-
-
Notifications
You must be signed in to change notification settings - Fork 987
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No setting to disable: download sends unique user tracking UUID & number of days since install #15058
Comments
This comment was marked as abuse.
This comment was marked as abuse.
Any follow up from the code maintainer? |
|
|
Some thing to add:
|
This comment was marked as abuse.
This comment was marked as abuse.
There is a strong disconnect between the tone and even some accusations and the actual issue being reported. First of all, connecting to the server is only something that happens during download. OSMAnd is an offline map and downloads happen rarely. For heavy users less than once a month, for many much less than that. Additionally, all such downloads are user-initiated, they have to explicitly press a download button. Nothing that would be useful to build a profile of any specific user. Allegations of travel data and such being leaked are thus really not in evidence. The data that is being shared is not possible to connect to any personally identifying information. Notice that google explains that since some 5 years the Does anyone actually have any real issues with the existing code? For the record, I don't have any relation to the company behind OSMAnd, never received anything from them (other than FOSS software) and I'm just an open source developer standing up for common sense. |
This comment was marked as abuse.
This comment was marked as abuse.
I think there are 2 direction of discussions: consent and identification.
It would be completely different case if program would send statistics in background that you're using the application and here is an IP. To summarize: it's probably needs to be more clarified in Terms of Service but it doesn't require a consent.
It's completely incorrect to say that app could view travel history, I would say it's total nonsense cause the server only views what and when maps were downloaded in contrast of other apps that provide Internet services. Last but not least. The websites require to ask consent only for information they gather for example if you search an address on website and website doesn't store these addresses or don't connect them to IP (address is essentially publicly available information), consent is not needed. If the website will start storing information in the table [IP, Search], then consent is needed. So it's all about how the data is processed and used and not only what's being transmitted. |
Just to provide another point of view on this topic. As a Service provider I need a unique identifier to predict the load on servers (especially once maps are updated), so in the end it would say: "Download maps won't be provided if user doesn't agree to create a random key for the installation". Does it makes sense then to implement at all ? Cause in the end it will end up, if you to download - you need a consent which to me is actually totally clear if you don't want to know what & when you downloaded - download or generate maps yourself and import to the app. App won't send to the server what you've imported yourself! |
you claimed that;
Considering that this is an offline-map which doesn't normally do downloads, how do you support your claims? If you continue to make big claims, please provide actual evidence. |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
Il 14/08/22 13:57, Jeffrey Paul ha scritto:
No, this doesn't make sense at all, as I can distribute a forked client that sends no ID, or a random UUID on every single HTTP request
In which case the client will be blocked from downloading the datasets,
no? Sounds like the point.
|
Maybe the problem lies that nobody explained in technical details what it means for OSMAnd to be an offline map. It means that the application, when started, does not cause any network traffic at all. You can travel and use the map daily, including searches for point-of-interests and doing routing, without ever causing a single download. Without, specifically, leaking that uuid. OSMAnd, in other words, is perfectly useful and allows people to use the app for months or years without ever triggering the download you have noticed sends an UUID. People can download all their data at home or at work, regardless of where they travel later. Sneak: you are wrong. It is time to admit you came to wrong conclusions and time to publicly show you are able to learn when presented with new facts. Thank you. |
Let me summarize a bit.
Consent Concerns that come to mind Ideas for compromises
|
This comment was marked as abuse.
This comment was marked as abuse.
This is true. But it limits the average user case, where the user does not manipulate the request just to download some maps and I guess, this comprises almost 100% of all users. |
@saddy001 - agree that server has no control but practically it's unsolvable issue cause indeed anything could happen on the server side (i.e. hacked or rights transferred). In the end it would be a liable action or reputation loss.
I think these are doable actions and if we're fine with them, I will start planning implementation. Although it might not be too much development effort but I want to implement carefully so in summary reports it will be comparing "apple to apples". |
This comment was marked as abuse.
This comment was marked as abuse.
You can do this of course. However, how many users do you expect to use your fork? I bet the above number will still remain close to 100%.
Blocking via IP is still possible unless you intend to perform a DDOS... Let's go back to the topic, shall we? |
This comment was marked as abuse.
This comment was marked as abuse.
Do you really think anyone actually reads it?
A unique identifier that, in contrast to the IP address, can't be easily anonymised by the user and that also persists across IP addresses “preserves the privacy”? Surely, Google uses those Android ad IDs because they're so incredibly anonymous.
Besides the fact that privacy laws are a thing, this is incredibly detrimental to say, considering that OsmAnd has always presented itself as a privacy-friendly alternative to commercial services. Telling people not to use it if they care about privacy is something I'd only expect from Google or Microsoft.
This is not an option for probably 99% of users. I agree that this unique ID is not as bad as the issue's author claimed it to be. However, I also think that OsmAnd should not be designed in a way that could theoretically enable behavioural tracking. Would simply re-generating the ID at regular intervals really be too difficult? In my opinion, it would be such an easy way to improve everyone's privacy and to calm anyone who's worried. |
@sneak Yes, UUID is PII. But so is IP address itself according to GDPR. So even if there were no UUID at all, PII would still be transmitted and stored by OsmAnd servers. Thanks for pointing to this issue, but I think it is now time to stop beating a dead horse (we get it: current OsmAnd situation is not perfect, but they seem to recognize the problem and look willing to improve on it, so let's try to not paint them as villains worse than Google or Microsoft - for the time being, eh?) and concentrate on how to best address this issue - in an actionable way that is acceptable both to privacy-oriented users and OsmAnd server admins, while also following GDPR and other applicable laws. My suggestions:
|
This comment was marked as abuse.
