SoylentNews is people

posted by martyb on Monday April 08 2019, @06:59PM
from the what-to-do? dept.

A hot thread on openSUSE's forums titled "Does openSUSE track users?" started with the OP's discovery that openSUSE creates a UUID (Universally Unique IDentifier) for each installed system, which is automatically reported to SUSE "for statistical purposes" without even informing the installer that such a feature exists. The OP raised valid concerns that the IP address is personal data and, when combined with a UUID, creates an even more distinguishable unique identifier. He therefore argued that this must be clarified during installation and be opt-in rather than silently enforced, because it creates a possibility for fingerprinting/profiling.

Admins explained that it can be disabled by deleting /var/lib/zypp/AnonymousUniqueId. Obviously, this is only possible after the fact, as one cannot do it during installation. To avoid it altogether, one must be disconnected, install from DVD, and then delete the file before running any software update.

Forum users commented on the website itself too. The OP found that SUSE's terms and the site tools for personal data control are not GDPR (General Data Protection Regulation, https://eugdpr.org/) compliant. He shared his observations that:

- too much data is required during account registration that is not technically necessary for just writing in the forums or reporting bugs (physical address, phone, job, zip etc). He reported that in a bug report, which was closed as "RESOLVED DUPLICATE" of a similar bug that had itself been closed earlier as INVALID. Although he reopened the referenced bug, so far it has not caught anyone's attention.

- personal data is shared with multiple third-party entities under a catch-all agreement without that being technically necessary, which also contradicts the GDPR principle of data processing minimisation

- there is no possibility of granular opt-in/out for any of this, just one single catch-all forced consent which one must accept, and which in fact forces one to accept multiple policies of third parties (Google, Live Chat, Facebook etc) because of the third-party resources that SUSE's sites use

- the privacy policy of SUSE is misleading, as it justifies "legitimate interest" on the basis of Article 6(1)(f) of GDPR while ignoring an essential part of the same article: that legitimate interest cannot overpower fundamental rights, one of which is the right to personal data protection

- there are no tools for one to control one's personal data as the GDPR mandates (download, erase, restrict processing etc)

The OP even filed a request for erasure as per Article 17 of GDPR, but neither SUSE's privacy team nor SUSE's DPO has replied to him so far (for more than a week), although GDPR says that such requests must be handled "without undue delay". Meanwhile Microfocus replied to him that his data had been erased, but it was not: he could still log in and see all his profile data.

A mod locked the thread, claiming that "further discussion is pointless" and "you have legal choices", missing the essential point: that SUSE failed to provide those choices as it must, and leaves only one choice, to lodge a legal complaint against the data controller.

All this is quite similar to what most sites and companies do. Perhaps to make GDPR count we should all be more active in lodging complaints.

A link to the thread:

https://forums.opensuse.org/showthread.php/535322-Does-openSUSE-track-users


  • (Score: 3, Insightful) by Lester on Tuesday April 09 2019, @10:23AM (10 children)

    by Lester (6231) on Tuesday April 09 2019, @10:23AM (#826644) Journal

    Everyone is free to take OpenSUSE

    No, you are not free if you don't know it. And most people didn't know it.
    Now OSS software also has fine print that must be carefully read; it is no longer what it looks like at first sight, on the surface.

    [s]Wonderful! OSS is now closer to proprietary software quality standard[/s]. That is my feeling.

  • (Score: 2) by Freeman on Tuesday April 09 2019, @03:12PM (7 children)

    by Freeman (732) on Tuesday April 09 2019, @03:12PM (#826807) Journal

    The fine print in Open Source Software, tells you a few things. Generally it answers the following questions. Do I have to distribute the source, if I modify it? Am I able to sell what I make with it? Who do I credit? It also usually includes a giant disclaimer telling you to use the software at your own risk and that the creators of said software shall not be held liable for anything. Including but not limited to, software fit for purpose, software making your hardware self-destruct, or blowing up the moon.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by Lester on Tuesday April 09 2019, @04:30PM (6 children)

      by Lester (6231) on Tuesday April 09 2019, @04:30PM (#826881) Journal

      Thank you for clarifying that the disclaimer includes their right to install a trojan.

      I, so far, had assumed that in OSS all the risks were related to bugs and/or misunderstanding. Now I have learned that there could be already malice and deceit, moreover there is nothing abnormal in such behavior.

      • (Score: 2) by maxwell demon on Tuesday April 09 2019, @06:02PM (2 children)

        by maxwell demon (1608) on Tuesday April 09 2019, @06:02PM (#826954) Journal

        Of course using Open Source doesn't mean you are absolved from any other legal or ethical constraints. For example, just because the license to my Linux system doesn't state anywhere that I'm not allowed to use that software to hack into a military base and explode a nuclear bomb there doesn't mean that I'm free to do that. However should anyone do that using his Linux system, it is not an issue with Open Source, it's an issue with whoever does that.

        Similarly, the Open Source license does not forbid whichever company distributes it to add tracking code to it. It still is immoral and possibly illegal, but that's not an issue with Open Source. It's an issue with that company.

        So if you want to blame the problem on the company, I'm all with you. But as soon as you try to blame the problem on Open Source, I'm not. Open Source was never about doing no questionable things at all; it was always and exclusively about the permission to use, change and redistribute the code in any way you see fit.

        Now this software distribution model has as side effect that things such as hidden tracking are easier to detect, because the source is open, and therefore you are less likely to encounter them with Open Source. But there is not and has never been any guarantee that you are absolutely safe from such stuff just because you are using Open Source. If you thought so, you were delusional.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Freeman on Tuesday April 09 2019, @06:13PM

          by Freeman (732) on Tuesday April 09 2019, @06:13PM (#826967) Journal

          By definition, it wouldn't be hidden as it's Open Source, but it could definitely be obfuscated. The Open Source code will definitely make it a lot easier to prove and find exactly where the code is that's doing something.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 1, Interesting) by Anonymous Coward on Thursday April 11 2019, @11:25PM

          by Anonymous Coward on Thursday April 11 2019, @11:25PM (#828368)

          Be aware that Firefox's Incognito/Private Mode, as well as platforms that rely on it (Tor Browser Bundle) doesn't allow deleting cookies during the course of a session, doesn't allow you to view cookies during the session, and hides said cookies from addons, even if addons can turn cookies on/off (see: uMatrix). The result is that if you browse any two sites which share a third party site with cookies, or if your tunnel changes after you have a session id/login assigned to you, your sessions can be tracked to the same user, and more than likely can be passively correlated to your location after a few 5 eyes circuit resets.

          Be warned, Private Modes are not at all private while browsing, only when the browser is completely exited. And Tor Browser sessions are easily trackable if you don't have uMatrix with cookie and script blocking by default due to session ids and circuit resets. I shudder to think of the number of dissidents who have been caught because they had faith in the Tor Project.

          In other news, I2P's LeaseSet model is compromised. 40 nodes can discover a hidden service location. LeaseSet 2 is supposed to fix it with an Onion v3 style leasing model, but we have now reached a technical single point of failure for anonymity networks. Assume privacy is dead, and either hope for the best, or bug out while you still can.

      • (Score: 2) by Freeman on Tuesday April 09 2019, @06:07PM

        by Freeman (732) on Tuesday April 09 2019, @06:07PM (#826960) Journal

        There's a reason for the disclaimer, cover their own backsides. While, I wouldn't qualify this as a Trojan. Oh, by the way, we track installs and know what IP sent it. Should have been presented to the user, not just the blanket disclaimer. Claiming what they're doing is akin to a Trojan, is disingenuous. It's a bit invasive, but assuming you have a smart phone. It's like comparing a mosquito bite to a shark bite.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @04:08PM (1 child)

        by Anonymous Coward on Wednesday April 10 2019, @04:08PM (#827486)

        their right to install a trojan

        I do not think that word means what you think it means.

        I suppose you could call what SUSE is doing (creating a unique machine-id and sending it, along with configuration data about the system) malware. But just because they don't tell you about it doesn't make it a trojan.

        And to further clarify SUSE's license [opensuse.org] it's the GNU General Public License Version 2 [gnu.org].

        • (Score: 2) by Lester on Friday April 12 2019, @12:23PM

          by Lester (6231) on Friday April 12 2019, @12:23PM (#828560) Journal

          But just because they don't tell you about it doesn't make it a trojan.

          Yes it does.

          According to Wikipedia: Trojan is any malicious computer program which misleads users of its true intent.

          Well, I think that if it hides things because it knows I may not like them, then it is misleading me. If not a Trojan, a close friend of a Trojan.

  • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @06:57PM (1 child)

    by Anonymous Coward on Wednesday April 10 2019, @06:57PM (#827568)

    "knowing it" is your responsibility you lazy minded fuck. do you think a big penguin is going to be at the library to read you a book or something?

    • (Score: 3, Touché) by Lester on Friday April 12 2019, @12:33PM

      by Lester (6231) on Friday April 12 2019, @12:33PM (#828562) Journal

      And installing a good lock in my home's door is my responsibility. Does it justify the thief?