Is telemetry legal in EU?

[why-this-code-works]

Is this new feature legal and in compliance with GDPR?

As I understand GDPR, the users' consent is needed to collect this kind of "marketing" data.

In other words, telemetry should be opt-in not opt-out.

Could you please clarify the legal aspects and compliance with the EU laws?

Thank you!

[jonniebigodes]

@why-this-code-works and @wojtekxtx to answer your question, it is. The question you've raised was initially addressed by the Storybook maintainers, as a great chunk of them are based in Europe, including myself. So with that in mind, the team spun up the project with that mind and took great lengths not to collect personal information. If both of you check the documentation, more specifically here you'll see no personal information is being collected.

Hope I was able to shed some light on the question. Hope both of you have a great weekend

[jonniebigodes]

@wojtekxtx no need to thank whatsoever. Sorry you feel that way, and to be clear and perfectly honest with you. What we have currently documented is far more encompassing than other companies out there. As an open-source project, we strive to have a clear and transparent policy and tell our users how and what we collect in this particular matter. The aim of the telemetry project is to gather information about pain points for Storybook users (e.g., frameworks and issues with our addon ecosystem) so that the team (i.e., maintainers) can have actionable information on where it should focus its efforts in helping out the community. And also, as per design, in no way, shape or form can we collect any personal information about the Storybook user that encountered an issue.

I'm aware that I might be biased as I'm currently a Storybook maintainer and it's entirely up to you to take my word for it or not. I'll leave it in your hands.

[justuswilhelm]

Seems like Storybook had a bit of an aw shucks, switch-and-bait telemetry play here? Why don't you make it optional, i.e., opt-out?

Yes, privacy laws are a big concern here, but also the moral integrity of software development as a whole. Can you imagine working behind a corporate firewall and explaining to your supervisor why your laptop is trying to phone home to an unknown third party every day?

Do you provide a privacy policy? How do you handle breaches? Where (physically) is the data stored? Which entities are involved in storing and processing this data? Will this data be shared with third parties? Why do I need to provide an extra environment variable to completely stop Storybook from phoning home and disregarding the intent of the user, setting disableTelemetry to true?

Re hashing IPv4 addresses: Since there's only 2^32 bit for them, it's not a lot of hashes there?

[Etheryte]

Since an IPv4 address is 4 bytes, 2^32 of them adds up to roughly 17.18 GB or so. Given that modern hardware can calculate SHA-256 at roughly 2.1 GB/s per block, it's entirely feasible for a motivated attacker to just plug in the salt and calculate away should the data ever leak. The same idea is discussed in depth here, hashing IPv4 addresses really doesn't do much just because the space is so small. The actual question is whether you consider the address in this context PII or not, you can forget about the hashing bit.

[Etheryte]

For context I gave it a go and calculated the salted hashes for the first 2^24 IPv4 addresses, a naive Node implementation that reuses the code used by Storybook took around 30 seconds to calculate those, so roughly extrapolating it would take a bit over two hours to cover the whole range. This is running serial on a regular laptop, so even less time if you throw parallelization and hardware at the problem.

[justuswilhelm]

Sounds like one for the birthday problem, doesn't it?

[xyzeva]

Hashed IPv4 addresses are not anonymous, they can be easily enumerated by checking the entire IPv4 space, and then hashing them, and then you have a full rainbow table.

This is, quite honestly stupid, the telemetry here cant be proven to not log IP addresses aswell, as the server code isn't opensource, and its also running on your own infrastructure rather then a serverless host with deploy from Git options.