F40 Change Request: Privacy-preserving Telemetry for Fedora Workstation (System-Wide)

2 posts were merged into an existing topic: Opt-in / Opt-Out? A breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation


I think I replied to this a few other places, but to re-iterate, other spins are free to opt-in to this if they are interested, but they would need to take on the work needed to make it work. That work would be a lot less than what is required to get this going from nothing, but at the same time there is little value in making other spins doing the work needed to opt-in a blocker for the proposal.

A lot of the data collected is likely to be quite desktop specific, i.e. which extensions people like to use or what terminal application they use etc.

Data like for instance what percentage of systems are using the binary NVidia driver is likely quite representative, but even that might be different, maybe for instance GPU capabilities influence people’s desktop choice.

But since we are actively trying to avoid collecting the data in the form of user profiles as a way to address privacy concerns, we don’t want to distort the Workstation data with data from the other spins, since we have no way of making the connection between the spins and the data (ref. the proposal’s mention of “each metric that we collect will be considered individual, non-correlatable data by default”). On the other hand, if all Fedora Workstation users use konsole then that would be useful data, while knowing that KDE spin users use konsole is not that useful for Fedora Workstation (but it might be a useful thing to confirm for the KDE spin WG).

1 Like

Well, it would be representative of Fedora Workstation users. :)

But this is a good point. Spin maintainers really ought to consider whether telemetry might be useful for them too. But that would really be a decision for spin maintainers to make.

And what about the users running Fedora Workstation that install KDE and only use KDE at this point?

Yes, that is true, but what we have seen from other major changes is that users over time do tend to re-install eventually, so the data collection will improve over time, but yes, the first time period after this goes live the data will initially be of lower quality.

Trust and optics have been mentioned repeatedly in this thread, and for good reason. Unless handled with sensitivity in rather a different league than this thread, the optics will be “IBM subsidiary RedHat wants in on user data in its free version of RHEL!” or something similarly incorrect, but plausible for people “who just want a nice desktop”. They don’t really know, or want to know, about the exact nature of the relationship between RH, dev teams inside RH, IBM, and Fedora.

A class of user which I’m a member of seems to have been overlooked, those who don’t use Gnome as a DE, but just happen to use some Gnome programs. A fair deal of the Gnome ecosystem is therefore live on their systems. These users fall between two stools from what I can tell from many posts here. Yes, it has been clearly said how it will work for them, but it becomes yet another thing to care about, or ignore, for them (us).

My own, personal perspective is that for myself, it’s easier, and far more enjoyable, simply to switch distro than having to waste time learning about yet another telemetry subsystem. I’m taking a wait and see approach for now, and as a single user I’m of course not statistically relevant anyway. But, again, optics; us weird Europeans have healthy skepticism of data harvesting, however well-intended it is.

Reading the thread, user churn has been anticipated, and while most people of course shout they will switch distro and then do nothing, actual churn will only be known in the months following an implementation. Yet another question telemetry will answer, albeit indirectly.

3 Likes


I assume that if you are not using GNOME as a DE you are not using Fedora Workstation and thus there is a high probability that this proposal will change nothing for you.

Correct.

I’m going to add this suggestion to the feedback section of the change proposal. (Your other points – radical transparency and differential privacy – are already on my list because they were suggested by others.)

So although I’m certainly open to feedback on all aspects of this design (except the need for telemetry to be opt-out), I am nervous about the explicit choice approach because that is the approach Apple has taken with iOS, and those users have overwhelmingly opted out of data collection (something like 95% refuse to share).

Maybe it would work better for us since we are Fedora rather than Facebook (or whatever) and are presumably more trusted (although, based on the feedback we’ve received thus far, I am starting to question even that much). I suppose I shouldn’t put my foot in the sand here and reject the idea outright, but it makes me nervous that not enough users will choose to enable it.

3 Likes

I think right now Fedora is much more trusted than Facebook, but Red Hat’s recent actions have affected that and this undeniably would too.

1 Like

My intention is that everything will be implemented in GNOME. I don’t want to do this via downstream patching. GNOME developers complain pretty regularly about lack of telemetry, so I don’t expect it to be very controversial for upstream. (It’s possible that particular upstream developers may block us from adding telemetry to particular components, though, which is OK.)

We even considered having a GNOME telemetry server rather than a Fedora one, but ultimately, having the distros run the telemetry servers seemed most practical. Some distros will not want to do this at all, for example. Others will want to collect more or fewer or just different metrics. I’m assuming the Fedora community will be pretty strict about approving new metrics, whereas Endless is more flexible because their users do not care so much about telemetry. Each distro will be different here.

2 Likes

We even considered having a GNOME telemetry server rather than a Fedora one, but ultimately, having the distros run the telemetry servers seemed most practical. Some distros will not want to do this at all, for example. Others will want to collect more or fewer or just different metrics.

This could still be done/approved by upstream. The metrics we want may be met by their needs already.

GNOME developers complain pretty regularly about lack of telemetry, so I don’t expect it to be very controversial for upstream.

My experience in packaging for Fedora stuff is a little old, but I thought we were always to try to patch upstream first. No? It seems like we didn’t engage upstream GNOME and are making assumptions about what we might think is best vs actually asking them first? Maybe I’m not understanding and you can clarify.

1 Like

Since @catanzaro has made clear that an opt-in alternative will not be taken into consideration, this proposal receives a straight no from my part.

If the proposal eventually gets accepted by the community, my decision on whether to keep using Fedora Workstation after F39 will depend on either of the following changes being implemented:

  • Local data collection after upgrades from earlier releases (as well as – preferably – the installation of any telemetry-related package) is made opt-in rather than opt-out

  • An advisory is presented either before or after each OS upgrade that clearly explains (possibly by linking to an offline resource) how to stop local data collection and delete all collected data

    • The process to delete all locally collected data is made as simple as pushing a button in GNOME Settings or deleting a single directory (i.e. not a directory per user, or a plethora of different directories scattered all around the filesystem, for instance)

This is in reference to this part of the proposal:

Metrics uploading will be opt-in for users who upgrade from previous versions of Fedora Workstation, because we don’t yet have a mechanism to ask the user to consent to data collection after a system upgrade like we do for new installations, but metrics collection will be opt-out. That is, your upgraded system will collect metrics locally but will never submit them to Fedora. If you visit the privacy page in gnome-control-center, then both collection and uploading will be either enabled or disabled depending on the user’s selection. Unlike gnome-initial-setup, the switch in gnome-control-center will default to off if the user has not seen the switch in gnome-initial-setup and has not previously selected a value for the setting.

This might sound complicated, but it is consistent. If the user has not yet made a decision whether to allow telemetry, we collect it locally so that it’s ready to submit if the user approves telemetry in the future, but we never upload it. Once the user makes a decision, then we either upload it or delete it and stop collecting.

I understand why collection and upload are kept separate from the perspective of this proposal, but if I don’t want telemetry to be collected on my system, I see no reason why I should go along with the proponents’ wishes. If I want to opt out, I need to be able to truly opt out of all data collection, even if only locally. This seems to be granted on new installs,

a newly-installed Fedora system will always collect metrics locally at first, but the collected metrics will be deleted [emphasis mine] and never submitted to Fedora if the user disables the metrics collection toggle on the privacy page.

but not on upgrades. While untoggling a preference during either installation or first configuration may not be a huge deal (though, to be clear, I’m still not at all happy with it), having Fedora collect my usage data by default on upgrade with no sufficient explanation on how to disable the feature and delete the collected data is 100% a no-go for me.

Going forward, if the community accepts this proposal – even with the aforementioned changes being implemented – I will be looking for alternative spins of Fedora which do not include telemetry (or that include it opt-in). If I can’t find any that satisfy my needs, I will seriously consider whether using Fedora is worth the burden to manually have to track how telemetry is used on my system.

I would like to end with a few comments. First of all, I’d like to point out that asking users not to be emotional about these types of proposals is extremely disrespectful. While I do acknowledge that the proposal has been drafted with good intentions, the comments that try to pass this as merely a technical discussion do forget that it is the private lives of people we’re talking about here. If you don’t like them being mad when opt-out telemetry is proposed to be installed on their systems, take their answer as a no and move on. They have the right to be mad.

Second, I would suggest that the proponents stop calling the kind of data collection they are considering “non-invasive”. This list contains a frightening amount of system usage and configuration detail. I understand that (probably?) not all the items in the list will be collected, and that the collection of each will (probably?) need separate approval. I also understand that the implementation of the telemetry system may (probably?) be able to preserve the privacy of the user at the level of the database. Nonetheless, the perspective of this kind of data already being collected locally, let alone being sent out to the internet, is invasive enough in and of itself, as far as I’m concerned.

Finally, at the risk of going off-topic, I will say that yes, I would accept opt-in telemetry on my system. I would still opt out, given that I value my privacy far more than having better software on my Fedora installation. But at least I could cope with the idea of my system not doing or storing funny stuff by default. Let me be very clear: it’s not that I don’t trust Fedora. But you know what they say, shit happens, and in order to minimize the chances of that happening an opt-in is the very least one can ask for. This may not be of interest to the proponents, but I believe it is important that the reason of my no be clear.

9 Likes

My thoughts exactly. I believe these exact thoughts are probably shared by most users here.

4 Likes

the people wanting to keep Firefox are a lot more motivated to participate than the people who don’t care.

Again, the core of the idea is that users would not know that the poll was about Firefox before agreeing to participate. So you get data back whether they’re motivated or not.

if people have considered the tradeoffs possible. I.e. could the investment in Firefox be moved to VS Code for example.

Now talking about Firefox specifically at the object level and not just as a hypothetical of something you might poll about, it seems to me the most important factors are 1) whether the Flatpak package is an adequate substitute and 2) whether the “investment” in Firefox is inclined to be invested in VS Code instead.

I don’t think telemetry is going to get you either of those. (#2 is obvious.) I use the web with flatpak Firefox, but making it usable required significant tweaking to get RGB font antialiasing to work, and I still use rpm Firefox for viewing svg files, because the flatpak doesn’t work with drag-and-drop.

The telemetry would say that I have the flatpak running 24/7 and use the rpm once a month. That pattern looks exactly the same as someone clicking the native launcher by accident, or checking up to see if there are any differences.

A less technical user might ditch the flatpak the first time they hit a problem instead of sticking with it due to enthusiasm for new tech. Or, they might never notice the ugly text or try to drag/drop a local file.

As for VS Code, I use it, but the .desktop application name is “VSCodium (on fedora_38_distrobox)”. That wouldn’t cluster correctly in summary data without someone explicitly choosing to look for possible name variants of popular applications.

The more I think about it, the more I come to appreciate @johnandmegh’s point about telemetry being useful mainly for things like hardware, where it’s hard to misinterpret and offers clear direction. Unless you’re a single-minded conversion rate optimizer like Amazon or Google, knowing what a user does is not useful without knowing why they’re doing it.

1 Like

A post was merged into an existing topic: Approaches to data handling, safety, and avoiding individual identification — a breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation


You’re being too strict. You’re complaining about the case where the setting is in the initial state (user has neither consented nor rejected data collection) and data is collected locally but never uploaded to Fedora. (I know you understand this, but I want to be crystal clear for everybody else who may be skimming this discussion rather than reading your post in detail.) You want us to prominently explain this level of complexity to users and instruct them how to remove all components from the system, even though they are not uploading any data to Fedora, and even though they can be deactivated by flipping a simple switch. It doesn’t seem like a serious request to me.

What I am more willing to do is present the simple switch to users when upgrading from previous versions of Fedora, using gnome-tour. (I had been hoping we could save this for later, though, or even not do it at all and only collect data from fresh installs.)

I mean, you know where the disable switch will be. View it in gnome-control-center and the local collection will be disabled. You won’t even have to flip the switch, since in gnome-control-center the switch will be off by default and just viewing the page will be enough to disable local collection. Switching to another distro to avoid flipping a toggle switch seems pretty extreme.
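
The consent states argued over in this thread (undecided, enabled, disabled), modelled as an added example that is not part of any post and is not GNOME or Fedora code. The class and method names are hypothetical, the metric strings are constructed, and the behaviour follows the proposal text quoted earlier in the thread.

```python
from dataclasses import dataclass, field
from enum import Enum


class Consent(Enum):
    UNDECIDED = "undecided"   # user has never seen or set the switch
    ENABLED = "enabled"
    DISABLED = "disabled"


@dataclass
class MetricsModel:
    """Hypothetical model of the described behaviour; not project code."""
    consent: Consent = Consent.UNDECIDED
    local: list = field(default_factory=list)     # metrics held on the machine
    uploaded: list = field(default_factory=list)  # metrics sent to the server

    def record(self, metric: str) -> None:
        # Collection runs while undecided or enabled; it stops once disabled.
        if self.consent is not Consent.DISABLED:
            self.local.append(metric)

    def upload(self) -> None:
        # Upload requires an explicit "enabled"; undecided never uploads.
        if self.consent is Consent.ENABLED:
            self.uploaded += self.local
            self.local.clear()

    def decide(self, enable: bool) -> None:
        # One decision governs both collection and upload.
        self.consent = Consent.ENABLED if enable else Consent.DISABLED
        if not enable:
            self.local.clear()  # opting out deletes what was collected

    def view_privacy_page(self) -> None:
        # The settings switch defaults to off when no value was ever chosen,
        # so viewing the page without touching it resolves to "disabled".
        if self.consent is Consent.UNDECIDED:
            self.decide(False)


def upgraded_system(views_page: bool) -> MetricsModel:
    m = MetricsModel()            # upgrade path: no consent prompt was shown
    m.record("constructed-metric-1")
    m.upload()
    if views_page:
        m.view_privacy_page()
    m.record("constructed-metric-2")
    m.upload()
    return m
```

In the undecided state nothing is uploaded, but the local buffer keeps growing until the privacy page is opened. That data at rest is the difference the two sides of this exchange are arguing about.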