KDE telemetry and Triskel (Trisquel KDE)

57 replies
kusarigama
Offline
Joined: 08/23/2021

I was recently investigating telemetry in KDE, and found a few pages about it in the official documentation:
Telemetry Policies https://community.kde.org/Policies/Telemetry_Policy
A list of applications collecting data https://community.kde.org/Telemetry_Use

This looks like very sad news for the free software community. As far as I understand KDE collects some data about its users.
These options can be disabled in KDE but telemetry is not completely turned off, data is still collected and stored locally by the user.
Do you now need a version of Trisquel (I mean Triskel), with a DE which has gone the way of telemetry?

eric23
Offline
Joined: 06/30/2017

KDE is free software, if there is something in it the community does not want, the community can have it removed without the KDE organization's approval. It sounds like it is a recent addition so Etiona probably does not have it.

I still like KDE.

kusarigama
Offline
Joined: 08/23/2021

It's all about the kUserFeedback package. Yes indeed, this was added recently and has not affected Triskel yet. Yet...
This package can be removed, but then it breaks Kate and Plasma-workspace. There is a way to rebuild these parts without depending on kUserFeedback.

The community doesn't seem to be able to influence it.

lanun
Offline
Joined: 04/01/2021

> There is a way to rebuild these parts without depending on kUserFeedback.

That sounds like good news for Triskel users.

> The community doesn't seem to be able to influence it.

That sounds contradictory. What would prevent, say, the Triskel maintainers from rebuilding these parts without depending on kUserFeedback? Is this not the very benefit of having people screen all sorts of packages before release, instead of blindly following upstream changes?

Legimet
Offline
Joined: 12/10/2013

> application telemetry is always opt-in. That means off by default and only activated by the explicit action of the user (inaction is not good enough).

If this is true, I don't see an issue.

EDIT: I have a recent installation of Plasma and Kate and I can confirm that telemetry is disabled by default.

gaseousness
Offline
Joined: 08/25/2020

"I can confirm that telemetry is disabled by default."

Can you please confirm that you have kate and plasma workspaces without the kUserFeedback spyware package?

Legimet
Offline
Joined: 12/10/2013

It's not spyware. You have to go into the settings and enable telemetry for any data to be sent to the KDE servers. Since it is free software, you can also verify that it doesn't send any data without the user's consent.

kusarigama
Offline
Joined: 08/23/2021

Now listen again to your phrase - "You have to go into the settings and enable telemetry for any data to be sent to the KDE servers". Nothing confuses you?) In open and free software (and KDE seems to be positioning itself like that) there is a telemetry component. Maybe then go straight to Windows 10? :)

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Telemetry can benefit both developers and users. See https://alexgaynor.net/2015/sep/03/telemetry-for-open-source/ for a few use cases.

What is obviously unacceptable is profiling, or even simply collecting personal data. Start-up times, counts of used features, usage times, versions of libraries, locale information, ..., sent without anything identifying the user or her system is not collecting personal data.

KDE's telemetry policy clearly explains that the collected data do not allow identifying the user. For instance:

> While we are willing to delete data a user no longer wants to have shared, it should be understood that the below rules are designed to make identification of data of a specific user impossible, and thus a deletion request effectively impossible.
> https://community.kde.org/Policies/Telemetry_Policy

The collected pieces of information that https://community.kde.org/Telemetry_Use lists are not user-identifying.

Finally, thanks to freedom 1, anybody is allowed to check down to the source code that KDE's telemetry does indeed not collect other pieces of information.

kusarigama
Offline
Joined: 08/23/2021

Okay, but they implemented it in such a way that it is impossible to disable it completely (even if the slider is in the leftmost position, the data continues to be collected and stored locally by the user). If you try to remove the kUserFeedback package, you will get a crash of our environment. Is this freedom according to you?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

It is, according to the FSF. Indeed, this has nothing to do with the free software definition: https://www.gnu.org/philosophy/free-sw.html

Legimet
Offline
Joined: 12/10/2013

The majority of applications store data locally anyway (such as which applications are used, for the "recently used" feature), whether there is any telemetry feature or not. Again, no data is sent to the KDE servers unless you specifically enable it.

Legimet
Offline
Joined: 12/10/2013

By the way, this is the best implementation of telemetry that I've ever seen in any application. It is disabled by default, and if you enable it, there's a slider that allows you to control how much data is being sent, and it tells you exactly what pieces of data are being sent.

gaseousness
Offline
Joined: 08/25/2020

"By the way, this is the best implementation of telemetry that I've ever seen in any application"

I have to respectfully disagree, from my understanding

https://bugs.launchpad.net/ubuntu/+source/unity-lens-shopping/+bug/1055952

^ This could have easily been removed. apt remove unity-lens-shopping, no sneaky dependency issues.

Debian's popcon (popularity contest) you have to go out of your way to install and if I recall correctly, it's not enabled even after installation. I don't need some useless slider, at all, KDE seemed to work well enough for like what 20 years, and other DE, graphical programs, without needing to start these games. Ubuntu's way of having it already installed was wrong, but if it was just one totally separate package the users could easily install or remove that's fine, not like cmake compile stuff, you see what I mean? Audacity, tried playing it all smooth at first, hopefully tenacity will be able to fork it well?

https://www.gnu.org/philosophy/ubuntu-spyware.en.html

gaseousness
Offline
Joined: 08/25/2020

"Finally, thanks to freedom 1, anybody is allowed to check down to the source code that KDE's telemetry does not indeed collects other pieces of information."

Not everyone is a programmer, not everyone wants to put up with the effort of having to check to see if they are being spied on, a DE doesn't need it, if they make it completely optional, and no sneaky dependencies, I won't call it spyware.

Non-free is getting worse and worse, so much more bloated over time with their buzzwords "telemetry" and "user feedback", bug reports and completely optional work fine in my honest opinion.

gaseousness
Offline
Joined: 08/25/2020

Alex Gaynor is a biased and deceptive "source" in my honest opinion

https://alexgaynor.net/2019/mar/07/chrome-windows-exploit-security-beyond-bugfixes/

"The combination of these mitigations and sandboxing improvements makes exploiting bugs in Windows 10 much harder than in Windows 7. Users still on Windows 7 should be upgrading. "

"Upgrading" to slowdows 10 commercials.

gaseousness
Offline
Joined: 08/25/2020

https://packages.ubuntu.com/hirsute/kate

Some interesting sounding dependencies appearing in the latest Ubuntu right now for kate

libkf5crash5
libkuserfeedbackcore1
libkuserfeedbackwidgets1

trisquel devs have cleaned out firefox from its unneeded spyware "user feedback", but a desktop environment could be much more difficult? Not good, that others will be spied on, even if we aren't? I don't need extra bloat or additional security issues due to unneeded spyware "telemetry", what a shame.
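
An added example, not part of the thread or of any project mentioned in it: one way to check which installed packages declare a dependency on the kuserfeedback libraries listed above. It parses `dpkg-query` output; the function names and the sample package lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report packages whose Depends field names a
# libkuserfeedback* library (e.g. libkuserfeedbackcore1).

# Reads "package<TAB>depends" lines on stdin, as produced by
#   dpkg-query -W -f='${Package}\t${Depends}\n'
# and prints "package: lib1 lib2" for every package that depends on one
# or more kuserfeedback libraries.
find_kuserfeedback_dependents() {
    awk -F '\t' '
    {
        hits = ""
        # Depends entries are separated by "," and alternatives by "|".
        n = split($2, deps, /[,|]/)
        for (i = 1; i <= n; i++) {
            d = deps[i]
            sub(/^[ ]+/, "", d)       # leading blanks
            sub(/[ (:].*$/, "", d)    # version constraint or :arch qualifier
            if (d ~ /^libkuserfeedback/)
                hits = hits (hits ? " " : "") d
        }
        if (hits != "")
            print $1 ": " hits
    }'
}

# Constructed sample input in the same format, so the example runs on
# systems without dpkg. These lines are illustrative, not real metadata.
sample_dpkg_output() {
    printf 'kate\tlibc6 (>= 2.14), libkf5crash5 (>= 4.96.0), libkuserfeedbackcore1 (>= 1.0.0), libkuserfeedbackwidgets1 (>= 1.0.0)\n'
    printf 'nano\tlibc6 (>= 2.27), libncursesw6 (>= 6)\n'
    printf 'example-app\tlibfoo1 | libkuserfeedbackcore1:any, libc6\n'
}

if [ "${1:-}" = "--live" ]; then
    # Audit the local package database.
    dpkg-query -W -f='${Package}\t${Depends}\n' | find_kuserfeedback_dependents
else
    sample_dpkg_output | find_kuserfeedback_dependents
fi
```

On a Debian-based system, run it with `--live` to audit the real package database; only the Depends field is checked, not Recommends.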

Legimet
Offline
Joined: 12/10/2013

> Not everyone is a programmer, not everyone wants to put up with the effort of having to check to see if they are being spied on

Again, this is an *opt-in* feature. Just like the crash reporting feature that KDE has had for over a decade and I never heard any complaints about.
If you can't read the code, and you don't trust anyone else that has read the code, then that should apply to all other software that you use. How can you trust any package on your computer?

> "The combination of these mitigations and sandboxing improvements makes exploiting bugs in Windows 10 much harder than in Windows 7.

And once again, you pivot to unrelated topics. If someone talks about nonfree software, that makes everything they write deceptive? Is it really that hard to imagine why developers would want some data about how users use their information?

> but a desktop environment could be much more difficult?

It's almost trivial to compile kate and plasma without kuserfeedback.

gaseousness
Offline
Joined: 08/25/2020

"The majority of applications store data locally anyway, whether there is any telemetry feature or not."

yes, but firefox's vanilla version, for example, stores its snoopiness in various locations. It can add up to a lot of disk usage, non-free google play apps with many trackers, can equate to quite excessive "app data", over time. Do we really want more and more programs to have unneeded spyware included?

"Again, no data is sent to the KDE servers unless you specifically enable it."

I couldn't find where the data was gonna be sent to from those original links.

1984, spooky?
https://github.com/KDE/kuserfeedback/search?q=1984&type=

"Is it really that hard to imagine why developers would want some data about how users use their information?"

Is it really that hard to imagine why the wrong people would want our data? something like bug reports, and 100% completely optional are the safer and more ethical ways I know of so far.

"It's almost trivial to compile kate and plasma without kuserfeedback."

Maybe for you, but maybe not for the average user, and hopefully that means that the kde version of trisquel, triskel, will be supported and won't be that hard?

"you pivot to unrelated topics"

I also mentioned how everything has been fine without "telemetry" and "user feedback", so I didn't just neglect his opinion that "telemetry" or "user feedback" would be a good thing for us?

" If someone talks about nonfree software, that makes everything they write deceptive?"

Alex Gaynor writes a lot more deception, but slowdows 10, example is perhaps the epitome and crosses that line. If someone promotes it either they were fooled by marketing, paid a few bucks by microsoft, or have used it and are 100 percent lying, in my opinion.

slowdows 10, I have personally experienced, and from my honest opinion it is complete garbage quality wise and privacy wise, they installed adobe flash, and couldn't find it and uninstall it with the regular way using appwiz.cpl. Haven't seen a more trustworthy person show me proof yet that they can fireup a slowdows command prompt and netstat command without connections. It uses so much ram

Apparently, even when people have gone to extreme lengths to try and debloat it for non-free gaming, haven't tried something like this myself, but quite the amusing video.

https://tube.cadence.moe/watch?v=TlMqdSiGcOg

And some details about some steps, never tried this myself so can't personally vouch, but appears people have tried loading up gnu/linux live cds to delete a lot of the garbage, probably some more serious gamers?

"Windows 10 AME aims at delivering a stable, non-intrusive yet fully functional build of Windows 10 to anyone, who requires the Windows operating system natively. Spyware systems, which are abundant in Windows 10 by default, have not been disabled using group policy, registry entries or various other workarounds – they have been entirely removed and deleted from the system, on an executable-level."
https://ameliorated.info/
"Run Ameliorate Script (Linux Required)"
https://wiki.ameliorated.info/doku.php?id=documentation_20H2

"If you can't read the code, and you don't trust anyone else that has read the code, then that should apply to all other software that you use."

It's great that that's possible with free software, but doesn't mean that enough people will, and even an expert could miss something.

"How can you trust any package on your computer"

That would probably be a wayyy too long and off topic rant for me to get into :).

Legimet
Offline
Joined: 12/10/2013

"something like bug reports, and 100% completely optional is the ways I know of so far. "

It is 100% optional, just like the crash report system that KDE has had for many years.

The Windows security stuff is irrelevant to this discussion. Security != privacy.

> It's great that that's possible with free software, but doesn't mean that enough people will, and even an expert could miss something.

OK, but then why single out KDE? This is true for every package that you use.

gaseousness
Offline
Joined: 08/25/2020

"It is 100% optional, just like the crash report system that KDE has had for many years."

But, from what kde users and developers of a gnu\linux distro are saying, that appears to not be the case.

"Sorry, this post has been removed by the moderators of r/kde.
Moderators remove posts from feeds for a variety of reasons, including keeping communities safe, civil, and true to their purpose."
https://www.reddit.com/r/kde/comments/f7ojg9/kde_plasma_kuserfeedback_collecting_telemetry/

"I didn't read the reddit thread, and I understand some users can feel strongly against this kind of practices I also value my privacy, if KDE is gonna follow this path from now on, I would suggest to move to something else, even if we end maintaining our own packages for it"
"I'm no fan of tracking either, but apart from the suggestions above (and until/unless a dev takes over the offending packages or the entire kde group), you can use the symlink and/or hosts tricks. BTW, our community ISOs create a random machine-id of the box at every boot. "
https://forum.artixlinux.org/index.php/topic,1412.0.html

Hopefully we aren't heading down the route of slowdows 10, where one has to do things to try and stop bloated connections and absurd things.

gaseousness
Offline
Joined: 08/25/2020

"The Windows security stuff is irrelevant to this discussion. Security != privacy."

I disagree, has to be some overlap? And the mainstream media is claiming non-free security disasters time and time again with slowdows, so...

gaseousness
Offline
Joined: 08/25/2020

And also, highly, unlikely microsoft would invite anyone to come look at all their source code to verify any of their marketing, vendored rigged studies is not terminology I have made up. Why would Microsoft even care about us?

Legimet
Offline
Joined: 12/10/2013

Read the bug report. The data is stored locally unless you opt-in to sharing it with KDE developers. Now, looking at Kate, here is a list of data that it collects, if you opt-in to the maximum telemetry possible:

The version of the application.
The Qt version used by this application.
Type and version of the operating system.
How often the application has been started.
The total amount of time the application has been used.
Size and resolution of the connected screens.

This is the type of data that is stored locally on your system for other reasons anyway. The telemetry feature just allows you to *opt-in* to sending this data to the KDE servers. By the way, as someone pointed out in the bug report, you can find much more locally stored data in /var/log.

gaseousness
Offline
Joined: 08/25/2020

"OK, but then why single out KDE? This is true for every package that you use."

Not every package I use has "telemetry" from upstream. Upstream firefox, does sadly have "telemetry", welcome to the modern web.

Legimet
Offline
Joined: 12/10/2013

The KDE telemetry is opt-in. But you don't trust that it is actually opt-in, am I right?

Similarly, XFCE doesn't have telemetry. But how do you know that is actually the case?

gaseousness
Offline
Joined: 08/25/2020

"The KDE telemetry is opt-in. But you don't trust that it is actually opt-in, am I right?"

If they already had some sort of crash reporter system going on, that might have been not so bad, because "people didn't complain about it?", makes no sense that now there's some "opt-in" way that could collect data, that's leaving surveillance junk files in the user's home folder, "disabled" with compilation workarounds. A text editor, kate, depending on both feedback and crash libs?

Legimet
Offline
Joined: 12/10/2013

OK, so the default behavior (if you don't opt-in) is that Kate stores some data locally on your system about the application/OS/Qt version and how often/how long you use the application. I fail to see a problem with this. This data is stored on your system anyway. MATE also locally tracks your most recently used files: https://github.com/mate-desktop/caja/issues/684

If you don't want a desktop environment that stores such information anywhere on your system, you will have to use a window manager, as well as disable all logging functionality.

gaseousness
Offline
Joined: 08/25/2020

"

OK, so the default behavior (if you don't opt-in) is that Kate stores some data locally on your system about the application/OS/Qt version and how often/how long you use the application. I fail to see a problem with this. This data is stored on your system anyway. MATE also locally tracks your most recently used files: https://github.com/mate-desktop/caja/issues/684

If you don't want a desktop environment that stores such information anywhere on your system, you will have to use a window manager, as well as disable all logging functionality.
"

The last post by a mate member explains a possible workaround for those who want to do that. https://github.com/mate-desktop/caja/issues/684#issuecomment-471133138 . There's a graphical clear history option in mate and also in caja?

Some people may prefer caja remembering past folder preferences, history file list?

Legimet
Offline
Joined: 12/10/2013

> Some people may prefer caja remembering past folder preferences, history file list?

Exactly, so storing such data locally isn't a problem. And that's the default behavior of KDE telemetry, when you haven't opted in to sending the data to KDE servers.

gaseousness
Offline
Joined: 08/25/2020

That's still quite different to compare KDE's buggy privacy scandals "which they didn't seem to care much to respond about with?", in my opinion, does mate even have spyware "telemetry" servers, with crash and feedback as dependencies? Appears one could figure out how to do stuff in mate, that doesn't deal with something like the annoying windows registry, have you ever experienced that?

Legimet
Offline
Joined: 12/10/2013

By the way, there was a discussion about telemetry on the Guix mailing list and the consensus was that telemetry that is disabled by default (opt-in) is acceptable.

https://mail.gnu.org/archive/html/guix-devel/2021-05/msg00246.html

gaseousness
Offline
Joined: 08/25/2020

"But how do you know that is actually the case?"

trust, reputation, can help one "know" as much as possible

https://bestpractices.coreinfrastructure.org/en/projects/323
^ Some things one might want to consider, note has linux foundation at the end, but overall, might add some things one may want to consider to look out for when choosing software for paranoia?

But, isn't that kinda off topic from KDE's controversial privacy practices?

gaseousness
Offline
Joined: 08/25/2020

"

By the way, there was a discussion about telemetry on the Guix mailing list and the consensus was that telemetry that is disabled by default (opt-in) is acceptable.

https://mail.gnu.org/archive/html/guix-devel/2021-05/msg00246.html
"

That was before the shady contributor license agreement and how one has to be at least 13 years of age to even use audacity? Hopefully that was just about audacity and not the overall general consensus, don't need more bloat and security issues with more and more applications? welp

gaseousness
Offline
Joined: 08/25/2020

What I'm saying is if there is an audacity package that works fine, then if they make a package called audacity-telemetry, and none of the actual packages needs anything from the risky one that sends out user data that'd be the more reasonable "solution" to some "problem"?

gaseousness
Offline
Joined: 08/25/2020

On a second look I noticed, *orwell*

"tests/orwell.qml"
"tests/orwell.cpp"
https://github.com/KDE/kuserfeedback/search?q=1984&type=

"Nineteen Eighty-Four, often referred to as 1984, is a dystopian social science fiction novel by the English novelist George Orwell. It was published on 8 June 1949 by Secker & Warburg as Orwell's ninth and final book completed in his lifetime. Thematically, Nineteen Eighty-Four centres on the consequences of totalitarianism, mass surveillance, and repressive regimentation of persons and behaviours within society."
https://en.wikipedia.org/wiki/Nineteen_Eighty-Four

Suspicious?

Legimet
Offline
Joined: 12/10/2013

That's not part of the library, it's a test.

gaseousness
Offline
Joined: 08/25/2020

Multiple tests with filename orwell and 1984 in the test, too much of a coincidence, but sneaking in user"feedback" libs as dependencies is a different issue?

"Application telemetry data can be a valuable tool for tailoring our products to the needs of our users. The following rules define how KDE collects and uses such application telemetry data. As privacy is of utmost importance to us, the general rule of thumb is to err on the side of caution here. Privacy always trumps any need for telemetry data, no matter how legitimate. "
https://community.kde.org/Policies/Telemetry_Policy

Usually "telemetry" from what I've seen just makes it worse, spyware for developer inspiration? One of the main reasons I use more free software is to avoid "telemetry" "crashlytics" "analytics" "metrics" "user feedback" from snoopy applications that crash a lot?

If memory serves me correctly, KDE neon was one of the distros that came with ubuntu snap by default, looks like snap might be coming to slowdows? https://snapcraft.io/blog/snapcraft-for-windows-preview

I don't like it.

lanun
Offline
Joined: 04/01/2021

> One of the main reasons I use more free software is to avoid "telemetry" [...] "user feedback"

The botched attempt to introduce telemetry in Audacity, earlier this year, triggered a healthy discussion on the topic. This part of the ensuing redemptive discussion sums it up pretty well [1].

They seem to have decided to keep it away from source and include it in the upstream binaries only [2], which seems to satisfy more people. Interestingly, they did not need telemetry to take that step towards improvement. User feedback is arguably best collected through...asking users for feedback.

The power of the GPL here is that there already is a completely telemetry-free fork, Tenacity [3], out of the admittedly greedy hands of Muse Group [4]. Although Audacity made a somewhat better choice than KDE by not including the telemetry in the source at all, thus not adding any extra work for downstream maintainers.

[1] https://github.com/audacity/audacity/discussions/889#discussioncomment-735120
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990737
[3] https://github.com/tenacityteam/tenacity
[4] https://github.com/audacity/audacity/discussions/932#discussioncomment-781679

kusarigama
Offline
Joined: 08/23/2021

In conclusion, what will happen to the Triskel version now? The current version has no telemetry in KDE, as I understand it. But in the next version such as Triskel 10, there is no way to avoid running into this package in KDE. What will be the strategy in this case?

lanun
Offline
Joined: 04/01/2021

That is a good question. If you get no answer here, you might want to ask it live on the IRC: #trisquel on irc.libera.chat or https://web.libera.chat.

eric23
Offline
Joined: 06/30/2017

I should have said that PCLinuxOS seems to have avoided it by removing the package you are talking about. If it is free software and not collecting personal information how is this any different than the popcon package?

gaseousness
Offline
Joined: 08/25/2020

Well the popcon was a completely separate package that didn't seem to have sneaked in dependencies, and more clear why data is being collected, and perhaps expressed in a less controversial way?

"The library li64kuserfeedbackcore1 is installed, though"
https://www.pclinuxos.com/forum/index.php?topic=155897.0

"Popular packages should generally receive a higher priority, since any problems in them will affect a greater number of users.

The Debian Popularity Contest keeps a running survey to show what packages are most popular among the volunteers in the survey."
https://www.debian.org/security/audit/packages

Mentioned earlier, but the proceeding article by rms, I thought was good, although not specific for popcon or kde's "user feedback"
https://www.gnu.org/philosophy/ubuntu-spyware.en.html

gaseousness
Offline
Joined: 08/25/2020

"SECURITY NOTE: it's impossible to make a submission completely anonymous, since Internet servers tend to add headers and log messages along the way. Our receiver program at debian throws away this information as soon as possible so no one will see it, but if you're really paranoid you might not want to participate."

https://popcon.debian.org/README

eric23
Offline
Joined: 06/30/2017

I guess that's the way of the Internet, if you were really paranoid, you probably wouldn't be posting here.

*Edit* But I guess you could use tor with the torbrowser and post here. I just realized there is torbrowser-launcher package in the repository!

kusarigama
Offline
Joined: 08/23/2021

Why is it that when someone starts to raise issues of privacy and anonymity, there are words in response - paranoid, fanatic, etc.? :D

gaseousness
Offline
Joined: 08/25/2020

Well I use the term paranoid a bit more, because it's used quite a bit in Debian's documentation to be honest, maybe other people against us would use terminology to make someone seeking more privacy or security as a crazy person, typical propaganda style?

"It's good to be paranoid in security, but verifying things from here is harder."
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

gaseousness
Offline
Joined: 08/25/2020

" That JSON is then submitted to https://metrics.cleaninsights.org, respecting network preferences like requiring Tor."
https://f-droid.org/en/2021/03/01/fdroid-metrics-and-clean-insights.html

Says where the data could be sent, unlike KDE? More honest sounding than KDE? Clean "insights", ethical "metrics" some buzzword dealing with? Totally separate package might be better, but if f-droid already connects to the internet? Firefox wasn't that bad at first?

gaseousness
Offline
Joined: 08/25/2020

"I just looked and it is not amongst the 20,000 repo items AFAI can see!
Besides as of today, with > - Trisquel 9.0 LTS Etiona"

http://mirror.fsf.org/trisquel/pool/main/p/popularity-contest/

"Trisquel has an easy to find, short, clear statement last time I looked to quote from - does Debian..? "

https://www.debian.org/legal/privacy

"Where is your evidence for throwing away user's data "as soon as possible""

Where's your evidence or argument of the contrary? Could one even prove that? Would it be likely they'd risk their reputation lying about that?

Why are you partially quoting from the man page?

"SECURITY NOTE: it's impossible to make a submission completely anonymous, since Internet servers tend to add headers and log messages along the way."..."but if you're really paranoid you might not want to participate."
https://popcon.debian.org/README

"Who needs some cheesy infantile popularity contest anyway "

I believe I mentioned other reasons, which have been used for why, previously, but appears there's another in Debian's privacy policy.

"This provides useful guidance about where to devote developer resources, for example when migrating to newer library versions and having to spend effort on porting older applications."
https://www.debian.org/legal/privacy

"why are you so elusive about Debian's "privacy statement"...? "

First time you claimed that Debian may have not had a privacy statement, don't see how I could have been elusive?

"Are you in favour of censorship on this forum?"

Quite the random question to ask, are you claiming there is censorship on these forums?

"Are you currently a TrisquelOS user? Or just Debian - which version..?"

I've used\use versions.

"are you on facebook by any chance..?"

There's more suitable options, that beat being spied on by stuff like facebook?

jahoti
Offline
Joined: 07/31/2021

I have contacted the moderators about this and other recent threads in the main Trisquel forum. Intervention is well overdue.