Tracking in the iOS and Android Apps; GDPR #5799
Comments
Would be great |
@gerhardbeck please don't spam! your post adds nothing to the discussion and is sent to everyone watching this issue. use 👍 if you support this issue! |
Tracking code on meet.jit.si is also not covered by the current privacy policy. For instance, there is no information regarding Amplitude Analytics. Other missing points that are likely missing are listed here. Some of the issues are already discussed here (esp. here), likely by @emcho. |
I don't see tracking in the F-Droid version, maybe you can try to stop using the store of the tracking/ads company and/or compile your own, if you say you care about privacy now. |
Yes, this has been explained here by @saghul ("Android only, alas"). |
Yes, to use the F-Droid Appstore instead of the walled gardens of Google, Apple and so on is generally a good idea. |
Use of Google's STUN servers might also be a concern. |
STUN servers are configured at server side, so this is not an issue of the app. |
Hey all, Our privacy policy does mention use of analytics with the commitment that they are only used in order to provide the service: This is our basis. What this means is that we are not using them for anything else. We don’t do things like cross product tracking or demographics analytics or any marketing purposes (frankly I don’t see how we would be able to do that with someone’s crash data even if we had the inclination to). Please remember that we do not require any personal details from users. As mentioned in the privacy policy names are not stored beyond the duration of the conference and during the conference we only have them so that we can show them to others in the conference, or in other words: to provide the service. The only thing I can think of, that could be considered a personal detail and remains stored in backend beyond the short term is IP addresses and those are only used for things like infrastructure planning (again, to provide the service). We have been working with our legal team, who have then been working with specialized counsel, to make sure that we really are GDPR compliant. It is my understanding that we are. 100%. If you believe this is not the case, then I am obviously failing to properly relate your concerns, so I’d appreciate if you would drop them a note at dpo@8x8.com |
Looking at the OP, maybe there's not a concern for what you the app/server provider are using them for (yay if you are 100% GDPR and all that) but more that those are external analytics services that you depend on. At least I see that as more of a problem IMHO. Eg. In the other scandal (ahem-zoom-ahem) they got up in arms when Facebook entered the fray. Also
Ok, now I have to read those for Amplitude, Firebase, Crashlytics and on and on and on? |
Hello @emcho, thank you for your answer! Hmmm, there could be a misunderstanding regarding the collection of personal data. According to the Court Of Justice Of The European Union, the usage of third party tracking elements constitutes joint controllership between the app publisher and the third parties (see judgement of the court from 29 July 2019 in case C‑40/17 (several languages available), FashionID). This case concerned Facebook tracking pixels in a website, but this is transferable to this case here. The decision is very clear in paragraphs 78-79:
Thus, if an App Publisher includes third-party tracking SDKs in its App, it will need a legal basis for the collection and transmission of the information and there is joint control between the publisher and the tracking service. The only possible legal basis for such a processing is the user's consent. The prior, voluntary, informed, active, separate and revocable consent! You can also read more about this in this FAQ about tracking in websites and apps by the German supervisory authority of Baden-Württemberg here: As mentioned above, the simplest and most privacy-friendly solution is therefore to completely remove all tracking code. It is a typical behavior of many proprietary applications to collect and transfer user data to third parties (I'm sure there will be many court decisions on this). But besides all the legal stuff, I think for privacy-friendly free and open source software it should be self-evident that users should not be snitched on to third parties! Thanks for your work and patience! |
Hey Alvar,
Well, this is simply not true:
Ref: https://gdpr-info.eu/issues/consent/ So in that sense it very much does matter what the data is being used for. As I already mentioned, all information that ends up being stored in analytics backends (things like crash dumps, or IP addresses and never things like names or e-mails) is only used to enable us to provide the service itself and fulfill the contract established by the terms of service.
To begin with, I do find terms like "snitching" to be an outrageously inappropriate misrepresentation of what's happening here. Let's please remain civil or this conversation is just a waste of time. If you want to talk about whether or not using modern tools to help chase down malfunctions in software is "the right thing to do", I think we can very easily agree to disagree: We have spent considerable amounts of effort to make sure that all our work is out there available for use under a permissive open source license and very easy for others to pick up, replicate in their own services and then maintain however they believe is appropriate. Please consider doing this. |
Not really no. In GDPR terms these are not random third parties that have access to your data. They are our GDPR article 28 data processors. They can't do what they want. We have Data Processing Agreements with them and they are bound to us to maintain GDPR compliance just as we are bound to our users. Hope this helps |
At this point, since there isn't much else we can constructively add, I'd like to close this. We (the people trying to help with these tickets) are not lawyers. If you'd like to argue the legal sides of our privacy policy please do reach out to 8x8's legal team at dpo@8x8.com |
Description
Jitsi Meet has the intention to be used as GDPR compliant and privacy friendly alternative to other video conferencing tools. Thanks a lot!
Nevertheless, the smartphone apps use tracking tools (e.g. Firebase, Crashlytics, Amplitude) whose usage must be compliant to the GDPR. As a highly recommended alternative it would be even better to remove the tracking tools at all.
If the tracking is continued, the situation should be rectified in order to be GDPR compliant, in particular by:
A legal basis is required. Legal basis means that data processing must be carried out in accordance with article 6 GDPR. I assume that only consent is sufficient. There are high requirements for consent according to the GDPR - it must be a prior, voluntary, informed, active, separate and revocable consent. This means that the tracking can only begin once the user has given his or her consent to the collection of his or her data and its transfer e.g. to Google or Amplitude. This also means that the user must be able to use the app without giving his consent to the tracking.
Transparency must be given concerning the data processing in "privacy notices" (these must not be mixed with a legal basis which they are not). The current text available at https://jitsi.org/meet-jit-si-privacy/ does not meet the high requirements of article 13ff GDPR.
Article 25 GDPR requires "Data protection by design and by default" which means, that all not required processing must be disabled by default and adequate measures are in place. In most cases the chosen legal basis would also require that the user can influence the data processing (i.e. enable/disable the tracking) easily in the app, which is also not possible.
"8x8. Inc." must - as data controller for the tracking - also ensure that the necessary contracts have been concluded between itself as the data controller and the other persons involved (e.g. data processors according to art. 28 GDPR or joint data processors according to art. 26 GDPR).
As mentioned above, an easy alternative is to remove all the tracking code (including Firebase Analytics, Crashlytics and Amplitude). It would be more privacy friendly to not use any tracking at all.
Current behavior
When starting the iOS app (and before the user interacts with it), it sends tracking information about the user to several tracking services, e.g. Google and Amplitude.
The connected URLs include:
This can also be seen from the source code, e.g.
jitsi-meet/ios/app/src/AppDelegate.m
Line 22 in 97e0303
Expected Behavior
There should be no connections to servers other than those configured by the user.
Possible Solution
Remove Firebase, Crashlytics, Amplitude SDK completely.
Steps to reproduce
Start the App and check network transfer with mitmproxy, Burp Suite or any other similar tool.
Environment details
Tested with iOS, but also the Android code contains tracking.
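One way to run the check described under "Steps to reproduce", as an added example that is not part of the original issue or the Jitsi code base: a mitmproxy addon that lists every host the app contacts other than the configured server. Treating meet.jit.si as the only user-configured server is an assumption, and the .example host names in the sample traffic are constructed placeholders.

```python
# Added example: mitmproxy addon that flags hosts outside the configured server.
from collections import Counter
from types import SimpleNamespace

# Assumption: the only server the user configured in the app.
ALLOWED_SUFFIXES = ("meet.jit.si",)


def is_allowed(host, allowed=ALLOWED_SUFFIXES):
    """True if host equals an allowed name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


class UnexpectedHosts:
    """Counts requests per contacted host that is not on the allowlist."""

    def __init__(self):
        self.seen = Counter()

    def request(self, flow):
        # mitmproxy calls this hook for every HTTP(S) request it intercepts.
        host = flow.request.pretty_host
        if not is_allowed(host):
            self.seen[host] += 1

    def report(self):
        # Most frequently contacted hosts first, ties sorted by name.
        return sorted(self.seen.items(), key=lambda kv: (-kv[1], kv[0]))

    def done(self):
        # mitmproxy calls this hook on shutdown.
        for host, count in self.report():
            print(f"unexpected host: {host} ({count} requests)")


addons = [UnexpectedHosts()]  # picked up when loaded as a mitmproxy script


def audit(hosts):
    """Feed constructed host names through the addon without mitmproxy."""
    addon = UnexpectedHosts()
    for h in hosts:
        addon.request(SimpleNamespace(request=SimpleNamespace(pretty_host=h)))
    return addon.report()


# Constructed sample traffic; the .example hosts are placeholders.
SAMPLE = ["meet.jit.si", "analytics.example", "crash.example",
          "analytics.example", "meet.jit.si.cdn.example", "Meet.Jit.Si."]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To use it on a live capture, load the file with `mitmdump -s`; only traffic that actually passes through the proxy is counted.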