Privacy policy

  • Open
Details
5 participants
  • Jelle Licht
  • Julien Lepiller
  • Ludovic Courtès
  • pelzflorian (Florian Pelz)
  • Tomás Ortín Fernández
Owner
unassigned
Submitted by
pelzflorian (Florian Pelz)
Severity
normal
pelzflorian (Florian Pelz) wrote on 4 Oct 2020 17:34
(address . bug-guix@gnu.org)
20201004153419.kyacfjdwmok6yybg@pelzflorian.localdomain
IANAL but I think Guix needs a privacy policy for both its website and
the Guix software in general.

Attached is a patch for the website that also documents data use by
Guix and Guix System. Maybe I’ve overdone some parts and probably
something important is missing.

In particular, the GDPR requires IP addresses to be deleted from logs
after a reasonable time. I think but am not sure the current process
for nginx is to delete only when the log files become too big. A more
suitable policy must be implemented and the users must be told about
it, I think. See <https://gdpr-info.eu/art-13-gdpr/>.

In general I think it is better to have an incomplete policy than to
have none.

Comments?

Regards,
Florian
Julien Lepiller wrote on 4 Oct 2020 17:56
90C37536-BB8F-47D4-ABD8-BA8493E9485E@lepiller.eu
Looks nice, but:

The GDPR is not the only legislation that applies to us. For services hosted in France for instance, there is a legal obligation to keep logs for at least one year (not sure exactly who that applies to). There could be something similar in Germany where berlin is located.

I think some of the wording is vague. Does "can be used to identify" mean we will use the IP to identify the person (is it the reason we process this data?) Or is it something that we could technically do, but refuse to do?

On 4 October 2020 11:34:19 GMT-04:00, "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
>IANAL but I think Guix needs a privacy policy for both its website and
>the Guix software in general.
>
>Attached is a patch for the website that also documents data use by
>Guix and Guix System. Maybe I’ve overdone some parts and probably
>something important is missing.
>
>In particular, the GDPR requires IP addresses to be deleted from logs
>after a reasonable time. I think but am not sure the current process
>for nginx is to delete only when the log files become too big. A more
>suitable policy must be implemented and the users must be told about
>it, I think. See <https://gdpr-info.eu/art-13-gdpr/>.
>
>In general I think it is better to have an incomplete policy than to
>have none.
>
>Comments?
>
>Regards,
>Florian
Attachment: file
Tomás Ortín Fernández wrote on 5 Oct 2020 09:09
(no subject)
(address . 43796@debbugs.gnu.org)
56d1efad-6c9d-ce35-bca1-832609785cb0@mailbox.org
As I understand it, the Guix distribution is *not* a service but a piece of software. Neither the Guix community nor the GNU project have any responsibility over the third-party services you decide to use with the Guix system, your software in your computer; it's only responsible for what concerns their services: the website and the repositories.
For example, it's not that Guix shares your IP with your network provider, you share it yourself. It is indeed "your responsibility" (and your network provider's), but why would that be on the privacy policy for Guix?

>During your use of Guix’ software in its default configuration, your IP address may be revealed to the network services you use.

What configuration doesn't reveal your IP to the network services you use? If you use Tor, your IP will be revealed at least to the Tor access node. It's not possible to use the Internet without revealing your IP to at least one service.

I understand that the point of mentioning all that is more as advice than a policy. Wouldn't it be more useful in a section about privacy recommendations (or something similar) than in the privacy policy?
pelzflorian (Florian Pelz) wrote on 5 Oct 2020 11:54
Re: bug#43796: Privacy policy
(name . Julien Lepiller)(address . julien@lepiller.eu)
20201005095432.la7qsn3vilmu4a57@pelzflorian.localdomain
On Sun, Oct 04, 2020 at 11:56:04AM -0400, Julien Lepiller wrote:
> The GDPR is not the only legislation that applies to us. For
> services hosted in France for instance, there is a legal obligation
> to keep logs for at least one year (not sure exactly who that
> applies to). There could be something similar in Germany where
> berlin is located.

A quick web search does not reveal any such obligation in Germany.
I also know people who don’t log. But again, IANAL.

The Debian Privacy Policy says they store web logs for 15 days.
But iplocation.net tells me their server is hosted in the Netherlands.

If the Guix admins do not intend to use such data to “respond to
excess usage or security attacks” on the website, logging should be
disabled and I will remove that wording from the proposed patch.

> I think some of the wording is vague. Does "can be used to identify"
> mean we will use the IP to identify the person (is it the reason we
> process this data?) Or is it something that we could technically do,
> but refuse to do?

I changed it to

During your use of Guix’ software in its default configuration,
your IP address will be revealed to the network services you use.
From an IP address it may be possible to identify who uses the
service and from which internet connection. These services include

Attached is the complete patch with this single change.

Are there other things which are badly worded?

Regards,
Florian
Julien Lepiller wrote on 5 Oct 2020 13:14
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 43796@debbugs.gnu.org)
A1A0F4BE-12DF-4A6C-B5BF-4BC8AF104DC3@lepiller.eu
I'm pretty sure we log the date and time along with IP and requested page.

