Opt-in / Opt-Out? A breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation

if the default was “no” id be ok with it. keeping it as “yes” and not compromising feels like youre trying to trick the click-throughs into handing over data they might not have.

when an org asks for data and simply lays out why while showing me the exact data, i often oblige.


I’m not sure I would equate a single system report with the type and level of telemetry that is included in the proposal even as it stands now. By definition from the proposal the telemetry collected is not static, like Microsoft Windows, every single update installed will potentially change what is collected from a user. Otherwise, sure, they’re both examples of “opt-out” mechanisms.

1 Like

Canonical is a really bad example here.
If you opt out, it will still send a request (but with OptOut: true flag) to their servers leaking IP and every User has to opt out manually. There is no global option.


That would work for me tbh. Depends on how it works in the background, whether it only installs if you say “Yes”.

1 Like

Opt-Out is not going to fly with 80% of the Linux community. If the proposal is kept as-is, it will almost certainly be rejected.

A reasonable solution for both parties might be to do it like the iOS setup, where the user specifically has to select yes or no:

(Note that this example is just an example, obviously this implementation has issues (namely the dark pattern where the “Yes” option is heavily emphasized, while the “No” option is very de-emphasized).


That solution is a little better than the Ubuntu example, but it’s a dark pattern, as Share with App Developers is highlighted.


I’m very aware of that, obviously the iOS implementation is not perfect, but it does represent a starting point for a potentially-reasonable middle-ground between opt-in (not that useful) and opt-out (very problematic).


Even the iOS example is pushing the users via the button colour to press the Share with App Developers button. It’s awful.


Obviously this example shouldn’t be copied verbatim, I added an edit to my post to clarify the intent of my suggestion.

1 Like

Do you have a source for that assertion? I think the Ubuntu example demonstrates definitively otherwise — the general result, as far as I can see, has been a collective shrug.

(And this proposal seems a lot more transparent and careful than what they’re doing.)


I will NOT consider modifying this proposal such that the data collection is opt-in. I’m open to feedback on everything else, but not that, because there is no use for garbage data. If the Fedora community requires that this be opt-in, then I would give up on the proposal and we’ll just not have any telemetry.

1 Like

Much of the Linux community is very anti-Ubuntu/anti-Canonical already for a variety of reasons (some legit, some less so). Likely, most of the people who are against stuff like opt-out telemetry have already sworn off Ubuntu for other reasons.

For avoidance of doubt, as not everyone will have read the “User control” section of the change proposal: the system is opt-out for everyone who sees the Privacy page in gnome-initial-setup, which is mandatory when installing Fedora Workstation. There you have to flip the switch to off or else data will be sent to Fedora. This switch is pretty prominent at the top of the dedicated Privacy page and it’s one click to disable, so I don’t think it’s a “dark pattern.” If you don’t like telemetry, just flip the switch and we’ll never collect anything (not even a report saying you flipped the switch, which is a bit of a shame, because it sure would be nice to know how many users disable the telemetry, like Ubuntu does).

Users will always be presented with this choice before any data is sent. E.g. if you are upgrading from a previous version of Fedora, then you don’t see gnome-initial-setup, and the system is opt-in, because we must not collect anything without user consent. To enable, you’d need to navigate to the Privacy page in gnome-control-center and flip the switch from off to on.

Fedora Legal says the switch has to be off by default if we collect any personal data. Therefore, we MUST NOT collect any personal data.


I think you didn’t see the example image I posted (or image embedding is broken? Show fine on my system FWIW), because the example certainly isn’t opt-in. There is no default, the user has to select “Share” or “Don’t Share”. IMHO it would be a reasonable compromise, likely giving much higher quality data than opt-in, but avoiding the pitfalls of opt-out.


First of all, if people decide to help and send telemetry it’s always useful and not garbage data!!!

Here’s my idea how to do it, a more user friendly way.
Why not use radio buttons instead of a switch, so no option is per default set and you can’t click next until you decide for one.
Solves multiple problems, if not all. I can’t click next next next and miss the option. It’s not an opt-in nor an opt-out. Everybody has to actively decide for one option. If people still don’t want to send telemetry, it’s their right to do so. (Fedora, It’s your OS)
This approach will trick nobody in either direction.


All telemetry collection MUST be an opt-in feature (disabled by default). I’m strongly against enabling it by default.

Then the statement “Privacy-preserving Telemetry” is not true. We want privacy - that is, no telemetry at all.

Please add the ability to completely get rid of it by removing the telemetry collector package.

The most popular GNOME Shell extension is system tray icons support. The GNOME developers have removed the legacy tray support, but end users are suffering.

Did they bring back tray support after looking at the number of downloads? Of course not.


Part of the problem is that you can’t collect aggregated data without collecting non-aggregated data. Even if you don’t intend to store the non-aggregated data, there are many ways it can be stored inadvertently via logging or some other method.

Even if someone were to audit this process to ensure that it was clean, it wouldn’t be unthinkable to make an inadvertent change in the future that would break this anonymity.


I saw your example from iOS. If we do something like that, everybody will click “Don’t Share” and the data we do manage to collect from the 5% of users who share would be garbage. This project is only useful if we can collect quality data.

If we believe that given an honest choice with no default, most people will actively choose not to share then we are absolutely doing the wrong thing for the community by making it opt-out.

We are basically saying, “We understand most people don’t want to share this information so we will make it the default and hope they don’t notice”

To me, forcing people to make an active choice instead defaulting to either “yes” or “no” is a reasonable compromise.


I don’t mind opt-out telemetry as longs as:

  • gnome-inital-setup clearly explains what is being collected and has a prominent toggle to disable telemetry
  • All the collected data would be published publicly and not just available to Red Hat.
  • The various types of data that gets collected doesn’t change within a Fedora release and and collecting new data shouldn’t be possible without a proper Change Proposal.

(just my 2 cents)