A hot thread on openSUSE's forums titled "Does openSUSE track users?" started with the discovery of the OP that openSUSE creates a UUID (Universally Unique IDentifier - Wikipedia) for each installed system and that is automatically reported to SUSE "for statistical purposes" without even informing the installer that such feature exist. The OP raised valid concerns that the IP address is personal data and when combined with an UUID creates an even more distinguishable unique identifier, so he argued that this must be clarified during installation and be an opt-in, rather than silently enforced, because it creates a possibility for fingerprinting/profiling.
Admins explained that it can be disabled by deleting /var/lib/zypp/AnonymousUniqueId. Obviously this is a post-factum possibility as one cannot do it during installation. Or to avoid it - one must be disconnected and install from DVD, then delete the file before running any software update.
Forum users commented on the website itself too. The OP found that SUSE's terms and the site tools for personal data control are not GDPR (General Data Protection Regulation - https://eugdpr.org/, Wikipedia) compliant. He shared his observations that:
- too much data is required during account registration which is technically not necessary for just writing in the forums or reporting bugs (physical address, phone, job, zip etc). He reported that in a bug report which was closed as "RESOLVED DUPLICATE" of a similar bug which itself was closed earlier as INVALID. Although he reopened the referenced bug, so far it didn't catch anyone's attention.
- personal data is shared with multiple third party entities in a catch-all agreement without that being technically necessary which also contradicts the GDPR principle of data processing minimisation
- there is no possibility for granular opt-in/out for any of this but just one single catch-all forced consent which one must accept which in fact enforces one to accept multiple policies of third parties (Google, Live Chat, Facebook etc) because of the 3rd party resources the sites of SUSE use
- the privacy policy of SUSE is misleading as it justifies "legitimate interest" basing it on Article 6(1)(f) of GDPR while ignoring an essential part of the same article - that legitimate interest cannot overpower fundamental rights, one of which is the right to personal data protection
- there are no tools for one to control one's personal data as the GDPR mandates (download, erase, restrict processing etc)
The OP even filed a request for erasure as per Article 17 of GDPR but neither SUSE's privacy team, nor SUSE's DPO replied to him so far (for more than a week) although GDPR says that such requests must be handled "without undue delay". Meanwhile Microfocus replied to him that his data has been erased but it was not - he could still login and see all his profile data.
A mod locked the thread claiming that "further discussion is pointless" and "you have legal choices" missing the essential point - that SUSE failed to provide those choices as it must and leaves only one choice: to lodge a legal complaint against the data controller.
All this is quite similar to what most sites and companies do. Perhaps to make GDPR count we should all be more active in lodging complaints.
A link to the thread:
https://forums.opensuse.org/showthread.php/535322-Does-openSUSE-track-users
(Score: 2, Interesting) by Anonymous Coward on Monday April 08 2019, @07:12PM (25 children)
Crazy source-based distro user here. Doesn't that GUID go in some file [man7.org] in /etc (looks like /etc/machine-id)? I just remember that because every time I boot up, some service OpenRC (fuck systemd) starts complains that file is blank.
Seems to be fuck systemd related. Maybe it's eudev complaining about it? Whatever it is, my machine works fine without fuck systemd or a GUID there, so I just never looked into it.
(Score: 3, Funny) by Freeman on Monday April 08 2019, @07:39PM
For some reason, I am getting vibes that you may have some reservations with regards to systemd. Sounds like you found an alternative though. It also sounds like OpenSUSE users might be better off with something that doesn't create automated tracking data.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1, Interesting) by Anonymous Coward on Monday April 08 2019, @07:43PM (15 children)
And Windows or MacOS don't do this and much worse? Someone with an agenda is picking on a Linux distro based in the EU to damage them. The "money trail" is well obfuscated...
(Score: 2) by Lester on Monday April 08 2019, @08:49PM (13 children)
Probably, but they are not opensource.
Just, it is sad. The concept that OSS gave total control to users about what they run is over.
(Score: 4, Interesting) by maxwell demon on Monday April 08 2019, @09:15PM (12 children)
No, it is not. Everyone is free to take OpenSUSE, modify it to not include the unique ID, and distribute the modified version to anyone who cares. While you cannot do the same e.g. with Windows.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Insightful) by Lester on Tuesday April 09 2019, @10:23AM (10 children)
No, you are not free if you don't know it. And most people didn't know it.
Now OSS software has also fine print that must be carefully read, it is not anymore what it looks at first sight, in the surface.
[s]Wonderful! OSS is now closer to proprietary software quality standard[/s]. That is my feelling.
(Score: 2) by Freeman on Tuesday April 09 2019, @03:12PM (7 children)
The fine print in Open Source Software, tells you a few things. Generally it answers the following questions. Do I have to distribute the source, if I modify it? Am I able to sell what I make with it? Who do I credit? It also usually includes a giant disclaimer telling you to use the software at your own risk and that the creators of said software shall not be held liable for anything. Including but not limited to, software fit for purpose, software making your hardware self-destruct, or blowing up the moon.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Lester on Tuesday April 09 2019, @04:30PM (6 children)
Thank you for clarifying that the disclaimer includes their right to install a trojan.
I, so far, had assumed that in OSS all the risks were related to bugs and/or misunderstanding. Now I have learned that there could be already malice and deceit, moreover there is nothing abnormal in such behavior.
(Score: 2) by maxwell demon on Tuesday April 09 2019, @06:02PM (2 children)
Of course using Open Source doesn't mean you are absolved from any other legal or ethical constraints. For example, just because the license to my Linux system doesn't state anywhere that I'm not allowed to use that software to hack into a military base and explode a nuclear bomb there doesn't mean that I'm free to do that. However should anyone do that using his Linux system, it is not an issue with Open Source, it's an issue with whoever does that.
Similarly, the Open Source license does not forbid whichever company distributes it to add tracking code to it. It still is immoral and possibly illegal, but that's not an issue with Open Source. It's an issue with that company.
So if you want to blame the problem on the company, I'm all with you. But as soon as you try to blame the problem on Open Source, I'm not. Open Source was never about doing no questionable things at all; it was always and exclusively about the permission to use, change and redistribute the code in any way you see fit.
Now this software distribution model has as side effect that things such as hidden tracking are easier to detect, because the source is open, and therefore you are less likely to encounter them with Open Source. But there is not and has never been any guarantee that you are absolutely safe from such stuff just because you are using Open Source. If you thought so, you were delusional.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Freeman on Tuesday April 09 2019, @06:13PM
By definition, it wouldn't be hidden as it's Open Source, but it could definitely be obfuscated. The Open Source code will definitely make it a lot easier to prove and find exactly where the code is that's doing something.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1, Interesting) by Anonymous Coward on Thursday April 11 2019, @11:25PM
Be aware that Firefox's Incognito/Private Mode, as well as platforms that rely on it (Tor Browser Bundle) doesn't allow deleting cookies during the course of a session, doesn't allow you to view cookies during the session, and hides said cookies from addons, even if addons can turn cookies on/off (see: uMatrix). The result is that if you browse any two sites which share a third party site with cookies, or if your tunnel changes after you have a session id/login assigned to you, your sessions can be tracked to the same user, and more than likely can be passively correlated to your location after a few 5 eyes circuit resets.
Be warned, Private Modes are not at all private while browsing, only when the browser is completely exited. And Tor Browser sessions are easily trackable if you don't have uMatrix with cookie and script blocking by default due to session ids and circuit resets. I shudder to think at the number of dissidents who have been caught because they had faith in the Tor Project.
In other news, I2P's LeaseSet model is compromised. 40 nodes can discover a hidden service location. LeaseSet 2 is supposed to fix it with an Onion v3 style leasing model, but we are now reach a technical single point of failure for anonymity networks. Assume privacy is dead, and either hope for the best, or bug out while you still can.
(Score: 2) by Freeman on Tuesday April 09 2019, @06:07PM
There's a reason for the disclaimer, cover their own backsides. While, I wouldn't qualify this as a Trojan. Oh, by the way, we track installs and know what IP sent it. Should have been presented to the user, not just the blanket disclaimer. Claiming what they're doing is akin to a Trojan, is disingenuous. It's a bit invasive, but assuming you have a smart phone. It's like comparing a mosquito bite to a shark bite.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Wednesday April 10 2019, @04:08PM (1 child)
I do not think that word means what you think it means.
I suppose you could call what SUSE is doing (creating a unique machine-id and sending it, along with configuration data about the system) malware. But just because they don't tell you about it doesn't make it a trojan.
And to further clarify SUSE's license [opensuse.org] it's the GNU General Public License Version 2 [gnu.org].
(Score: 2) by Lester on Friday April 12 2019, @12:23PM
Yes it does.
According with wikipedia: Trojan is any malicious computer program which misleads users of its true intent.
Well, I think that if it hides things because it knows I may not like them, then it is misleading me. If not a Trojan, a close friend of a Trojan
(Score: 0) by Anonymous Coward on Wednesday April 10 2019, @06:57PM (1 child)
"knowing it" is your responsibility you lazy minded fuck. do you think a big penguin is going to be at the library to read you a book or something?
(Score: 3, Touché) by Lester on Friday April 12 2019, @12:33PM
And installing a good lock in my homes's door is my responsibility. Does it justify the thief?
(Score: 1, Interesting) by Anonymous Coward on Tuesday April 09 2019, @02:54PM
This comment is a symptom of the rot that exists within many of the linux elites: the freedom of choice and freedom of use only exists in what the priests allow you to know.
Someone had to complain and go through legal channels to find all these issues, and they tried to do the right thing and ended up getting told to speak to the hand.
Your comment seems to suggest that no one has to do that, they need to only have already done what he worked so hard to find out--which are tasks that fall under the moniker of "hacking" for most lay people.
If there is absolutely no indication you are being ratted out unless someone is angry enough to unexpectedly report it, then you can't honestly claim that Microsoft is somehow worse.
They are in fact better--it is clear what Microsoft is doing, and they don't hide it, and they are honest about the depths, scope, what they take and what they do with it. Suse didn't say anything until someone spread their secret--then they tried to suppress the conversation.
Everyone is free to tell them to go shove it until they get a better handle on what users want, unless they don't care. I expect they are losing money and don't want to admit they are in trouble. You don't stoop so low unless it's your business model anyway, so these may be desperate measures that they don't want much attention drawn towards. All the same, fuck them if they can't compete honestly.
(Score: 5, Insightful) by maxwell demon on Monday April 08 2019, @09:12PM
So it is OK to kill someone because Jack the Ripper killed more people? Because that's the form of argument you're using here.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by DannyB on Monday April 08 2019, @09:26PM (7 children)
My machine complains . . .
danny@danny-mint19-vm02:~$ fsck systemd
fsck from util-linux 2.31.1
Usage: fsck.ext4 [-panyrcdfktvDFV] [-b superblock] [-B blocksize]
[-l|-L bad_blocks_file] [-C fd] [-j external_journal]
[-E extended-options] [-z undo_file] device
Emergency help:
-p Automatic repair (no questions)
-n Make no changes to the filesystem
-y Assume "yes" to all questions
-c Check for bad blocks and add them to the badblock list
-f Force checking even if filesystem is marked clean
-v Be verbose
-b superblock Use alternative superblock
-B blocksize Force blocksize when looking for superblock
-j external_journal Set location of the external journal
-l bad_blocks_file Add to badblocks list
-L bad_blocks_file Set badblocks list
-z undo_file Create an undo file
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 4, Funny) by NotSanguine on Tuesday April 09 2019, @12:53AM (6 children)
That's because you spelled it wrong:
[notsanguine@venkman ~]$ fuck systemd
Yeah! Fuck systemd!
Amen Brother!
[notsanguine@venkman ~]$
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by DannyB on Tuesday April 09 2019, @02:14PM (5 children)
Oh dear, I must be doing something wrong:
danny@danny-mint19-vm02:~$ fuck systemd
Command 'fuck' not found, did you mean:
command 'suck' from deb suck
command 'fsck' from deb util-linux
command 'duck' from deb duck
Try: sudo apt install
danny@danny-mint19-vm02:~$ sudo apt update && sudo apt upgrade -y && sudo apt install fuck
[sudo] password for danny:
Ign:1 http://mirrors. [mirrors.] . . . . blah blah blah . . ..
The following packages will be upgraded:
. . . blah blah . . .
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,111 kB of archives.
. . . blah blah . . .
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package fuck
danny@danny-mint19-vm02:~$
If that package cannot be found, then why is there a 'yes' command?
Especially when the yes command can generate an infinite number of 'no' by using:
$ yes no
no
no
no
. . . to infinity and beyond . . .
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2, Touché) by Debvgger on Tuesday April 09 2019, @02:41PM (1 child)
Sounds like you can't get laid then. Sorry.
(Score: 2) by DannyB on Tuesday April 09 2019, @03:14PM
I suppose I could develop a new 'no' command which can generate an infinite sequence of 'yes' outputs.
I'm going to patent this new technique I just invented!
sudo cp /usr/bin/yes /usr/bin/no
People will pay the patent license fee because it will cause 'no' to mean 'yes' again! Trump will be grateful.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by NotSanguine on Tuesday April 09 2019, @04:05PM (2 children)
What you really need is this bit:
[notsanguine@venkman ~]$ cat fuck
#!/bin/sh
echo "Yeah! Fuck "${1}"!"
echo "Amen Brother!"
[notsanguine@venkman ~]$
And you can fuck anything you want!
It'll be up on github shortly. Perhaps Debian will include it in a future release. :)
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Tuesday April 09 2019, @06:16PM (1 child)
I think you've got a bug here.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Funny) by NotSanguine on Tuesday April 09 2019, @07:00PM
That's not a bug, that's a feature! I don't do threesomes (or more-somes). :)
But if you do swing that way, try the 'swinger' command:
#!/bin/sh
echo "Yeah! Fuck "${@}"!"
echo "Amen Brother!"
Output:
[notsanguine@venkman ~]$ swinger all the single ladies
Yeah! Fuck all the single ladies!
Amen Brother!