On 5 October 2020 05:54:32 GMT-04:00, "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
>On Sun, Oct 04, 2020 at 11:56:04AM -0400, Julien Lepiller wrote:
>> The GDPR is not the only legislation that applies to us. For
>> services hosted in France for instance, there is a legal obligation
>> to keep logs for at least one year (not sure exactly who that
>> applies to). There could be something similar in Germany where
>> berlin is located.
>
>A quick web search does not reveal any such obligation in Germany.
>I also know people who don’t log. But again, IANAL.
>
>The Debian Privacy Policy says they store web logs for 15 days.
>But iplocation.net tells me their server is hosted in the Netherlands.
>
>If the Guix admins do not intend to use such data to “respond to
>excess usage or security attacks” on the website, logging should be
>disabled and I will remove that wording from the proposed patch.
>
>> I think some of the wording is vague. Does "can be used to identify"
>> mean we will use the IP to identify the person (is it the reason we
>> process this data?) Or is it something that we could technically do,
>> but refuse to do?
>
>I changed it to
>
>During your use of Guix’ software in its default configuration,
>your IP address will be revealed to the network services you use.
>From an IP address it may be possible to identify who uses the
>service and from which internet connection. These services include
>
>Attached is the complete patch with this single change.
>
>Are there other things which are badly worded?
>
>Regards,
>Florian
Attachment: file
Jelle Licht wrote on 5 Oct 2020 12:57
868scl3ppr.fsf@posteo.net
Hello,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> writes:

> IANAL but I think Guix needs a privacy policy for both its website and
> the Guix software in general.
Thanks for looking into this.

IANAL but I do not think it makes sense to have such a privacy policy at
this moment in time. I'd rather have a person with legal expertise look
at this situation and do the following:

1. Notice that we do need such a policy
2. Draft (or at least proof read) this policy.

The reason for this is two-fold: I think there are enough 'legal' texts
on the Internet of questionable enforceability/applicability, and doing
things this way creates a cargo-cult mentality.

Compare to the questionable habit of unconditionally adding the "The
content of this email is confidential ..."-esque spam outgoing email
(even if that mail is addressed to a public mailing list).

If others disagree in principle or in practice with me on this, that is
fine too of course :-)

- Jelle
pelzflorian (Florian Pelz) wrote on 5 Oct 2020 15:16
Re: bug#43796: (no subject)
(name . Tomás Ortín Fernández)(address . tomasortin@mailbox.org)
20201005131632.woiu5vaehnljebki@pelzflorian.localdomain
On Mon, Oct 05, 2020 at 09:09:20AM +0200, Tomás Ortín Fernández via Bug reports for GNU Guix wrote:
> As I understand it, the Guix distribution is *not* a service but a
> piece of software. Neither the Guix community nor the GNU project
> have any responsibility over the third-party services you decide to
> use with the Guix system, your software in your computer; it's only
> responsible for what concerns their services: the website and the
> repositories.

Actually I think we Guix contributors are responsible for the default
configuration. I would suppose we even should display the Terms of
Service of the default NTP pool https://www.ntppool.org/tos.html
during install.

Regards,
Florian
Ludovic Courtès wrote on 5 Oct 2020 16:14
Re: bug#43796: Privacy policy
(name . Julien Lepiller)(address . julien@lepiller.eu)
87lfgkwyj4.fsf@gnu.org
Hi,

Julien Lepiller <julien@lepiller.eu> writes:

> I'm pretty sure we log the date and time along with IP and requested page.

I think we’ll have to work on the nginx and log rotation settings for
our machines (see maintenance.git under hydra/).

Ludo’.
Tomás Ortín Fernández wrote on 5 Oct 2020 17:29
(no subject)
(address . 43796@debbugs.gnu.org)
66b70f14-1670-93a5-4956-54e474d7bad7@mailbox.org
> I would suppose we even should display the Terms of
> Service of the default NTP pool <https://www.ntppool.org/tos.html>
> during install.

I don't know of any distribution that does that (although maybe there are, or maybe they all should even if they don't). Still, it would make much more sense to display that kind of information during the install than as a standard privacy policy for Guix. Actually I think including easy access to the privacy policies and/or terms of service of the default services is a good idea, but IMO that shouldn't be included in Guix's privacy policy.
pelzflorian (Florian Pelz) wrote on 5 Oct 2020 21:53
(name . Tomás Ortín Fernández)(address . tomasortin@mailbox.org)(address . 43796@debbugs.gnu.org)
20201005195321.ffjogpqhhcgyguws@pelzflorian.localdomain
On Mon, Oct 05, 2020 at 09:09:20AM +0200, Tomás Ortín Fernández via Bug reports for GNU Guix wrote:
> I understand that the point of mentioning all that is more as
> advice than a policy. Wouldn't it be more useful in a section about
> privacy recommendations (or something similar) than in the privacy
> policy?

Do you mean that the part about Guix and Guix System should rather be
explained in the manual? Then I agree. The website’s privacy policy
(or whatever we shall call it) should reference the manual then.

Regards,
Florian