-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GDPR compliance] No way to disable sentry and segment tracking #7751
Comments
This is insane... 🤯 |
This is incorrect, we are not logging request and response data, as you can see above we are logging the error stack trace within the application that does not include request/response data. We are collecting stack traces so that we can improve the reliability of the application with bug fixes. For example, the following code will generate a const obj = {};
obj.hello = "world";
obj.secret = "this is an api key";
obj.circular = obj;
try {
JSON.stringify(obj)
} catch (error) {
console.log(error);
} The
|
@aeris yes, but Sentry would show the public code of the Now with that said, I am asking the team to review all the Sentry instructions. These have been there for a long time and some of them predate my direct engineering involvement into the project, so we are going to remove the unnecessary ones. |
For users of the desktop Insomnia app, we do not collect personal data about users, and the analytics does not contain any personal data. So, GDPR is not applicable. For users with an Insomnia account, the analytics similarly does not contain personal data, and the personal data we collect for purposes of the Insomnia account is subject to our privacy policy and terms of service, which we believe comply with GDPR. We just announced Insomnia 9.3.3 GA which removes that unnecessary Sentry logging in the We are currently tracking application usage - like how merge conflicts are being resolved - because we are about to revamp the Git collaboration flows in the application and this allows us to understand how you - the user of Insomnia - use the product so that we can build features that don't disrupt your workflow. This is standard industry practice and at the core of being able to make data-driven decisions. |
GDPR is not only collecting PII but processing PII. And processing PII includes transmitting PII. https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202306257
https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20
This is not because you don't understand the concept behind PII that you don't process PII. |
And so yes, the standard industry practice is just totally unlawful in Europe. EDPB, 2/2019, Processing for ‘service improvement’
|
An update here:
|
Once again, GDPR is not only collecting/storing PII but processing PII. Transmitting PII is such processing. https://github.com/Kong/insomnia/blob/develop/packages/insomnia/src/main/sentry.ts#L16
Opt-in/out is not active if user is logged in. This is a GDPR violation.
This is a pure GDPR infringment. EDPB 2/2019, point 48
So ToS are NOT a lawfull basis for such Sentry/Segment processing. You have to rely only on legitimate interest, most probably only on consent (you can't pass the triple test legimitate interest, because this processing is not necessary in all case, so 2nd test is KO in all cases).
Totally wrong position. From EUCJ decision (EUCJ, C-582/14, Breyer, 19 October 2016, point 43), identification must be considered not only from YOUR point of view, but from any other way to identify the data. So you, Segment, Sentry, Segment/Sentry subcontractor (Google & Amazon), any law enforcement, data leak reprocessing with other public database, etc.
And identification must not only be for real civil identity, the only fact it can be assign to a single people is enough. Data must be robust to individualization, correlation and inference to be real anonymous data. If not, there are PII.
Totally not. Same EDPB 2/2019, point 50
So once again, ToS are NOT a lawfull basis, and in such case legitimate interest are NOT valid, don't pass triple test and so requirements are NOT met. In all cases, using Segment and Sentry is a violation of CJUE Schrems II, and even if there is DPF after that since july 2023, currently there is FISA 502b, H.R. 7888 RISAA and other US legal text, and so US providers as NOT lawfull in Europe. Your posts just proof you have just no idea at all about GDPR. |
Update: We are currently looking into this with our lawyers.
The user ID has been removed in the PRs I linked earlier, this will go into action starting from the next release. |
Expected Behavior
Currently, Insomnia is full of tracking with Segment and Sentry call pretty everywhere in the code base.
Mostly any action from the user is tracked, down to very precise details like how you merged you conflict
Such tracking is purely unlawful in Europe because GDPR and there must be at least a way to totally disable such feature
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
Actual Behavior
I'm tracked for pretty any action I realize inside Insomnia
Reproduction Steps
Is there an existing issue for this?
Additional Information
No response
Insomnia Version
9.3.2
What operating system are you using?
Other Linux
Operating System Version
Arch
Installation method
yay -S insomnia
Last Known Working Insomnia version
No response
The text was updated successfully, but these errors were encountered: