Disable telemetry per default as GDPR dictates #4598
Conversation
GDPR only applies to the collection of personal data, which the telemetry system doesn't collect or process.
For even further proof of this, go look at other projects doing the exact same thing. https://nuxtjs.org/docs/configuration-glossary/configuration-telemetry/ So no, we don't need to change this to opt-out to comply with the GDPR. Nor does the telemetry system affect end-users of a Panel they use that is hosted by someone else.
That issue is about supplying information to people hosting the Panel for other users. That has nothing to do with Pterodactyl as a project, as we don't collect or process user data.
Thanks for getting back to me.
This is actually a pretty bad argument. You probably wouldn't jump off a bridge just because other people are doing it. Microsoft is doing this with VSCode as well. But just because they do it doesn't mean it's perfectly legal.
Well, we don't know. The telemetry backend is not open source AND there is no privacy policy or anything that explains what data is collected ("the code is public, go look it up yourself" is not a valid answer), where it is stored, for how long it is stored, what it is used for and who has access to it. You collect a unique UUID per installation, the IP address (probably, we don't know), all kinds of version information about systems, which may be a security risk if the telemetry data gets compromised. You also don't just track how many eggs are installed, you also track which specific eggs are installed. Please add a privacy policy ASAP, and add the environment variable to control telemetry to the .env.example file. You should also ask the user if he wants to participate in sending telemetry data when running the setup commands (p:environment:setup). I can make a PR for this. I do understand why you want to collect telemetry data. But doing that without any clarification, without any privacy policy, is not well thought out.
You didn't read the new telemetry docs page, did you?
If you read the documentation, you would know which data is collected, where it is stored, what it's used for, and who has access to the data.
Again, if you read the documentation about the telemetry system, you would know that the IP isn't being collected. The other part about the eggs doesn't make any sense. Eggs are not personal data, nor is the number of specific eggs installed.
A privacy policy isn't needed. If you read the documentation, you would know that there already is an environment variable for enabling/disabling the telemetry system, and there is no need to ask the user if they want to participate, when it's clearly stated in the docs that it's enabled by default.
The argument is a reasonable one, since the projects that Matthew mentioned are so big, there would have been a privacy policy if one was needed.
There are also warnings with instructions in both the install and upgrade documentation, which explain in detail what's collected, why, the source code of the telemetry collection service, and how to disable it.
A Privacy Policy is not required either, because no sensitive or private identifying information is collected from the Panel visitors. It's a collection of generic statistics about the Panel itself.
I don't know why this topic is so hard to get for non-EU people...
Well, it doesn't matter if you store it on purpose or not. The panel is sending an HTTP request. It's using the TCP/IP stack and that simply doesn't work without sending the IP address. An IP address is already declared as personal data and there have already been lawsuits because of just that: https://thehackernews.com/2022/01/german-court-rules-websites-embedding.html Well, you might say "A server IP is not personal"... so do you make sure that I do not run this software from home?
It is. At any moment you send data to somebody, whether it's by using cookies, sending telemetry data, making a web request to Google Fonts, or embedding a Vimeo video: you need a Privacy Policy. It's just the law, it's free to read. And there are good reasons for it. This is also true for your website, as it embeds Cloudflare Insights -> GDPR needed. Not just because of this, but you collect IP addresses of all visitors at the moment they visit the website -> GDPR required. You cannot have a website available from within the EU without having a GDPR. It just doesn't work. Do you think all EU websites have a very long and (sometimes expensive) GDPR just because it's fun? No, because fines are in the millions. You basically have three options right now:
As a Danish person, I understand what GDPR is, and what it is affecting. In my job, I've encountered the same problem, wondering whether the software that I work on would need a Privacy Policy if it had a telemetry system sending information about the software. I consulted a law firm, which told me that it isn't needed.
It sounds like you have just read about the telemetry feature, and just gone full-blown "privacy policy is needed". Foremost, yes, an IP address is declared as personal data, however it isn't Pterodactyl's responsibility. It's your responsibility to have a privacy policy about it.
You've clearly not read up on how the fines work; most of the fines are calculated based on the specific circumstances of the case. And again, it's not Pterodactyl's responsibility to provide a Privacy Policy, it's yours. Your claim that it is impossible to have a website without having a privacy policy if the website is located within the EU is inaccurate, because you are allowed to have a website available within the EU without having a privacy policy. Also, the panel doesn't implement Cloudflare Insights, it's just posting to telemetry.pterodactyl.io.
You can't compare Pterodactyl and Google at all. Google is a data-mining company that logs every single bit of information that they can, and Pterodactyl is only collecting non-personal information, which you can't use to identify a person.
I think you misunderstood something. It is NOT my responsibility to have a privacy policy for YOUR SOFTWARE sending data to YOUR SERVERS. I have to have a privacy policy for data I collect from my users, including access to the panel itself, yes. But it's your responsibility to have a privacy policy for your services.
The panel doesn't, but I've clearly talked about the pterodactyl.io website itself. Just wanted to mention it.
To put it simply, unfortunately our scenario isn't as common or very comparable to something like Microsoft, because Pterodactyl does not actually run this software (which tracks and sends anonymous data) at all ourselves. I do still want to sincerely thank you for your concern, as we don't take privacy issues lightly. We would appreciate it if you could have a legal expert or attorney contact us to see our legal options. Please send us their information privately and we'll discuss it promptly with them.
As per GDPR, every collection of data, including telemetry data, is Opt In. As an example: there are lawsuits, e.g. against Microsoft, for having an Opt Out. I unfortunately couldn't find the discussion about this, which was mentioned in #4564.
See:
https://gdpr.eu/gdpr-consent-requirements/
Also, the project is missing information about what data is collected, where, what it is used for and for how long it is stored. There's an unresolved Privacy Policy ticket that has been open for 4 years now:
pterodactyl/documentation#4