posted by martyb on Monday April 08 2019, @06:59PM
from the what-to-do? dept.

A hot thread on openSUSE's forums titled "Does openSUSE track users?" started when the OP discovered that openSUSE creates a UUID (Universally Unique IDentifier) for each installed system and automatically reports it to SUSE "for statistical purposes" without even informing the installer that such a feature exists. The OP raised valid concerns that the IP address is personal data and, when combined with a UUID, creates an even more distinguishable unique identifier. He argued that this must be clarified during installation and be opt-in rather than silently enforced, because it creates a possibility for fingerprinting/profiling.

Admins explained that it can be disabled by deleting /var/lib/zypp/AnonymousUniqueId. Obviously this is a post-factum possibility, as one cannot do it during installation. To avoid the reporting altogether, one must be disconnected from the network, install from DVD, and then delete the file before running any software update.

Forum users commented on the website itself too. The OP found that SUSE's terms and the site tools for personal data control are not GDPR (General Data Protection Regulation, https://eugdpr.org/) compliant. He shared his observations that:

- too much data is required during account registration (physical address, phone, job, zip etc.) that is technically not necessary for just writing in the forums or reporting bugs. He reported this in a bug report, which was closed as "RESOLVED DUPLICATE" of a similar bug that had itself been closed earlier as INVALID. Although he reopened the referenced bug, so far it has not caught anyone's attention.

- personal data is shared with multiple third-party entities in a catch-all agreement without that being technically necessary, which also contradicts the GDPR principle of data processing minimisation

- there is no possibility for granular opt-in/out for any of this, just a single catch-all forced consent that one must accept, which in effect forces one to accept the policies of multiple third parties (Google, Live Chat, Facebook etc.) because of the third-party resources SUSE's sites use

- the privacy policy of SUSE is misleading as it justifies "legitimate interest" basing it on Article 6(1)(f) of GDPR while ignoring an essential part of the same article - that legitimate interest cannot overpower fundamental rights, one of which is the right to personal data protection

- there are no tools for one to control one's personal data as the GDPR mandates (download, erase, restrict processing etc)

The OP even filed a request for erasure under Article 17 of GDPR, but neither SUSE's privacy team nor SUSE's DPO has replied to him so far (for more than a week), although GDPR says that such requests must be handled "without undue delay". Meanwhile, Microfocus replied to him that his data had been erased, but it was not: he could still log in and see all his profile data.

A mod locked the thread, claiming that "further discussion is pointless" and "you have legal choices", missing the essential point: that SUSE failed to provide those choices as it must, and leaves only one choice, to lodge a legal complaint against the data controller.

All this is quite similar to what most sites and companies do. Perhaps to make GDPR count we should all be more active in lodging complaints.

A link to the thread:

https://forums.opensuse.org/showthread.php/535322-Does-openSUSE-track-users



 
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday April 09 2019, @02:54PM

    This comment is a symptom of the rot that exists within many of the linux elites: the freedom of choice and freedom of use only exists in what the priests allow you to know.

    Someone had to complain and go through legal channels to find all these issues, and they tried to do the right thing and ended up getting told to speak to the hand.

    Your comment seems to suggest that no one has to do that, they need to only have already done what he worked so hard to find out--which are tasks that fall under the moniker of "hacking" for most lay people.

    If there is absolutely no indication you are being ratted out unless someone is angry enough to unexpectedly report it, then you can't honestly claim that Microsoft is somehow worse.

    They are in fact better--it is clear what Microsoft is doing, and they don't hide it, and they are honest about the depths, scope, what they take and what they do with it. Suse didn't say anything until someone spread their secret--then they tried to suppress the conversation.

    Everyone is free to tell them to go shove it until they get a better handle on what users want, unless they don't care. I expect they are losing money and don't want to admit they are in trouble. You don't stoop so low unless it's your business model anyway, so these may be desperate measures that they don't want much attention drawn towards. All the same, fuck them if they can't compete honestly.