[notsanguine@venkman ~]$
Better now?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by Runaway1956 on Monday April 08 2019, @07:44PM (1 child)
You, the Luser, should decide who has a "legitimate interest" in your data. That IS, after all, one of the many reasons Lusers turn to Linux, instead of Windows. If we enjoyed being raped for data, then many of us would have remained with Microsoft.
Suse must understand that, at some level.
(Score: 5, Touché) by DannyB on Monday April 08 2019, @09:29PM
Every company assures me they have a legitimate interest in my data.
It enables them to improve their
revenueproduct.To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 3, Interesting) by SomeGuy on Monday April 08 2019, @07:49PM
Yes, you should. Nobody else is going to do it for you. The big companies will be pushing back all the time.
In fact, in the US, the average consumertard is brainwashed to believe that tracking is in their best interest. Suggest otherwise and you will get laughed at. (And a $2 off coupon at your favorite restaurant as long as you fill out the on-line survey!)
EU companies must not have spent enough money on brainwashing and bribing lawmakers. Expect them to fix that oversight eventually.
(Score: 2, Interesting) by Anonymous Coward on Monday April 08 2019, @08:15PM (1 child)
Some users are more annoying than others. Maybe openSUSE should ban them, not just erase their ID data? Also, not sure what that dude is talking about. You only need to provide your Name and email. And you can even provide a fake name. But yes, definitely someone with too much time on their hands.
More seriously, there were people that complained about PGP because someone put a key in there with their email address.... it's nice that GDPR has a "legal loophole", we can't have legal cases and convictions where names are removed, right? So how does PGP keyservers work? People allowed to remove other's data or what?
https://medium.com/@mdrahony/are-pgp-key-servers-breaking-the-law-under-the-gdpr-a81ddd709d3e [medium.com]
(Score: 3, Informative) by Lester on Tuesday April 09 2019, @11:25AM
you need.. for what? From a technical point of view they need it for nothing, so it can't be compulsory. Period.
According with GDRP, If a company is selling a product, they may need customer's email to i.e. send the invoice. The company can use the email only for that. If they want to use it for other purposes, they have to tell to it the customer and with an opt-in, not just an opt-out (let alone a buried and hidden opt-out). Moreover, you cannot cancel the contract if customer do not opt-in. That is, it forbides that, i.e., customers can't complete the order if they don't check the opt-in checkbox. The price of the product can't include compulsorily using customer's data.
I completely support that draconian rule. Some people say, the company is free to sell or not to sell whom ever it wants and with the conditions it wants, and the customer is free of picking other company. And I say the company is free to sell in the UE or not , if you don't like you have a whole world out there. I want to be protected by laws not to depend on looking by myself the fine print a hundred times a day.
What about free products that are not sold for money? I don't why you are giving it for free. good will? principles? as a demo of a more advanced version? No matter why, you can't try to reduce cost of the free version forcing customers to give their data. You can opt-in just in case customers want to voluntarily support you, but it can't be compulsory.
According with this draconian rule, google, and facebook couldn't exists, at least shouldn't operate in EU. Yeah, I completely support it.
No loophole, that is part of the service, identifying publicly a key with an email, there are technical reasons to include the email. What the servers can't do is process the information, selling it, gathering information about who ask which keys etc.
(Score: 4, Interesting) by EvilSS on Monday April 08 2019, @09:00PM (2 children)
Well then, seems like OP should give them what they as asking for. GDPR seems to have some teeth, and Microfocus seems to be asking to be bitten in the ass by them.
(Score: 2) by NewNic on Monday April 08 2019, @09:50PM (1 child)
Microfocus hasn't owned SUSE for almost a month now.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 1, Troll) by EvilSS on Tuesday April 09 2019, @02:23PM
(Score: 0) by Anonymous Coward on Monday April 08 2019, @09:40PM
The GDPR does no such thing. It merely mandates that the company must comply with such requests, but does not specify how to. If SuSE's overlords prefer to spend manhour power on such requests, that's perfectly valid.
Automated tools can be made available online. Most wetware tools are not, so you might need to request those services by (e-)mail.
(Score: 3, Funny) by realDonaldTrump on Tuesday April 09 2019, @05:34AM
My father was born in a great place in Germany, so I have great respect for Germany. And for German companies. But I'll tell you, if you want to build cyber in the world, then I wish you all the best. You can build cyber for the United States, but for every cyber that comes to the USA you will pay 35% tax. I would tell SUSE that if you are building a factory in Mexico and plan to sell cyber to the US without a 35% tax then you can forget that. SUSE prices may increase because of the massive Tariffs we may be imposing on Germany -- but there is an easy solution where there would be ZERO tax, and indeed a tax incentive. Make your products in the United States instead of Germany. Start building new plants now. Exciting!
(Score: 0) by Anonymous Coward on Wednesday April 10 2019, @06:54PM
people who think the GDPR is great are blind state socialists. wake up slave!