F40 Change Request: Privacy-preserving Telemetry for Fedora Workstation (System-Wide)

With this type of argument every accessibility features would be useless because the normal user doesn’t care and the minority is not representative.

I looked and do see the phrasing in the post, so I will acknowledge it does appear unintentional in this instance.

The main problem as pointed out is that you do not and cannot ensure that every user actually sees the option, but you are saying they will. It isn’t accurate. A more accurate wording would be that they are “presented with the option”. I recommend the phrasing be updated. Regardless, if you implement opt out you will be tricking some number of users. Just none of the proponents are willing to admit it, or apparently yourself. As I said I could rush through an install and click yes without realizing what I was clicking next to.

This is a tangent, but see here.

It’s too much work for very little benefit. Very few people are going to care whether telemetry packages are installed so long as they can disable data collection. You probably don’t access your workstation using ssh, but have you uninstalled sshd? Probably not. Is it a security risk to have it installed even though the service is not running and sshd is not listening on any socket? Most people would say no. You can remove it if you really want to, but this is optional.

It’s actually possible for anaconda to vary the set of packages that get installed when using the non-live installers, but the live installer is the only download offered for Fedora Workstation. This version of anaconda is image-based, not package based. It’s going to copy the entire image to the installed system. It doesn’t have the capability to install or remove particular packages.

Now, theoretically, we could ask the anaconda developers to add that capability. (In fact, we want them to, so that we can uninstall anaconda itself, which is currently installed simply because there is no way to remove it, even though anaconda is useless on installed systems.) But then we have to ask whether the user experience would be good. I think the best user experience is to put this choice in gnome-initial-setup. Having one privacy setting in anaconda and two in gnome-initial-setup seems non-ideal.

One more thing to note: if eos-event-recorder-daemon is not installed, then the option to enable/disable telemetry will disappear from gnome-initial-setup and gnome-control-center.

Here’s my take: I proposed that we move conversations about Changes from the devel list to this site. That raised the visibility enormously, and brought in a lot of new people — including long-time Fedora users who hadn’t previously been active in our Change discussions.

That’s great (even if the sheer volume has made it all a bit hard to keep up with). But, it feels like a lot of folks are showing up without understanding Fedora’s long-standing process. I’ve seen a lot of people saying they’ll never trust Fedora again because this was even proposed — I won’t put words in your mouth, but I think that’s what you’re implying with “not sure about that anymore”. I’m also seeing many people upset with Michael for defending the proposal. But that’s… how it works. It’s something he and his team want to do. So of course he’s going to advocate for it. (Some of his language could have been a lot more diplomatic. But not everyone should have to be a silver-tongued diplomat to suggest an idea! There isn’t a corporate PR team approving any of this.)

I’m going to link to my own post from earlier rather than repeating:

We need it to be safe for people to propose changes, even controversial ones. I hope, on reflection, people find that worthy of trust after all.

To much work to run an uninstall command after the install command? For this to be “to much work”, Anaconda has to be completely broken by design.

Only when stack variables are collected. That’s the difference between the automatic reporting (simple backtraces, no chance they contain personal data) vs. manual reporting (better backtraces, might sometimes contain personal data). It’s simply impossible for anything other that source code to show up in a backtrace without stack variables. That’s the only place that user input could appear.

You’re kinda just digging yourself a bigger hole here.

I assume this was already your intention (sincerely), but I want to say it explicitly as it’s really important. Regardless of whether any other condition is true such as a package being installed, if the telemetry option value is set to any value other than none the toggle, slider or whatnot should always be displayed.

I’ll probably add it to the workstation-product comps group, and also add Recommends: from gnome-initial-setup and gnome-control-center.

The UI to enable/disable would disappear if not installed.

Again, the screenshot of the proposed UI:

It’s quite a stretch to call this a “dark pattern” or say that people will be “tricked.” This toggle is very prominent, not hidden. It’s not impossible that users will click through without reading, but it’s pretty unlikely as gnome-initial-setup is kept short.

