Hi. I asked on #debian-devel for input on this issue, and the general consensus as I read it is that the default should be to not send out anything, and this should only be changed when the user make an active choice to change it.
Here is the IRC thread. <pere> hi. I'm trying to locate a good reference on debians policy on spyware and software that 'call home', without any luck so far. anyone know if there are any good explanation on Debians stance on this? <nthykier> pere: I am not aware that we have a written policy on this. We got some lintian tags for finding "privacy-braches" (e.g. facebook javascript load requests), which is the most structured thing I am aware of in this field. <ron> yeah, there's probably a rough informal "kill it with fire" consensus - but then we also ship chrome, so ... <pere> the background is trying to explain to upstream why its 'collect stats from users' mechanism should default to 'no' in Debian. * pabs guesses the social contract is the closest thing to a policy we have on this <ron> might be easier better to explain why it should default to no everywhere, and only be enabled with explicit consent :) <pere> doing it upstream would reduce the translation burden in Debian, as the texts need to be changed to reflect the new default. <pere> ron: nah, proved to not be very simple. :) <pabs> which package is this about? <wRAR> no, we don't have anything that you can send to the upstream, only ad-hoc lintian tags without a justification <pere> see <URL: https://github.com/Ultimaker/Cura/issues/2810#issuecomment-359250182 > for the upstream discussion. we simply disabled it in debian, but find it perfectly fine to ask the user on first use, as long as the default is 'no'. <ron> if they don't see/accept the principle, then "Debian says you should" probably won't be convincing either <ron> which really leaves 1. don't include it in debian, 2. else publicise it does this and patch it out. <pere> I suspect the 'some random guy say so' have less weight than 'the debian project as a whole say so'. <pere> ron: we did 2 so far. <wRAR> well, the debian project as a whole doesn't say anything on this <wRAR> ron: 3. leave it as is <ron> yeah, but anyone convinced by "appeal to authority" rather than the merits of the argument is on the losing side of logic to begin with ;) <wRAR> indeed <pere> my understanding of our culture, is that we do not accept 'phone home' software to enable the spyware feature by default. <wRAR> it's not written anywhere <pabs> I'd say leave it up to the user, first start should have buttons "spy on me" and "don't spy on me" <wRAR> the lintian tags are not autoreject AFAIK <pere> ron: feel free to chime in on the upstream bug, perhaps you have more success than me. :) <pere> pabs: I'm fine with asking the user, as long as the casual user failing to read the question properly get 'no' as the default. <pabs> I suggest not including yes/no buttons, because users never read those <pabs> "spy on me" and "don't spy on me" buttons mean they don't have to read the question, just the button they click <ron> the question doesn't need to be that loaded if it's really "anonymous" stats which help guide dev work or find bugs. <ron> we don't ask "do you want debian to spy on you" for the popcon question :) <wRAR> yup <ron> but it definitely shouldn't be sending anything out without informed consent <pabs> sure, I'm not saying to literally use that text :) <pere> thank you. I'm updating the Debian bug with this conversation. -- Happy hacking Petter Reinholdtsen
