
SoylentNews is people

posted by martyb on Monday April 08 2019, @06:59PM
from the what-to-do? dept.

A hot thread on openSUSE's forums titled "Does openSUSE track users?" started when the OP discovered that openSUSE creates a UUID (Universally Unique IDentifier - Wikipedia) for each installed system and automatically reports it to SUSE "for statistical purposes" without even informing the installer that such a feature exists. The OP raised valid concerns that the IP address is personal data and, when combined with a UUID, creates an even more distinguishable unique identifier, so he argued that this must be made clear during installation and be opt-in rather than silently enforced, because it creates a possibility for fingerprinting/profiling.

Admins explained that it can be disabled by deleting /var/lib/zypp/AnonymousUniqueId. Obviously this is only possible after the fact, as one cannot do it during installation. To avoid it entirely, one must be disconnected, install from DVD, and then delete the file before running any software update.

Forum users commented on the website itself too. The OP found that SUSE's terms and the site tools for personal data control are not GDPR (General Data Protection Regulation - https://eugdpr.org/, Wikipedia) compliant. He shared his observations that:

- too much data is required during account registration that is technically not necessary for just writing in the forums or reporting bugs (physical address, phone, job, zip etc). He reported that in a bug report which was closed as "RESOLVED DUPLICATE" of a similar bug which itself was closed earlier as INVALID. Although he reopened the referenced bug, so far it hasn't caught anyone's attention.

- personal data is shared with multiple third-party entities in a catch-all agreement without that being technically necessary, which also contradicts the GDPR principle of data processing minimisation

- there is no possibility for granular opt-in/out for any of this, just one single catch-all forced consent which one must accept, which in fact forces one to accept multiple policies of third parties (Google, Live Chat, Facebook etc) because of the third-party resources the SUSE sites use

- the privacy policy of SUSE is misleading as it justifies "legitimate interest" basing it on Article 6(1)(f) of GDPR while ignoring an essential part of the same article - that legitimate interest cannot overpower fundamental rights, one of which is the right to personal data protection

- there are no tools for one to control one's personal data as the GDPR mandates (download, erase, restrict processing etc)

The OP even filed a request for erasure as per Article 17 of GDPR, but neither SUSE's privacy team nor SUSE's DPO has replied to him so far (for more than a week), although GDPR says that such requests must be handled "without undue delay". Meanwhile Microfocus replied to him that his data had been erased, but it was not: he could still log in and see all his profile data.

A mod locked the thread, claiming that "further discussion is pointless" and "you have legal choices", missing the essential point: that SUSE failed to provide those choices as it must and leaves only one choice, to lodge a legal complaint against the data controller.

All this is quite similar to what most sites and companies do. Perhaps to make GDPR count we should all be more active in lodging complaints.

A link to the thread:

https://forums.opensuse.org/showthread.php/535322-Does-openSUSE-track-users
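
The admins' advice above turns on a single file, /var/lib/zypp/AnonymousUniqueId. As an added example (not from the thread or from openSUSE), this shell function reports whether that file is absent, empty, holds a UUID-shaped value, or holds something else, without printing the value. The ROOT argument and the state names are assumptions of this example; ROOT lets it inspect a freshly installed, still-offline target mounted elsewhere.

```sh
#!/bin/sh
# Added example: audit the zypp identifier file named in the story.
# The path comes from the story; the ROOT argument and the state names
# (absent/empty/uuid/other) are this example's own conventions.

ZYPP_ID_REL="var/lib/zypp/AnonymousUniqueId"

# zypp_id_state [ROOT]
# Prints one word describing the identifier file under ROOT (default "/"):
#   absent - the file does not exist
#   empty  - the file exists but has no content
#   uuid   - the first line looks like a UUID (8-4-4-4-12 hex digits)
#   other  - the file has content that is not UUID-shaped
zypp_id_state() {
    root="${1:-/}"
    file="${root%/}/$ZYPP_ID_REL"

    if [ ! -e "$file" ]; then
        echo absent
        return 0
    fi
    if [ ! -s "$file" ]; then
        echo empty
        return 0
    fi

    # Look at the first line only, and never echo the identifier itself.
    first=$(head -n 1 "$file" 2>/dev/null)
    if printf '%s\n' "$first" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo uuid
    else
        echo other
    fi
}

# Report on the running system, or on a mounted install target given as $1.
zypp_id_state "${1:-/}"
```

Running it again after a software update shows whether the file's state has changed since the last check.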


  • (Score: 2, Interesting) by Anonymous Coward on Monday April 08 2019, @07:12PM (25 children)

    by Anonymous Coward on Monday April 08 2019, @07:12PM (#826330)

    Crazy source-based distro user here. Doesn't that GUID go in some file [man7.org] in /etc (looks like /etc/machine-id)? I just remember that because every time I boot up, some service OpenRC (fuck systemd) starts complains that file is blank.

    Seems to be fuck systemd related. Maybe it's eudev complaining about it? Whatever it is, my machine works fine without fuck systemd or a GUID there, so I just never looked into it.

  • (Score: 3, Funny) by Freeman on Monday April 08 2019, @07:39PM

    by Freeman (732) on Monday April 08 2019, @07:39PM (#826339) Journal

    For some reason, I am getting vibes that you may have some reservations with regards to systemd. Sounds like you found an alternative though. It also sounds like OpenSUSE users might be better off with something that doesn't create automated tracking data.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 1, Interesting) by Anonymous Coward on Monday April 08 2019, @07:43PM (15 children)

    by Anonymous Coward on Monday April 08 2019, @07:43PM (#826341)

    And Windows or MacOS don't do this and much worse? Someone with an agenda is picking on a Linux distro based in the EU to damage them. The "money trail" is well obfuscated...

    • (Score: 2) by Lester on Monday April 08 2019, @08:49PM (13 children)

      by Lester (6231) on Monday April 08 2019, @08:49PM (#826360) Journal

      Probably, but they are not opensource.
      Just, it is sad. The concept that OSS gave total control to users about what they run is over.

      • (Score: 4, Interesting) by maxwell demon on Monday April 08 2019, @09:15PM (12 children)

        by maxwell demon (1608) on Monday April 08 2019, @09:15PM (#826367) Journal

        No, it is not. Everyone is free to take OpenSUSE, modify it to not include the unique ID, and distribute the modified version to anyone who cares. While you cannot do the same e.g. with Windows.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 3, Insightful) by Lester on Tuesday April 09 2019, @10:23AM (10 children)

          by Lester (6231) on Tuesday April 09 2019, @10:23AM (#826644) Journal

          Everyone is free to take OpenSUSE

          No, you are not free if you don't know it. And most people didn't know it.
          Now OSS software has also fine print that must be carefully read, it is not anymore what it looks at first sight, in the surface.

          [s]Wonderful! OSS is now closer to proprietary software quality standard[/s]. That is my feeling.

          • (Score: 2) by Freeman on Tuesday April 09 2019, @03:12PM (7 children)

            by Freeman (732) on Tuesday April 09 2019, @03:12PM (#826807) Journal

            The fine print in Open Source Software, tells you a few things. Generally it answers the following questions. Do I have to distribute the source, if I modify it? Am I able to sell what I make with it? Who do I credit? It also usually includes a giant disclaimer telling you to use the software at your own risk and that the creators of said software shall not be held liable for anything. Including but not limited to, software fit for purpose, software making your hardware self-destruct, or blowing up the moon.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
            • (Score: 2) by Lester on Tuesday April 09 2019, @04:30PM (6 children)

              by Lester (6231) on Tuesday April 09 2019, @04:30PM (#826881) Journal

              Thank you for clarifying that the disclaimer includes their right to install a trojan.

              I, so far, had assumed that in OSS all the risks were related to bugs and/or misunderstanding. Now I have learned that there could be already malice and deceit, moreover there is nothing abnormal in such behavior.

              • (Score: 2) by maxwell demon on Tuesday April 09 2019, @06:02PM (2 children)

                by maxwell demon (1608) on Tuesday April 09 2019, @06:02PM (#826954) Journal

                Of course using Open Source doesn't mean you are absolved from any other legal or ethical constraints. For example, just because the license to my Linux system doesn't state anywhere that I'm not allowed to use that software to hack into a military base and explode a nuclear bomb there doesn't mean that I'm free to do that. However should anyone do that using his Linux system, it is not an issue with Open Source, it's an issue with whoever does that.

                Similarly, the Open Source license does not forbid whichever company distributes it to add tracking code to it. It still is immoral and possibly illegal, but that's not an issue with Open Source. It's an issue with that company.

                So if you want to blame the problem on the company, I'm all with you. But as soon as you try to blame the problem on Open Source, I'm not. Open Source was never about doing no questionable things at all; it was always and exclusively about the permission to use, change and redistribute the code in any way you see fit.

                Now this software distribution model has as side effect that things such as hidden tracking are easier to detect, because the source is open, and therefore you are less likely to encounter them with Open Source. But there is not and has never been any guarantee that you are absolutely safe from such stuff just because you are using Open Source. If you thought so, you were delusional.

                --
                The Tao of math: The numbers you can count are not the real numbers.
                • (Score: 2) by Freeman on Tuesday April 09 2019, @06:13PM

                  by Freeman (732) on Tuesday April 09 2019, @06:13PM (#826967) Journal

                  By definition, it wouldn't be hidden as it's Open Source, but it could definitely be obfuscated. The Open Source code will definitely make it a lot easier to prove and find exactly where the code is that's doing something.

                  --
                  Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
                • (Score: 1, Interesting) by Anonymous Coward on Thursday April 11 2019, @11:25PM

                  by Anonymous Coward on Thursday April 11 2019, @11:25PM (#828368)

                  Be aware that Firefox's Incognito/Private Mode, as well as platforms that rely on it (Tor Browser Bundle) doesn't allow deleting cookies during the course of a session, doesn't allow you to view cookies during the session, and hides said cookies from addons, even if addons can turn cookies on/off (see: uMatrix). The result is that if you browse any two sites which share a third party site with cookies, or if your tunnel changes after you have a session id/login assigned to you, your sessions can be tracked to the same user, and more than likely can be passively correlated to your location after a few 5 eyes circuit resets.

                  Be warned, Private Modes are not at all private while browsing, only when the browser is completely exited. And Tor Browser sessions are easily trackable if you don't have uMatrix with cookie and script blocking by default due to session ids and circuit resets. I shudder to think at the number of dissidents who have been caught because they had faith in the Tor Project.

                  In other news, I2P's LeaseSet model is compromised. 40 nodes can discover a hidden service location. LeaseSet 2 is supposed to fix it with an Onion v3 style leasing model, but we are now reaching a technical single point of failure for anonymity networks. Assume privacy is dead, and either hope for the best, or bug out while you still can.

              • (Score: 2) by Freeman on Tuesday April 09 2019, @06:07PM

                by Freeman (732) on Tuesday April 09 2019, @06:07PM (#826960) Journal

                There's a reason for the disclaimer, cover their own backsides. While, I wouldn't qualify this as a Trojan. Oh, by the way, we track installs and know what IP sent it. Should have been presented to the user, not just the blanket disclaimer. Claiming what they're doing is akin to a Trojan, is disingenuous. It's a bit invasive, but assuming you have a smart phone. It's like comparing a mosquito bite to a shark bite.

                --
                Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
              • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @04:08PM (1 child)

                by Anonymous Coward on Wednesday April 10 2019, @04:08PM (#827486)

                their right to install a trojan

                I do not think that word means what you think it means.

                I suppose you could call what SUSE is doing (creating a unique machine-id and sending it, along with configuration data about the system) malware. But just because they don't tell you about it doesn't make it a trojan.

                And to further clarify SUSE's license [opensuse.org] it's the GNU General Public License Version 2 [gnu.org].

                • (Score: 2) by Lester on Friday April 12 2019, @12:23PM

                  by Lester (6231) on Friday April 12 2019, @12:23PM (#828560) Journal

                  But just because they don't tell you about it doesn't make it a trojan.

                  Yes it does.

                  According to Wikipedia: Trojan is any malicious computer program which misleads users of its true intent.

                  Well, I think that if it hides things because it knows I may not like them, then it is misleading me. If not a Trojan, a close friend of a Trojan.

          • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @06:57PM (1 child)

            by Anonymous Coward on Wednesday April 10 2019, @06:57PM (#827568)

            "knowing it" is your responsibility you lazy minded fuck. do you think a big penguin is going to be at the library to read you a book or something?

            • (Score: 3, Touché) by Lester on Friday April 12 2019, @12:33PM

              by Lester (6231) on Friday April 12 2019, @12:33PM (#828562) Journal

              And installing a good lock in my home's door is my responsibility. Does it justify the thief?

        • (Score: 1, Interesting) by Anonymous Coward on Tuesday April 09 2019, @02:54PM

          by Anonymous Coward on Tuesday April 09 2019, @02:54PM (#826792)

          This comment is a symptom of the rot that exists within many of the linux elites: the freedom of choice and freedom of use only exists in what the priests allow you to know.

          Someone had to complain and go through legal channels to find all these issues, and they tried to do the right thing and ended up getting told to speak to the hand.

          Your comment seems to suggest that no one has to do that, they need to only have already done what he worked so hard to find out--which are tasks that fall under the moniker of "hacking" for most lay people.

          If there is absolutely no indication you are being ratted out unless someone is angry enough to unexpectedly report it, then you can't honestly claim that Microsoft is somehow worse.

          They are in fact better--it is clear what Microsoft is doing, and they don't hide it, and they are honest about the depths, scope, what they take and what they do with it. Suse didn't say anything until someone spread their secret--then they tried to suppress the conversation.

          Everyone is free to tell them to go shove it until they get a better handle on what users want, unless they don't care. I expect they are losing money and don't want to admit they are in trouble. You don't stoop so low unless it's your business model anyway, so these may be desperate measures that they don't want much attention drawn towards. All the same, fuck them if they can't compete honestly.

    • (Score: 5, Insightful) by maxwell demon on Monday April 08 2019, @09:12PM

      by maxwell demon (1608) on Monday April 08 2019, @09:12PM (#826364) Journal

      And Windows or MacOS don't do this and much worse?

      So it is OK to kill someone because Jack the Ripper killed more people? Because that's the form of argument you're using here.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by DannyB on Monday April 08 2019, @09:26PM (7 children)

    by DannyB (5839) Subscriber Badge on Monday April 08 2019, @09:26PM (#826374) Journal

    my machine works fine without fuck systemd

    My machine complains . . .

    danny@danny-mint19-vm02:~$ fsck systemd
    fsck from util-linux 2.31.1
    Usage: fsck.ext4 [-panyrcdfktvDFV] [-b superblock] [-B blocksize]
                    [-l|-L bad_blocks_file] [-C fd] [-j external_journal]
                    [-E extended-options] [-z undo_file] device

    Emergency help:
      -p Automatic repair (no questions)
      -n Make no changes to the filesystem
      -y Assume "yes" to all questions
      -c Check for bad blocks and add them to the badblock list
      -f Force checking even if filesystem is marked clean
      -v Be verbose
      -b superblock Use alternative superblock
      -B blocksize Force blocksize when looking for superblock
      -j external_journal Set location of the external journal
      -l bad_blocks_file Add to badblocks list
      -L bad_blocks_file Set badblocks list
      -z undo_file Create an undo file

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 4, Funny) by NotSanguine on Tuesday April 09 2019, @12:53AM (6 children)

      danny@danny-mint19-vm02:~$ fsck systemd

      That's because you spelled it wrong:
      [notsanguine@venkman ~]$ fuck systemd
      Yeah! Fuck systemd!
      Amen Brother!
      [notsanguine@venkman ~]$

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by DannyB on Tuesday April 09 2019, @02:14PM (5 children)

        by DannyB (5839) Subscriber Badge on Tuesday April 09 2019, @02:14PM (#826751) Journal

        Oh dear, I must be doing something wrong:

        danny@danny-mint19-vm02:~$ fuck systemd

        Command 'fuck' not found, did you mean:

            command 'suck' from deb suck
            command 'fsck' from deb util-linux
            command 'duck' from deb duck

        Try: sudo apt install

        danny@danny-mint19-vm02:~$ sudo apt update && sudo apt upgrade -y && sudo apt install fuck
        [sudo] password for danny:
        Ign:1 http://mirrors. . . . . blah blah blah . . ..
        The following packages will be upgraded:
        . . . blah blah . . .
        1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
        Need to get 1,111 kB of archives.
        . . . blah blah . . .
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        E: Unable to locate package fuck
        danny@danny-mint19-vm02:~$

        If that package cannot be found, then why is there a 'yes' command?
        Especially when the yes command can generate an infinite number of 'no' by using:
        $ yes no
        no
        no
        no
        . . . to infinity and beyond . . .

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 2, Touché) by Debvgger on Tuesday April 09 2019, @02:41PM (1 child)

          by Debvgger (545) on Tuesday April 09 2019, @02:41PM (#826776)

          Sounds like you can't get laid then. Sorry.

          • (Score: 2) by DannyB on Tuesday April 09 2019, @03:14PM

            by DannyB (5839) Subscriber Badge on Tuesday April 09 2019, @03:14PM (#826809) Journal

            I suppose I could develop a new 'no' command which can generate an infinite sequence of 'yes' outputs.

            I'm going to patent this new technique I just invented!

            sudo cp /usr/bin/yes /usr/bin/no

            People will pay the patent license fee because it will cause 'no' to mean 'yes' again! Trump will be grateful.

            --
            People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 2) by NotSanguine on Tuesday April 09 2019, @04:05PM (2 children)

          What you really need is this bit:

          [notsanguine@venkman ~]$ cat fuck
          #!/bin/sh
          echo "Yeah! Fuck "${1}"!"
          echo "Amen Brother!"
          [notsanguine@venkman ~]$

          And you can fuck anything you want!

          It'll be up on github shortly. Perhaps Debian will include it in a future release. :)

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 2) by maxwell demon on Tuesday April 09 2019, @06:16PM (1 child)

            by maxwell demon (1608) on Tuesday April 09 2019, @06:16PM (#826969) Journal

            I think you've got a bug here.

            $ fuck the advertisers
            Yeah! Fuck the!
            Amen Brother!
            $

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 4, Funny) by NotSanguine on Tuesday April 09 2019, @07:00PM

              I think you've got a bug here.

              $ fuck the advertisers
                      Yeah! Fuck the!
                      Amen Brother!
                      $

              That's not a bug, that's a feature! I don't do threesomes (or more-somes). :)

              But if you do swing that way, try the 'swinger' command:
              #!/bin/sh
              echo "Yeah! Fuck "${@}"!"
              echo "Amen Brother!"

              Output:
              [notsanguine@venkman ~]$ swinger all the single ladies
              Yeah! Fuck all the single ladies!
              Amen Brother!
              [notsanguine@venkman ~]$

              Better now?

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr