Date:      Sun, 15 Nov 2020 10:25:37 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 251152] sysutils/bsdstats violates POLA and data protection rules
Message-ID:  <bug-251152-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152

            Bug ID: 251152
           Summary: sysutils/bsdstats violates POLA and data protection
                    rules
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: d8zNeCFG@aon.at
                CC: scrappy@hub.org
             Flags: maintainer-feedback?(scrappy@hub.org)

Scenario:
- FreeBSD 12.1
- latest ports
- running "portmaster sysutils/bsdstats"

Result:
- the port gets installed
- during installation, without warning and without further user interaction:
  . it collects information and transmits it to a central site
  . it installs a tracking cookie/unique id in /var/db/bsdstats
  . it installs a setting in /etc/rc.conf making it run on every system startup
  . it installs periodic scripts making it run periodically
  . it never reveals which information is collected and sent to the central
site

This amounts to a violation of POLA - ports do not usually start the programs
they install immediately, and worse, to a violation of data privacy rules, for
example those valid in the European Union (GDPR).

Expected result:
- the port gets installed
- no further changes to the system are made; specifically, none of the data
collection programs the port installs are automatically run
- the port message informs the user about
  . what this port does
  . which data it collects
  . where the data is sent, and for what purpose
  . how to actively give assent to the port's data collection and transmission
properties
  . how to enable the data collection program to run at system startup
  . how to enable the data collection program to run periodically
  . how to retract one's permission for the data collection and transmission
and disable all such collection and transmission
  . how to reach the operators of the central site and demand that all
collected information be deleted
- the program provides an option to inspect which information is collected
without sending it anywhere

Bonus:
- the program provides an option to delete all the collected information on the
central site and then deletes the locally generated cookies/unique id.

Note that the GDPR defines "personal data" as "any information relating to an
identified or identifiable natural person (‘data subject’); an identifiable
natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person".

-- Martin