This comment was marked as abuse.
Just a showerthought with my morning coffee in hand, as I bumped into this issue, but couldn't you hash the IP + UUID in similar way passwords are hashed? That way at least what's in the server logs would be useless to malicious hackers should they manage to obtain it. |
Since the client needs to be trusted anyway for this whole scheme to work, how about having the client itself keep track of the number of downloads? It could then either send this number to the server, which would use it to decide whether or not to allow the download, or just refuse to initiate the download itself. |
Can you elaborate a little on how that might be accomplished? |
Major actionable points:
Major information point:
That's my basic understanding for now. Please leave comments in the nearest future if I'm missing something and that issue will be frozen to not create any further never ending discussions! |
@vshcherb As far as I can tell, using a UUID does not provide any benefit for OsmAnd compared to the approach I mentioned above (simply storing a counter in the client). On the contrary, using a UUID seems to make things more difficult (regeneration, clearing logs, updating the privacy policy). It also makes tracking users at least theoretically more easy. Could you maybe clarify why this approach is not being considered? Am I missing something? |
Except that we couldn't count of how many unique users per month / quarter were active, exactly why uid was introduced to give a sum by day / month. |
I'm sorry for my ignorance but why do you need this information? I wonder how useful it is because, for example, I'm a very active user but almost never update my maps so I won't show up in these statistics. If you really want to know how many unique users download maps, couldn't the number of unique IP addresses be used as a decent approximation? Not that I necessarily like the idea of IP addresses being stored but at least this is information the servers get anyway. |
This comment was marked as abuse.
This comment was marked as abuse.
Just a quick additional information:
|
@sneak is correct here. See for example this Law SE question "Are auto-generated identifiers PII if they cannot be linked to an identity?" |
Especially noteworthy (regarding the Law SE question):
|
I agree that I need a proper legal advise and in the end consent or any other legally correct form of user getting informed. Completely another topic whether Map downloads Service could be provided without identifying how many users and potentially prevent out of service issues. In the end that needs to be decided by OsmAnd BV, so I'm not going to take decision on my onw, cause it has legal and business implications. Note: the issue will be frozen to stop message flooding and updates will be sent to it to get everybody informed. |
Summary The issue has bee fixed in Android / iOS and already available in nightly builds and will be released in 4.3. What's been done by sorted by priority:
As a result I'm closing the issue to make it completed. Thanks for reporting it so we could resolve that subject. |
Great! Thanks for this improvement, highly appreciated! 👍 |
This comment was marked as abuse.
This comment was marked as abuse.
Il 18/10/22 03:23, Jeffrey Paul ha scritto:
You simply can't send any sort of tracking identifier for a user unless the user consents to it
This is clearly false: for instance no specific explicit consent is
needed for the transmission of the IP address that comes along with
every TCP/IP request, when it's necessary to perform the action
requested by the user. Otherwise you'd end up in a catch 22 situation
where you need previous consent to allow the user to download the
privacy policy where they'll learn how to provide consent.
|
If you are able to opt out and the outcome of the request does not change compared to if you opted-in, it isn't necessary to perform said action. From how I understood the use of the uuid it is a non-essential ID this is exactly how it works and it means it is not technically required to provide the service which does indeed mean, it needs to be opt in, not opt out. |
As I understood the Summary above, the outcome does change. In particular, your download request (in times of heightened load) might be slowed down significantly (or maybe even delayed for some time or completely refused until retried later when load is lower). As s side note, there are other privacy-related options that can be enabled/disabled at that screen, that you might want to check, as well other related system-wide options (i.e. Google's "Improve Location Accuracy" setting, enabled by default on Android phones, leaks hugely bigger amount of privacy and location data, and has much worse privacy record than OsmAnd. Not to mention that if you used Google Play app store to download any of the apps, you are also leaking more privacy data daily than this UUID setting would if you left it in "on" position forever). Not to say this isn't important, but before starting worrying about default setting of this UUID setting, one at minimum should be running de-googlified ROM on their phone and using exclusively some privacy oriented app-store dedicated to providing non-proprietary free software only instead of Google one (or Apple's, but there is no way to avoid using IOS on iPhone devices AFAIK, so you are out of luck there in any case). Some people do, and thus they might want to suggest (to their app store!) to change that default (for that app store users), yes. For Google Play and (Apple store) crowd who (willingly or unknowingly, regardless) continues to surrender their privacy daily anyway, I do not see much point in changing the OsmAnd UUID default, as it only would result in their OsmAnd experience getting worse, with no noticeable privacy improvement at all. |
I think it's unfortunate to see the completely appropriate and respectful comments by @sneak that shed light on the importance of this issue are marked as abuse. As this issue is linked directly to the anti-features section on F-Droid and other repos, its at least poor optics. |
OsmAnd/OsmAnd/src/net/osmand/plus/download/DownloadOsmandIndexesHelper.java
Lines 273 to 281 in 22e40f1
This appears to send the number of days since install, as well as a unique identifier (
getUserAndroidId
), to the index server when fetching indices, without respect for the telemetry preference setting.This is a data leak that allows for a user's travel history to be tracked by the server, as these requests include client IP and a unique tracking identifier, and client IP is coarse (city-level) geolocation. This means the server can see the various cities the given userIosId travels to as the client IP changes over time.
This spyware feature also exists in the iOS version, and fails to respect the user's consent choice there as well. It seems unlikely that this is an accident.
osmandapp/OsmAnd-iOS#2115
The text was updated successfully, but these errors were encountered: