undefined | Better HN

0 pointsalkonaut2y ago0 comments

> There is no such thing as truly anonymous. in order to send any data you need to connect to a server. at that moment you are in violatation of GDPR because you are exposing the users's IP which is protected by GDPR.

This is misinformed. There is nothing in the GDPR that relates to "exposing" or "transmitting" anything (other than transmitting further from a processor to a third party). GDPR relates to how data is stored or processed. A program can make any number of http requests, for any reason no matter how unnecessary, so long as that PII (The IP, or similar) isn't stored or otherwise processed/transmitted to a third party in a way that the GDPR concerns. The download web server logs is such a storage (which is why you these days clear those every day, or never log IP at all in them).

> Telemetry is not functionaliy and VSCode can execute it's purpose without this connection so that makes it subject to user consent requirement.

No. It's required because the telemetry data is stored whereas the IP of the update request is not. Had microsoft wanted to store every IP of everyone downloading an update, then that database of IP's/downloads would of course have been subject to the GDPR too. The data isn't less sensitive just because it was from a necessary function. Microsoft's responsibility for that data is exactly the same.

But the easiest way of doing telemetry properly and not worry about GDPR is to not store anything that is PII at all. And it's pretty easy to do so too. Nothing is "Truly anonymous". Telemetry is usually pseudonymous. But it properly pseudonymous telemetry is normally not a privacy concern in any way. The true gripes about telemetry (there are a few valid ones) isn't about that, they are

- People getting a worse experience e.g. a slower product

- People not trusting the companies to adhere to the GDPR with the data transmitted, e.g. you might not trust the server to clear IP's from the transmission (basically the only piece of PII that can't be cleared on the client side because then the package never arrives). But if you don't trust the company to adhere to the GDPR then why would one trust their opt-out does anything? Running any kind of software basically means trust to some extent.

- People feeling cheated because of automatic or hidden opt-in

- People on paid internet connections spending money to send the telemetry.

0 comments

g-b-r2y ago

I last studied the gdpr years ago but that most definitely appears false, provide your sources.

The GDPR deals with "processing" and this is the definition of processing:

" ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; "

Note the "transmission, dissemination or otherwise making available".

alkonautOP2y ago

I could be mistaken but I think whether the http request makes anything ‘available by transmission’ is down to the definition of who is the data controller and which data processors exist. So in the case of telemetry where no PII changes hands, and no PII is stored, then I can’t see how it applies. That is, assuming that the Telemetry backend here belongs to the same entity that made the app. Such as if a microsoft product phones home to its own backend.

Apps that make http requests to other endpoints belonging to third parties are much murkier.

As far as consent is concerned: Whether consent is required for making a http request containing an IP in the header based on legitimate interest is also murky. Consent is only one way of permitting the processing. Whether Telemetry is legitimate interest I don’t think is established. But it’s important to remember that not only “absolutely essential” functionality that is a legitimate interest. That is: something isn’t automatically not legitimate because it could be removed and still deliver the functionality to the user. Online ads are contested (because profit can be a legitimate interest). The same for telemetry. It’s certainly of interest to the developer to get the data. I have not seen any rulings yet on that but Microsoft has made a pretty decent legal analysis when they conclude that they will never need consent here.

A web server owner can even store data for some time since preventing denial of service attacks could mean they need to store IPs for a short while before deleting. As that’s a legitimate interest, this would not require user consent from visitors.

g-b-r2y ago

So first of all you said "There is nothing in the GDPR that relates to "exposing" or "transmitting" anything (other than transmitting further from a processor to a third party). GDPR relates to how data is stored or processed." .

That was false, since the definition of processing explicitly includes transmitting.

VS Code requires accepting the all-encompassing Microsoft privacy statement, and I couldn't find quickly what legal reasons they use for telemetry.

"Legitimate reasons" can practically indeed mean almost anything, and the only limits to it are those placed by subsequent guidances or interpretations of the central or local privacy authorities. It's what largely makes the gdpr a joke. It's very likely that Microsoft relies on it, whether that's acceptable or not.

You seem to consider a local software as part of the software's copyright holder infrastructure, and that appears ludicrous, transmission of usage data from a local application to an other company's server is most definitely transmission.

If VS Studio's telemetry is legal or not I don't know and I'm not interested in delving into it right now, if I had to use it I'd block it and probably wouldn't use it if it became impossible.

j / k navigate · click thread line to collapse

0 pointsalkonaut2y ago0 comments

> Telemetry is not functionaliy and VSCode can execute it's purpose without this connection so that makes it subject to user consent requirement.

- People getting a worse experience e.g. a slower product

- People feeling cheated because of automatic or hidden opt-in

- People on paid internet connections spending money to send the telemetry.

0 comments

g-b-r2y ago

I last studied the gdpr years ago but that most definitely appears false, provide your sources.

The GDPR deals with "processing" and this is the definition of processing:

Note the "transmission, dissemination or otherwise making available".

alkonautOP2y ago

Apps that make http requests to other endpoints belonging to third parties are much murkier.

g-b-r2y ago

That was false, since the definition of processing explicitly includes transmitting.

VS Code requires accepting the all-encompassing Microsoft privacy statement, and I couldn't find quickly what legal reasons they use for telemetry.

If VS Studio's telemetry is legal or not I don't know and I'm not interested in delving into it right now, if I had to use it I'd block it and probably wouldn't use it if it became impossible.

j / k navigate · click thread line to collapse