Opt-in / Opt-Out? A breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation

Then there should be no point in creating one at all. Users should be able to decide entirely for themselves what the system collects and forwards.

Nothing should be defaulted to sending to someone else's computer or collecting data for this purpose. It should be entirely up to the end user. It's their computer. Let them decide fully how it's used and what data is gathered/sent.

2 Likes

I am also just a user, I know this thread is long but hoping to contribute to the conversation a bit.

I am personally okay with telemetry IF it is either exclusively opt-in with the default being off, or opt-in with no assumed choice (both options presented, up to the user to explicitly select something).

Anything else and the intention is to clearly get more data simply because someone was rushing through the install process.

In my view consent in this context should be:

  • “Hey, we are trying to collect some anonymous usage data to make Fedora / RHEL better for all, do you want this?”
  • Explicit button with “Yes”, explicit button with “No”. Both are given equal weight and visual importance.
  • If no, the telemetry package is not installed at all.
  • If yes, package installed and option enabled.

Assuming “yes” is not explicit consent no matter the level of detail given.

For the record, I would most likely click “Yes” if the data collected seemed reasonable, as I trust Fedora (otherwise I wouldn’t be using it as an OS). I have enabled telemetry for services I trust and care about, as long as it is clearly outlined what will be collected, and from an organization I trust already.

6 Likes

I propose that we implement this, but with a particular UI-focus. We have an unskippable installer screen that has exactly two buttons for “Yes” or “No” (or perhaps “Agree” or “Disagree”).

Disregard the notion of a single boolean-oriented checkbox or switch altogether until you get into GNOME Settings.

I think this is a healthy compromise, and no default behavior is given one way or the other.

9 Likes

Yeah, that’s a valid concern. I do think what’s proposed here is very different from Apple’s app tracking permission you’re referring to, though.

With iOS app tracking, the OS is asking you to opt into a most-likely proprietary third-party app and service doing “tracking” which often includes very invasive data collection and sharing. It’s presented in a pretty scary dialog asking to allow the app “to track you across other companies’ apps and websites” with the actions “Ask App Not to Track” and “Allow”. Given the premise of that choice, it seems pretty obvious people would hit the “don’t track” option. Notably, this is completely separate and distinct from Apple’s own OS- and service-wide analytics.

For Fedora and GNOME, the proposal is for open source, anonymized metrics shared with the OS vendor. It would be more similar to iOS’s initial setup screen which asks to enable analytics to “help improve” Apple products. Here, there is a clear default choice but it is still an active choice.

I think we could go even further and present something like a choice between:

Help Improve Fedora?

Optionally share anonymous data to be aggregated using privacy-preserving metrics. Fedora and the open source projects it depends on will learn about how people use Fedora broadly so they can make it work better for people like you—without ever collecting or seeing personal data.

Fedora Workstation always respects and actively defends your privacy. Learn more.

Help Improve Fedora

Enable privacy-preserving metrics

No Thanks

Do not enable privacy-preserving metrics

My forum-powered markdown mockup skills are imperfect, but that gives you a vague idea of what I’m picturing.

14 Likes

A post was split to a new topic: Some posts should not have been moved to the “opt-in/opt-out” breakout thread

2 posts were merged into an existing topic: Approaches to data handling, safety, and avoiding individual identification — a breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation

I’m not against telemetry of limited scope. But it absolutely must be opt in.
Preferably with a slider, like in Plasma Settings.

I love Fedora, but making telemetry opt-out would go against what I thought we had.

That wouldn’t be ‘Friends’.

5 Likes

Let me understand what you are saying here, because I may be missing something. In the proposal you state

A new metrics collection setting will be added to the privacy page in gnome-initial-setup and also to the privacy page in gnome-control-center. This setting will be a toggle that will enable or disable metrics collection for the entire system.

So I assume there will be a single toggle for both collection and upload. You also say

Unlike gnome-initial-setup, the switch in gnome-control-center will default to off if the user has not seen the switch in gnome-initial-setup and has not previously selected a value for the setting.

Since you don’t have a mechanism for opting in or out during upgrade, collection is on by default, but upload is off by default. From this I deduce that, after upgrading, the toggle will be off, while the system will locally collect data but not upload any. Thus I will need explicit instructions on how to stop collection and delete the data. Of course, toggling the setting on and off to disable both is not acceptable, since this will trigger a data upload before putting everything back to rest and cleaning up all data (which I assume it will do, right? Will it delete all data?).

All of the above is, unless there are actually two toggles, one for collection and one for upload, so that I can just untoggle the first. If this is so, it wasn’t clear to me from the proposal, and it could be satisfactory “enough” (read: if the proposal passes as-is – which I’m not happy with – I’d still rather collection be plainly off, but if not at least we are approaching a usable solution).

As for this

I’ll answer after getting a clearer idea of the toggle situation above.

I’m in the same boat, my stance is hard on the opt-in method.
I think opt-out can be interpreted as tricking less tech-savvy users into giving Fedora data, especially depending on the method used.
I agree with the idea Cassidy is proposing, forcing the user to decide what they want to do with their data and no preselected option on Fedora’s part.

