[Libreoffice-bugs] [Bug 128255] New: No data collection without express, informed, meaningful user consent.

Sat Oct 19 18:42:59 UTC 2019

https://bugs.documentfoundation.org/show_bug.cgi?id=128255

            Bug ID: 128255
           Summary: No data collection without express, informed,
                    meaningful user consent.
           Product: LibreOffice
           Version: 6.3.2.2 release
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: medium
         Component: LibreOffice
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: libreoffice13 at sfina.com

Description:
This is a collateral to Bug 128232.  Bug 128232 is open source working at its
best, with a fix within less than 24 hours of the bug report.  However, in the
process of reporting the bug I learned that LibreOffice called home
(crashreport.libreoffice.org).  I understand it is with good intentions.  I am
still trying to figure out the details.  I believe that telemetry without
consent is not the Right Thing to do.

Please help me understand, and please help me help the Document Foundation /
LibreOffice become more respectful of data privacy.

Steps to Reproduce:
1. crash LibreOffice
2. monitor your internet connection

Actual Results:
LibreOffice calls home without warning.

Expected Results:
LibreOffice should ask for user consent, or crash silently.

Reproducible: Always

User Profile Reset: No

Additional Info:
User consent has to be (A) express; (B) informed; (C) meaningful.

(A) Express.  Put a dialogue in front of the user every time consent should be
sought.  Consent for telemetry at installation is good.  If consent was granted
the first time, repeating the request on significant changes and upgrades as a
reminder of the original consent is better.  For the user in a sensitive
environment (lawyers, dissident journalist, HR employees, any person that
requires confidentiality for whatever reasons) asking to reaffirm consent at
every start of the application makes sense.  Ideally, the express consent
should be time-limited and revert back to no data leak permitted, with the
choices: (a) until the next time the user restarts LibreOffice; (b) until the
next LibreOffice upgrade/change; (c) for a fixed (arbitrary) time period of a
year; or (d) forever.

(B) informed.  describe in clear words what triggers telemetry, and what kind
of information is sent.  To the user, a summary with links to documentation on
the Document Foundation's webpage should be sufficient.  From that webpage,
link further down into the exact points in the code / repository where the data
is collected and where the telemetry is triggered.  When I started researching
crashreport.libreoffice.org, I came across https://github.com/mmohrhard/crash
-- too much into details for me to understand what is going on.  I also came
across conspiracy theories that are even less useful.  The software publisher
should fill the void and prevent it from being filled by conspiracy theories.

(C) meaningful.  even after a user has expressly consented, there are
circumstances under which refreshing the consent makes sense.  For example,
when the data leaked out of the user's control contains information from the
documents being edited, the user may need to consider the nature of the
document being edited to arrive to a meaningful consent.  A user consenting to
telemetry while editing a party invitation can reasonably deny consent when
editing a list of employees with salaries and other confidential data.

Please build software that can be trusted.  Thanks for listening.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20191019/cc908696/attachment.html>