Unauthorized analytics are running on a fresh install #10595
Comments
Hi @jake-tulip, The documentation you shared outlines the reasons it's enabled and what data is collected. This was forwarded to our product managers and they will take your feedback into consideration as we have plans to work on improving administrator on-boarding experience and our privacy policy. Let us know any questions,
Hi @jake-tulip, I'll close this issue for now as there haven't been updates for a while. Please re-open this issue if you have any further questions. Thank you for the feedback,
@amyblais do you know if this is an issue that is being considered by Mattermost Org at all, or is it abandoned as a possible change?
Hi @jake-tulip, Yes, this will be taken into consideration as we have plans to work on improving administrator on-boarding experience and our privacy policy. I'll add some of our PMs to this thread if they have further details to add: @jasonblais @wiersgallak
Thank you for your feedback on our telemetry opt-out processes @jake-tulip . All feedback is considered when making changes to the product. Even if we do not address directly in the near term, it is used for making future decisions on how we improve this specific feature and design other features that may include a decision around opt-in vs. opt-out. I also wanted to take the opportunity to clarify a few things.
Thanks for the response @wiersgallak I think the core issue is that this is an opt-out feature which has tracking spyware enabled in a fresh installation. Data gets sent to an unauthorized third-party (Segment and Mattermost-org). The data leaves a user's browser through a tracking script, and the servers it reaches have access to the user's IP address, a GUID, timestamp of messages, and user-agent. This information is very sufficient in pinning down a "profile" of a user. I'm not sure that Mattermost falls under the definition of "free open source software". I understand that Mattermost-org wants to have this tracking enabled by default to collect as much information about their users and activities as possible, but it seems not ideal that this is not obvious to first installers, it's opt-out (not opt-in), and the non-admin users don't have much of a choice.
Yeah, this is totally unacceptable. I had no idea this software was spying on my server. This needs to be EXPLICIT opt-in. Proceeding as if you have consent when you've only assumed consent for spying is unethical. Why even publish a Privacy Policy if I'm going to be forcibly opted-in to it without my ever having been able to read it and decide first, or even been made aware of its existence?
Turns out, as far as I can tell, the environment variables to change this setting (documented nowhere) is You can also do the following in a Dockerfile:
That should give you a clean image that doesn't phone home.
From https://docs.mattermost.com/developer/manifesto.html :
Phoning home without consent is absolutely unexpected.
The more you dig around the more shocking it gets. #9466 'MM Inc.' has been unethical for the majority of its existence. Another example: the persistent lying regarding data retention/maintenance options for the non-enterprise version. Instead of being honest and flat out declaring 'we are greedy, f*ck off', they wasted everyone's time. Various admins, incl. myself, bothered creating their own tools to achieve minimum usability (and GDPR compliance, if you care), but that's clearly not a sustainable option. Instead, we get new useless corpo buzzwords and bloat with every update. We want a simple, lightweight, reliable, and private messenger for Christ's sake, that was the whole point of leaving slack! If there were any other option I'd switch immediately. Rocketchat was extremely unstable and a black hole for server res last time I tried, though. Has anyone bothered digging into the latest updates? Anything new we ought to be aware of? I manually override their CSP now, as they whitelist a spy domain. ('rudderlabs', another one of those slapping the term 'privacy' around, while having the sole purpose of being invasive. No data collection is acceptable. Data collection that you weren't asked for first is even illegal!) But obviously, we have no control over the server side. Most of us will use their images, and who has time to set up a lab environment to sniff and audit every time? The basic tenet of open source for many many years was that your software won't betray you. Otherwise, you might as well just stick with slack or google or whatever. The 'desktop' apps try to connect all over the place too. On linux there is no reliable/lightweight afw as of today (opensnitch is getting there, but right now I found it's too fat and slow and more of a hack). On windows you can use at least simplewall to only whitelist your server, and deploy the config as xml. It hardly needs any res and has been reliable. Utilizing a network wide blacklist doesn't seem too helpful. 
Then you have to dig through the source to find what to blacklist again. Given the constant addition of new bloat, it's not sustainable to audit the entire code every time and build the image yourself. Fun fact: If you had simply been honest instead of playing these dumb games, and showed admins a small textbox occasionally with some human readable statistics like yaml, and asked nicely for permission, I bet most would send it. I've seen this concept before, and it's truly the common sense solution. Of course this only works if your intentions are pure. If you want to collect hundreds of datapoints no sane person will hit yes, as nobody can dedicate half a lifetime to auditing. Not to mention, the more datapoints, the more identifiable. Google does not even need any of your content to clearly track you in real life, and even your non-google using friends, just via brute force scale metadata. And these absurd lies are so unbelievable. Either clinically brain damaged, or deliberately misleading. Check this one out for example:
How did people produce high quality software before everything turned perma-online? Oh what mystery! And all this for a chat! What most modern techies wrote for fun at some point!
Hi @elandorr Thank you for your feedback and thoughts on this matter. As mentioned before, we understand your concerns, but we would like to remind you that we expect our community to abide by our CoC (Code of Conduct) and communicate and collaborate guided by our Community expectations. Feel free to reach out if you have any other questions, concerns, or feedback.
Summary
Hey guys, thanks so much for the hard work and effort you put into this open source project!
Mattermost server has enabled segment.io analytics by default on a fresh install. There was no indication that I could see that gives the user warning or a choice. There is an opt-out feature post-installation, but it should be opt-in since it seems not obvious and not authorized. (note I did not use an absolute latest version, so this may have changed in the latest). The segment.io analytics go to a third-party that users don't know who has access to the data.
I've read: https://docs.mattermost.com/administration/telemetry.html but this doesn't necessarily help.
It collects (among other pieces of obfuscated information) IP address of the user, time of messages sent, and user agent. All 3 of those are something neither the admins nor the users consented to sending to a 3rd party website.
Steps to reproduce
Install mattermost. Notice in console / network tab that there are constant pings to segment.io without enabling such analytics or installing a plugin for all users without their permission or consent.
Expected behaviour
For this feature to be opt-in or just not there.
Observed behaviour (that appears unintentional)
This feature seems to be opt-out / not obvious to the admin when installing MM.
Possible fixes
Make analytics an opt-in feature, not an opt-out feature.
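The network-tab check from "Steps to reproduce" can be automated over a HAR file exported from the browser, which makes it repeatable after every upgrade. This is an added example, not code from the issue or from Mattermost; `audit_har`, `is_allowed`, the host names, paths and sample entries are all constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def is_allowed(host, allowed_hosts):
    # Exact match or true subdomain only: "evilchat.example.com" must not
    # pass as a suffix match for "chat.example.com".
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def audit_har(har, allowed_hosts):
    """Return {third_party_host: summary} for requests that leave the allowed hosts."""
    findings = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if not host or is_allowed(host, allowed_hosts):
            continue  # data:/blob: URLs have no host; first-party traffic is expected
        headers = {h["name"].lower() for h in req.get("headers", [])}
        body = req.get("postData", {}).get("text", "")
        item = findings.setdefault(
            host, {"requests": 0, "body_bytes": 0, "sends_user_agent": False})
        item["requests"] += 1
        item["body_bytes"] += len(body.encode("utf-8"))
        item["sends_user_agent"] |= "user-agent" in headers
    return findings

def _req(method, url, body=None):
    # Builds one constructed HAR entry (HAR 1.2 field names).
    r = {"method": method, "url": url,
         "headers": [{"name": "User-Agent", "value": "ExampleBrowser/1.0"}]}
    if body is not None:
        r["postData"] = {"mimeType": "application/json", "text": body}
    return {"request": r}

# Constructed sample capture; a real one comes from json.load() on the exported .har file.
SAMPLE_HAR = {"log": {"entries": [
    _req("GET", "https://chat.example.com/api/v4/users/me"),
    _req("GET", "https://files.chat.example.com/logo.png"),
    _req("POST", "https://api.segment.io/v1/track", '{"event":"constructed"}'),
    _req("POST", "https://api.segment.io/v1/page", "{}"),
    _req("GET", "data:image/png;base64,AAAA"),
]}}

if __name__ == "__main__":
    print(json.dumps(audit_har(SAMPLE_HAR, ["chat.example.com"]), indent=2))
```

An empty result on a fresh install is the pass condition; any host that appears is traffic the administrator did not configure.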