Disable analytics by default - Respect EU/ECC laws (GDPR)

[0uep]

The get started page of flutter.dev says:

The flutter tool uses Google Analytics to anonymously report feature usage statistics and basic crash reports. [...]
To disable reporting, type flutter config --no-analytics. [...]
If you opt out of analytics, an opt-out event is sent, and then no further information is sent by the Flutter tool.

According to the GDPR and a recent German court decision, analytics are defined as non-necessary services and require explicit, voluntary consent before flutter can send any data. Providing a CLI flag or a first-run opt-out is illegal in the EU/EEC.

🙏 Please, make fluter never send an opt-out event when the user opts out of analytics.
🙏 Please disable analytics by default. You may fix that by adding a CLI flag:

flutter config --enable-analytics

🙏 Please, Alphabet employees, respect the law, don't be evil.

• 2020-03-10 Google Remains Atop List of GDPR Fines
• 2020-03-11 Sweden fines Google $8 million for right-to-be-forgotten violations
• 2020-06-19 French court slaps down Google's appeal against $57M GDPR fine
• 2020-07-14 Google’s failure to respect the « right to be forgotten » results in €600,000 fine
• 2020-12-10 France fines Google $120M and Amazon $42M for dropping tracking cookies without consent

User privacy matters, please better respect them.
I wish you a happy, respectful New Year 2021.

[iapicca]

@0uep

Providing a CLI flag or a first-run opt-out is illegal in the EU/EEC.

are you sure?
vscode (for example) does exactly that

• ctrl+,
• type "telemetry"
• un-flag

can you provide references for that?
all the articles you are referencing are about web / os, not really cli application

[0uep]

Hi @iapicca and Happy New Year

Thank you for reading this request carefully.

For clarification:

1. By default, Flutter enables analytics
2. GDPR defines analytics as not necessary, so analytics require explicit, voluntary consent before any data is sent.
3. Therefore, to comply with GDPR, Flutter shall disable analytics by default.

Also, if the user disables analytics, Flutter shall not send any analytics => Flutter shall not say "Hey, there is one flutter here, but analytics is disabled" every time the configuration is reset (multiple times when running in a fresh container).

I am sorry that I only listed articles about web/OS. My intention was to show that GDPR is serious (mandatory since 2018), but it seems to be hard to comply with for some companies.

VSCode has the same issue, and I should create a similar issue for VSCode.
But I do not care much about VSCode, because I am happy to use VSCodium instead.
I highly recommend you to use VSCodium. 👍 VSCodium is free as in freedom. VSCode is not open source. I also recommend you ungoogled-chromium in lieu of Google Chrome. For example, ungoogled-chromium respects the system's DNS settings (Chrome bypasses the system's DNS settings, maybe that changed recently, not sure). Google Chrome is not FLOSS.

I appreciate how Google helps FLOSS projects, I love what you guys at Google do for the open source community, but I do not want to be tracked by Google products anymore. I think more and more Flutter developers consider the user privacy. I would like to see the Flutter developers agree for voluntary consent before sending any data.

When I first start Firefox, a small banner allows me to explicitly enable analytics and automatic crash reporting. I voluntary enable it because I want to help the Firefox project, and because I appreciate having control over what goes out from my personal computer.

To better respect user privacy (and GDPR), we could implement something similar to the following idea:

1. Keep flag --no-analytics.
2. Add flag --enable-analytics to allow users to explicitly consent.
3. If neither flag --no-analytics nor --enable-analytics, and no configuration, Flutter asks:

   Enable analytics and automatic crash reporting in configuration?

4. Flutter never sends any data to remote servers if analytics is disabled.

[geira]

GDPR applies equally to websites, mobile apps and desktop applications. For an up-to-date analysis, I found these to be informative:

• https://www.kevel.co/blog/gdpr-google-analytics/
• https://www.mobiloud.com/blog/gdpr-compliant-mobile-app

[geira]

The Irish Data Protection Commision (which is Google's chosen authority for GDPR purposes) just published a report on cookies and related technologies, which states the matter quite clearly:

"The cookies most internet users are aware of are typically browser, or http, cookies.
However, other types of cookies and tracking technologies include local storage objects
(LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs),
‘like’ buttons and social sharing tools, and device fingerprinting technologies. The law on
cookies generally applies to all of these tools."

"Do analytics cookies require consent?
Yes. Analytics cookies are used as a measuring tool for websites, including to provide
information on the number of unique visitors and the pages they browse during their
visits."

"Consent
The ePrivacy Regulations require that you obtain consent in order to gain any access to
information stored in the terminal equipment of a subscriber or user, or to store any
information on the person’s device. This means you must get consent to store or set
cookies, regardless of whether the cookies or other tracking technologies you are using
contain personal data."

https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf

[Hixie]

Thanks for raising this, we are investigating. We are committed to respecting people's privacy and, obviously, to following the law, and will update this issue once we have additional clarity on the situation.

[frank06]

I know this is rocket-science, @Hixie, and that 6 months is nothing.

People's privacy at Google is definitely top priority.

😜

Have you been able to disable analytics by default?

[Hixie]

Thanks again for your report. We are continuing to review our practices. Due to the sensitive nature of this topic, I'm going to close this bug for now and I won't make further updates here. Thanks for your understanding.

(I will proactively mark my own comment with a thumbs-down emoji since I would surely react the same way if I were you.)