Hi,

On 03/07/16 21:27, Neil Van Dyke wrote:
> Package: chirp
> Version: 0.4.0-1
> Severity: serious
>
> A pop-up dialog from the "chirpw" program says that it reports some kind
> of usage information to some external party, and describes how to
> opt-out of this. There are at least two privacy problems:
>
> 1. It appears that some phoning home happens before the user has given
> informed consent. For example, when I received the pop-up dialogue, I
> immediately disabled reporting, but I found that "chirpw" had already
> contacted some server and informed me that I was not using the latest
> version. Therefore, the suggestion that one can opt-out of phoning-home
> is misleading, since some phoning-home has already occurred.

Yep, I plan to patch this out.

> 2. Also, the text suggests that this is anonymous, but that is
> misleading (due, e.g., to IP address traceability), so any consent would
> not be informed, even were it given prior to phoning-home occurring.

Entirely patching this out. All updates should happen through apt. No
phoning home or anywhere else.

> Note that I have not looked at what information is transmitted, so there
> might be a third problem, but I believe these two identified problems
> alone require action.
>
> I recommend and request that this reporting and any other "phoning home"
> either be disabled completely in the Debian "chirp" package, or changed
> to be an express *opt-in* (like opt-in is long used elsewhere in Debian,
> such as for package "popularity contest"). Thank you.
>

Thanks for reporting this. I was going to work on this this week anyway,
but it'll feel more satisfying when I close a bug doing it. (:

Thanks,
Iain.