Approaches to data handling, safety, and avoiding individual identification — a breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation

The design needs to be rethought, I think; it’s underwhelming for something described as privacy-preserving: there’s little attempt to ensure that IP addresses aren’t stored, because the nginx server and the server running azafea-metrics-proxy can be compromised. Open source or not, this system has no way to ensure that the code running on the servers discards IP addresses. Nor can we reasonably trust that this project will be appropriately resourced to ensure that the servers will be secure or that there will not be a misconfiguration causing IP addresses to be logged by some software or other after all. CPE already doesn’t have enough resources to maintain some parts of Fedora infrastructure, and with the passage of time a server that is up-to-date and secure and appropriately configured quickly becomes not up-to-date, not secure, and not appropriately configured.

The IP address issue needs to be fixed, and that requires significantly more work than just using Azafea. Even without that, much more effort could usefully be put into making this system less non-privacy-preserving. There is low-hanging fruit like encrypting the metrics so that nginx and the metrics proxy cannot read them. Another low-hanging fruit is ensuring that the environments hosting the Redis and PostgreSQL databases and Azafea do not have Internet access, to make it harder for any data to be exfiltrated. That would still not be privacy-preserving at all, because of the IP addresses, which are the most glaring problem, but it would be an improvement.

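An added illustration of the "encrypt the metrics so that nginx and the metrics proxy cannot read them" suggestion in the post above; this is example code, not code from the Fedora proposal or from Azafea. The client seals each payload to a backend X25519 public key, so the relaying servers only ever handle ciphertext and only the component holding the private key can open it. The envelope layout, the derivation label and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aead derives an AES-256-GCM key from the X25519 shared secret. SHA-256 over a
// constructed label || shared || clientPub || serverPub stands in for HKDF (stdlib only).
func aead(shared, clientPub, serverPub []byte) (cipher.AEAD, error) {
	msg := append([]byte("telemetry-envelope-v1"), shared...)
	key := sha256.Sum256(append(append(msg, clientPub...), serverPub...))
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal runs on the client: it encrypts one metrics payload to the backend's public key
// under a fresh ephemeral key. Envelope: ephemeralPub(32) || nonce(12) || ciphertext+tag.
func Seal(serverPub *ecdh.PublicKey, payload []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(serverPub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aead(shared, ephPub, serverPub.Bytes())
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	env := append(append([]byte(nil), ephPub...), nonce...) // fresh copy; AAD binds ephPub
	return gcm.Seal(env, nonce, payload, ephPub), nil
}

// Open runs only on the backend that holds the private key; nginx and the metrics
// proxy relay the envelope but see no plaintext and cannot alter it undetected.
func Open(serverPriv *ecdh.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < 44 { return nil, errors.New("envelope too short") }
	ephPubBytes, nonce, ct := env[:32], env[32:44], env[44:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil { return nil, err }
	shared, err := serverPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, err := aead(shared, ephPubBytes, serverPriv.PublicKey().Bytes())
	if err != nil { return nil, err }
	return gcm.Open(nil, nonce, ct, ephPubBytes)
}
```

This does nothing about the source IP address the post identifies as the main problem; it only removes the payload from what the front-end servers can read or log.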