Smolt: firstboot revisited

Ralf Corsepius rc040203 at freenet.de
Thu Feb 15 07:20:21 UTC 2007


On Thu, 2007-02-15 at 07:21 +0100, Thorsten Leemhuis wrote:
> On 15.02.2007 06:58, Ralf Corsepius wrote:
> > On Thu, 2007-02-15 at 00:34 -0500, seth vidal wrote:
> >> On Thu, 2007-02-15 at 05:48 +0100, Ralf Corsepius wrote:
> >>> On Wed, 2007-02-14 at 10:59 -0600, Mike McGrath wrote:
> >>>> So smolt is still set up in firstboot and still is opt in.  My question
> >>>> is do we want to install smolt as part of a default configuration with 
> >>>> F7.  My vote is yes.
> >>> My vote is no.
> >>> * is legally questionable.
> >> If you have a concern here, please file a bug on it and I will make sure
> >> it gets passed into the legal queue for evaluation.
> > Everything that needed to be said had been communicated to Mr. McGrath.
> > It's up to him to decide on what to do with it.
> 
> Could you give a quick summary please? 

Firstly, please note that I said "questionable", i.e. it would have to
be carefully examined by a specialized lawyer.

Secondly, you should be aware that this actually is about two separate
issues: "Legality and correctness"

On the legal side, it is "Schutz der Privatsphäre" ("Protection of
private sphere") in general, a legally complicated matter with many
booby-traps hidden inside.


In Germany, even "collecting data without prior consent" in many cases
is considered illegal. E.g. there had been a precedent in which someone
having set up a webcam monitoring his house's front yard was
considered illegal for breach of privacy. It's the reason why most shops
using camera supervision nowadays have signs explicitly notifying their
customers.


Things become further complicated when personalized data comes into play
(BDSG - Bundesdatenschutzgesetz - "Federal Law on Data Privacy").
The crucial points here would be "when to consider data personalized"
and "which data is allowed to be collected under which circumstances".

Rule of thumb: Any personalized data must not be collected unless it is
technically required for a transaction (Classic example: Any bill must
be removed from cashier systems after the customer has paid, within a
predefined timeframe).

I.e. from a German point of view, Smolt's "machine id" in connection
with the IP address needs to be legally reviewed as to whether this
qualifies as "personalized data". I for one regard it as such.

> >>  Please list the
> >> country where you think the law might be violated.
> > Probably most parts of the world outside of the US, definitely in
> > Europe, definitely in Germany, probably also in some part of Asia. 
> 
> I'm not a lawyer, but I live in Germany, and I think this kind of 
> anonymous opt-in mechanism should be fine, as long as it's clearly 
> documented what kind of information is sent.
IANAL, too, but, yes, this matches with my knowledge. I repeatedly said,
to be legally safe in Germany, any such transaction must be opt-in (I am
aware this is not 100% legally correct, but it's the "rule of thumb
to be safe").


The other point is "is it correct" to transmit such data:

Here apparently German perception is different from that in other
countries. Microsoft and other vendors had been flamed, Intel was flamed
for their CPU-Ids (they didn't even transmit anything, simply the fact
they implemented an option was enough), many other vendors followed, ...
Check heise's newsticker for press notices concerning this, they are easy
to find ....

This touches security as well as privacy.

Ask yourself: If you were an administration/government/military
organisation, an enterprise's financial/development department, a bank,
simply a shop archiving your customer data or other entity dealing with
"secret"/"private" information, would you want details about your
systems to be exposed to the public?

Consider secret services/competitors spying on the net, consider
man-in-the-middle attacks, consider intruders harvesting the
database, ...

I would not - I would take any measure to prevent and obscure such
transmission.

Ralf

More information about the fedora-devel-list mailing list