is collected (or otherwise made public) when Fedora is installed, when a user account on the Fedora machine is created, and in normal use of Fedora.

Crafting a clear and simple policy will make a good impression that the Fedora Project cares about its users' privacy, and is safe to use in situations where preserving personal information is important.

A general problem is that the existing policy and the proposed draft do not make a clear distinction between a) installing Fedora and downloading updates, b) creating accounts for Fedora development and using the bug tracker, c) participating in Fedora conferences and such. Those three broad categories have completely different privacy implications. Not being clear about which of those the policy pertains to means that the policy greatly overstates the types of information being collected. In effect the policy is much more relaxed (i.e. bad for the users) than it could be.

Specific issues raised:

Should there be mention of NetworkManager-config-connectivity-fedora? (ie, checking http://fedoraproject.org/static/hotspot.txt for captive portal) [5]

In the section about 'Cookies and other Browser information', it might be useful to mention that the 'User Agent ID' of Browsers that are packaged in Fedora is configured to identify the system as running Fedora. [6]

For example, the list in "Publicly Available Personal Information" really isn't palatable. A better way of showing this might be to say: "the information you give when creating your account will be public by default. You can see what data is publicly visible <here> (link to the public page for the user), modify your privacy settings <here>, and request deletion of the account <here>" [7]

I also don't like the "Personal Information" vs. "Non-Personal Information". It might be how a lawyer works, but just because it pertains to a computer and not to a person doesn't make it less identifying. [7]

The privacy policy needs to refer to "user account" in such a way that it'll be clear that it's talking about accounts for contributors (FAS) and not a user account on your system or an online account you add via GOA, to make it clear Fedora doesn't scrape your name (or other identifying details) from Google / Facebook accounts added via GOA, nor the "Full Name" field of user accounts on your computer. [8]

""
we may disclose personally identifiable information about you to third parties
in limited circumstances, including:
...
- for research activities, including the production of statistical reports (such
aggregated information is used to describe our services and is not used to
contact the subjects of the report).
""
AFAIK, in Germany, it's the law that any such "passing on personal information" needs to be opt-in - "Opt-out" and "always-on" would be unlawful. [10]

What procedures are being put in place so that EU residents (and hopefully everyone) can contact Fedora or Red Hat to obtain/understand/verify/delete their machine data, beyond obviously personal data?

[5] https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013643.html
[6] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011703.html
[7] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011727.html
[8] https://lists.fedoraproject.org/pipermail/desktop/2015-March/011729.html
[9] https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013637.html
[10] https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013637.html
[11] https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013649.html

== tl; dr ==

The policy is too complicated, yet lacks detail and does not provide strong guarantees.
Statements like "The Information We Collect ... your Fedora Account password .. your SSH public key ... your affiliation" are not appropriate for a page linked to from the "Privacy Policy" link displayed during installation.

I hope the Council can help to push towards a better policy document. Currently things seem to be stuck in minimal edits over the last year and a half. Maybe the document should be opened for public editing on a wiki somewhere so that people can rearrange the text and take it further from its current form. If the Council accepted the general idea of providing strong privacy guarantees, things could move forward.
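As an added illustration of the os-release lookup described under "How the privacy policy is specified" (example code written for this page, not code from systemd, GNOME or the ticket author), this resolves PRIVACY_POLICY_URL the way a desktop component such as gnome-initial-setup has to: honouring the documented lookup order (/etc/os-release overrides /usr/lib/os-release) and the shell-style quoting the format allows. The sample file contents are constructed.

```python
# Added example: resolve PRIVACY_POLICY_URL from os-release the way a desktop
# component such as gnome-initial-setup has to, honouring the documented lookup
# order (/etc/os-release overrides /usr/lib/os-release) and shell-style quoting.
import os
import shlex

OS_RELEASE_PATHS = ("/etc/os-release", "/usr/lib/os-release")

# Constructed sample modelled on the line quoted in the ticket; not copied
# from a real installation.
SAMPLE_OS_RELEASE = """\
NAME=Fedora
ID=fedora
PRETTY_NAME="Fedora (Workstation Edition)"
# comments and blank lines are permitted by the format

HOME_URL="https://fedoraproject.org/"
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
"""


def parse_os_release(text):
    """Parse os-release KEY=value lines into a dict. Values may be bare or
    single/double quoted with shell escapes, so shlex does the unquoting;
    comment, blank and malformed lines are skipped."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.isidentifier():
            continue
        try:
            result[key] = " ".join(shlex.split(value, posix=True))
        except ValueError:  # unbalanced quotes: treat the line as malformed
            continue
    return result


def privacy_policy_url(paths=OS_RELEASE_PATHS):
    """Return PRIVACY_POLICY_URL from the first os-release file that exists
    (the /etc copy wins over /usr/lib), or None if no file or no such key."""
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return parse_os_release(fh.read()).get("PRIVACY_POLICY_URL")
    return None
```

On a Fedora machine `privacy_policy_url()` returns the wiki link quoted in the ticket; on a distribution that omits the key, or on a system without os-release, it returns None, which is the case a UI must handle before showing a link.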


Replying to [ticket:53 zbyszek]:

== tl; dr ==

The policy is too complicated, yet lacks detail and does not provide strong guarantees.
Statements like "The Information We Collect ... your Fedora Account password .. your SSH public key ... your affiliation" are not appropriate for a page linked to from the "Privacy Policy" link displayed during installation.

I hope the Council can help to push towards a better policy document. Currently things seem to be stuck in minimal edits over the last year and a half. Maybe the document should be opened for public editing on a wiki somewhere so that people can rearrange the text and take it further from its current form. If the Council accepted the general idea of providing strong privacy guarantees, things could move forward.

You seem to have a good handle on the kinds of changes and overall document you wish to see. Perhaps it would be more expedient if you took the source of the current page (which is accessible) and modified it to match what you would like to see. Then the Council, along with Fedora Legal, could review the new document directly as a possible replacement.

As it stands, the Council has never explicitly addressed this issue and its former incarnation in the Fedora Board tended to lean on Fedora Legal to provide guidance. I won't speak for the Council, but I don't think you'll find anyone really opposed to protecting privacy, yet they may be hesitant to jump into a topic they are fairly unfamiliar with.

Adding Spot for Legal and Paul Frields for prior attempts.

I believe Spot reviewed, pulled in, and edited my earlier draft when putting his together. So his is the latest draft I'm aware of.

Be that as it may, perhaps we simply need a document that describes the ways in which the Fedora OS uses data that might be identifying in some fashion. It could also include information that tells people how to alter their system or user configuration, if desired, to reduce egress of that data. That document would need to be owned by someone, and regularly reviewed for accuracy.

This is likely better than stuffing data that potentially changes each release cycle in a legal document that ''shouldn't'' often change, and whose purpose isn't to describe low level OS configuration details.

Well, one problem here is that we may not actually be aware of all the places where personally-identifying information could be gathered. We can't realistically audit every package in the Fedora collection to find out, either.

We might need to treat privacy policy as equivalent to our license policy and require each package maintainer to provide a privacy policy for that package. (This of course is a painful effort and will likely irritate our maintainers.)

Alternately, we provide a privacy policy like Facebook, where "all data are belong to us". That of course would be in poor taste and rub many of our users the wrong way.

A middle-ground might be to state that the policy applies only to those packages in the default install of the Editions, which would likely be a manageable set of content to work through.

Replying to [comment:4 sgallagh]:

Well, one problem here is that we may not actually be aware of all the places where personally-identifying information could be gathered. We can't realistically audit every package in the Fedora collection to find out, either.

We might need to treat privacy policy as equivalent to our license policy and require each package maintainer to provide a privacy policy for that package. (This of course is a painful effort and will likely irritate our maintainers.)

Not only painful, but error prone and it doesn't scale from an end user point of view. Now you have 16,000+ privacy policies that need to be created, audited, read by a user... it simply isn't feasible.

Alternately, we provide a privacy policy like Facebook, where "all data are belong to us". That of course would be in poor taste and rub many of our users the wrong way.

Kinda.

A middle-ground might be to state that the policy applies only to those packages in the default install of the Editions, which would likely be a manageable set of content to work through.

This isn't manageable either. It still suffers from the scale issues, both on creation/curation and end-user review. We don't need to take one problem and turn it into 200 or 2000.

A real middle ground is something similar to what we already have. That might not be fully complete or clear enough as zbyszek makes some decent points, but it is likely the best course of action here.

It's a good point that every application can expose data on its own. Especially since we cannot expect users to see a clear distinction between "Fedora the OS" and any package distributed in Fedora. And yes, going into technical details would create an unmanageable mess. The way out, I think, is to distinguish between data that you expose to Fedora servers, i.e. data which is inherently exposed by installing, updating and running Fedora, and data which is exposed to other parties by use of applications. I think this latter part could be the subject of a privacy guide, but falls outside of the scope of a Privacy Policy.

I think that current policy is dangerously close to "all data are belong to us", without needing to be. Fedora is pretty good about not collecting data so we are underselling ourselves here.

I'll have to put my money where my mouth is and come up with a draft as jwb suggested. I'm bound to get various details wrong, but maybe it can serve as a starting point for further discussion.

zbyszek, did you ever get a chance to try that draft?

Sorry, I didn't even start working on this so far.

That's okay.

Meanwhile, it's my understanding from Legal that the term "Privacy Policy" has some specific implications that they'd like us to stay away from meddling with. Not being a lawyer, I don't know precisely what that means, but I think it's basically that the privacy policy exists to make sure basic obligations and they don't want potential liability expanded beyond that.

Since as Fedora we can't really police what happens in every one of our packages and are just making a best effort, I can see a real concern. I do think it's in line with the Fedora mission to have aspirations towards an OS which is respectful of user privacy, though, so we should come up with something that is not a "privacy policy" but addresses our intentions. (Like the document Paul mentions in comment #3)

Closing due to lack of action and no draft forthcoming. If we want to continue work on this issue, please prepare a draft and open a new ticket.

Metadata Update from @bex:
- Issue close_status updated to: no action needed
- Issue status updated to: Closed (was: Open)

2 years ago