We’re probably not going to be able to agree on this.

I don’t think anyone is marginalized here. Michael is allowed to have and express that opinion. NB is allowed to have an express the opinion that a default “on” option with a next button is a “dark pattern”. There are plenty of other people who share those views or have ranges of other opinions. People with conflicting opinions are going to continue to argue for their own with (hopefully) the most convincing approach they can. Disagreement isn’t marginalization.

Anyway, I’m pretty sure I’ve read and considered every message.

I have not, however, seen a single post from anyone in the conversation who does not care about privacy. So I don’t think that’s a fair thing to say at all.

I don’t think so?

Let’s say I don’t trust the telemetry data and so I use a kickstart file to exclude the package at install. The telemetry data system/package/software is never installed on my laptop. When I go through the first boot, we don’t want to ask the users if they want it or not (it’s not installed, I don’t want it) so it never appears. Likewise if I go into settings, there’s nothing there to toggle because the required package isn’t on my system.

This is what I would want.

You are being very literal with the interpretation of my words.

I could instead say “I have to admit, it is frustrating that no matter how many people post, people who care more about privacy are being considered a vocal minority and continually marginalized.”

That being said, that comment wasn’t solely directed at @catanzaro. It has been a repeated comment from many others.

I have done my best to work hard to be as even and fair as I possibly can be while still sharing my opinions. However, I definitely feel marginalized by the conversation up to this point.

There is really no point in displaying a setting that won’t do anything? If it’s not installed, we can’t even check whether it’s enabled/disabled so displaying a toggle is not going to work.

Also, these code changes are going into GNOME, and other distros will not have the telemetry packages installed at all. We can’t display them unconditionally as that would not be right for other distros. So it has to be somehow conditional. Making it runtime conditional is much nicer than adding build guards.

What I’m referring to specifically with the digging yourself a bigger hole comment is the conditional hiding of the element which clearly denotes the current state of telemetry. We’re talking right now about this from a Fedora context, but we’re also essentially talking about adding telemetry to the GNOME desktop in general. That decision is going to cascade through the different distributions and manifest itself in different ways. Not having a well-known location where a user can clearly see the current status of telemetry, even if it’s disabled, is not a particularly good idea.

OK, amazingly I’m now caught up in this main topic. I am going to start focusing on the breakout topics now.

If there is a value that controls whether telemetry is collected and transmitted and it has a value set to anything other than to a “none” or “disabled” condition, I would in the strongest possible terms suggest there is an unambiguous indicator to the user that the condition is present. I’d even go so far as to say you’d probably want to explain the situation to legal and see what their official opinion is on the matter.

If there’s no package installed, there’s no telemetry. There’s no state because it cant. (Different than it can, but is turned off) But I think I get your point that it would be nice to know for sure. (Like it’s there but greyed out/unselectable). But the below part is a blocker for it.

This is an EXCELENT point. Personally, I think this should be submitted upstream before hitting us in fedora.

A post was merged into an existing topic: Decision-Making, Governance, Council, Red Hat — a breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation

No we aren’t. Because you want to collect the data of the users that will be tricked into it and of those who would say no if you actually made them provide an answer. Clicking “next” is not an answer to anything except I want to go to the next screen. Part of the discussion was literally about how users don’t want to read anything and you are going to sit here and say it’s unlikely now? Same thing with click throughs. You aren’t interested in facts, you are only interested in getting the results you want.

“Pretty unlikely” is similar to a previous point of being less deceptive. Fedora should want 100% unquestionable consent and 0 deception. That isn’t what this proposal provides.

I support users in my job, they could easily be tricked by this. I’ve seen some tricked by less. I’ve had users who immediately clicked something right after I told them not to.

I wrote a ticketing system in between other work tickets over a couple of days. I manage my employers client computers, servers, OS’s, client server applications, phones, phones systems, smart switches, routers, firewalls, access points, security systems, do user support and more. I could easily be tricked by this rushing through an install. But I must be really stupid according to your logic.