Fedora considers "privacy-preserving" telemetry

I wish they didn't use the name "telemetry" for this; it's going to produce a lot of instinctive reactions from people that don't lend themselves to a productive conversation. (See, for instance, the person objecting that Linux users culturally value their privacy, on a public and archived-forever mailing list, signed with their full name and long-term-persistent email address.)

We've had various forms of "telemetry" in FOSS for a long while. Debian has the "popularity contest," for instance, which is probably wildly inaccurate in this world of public cloud VMs and containers, but is still used when making development decisions. Lots of web services collect visitor logs, and most FOSS web servers default to recording access logs, including IP addresses. Pine (which, admittedly, went through a period where it didn't count as FOSS) prompted users to send an email counting them as a Pine user (https://staff.washington.edu/corey/pine-stats/), which the development team used to measure their impact and justify their continued funding - the same motivation Endless OS cites in their post (https://blogs.gnome.org/wjjt/2023/07/05/endless-oss-priva...). I found the post quite thoughtful, especially about what "privacy-preserving" means.

I suspect there are very few people who are okay with this sort of metrics collection who are going to be motivated to join a forum to argue passionately about how they don't find it objectionable.

> And in contrast to proprietary software operating systems, you can redirect the data collection to your own private metrics server instead of Fedora's to see precisely what data is being collected from you, because the server components are open source too.

That sounds good, but unfortunately they have to be a bit more specific: “client-server tracking software but it's self-hostable and open source” is a spectrum with things like Matomo on one end and Mozilla Weave on the other.

The post talks a lot about graphical settings and settings that differ from the graphical setting under the hood and user consent during installation.

What about installations performed in some automated way (e.g. for all desktops in a company or on a university campus)?

Given the purpose of the proposed data collection ("how its software is used"), why is the collected data not made anonymous? So....no machine specific data (MAC for example)...no network specific data (IP for example)....no user specific data (user details for paid-for licences for example)....and so on. It's all very well to talk the talk about "privacy"........when anonymity is really what is required.

And another thing.....if the "data upload" was truly anonymous, would that not be useful in persuading users (and law makers) about the propriety of the proposal? And finally, does the "data upload" have a stated lifetime.....or does the Fedora-stored data last forever?

> However, we also want to ensure that the data we collect is meaningful, so gnome-initial-setup will default to displaying the toggle as enabled, even though the underlying setting will initially be disabled. (The underlying setting will not actually be enabled until the user finishes the privacy page, to ensure users have the opportunity to disable the setting before any data is uploaded.)
> Metrics uploading will be opt-in for users who upgrade from previous versions of Fedora Workstation [...] but metrics collection will be opt-out. That is, your upgraded system will collect metrics locally but will never submit them to Fedora.

I think this is a reasonable compromise to the opt-out/opt-in situation, and an important one for anyone who skips reading the posting. I personally don't mind this kind of data collection for real-world use, but making it a checkable box available in the installer is a good move, instead of something that happens automatically and you have to go off and find in the settings later to remember to turn off if you don't want it. Slap it in as a kickstart option as well and I'm a happy camper.

I think if people really want to see Desktop Linux become more cohesive, user-friendly, and accessible in this age of Steam Decks and increased interest from non-Linux-y types, this is a good opportunity to tackle some of those fronts. I've always had a great experience in Desktop Linux for years, even with relatively recent hardware, but my friend gave Fedora a shot as a daily driver for a week and ran into a bunch of issues with his mixed set of 60Hz/144Hz displays, gaming peripherals, etc. which ultimately resulted in switching back to Windows (for a variety of those and other issues). Getting access to the real-world usage info to improve this experience is going to be - hopefully - a good thing, and I'm hoping Fedora can do this in a really user-privacy protected manner.

Announcing something like this without key information such as
- What is going to be collected
- How (technically) it is being collected
- How (technically) the information is going to be transmitted
- Where to (territory and legal entity) the information is going to be transmitted
- Where to (territory and legal entities) the information is going to be copied after it has been transmitted
- What the retention policy will be
- What the privacy policy will be
is making this announcement something that can neither be agreed upon nor rejected, so i choose to ignore it. At the time when it will be rolled out, please remind me again, so i can patch it out of our images. Thank you in advance.

Something like Go's proposed transparent telemetry could be good. I personally favour informed opt-out though something like a pre-ticked checkbox in the installer, as telemetry is really useful for making informed decisions.

Go Transparent Telemetry: https://research.swtch.com/telemetry

My argument against telemetry:

IBM has bought Red Hat, IBM is demonstrably evil, and look at what's happened at Red Hat since then. Fedora may be a "community project", but it's funded by Red Hat and many Red Hat employees are involved.

Even if the initial telemetry respects privacy, there is no ironclad guarantee that IBM will not exert pressure at a point in the near future to change that. I oppose this because Red Hat, and IBM especially, have exhausted all trust from me, and I've already been considering switching to a different distribution before they find ways to limit, corrupt, destroy, or otherwise molest Fedora.

If telemetry is enabled by default, even if it's easy to turn off, that could quite possibly be the last straw that pushes me to another distro.

Leaving aside individual privacy, is there a security issue?

If the telemetry includes enough information to construct a fingerprint that could be correlated by an external scan, then an attacker with access to the telemetry could conceivably learn a lot given the telemetry is privileged information gathered from inside any defences, e.g. whether critical patches have been applied.

$100 says this is IBM wanting to track who is using Fedora, so they can build a list of IP's of corporations they can then go try and sell RHEL to.