Because I’m not a contributor, only a user, I will express how this affects me as a user practically.
It’s out of my league to talk here like I own the world, demanding it’s done the way I like; I joined the discourse today.
I’m outreaching, and it’s more logical to describe how this would affect me in a thought experiment scenario:

Let’s say the approved method is the following, a worst case scenario for me:

Installation goes normally, and you can find the opt-out setting inside gnome-settings (no option available during installation/upgrade), and the telemetry collected requires information I deem too sensitive.

I would still use Fedora, it’s the distribution that works the best on my parents’ hardware and mine. After the version upgrade completes, I’m unplugging the Wi-Fi before booting Fedora XX to uncheck the telemetry option (therefore avoiding all telemetry). Then continuing our lives like normal.

What would change is that I would be more hesitant to recommend Fedora and that if future changes are also questionable it’s very likely we leave Fedora for good.

EDIT: Of course, if the decision reached is too far-reaching, we are leaving.
I’m hopeful that a good decision that makes everybody happy is going to be taken.

6 Likes

Hi all,

I apologize that I haven’t been able to read all the feedback in this breakout topic yet. I intend to read every comment that has been posted here, but haven’t been able to yet due to the high number of comments.

That said, it’s obvious there is a very large number of you who are not happy with the opt-out consent toggle. I wasn’t expecting this to be the most controversial part of the proposal since it is one click to turn off the toggle, but, well, collecting feedback is what the change proposal process is for. I had been really hoping we wouldn’t need to do an explicit consent system where the user is forced to make a choice with no default value, but based on the large amount of negative feedback on this aspect of the plan, it looks like this is something we’ll need to consider. (This was originally proposed by Qwerty here, and refined by Cassidy here).

My original proposal was designed with the promise that no data is ever uploaded if the user does not consent. The problem with the explicit consent system is that we would need to collect one data point from users who do not consent to data collection: a boolean to indicate they did not consent to data collection. That’s hardly very invasive (and I believe Ubuntu does this already, for example), but it’s one data point more than the zero I had been planning to collect from users who don’t consent. This is really important because without knowing the consent rate, we can’t know how good all the other data is. If half of users consent, that’s probably good enough. If 2% of users consent, that data is not useful and we shouldn’t rely on it. If there is a low consent rate, we would need to make changes to how the consent is presented in hopes of increasing the number of users who consent, or give up and rip out the telemetry entirely. But we would never know if it’s working or not if we don’t collect data on how many users consent.

So despite my initial reluctance, that’s where I’m at now. I’m curious to see opinions on whether this would be acceptable. Responding to community feedback is very important to me, but please keep in mind we do need to ensure that the collected data is actually representative of Fedora users, as otherwise there’s no point to collecting data in the first place.

6 Likes

Yes, that would be acceptable. Both opt-in (off by default) and no-skip on/off are, in my opinion. I wouldn’t mind sending out that single data point as I don’t consider it to be sensitive information (nor do I see why others would, but then, you never know…)

From my perspective, a neutral option where the user is forced to make a decision is much more acceptable than an opt-out mechanism.

It gives the user a choice which they cannot miss or accidentally step past.

7 Likes

I really like this approach, and I’m sure there’s some way to know the consent rate while keeping things private.
Guaranteeing consent is key here, making the user read and being forced to answer yes/no.

Due to comments being moved here from the main topic, some of these comments are not in the order that they were originally posted. Bear with us please as we learn more about Discourse. 🙂 It looks like comments appear here at the time they were moved from the original topic, which is e.g. why you see my post referencing a post by Cassidy shortly before it appears that he posted it. That’s also why it seems Noisy Coil is going crazy and forgetting what he just posted up above. The timestamps on the posts are still accurate, though.

1 Like

I am okay with having that one point of data collected. This option requires an explicit decision.

Posts in this topic have ended up somewhat out of order. Sorry about that — there’s a Discourse issue (where posts older than the first post will replace that as the main post of the topic), which is … not what we want. I’m looking for a solution and will try to get everything reasonably chronologically correct tomorrow.

3 Likes

I disagree on the data having to be sent back. If the user does not consent to providing data…then 0 data should be transferred. Even to let you know their selection imo.

4 Likes

Is there actually a reason to collect this? Fedora is tracking install statistics already. You will also know how many people are opting in because you will be receiving the data from them. Don’t these two data points together give you the same approximate information?

7 Likes

I understand objecting to “explicit choice” (neither opt-in nor opt-out) on the basis that excessive questions during the initial setup add friction. However, I will point you back to what Michael said about it.

I saw your example from iOS. If we do something like that, everybody will click “Don’t Share” and the data we do manage to collect from the 5% of users who share would be garbage.

If you believe that the result of an explicit choice is 95% no, then that is your best estimate of the users’ true preferences. If, then, you use an opt-out model in the hope of collecting data from substantially more than 5% of users, then you are using deception to violate what you believe those users’ preferences to be.

“But if I asked, the answer would be no.”

Then you already know the answer, don’t you?

5 Likes

This right here, glad it’s being mentioned again. This really feels like it flies in the face of Fedora’s ethos because of this point. If the owner themselves knows most people won’t want this, then it should be a no-go out of the gate. That’s a big reason this feels so utterly wrong to me.

1 Like