Measuring success/failure in the installation

Colin Watson cjwatson at ubuntu.com
Thu May 26 17:46:11 UTC 2011 

On Tue, May 24, 2011 at 12:30:09PM -0700, Kees Cook wrote:
> I have no general objection to collecting this kind of information, so long
> as it provides actual value. For example[1], connman connects back to
> http://www.connman.net/online/status.html and reports its version every
> time it establishes a network connection. This provides direct value to the
> user because their software is able to better detect if it has actually
> found a "real" Internet connection or not, and do something about it.
> 
> What value does the installer connect-back actually provide the user? Why
> are raw counts of any value? It would seem that reporting a full set of
> hardware details in the connect-back would actually give you better
> before/after logs ("people with FooBar wifi are never seen again"), but it
> still doesn't provide the user with immediate direct useful improvement to
> their Ubuntu experience, so I'm not sure it's worth doing.

Some of my friends have been talking about the new European privacy
legislation recently, which particularly affects web sites implementing
cookies; but it occurred to me that it was probably general enough that
it might have some bearing on this, so I went and checked.  Here's the
text, Directive 2009/136/EC
(http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBgQFjAA&url=http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DOJ%3AL%3A2009%3A337%3A0011%3A0036%3AEn%3APDF&rct=j&q=%22directive%202009%2F136%22&ei=vI3eTZSxD8PLswbsxbXFBQ&usg=AFQjCNFJiyqZ0udj1H8DhsjJ459e7BTGQA&sig2=CVOoklG1FoyFxjVpo_8vpQ&cad=rja),
paragraph 66, which is indeed not specific to cookies, and touches on
similar "value to the user" topics as Kees mentioned:

  Third parties may wish to store information on the equipment of a
  user, or gain access to information already stored, for a number of
  purposes, ranging from the legitimate (such as certain types of
  cookies) to those involving unwarranted intrusion into the private
  sphere (such as spyware or viruses).  It is therefore of paramount
  importance that users be provided with clear and comprehensive
  information when engaging in any activity which could result in such
  storage or gaining of access.  The methods of providing information
  and offering the right to refuse should be as user-friendly as
  possible.  Exceptions to the obligation to provide information and
  offer the right to refuse should be limited to those situations where
  the technical storage or access is strictly necessary for the
  legitimate purpose of enabling the use of a specific service
  explicitly requested by the subscriber or user.  Where it is
  technically possible and effective, in accordance with the relevant
  provisions of Directive 95/46/EC, the user’s consent to processing may
  be expressed by using the appropriate settings of a browser or other
  application.  The enforcement of these requirements should be made
  more effective by way of enhanced powers granted to the relevant
  national authorities.

Obviously IANAL, but this seems general enough that it could easily
cover this proposal (though I haven't looked up the ICO's guidance).
Note in particular that this directive is not restricted to
personally-identifying data, so it's not quite the same as traditional
data protection concerns.  I think we may well be obliged to obtain
explicit prior consent, not merely provide an opt-out that's hidden away
in preseeding.

It may well be possible to ask the Information Commissioner for guidance
on this, as I expect that it may turn on whether this kind of thing
counts as "information on the equipment of a user".  Given that we're
subject to UK law and that this is a high-profile issue right now, it
seems to me that asking for such guidance would be a good idea.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]

More information about the technical-board mailing list