Expose the ability to manage Telemetry settings on first-time use #8199
Unfortunately we cannot make this type of data collection opt-in because the limited data from voluntary reports wouldn’t provide enough insights to make informed product decisions. Opt-in data would come from a small, biased subset, leading to flawed conclusions. Knowing the Android ecosystem covers a vast range of hardware and form factors, we need to have a mechanism to make better decisions on how features are being used, and have information on which environments users might be having trouble in. In line with Mozilla’s data practices, the default data collected contains no personal information. This helps us understand how features are used and where issues may occur, while minimizing data points and retaining only what's necessary. When we decide on new probes, we actively consider if we really need the information, and if there are ways we could reduce the needed retention time or scope. While I can't offer an opt-in at this time, I understand your concerns and genuinely appreciate that you're thinking critically about privacy. You might also be interested in a recent talk about our need for privacy respecting telemetry. https://blog.thunderbird.net/2024/08/thunderbird-goes-to-guadec-2024/ Please find these links for an update. We're looking to see if we can provide more choice to users while still being able to make informed product decisions. |
Oh dear, what marketing nonsense. By the way, this is illegal under EU and EEA law without the user's prior consent[1]:
You don't need to thank me for that, I'm happy to help publish what data is (currently) being transmitted[2]:

POST https://incoming.telemetry.mozilla.org/submit/net-thunderbird-android-beta/metrics/1/7b7bb07a-9637-4d4e-8855-00356e0da535 HTTP/2.0
user-agent: MozacFetch/130.0
date: Wed, 01 Oct 2024 08:06:18 GMT
content-type: application/json; charset=utf-8
x-telemetry-agent: Glean/60.4.0 (Kotlin on Android)
content-encoding: gzip
content-length: 439
accept-encoding: gzip

{
  "client_info": {
    "android_sdk_version": "34",
    "app_build": "4",
    "app_channel": "beta",
    "app_display_version": "8.0b1",
    "architecture": "arm64-v8a",
    "build_date": "1970-01-01T00:00:00+01:00",
    "client_id": "172fd2c3-53af-46ed-aaae-e0ef99c480f6",
    "device_manufacturer": "Google",
    "device_model": "Pixel 6a",
    "first_run_date": "2024-10-01+02:00",
    "locale": "de-DE",
    "os": "Android",
    "os_version": "14",
    "telemetry_sdk_build": "60.4.0"
  },
  "metrics": {
    "timing_distribution": {
      "glean.database.write_time": {
        "sum": 499000,
        "values": {
          "27554": 7,
          "30048": 1,
          "32768": 3,
          "35733": 0,
          "38967": 0,
          "42494": 1,
          "46340": 0,
          "50535": 0,
          "55108": 1,
          "60096": 1,
          "65536": 0
        }
      }
    }
  },
  "ping_info": {
    "end_time": "2024-10-01T10:06:18.352+02:00",
    "reason": "upgrade",
    "seq": 0,
    "start_time": "2024-10-01T10:06:18.345+02:00"
  }
}
|
Thanks @DocSniper, also worth reading, uBlockOrigin/uBOL-home#197 (comment):
So, for Mozilla it's OK, for third party add-ons, it's not. |
Also thanks @fauust, I read about this a few days ago and just shook my head, especially since @gorhill explained that he doesn't take any data home, but that Mozilla only thinks or claims that. The statement that also makes me shake my head is:
Well, Mozilla doesn't really have a choice. For the EU and EEA regions, they MUST make opt-in; they have no choice at all, otherwise, they are violating EU laws. Of course, this doesn't just apply to Thunderbird; Mozilla has to change this for Firefox too. It may be that in the USA this doesn't matter at all and there are few or no data protection laws, but in the EU, everyone MUST make opt-in to send data home. |
You may consider that violations of the DSGVO may end up in a fine of up to 20 million € against your organization. See https://gdpr-info.eu/art-83-gdpr/ number (5) |
I think this will be the reason for some people not to install this application. Those who wouldn't be bothered by this are already using contaminated applications and have no interest in an alternative to the installed one. |
Imho this issue should be reopened and fixed asap @kewisch |
Disgraceful. Mozilla is to be considered a malign entity. |
Indeed. I personally have just uninstalled this from my phone in favor of FairEmail, since it only shares crash report information, and only on an opt-in basis. I am frankly somewhat baffled about Mozilla's insistence on anti-features like this one when they claim to be a champion of privacy, especially when this feature as currently implemented would seem to go against Mozilla's privacy policy (or at least my own reading of it), in addition to the aforementioned issues. |
In real terms, don't users consent by installing the app in the first place? For the likes of you and me, Telemetry is likely blocked at the network level. I feel like people are arguing for sane defaults, but then want the defaults that only serve them. We have data to show that telemetry doesn't work well when it's opt in and it works extremely well when it's opt out because most people don't care. In turn, that data gives companies the ability to make more informed choices and better products. If you don't trust Mozilla to process that data in good faith, you shouldn't use Mozilla products. As per EU law, you're perfectly able to access the data, request it and even delete it. To be more explicit, the upside of telemetry is that it provides data to support decisions, like supporting older and slower devices. Now if you're asking for guarantees that the telemetry won't be made available for advertising insights, that's a whole other matter and I believe everyone would support that. But this idea that Mozilla should cripple themselves in terms of development insights to appease a vocal minority who can easily opt out is asinine. Even sports players use analytics. Imagine getting in a plane and your pilot paints over their windows while all the other plane pilots use their windows and systems. People keep asking Mozilla to fight with both arms tied behind their backs while blindfolded and under the effect of a sedative. It's actually ridiculous at this point. |
Instead of opt-out hidden in preferences, and as an alternative to opt-in, could this be added as a first-time set-up option? Ask people on their very first launch if they want or not to share this information, ideally with a small description of the information shared, as part of the set-up screens where you connect your email account, give permission to the app for contacts and notifications, etc. |
If Mozilla adopts the same bad behaviour as Google, why would anyone use Mozilla products? As for EU law, you don't know what you are talking about. GDPR requires informed consent, meaning installing an app is not enough, you have to ask explicitly for users' consent. |
That's exactly why consent exists, dude… Because people DON'T WANT such a feature!!!! |
Mhh, somehow it used to work without spying on users - and it still does with many great FLOSS apps today. |
@uniquePWD , you are welcome to argue and think whatever you like, but reading the laws would make more sense, and we would have to deal with less unnecessary discussion here. As @bohwaz and @aeris have already stated very briefly and well, opt-in is required by law in the EU for telemetry data, period. And here in detail, so you don't have to search any further... by the way, you're welcome:
And don't tell me that telemetry data wouldn't be personal data. At least in the EU, they are.
|
And https://blog.mozilla.org/en/mozilla/improving-online-advertising/ clearly doesn't make me feel comfortable that Mozilla will respect users' privacy with telemetry when they clearly step into the advertisement industry, even if they claimed their goal (not their result) is to respect individuals' rights. The very first step to respect users' individual rights is to respect the right to choose not to report any data to Mozilla if they don't want to. You want insight to improve your product, you're not an app with only 200 people using it, you make a survey, you make a place where people can propose features and you'll have insight from people because you have thousands of users, you make a place where people can easily report bugs,... I think you already have most of this so you don't need to force telemetry over people and as people said before you need consent to collect data! |
To prevent any confusion ahead of time: "strictly necessary" does not mean "because it lets us make better decisions". It means "the requested service literally cannot be provided otherwise", which is clearly not the case here, especially given the history of the project. Read it as "when strictly necessary from the perspective of the user". In short, the reason stated here is not a valid justification for non-consensual telemetry collection. |
Ok. I was planning on trying the new Thunderbird for Android but I'll just stick with FairEmail, which works great and respects your privacy. |
Shouldn't this post discuss how anonymized the collected data is instead of assuming there is a privacy violation? Concerns should be directed to IP address retention on the telemetry server, who can see that data, or what does that I may be wrong, but apart from that similar discussion:
Mandatory telemetry does not break GDPR rules when the collected data is anonymous
Conclusion that sucks: if that collected data is truly anonymized then most GDPR claims in this thread are invalid and we can consider ourselves happy that there is an opt-out option in the first place |
Anonymization is usually not possible for telemetry. By design you collect too much information to be able to consider the data as anonymous. Typically, VS Code collects installed plugins. It's enough to de-anonymize a user if the subset of installed plugins is unique. Truly anonymous data is very hard to achieve and not possible in practice. Even "anonymized" data are in fact only pseudonymized and are still a GDPR concern. |
Great job pushing away your core user base |
As I mentioned in one of my posts above, the data that Mozilla currently transmits to its servers constitutes personal data, at least under EU law. This is particularly relevant given the potential for fingerprinting, which can uniquely identify individuals even when certain data points appear anonymous. One could imagine a slightly more anonymized version of the data that Mozilla currently collects:
As @aeris already wrote, the question is whether this is already anonymous enough to prevent any inferences to persons or fingerprinting and whether it would comply with EU laws. Let's get down to brass tacks: |
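As an added illustration of the fingerprinting point made in the comment above (this is example code written for this thread, not Thunderbird, Glean or Mozilla code): a small privacy review of a metrics ping shaped like the one posted earlier. It classifies client_info fields under an assumed scheme, builds a coarsened copy, and measures how many pings share the same quasi-identifier combination across a constructed batch, the k of k-anonymity that decides whether "anonymous enough" holds.

```python
from collections import Counter
from copy import deepcopy

# Constructed sample in the shape of the metrics ping posted earlier in this
# thread; the client_id is a placeholder, not a real value.
SAMPLE_PING = {
    "client_info": {
        "android_sdk_version": "34", "app_build": "4", "app_channel": "beta",
        "app_display_version": "8.0b1", "architecture": "arm64-v8a",
        "build_date": "1970-01-01T00:00:00+01:00",
        "client_id": "00000000-0000-0000-0000-000000000000",
        "device_manufacturer": "Google", "device_model": "Pixel 6a",
        "first_run_date": "2024-10-01+02:00", "locale": "de-DE",
        "os": "Android", "os_version": "14", "telemetry_sdk_build": "60.4.0",
    },
    "metrics": {"timing_distribution": {
        "glean.database.write_time": {"sum": 499000, "values": {"27554": 7}}}},
    "ping_info": {"reason": "upgrade", "seq": 0,
                  "start_time": "2024-10-01T10:06:18.345+02:00",
                  "end_time": "2024-10-01T10:06:18.352+02:00"},
}

# Assumed classification used for this review; it is not a Glean or Mozilla
# definition. A direct identifier names one client on its own; quasi-identifiers
# only do so in combination, which is the fingerprinting concern raised above.
DIRECT = {"client_id"}
QUASI = {"device_manufacturer", "device_model", "locale", "os_version",
         "android_sdk_version", "architecture", "first_run_date",
         "app_display_version", "app_build"}

def classify(ping):
    """Split the client_info keys into direct, quasi and other fields."""
    keys = set(ping["client_info"])
    return {"direct": sorted(keys & DIRECT),
            "quasi": sorted(keys & QUASI),
            "other": sorted(keys - DIRECT - QUASI)}

def reduce_ping(ping):
    """Return a copy with direct identifiers dropped and quasi-identifiers coarsened."""
    out = deepcopy(ping)
    ci = out["client_info"]
    for key in DIRECT:
        ci.pop(key, None)
    ci.pop("device_model", None)                        # exact model is the sharpest field
    if "locale" in ci:
        ci["locale"] = ci["locale"].split("-")[0]       # de-DE -> de
    if "first_run_date" in ci:
        ci["first_run_date"] = ci["first_run_date"][:7]  # 2024-10-01+02:00 -> 2024-10
    # seq and millisecond timestamps link pings from one client; keep only the reason
    out["ping_info"] = {"reason": ping["ping_info"].get("reason")}
    return out

def fingerprint_key(ping):
    """The quasi-identifier combination a server could group clients by."""
    ci = ping["client_info"]
    return tuple(ci.get(key, "") for key in sorted(QUASI))

def min_group_size(pings):
    """Smallest number of pings sharing one fingerprint_key (the k of k-anonymity)."""
    counts = Counter(fingerprint_key(p) for p in pings)
    return min(counts.values())

def demo_batch():
    """Constructed population: ten identical clients plus one with a rarer device model."""
    batch = [deepcopy(SAMPLE_PING) for _ in range(10)]
    rare = deepcopy(SAMPLE_PING)
    rare["client_info"]["device_model"] = "Pixel 6a (constructed rare variant)"
    batch.append(rare)
    return batch

if __name__ == "__main__":
    print("k (raw):", min_group_size(demo_batch()))          # 1: the rare device stands alone
    print("k (reduced):", min_group_size([reduce_ping(p) for p in demo_batch()]))  # 11
```

A k of 1 means one client is uniquely identifiable from its quasi-identifiers alone, regardless of whether client_id is present.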
This is not an excuse. There is plenty of great software that does not do ANY data collection.
If a user is having trouble, ask them to send a report. So they would have a choice.
Really? How am I supposed to believe this? Your excuses are not convincing. Real privacy respecting software does not send any telemetry without user knowledge. Thanks to you I'm now absolutely convinced that Mozilla does not respect privacy, and their talk about privacy is nothing but marketing garbage.
If user does not specifically choose to send data, this is not privacy respecting. |
Name them please, I'm curious. |
In all cases, it wouldn't be relevant. Even if other software does crappy things (and there is really too much of it), that doesn't mean you can do crappy things too. |
NewPipe does not send any user data and errors can optionally be sent via e-mail, Syncthing asks when the web interface is started for the first time and UnCiv gives you a base64 error code, which you can send to the developers yourself via GitHub.
In the Debian installation process you will also be asked if you want to tell the developers which package you are using. This is actually set to "No" by default. |
thanks @sirtao for your clarification. |
GDPR Article 5 So not only
|
I guess you can just stop looking for such a thing. So you are just looking to square the circle… |
Thank you, I missed that point in the guideline. Then there is absolutely no way to implement this outside making it opt-in. (On a side note I completely disagree on your interpretation of 5(b) and 5(c) but I'll stop here because the discussion is no longer relevant) |
Perhaps this will help you to better understand what “legitimate interest” means:[1][2]
|
Hi folks, we’re back with some updates. It took us a while longer, as we were focused on getting the release out of the door. If you haven’t had a chance to try it out please see https://f-droid.org/packages/net.thunderbird.android or https://play.google.com/store/apps/details?id=net.thunderbird.android (we turned telemetry off in both, don’t worry). We’ve gone through a few different iterations in both design and wording and we’d like to present a few for feedback. As a reminder, we need to be able to make sound product decisions based on the data we receive, which can be difficult if that data is not representative of our users. On the other hand, we’d like to give users the opportunity to make a choice. As you might expect, we do not want to send telemetry information before the user makes a choice. We would however like to find out if it is possible to get a simple measure on how many people decided for and against without breaking consent. This helps us understand how much we can rely on the information we are receiving. I will post these as separate comments so you can express your thoughts through emojis if you prefer. |
What do you think? Please note, this has not yet been reviewed by legal counsel; we wanted to gauge feedback within this group first. While we understand many of you are familiar with GDPR and related regulations, we’d like to prioritize the overall direction of the approach before getting into specific language. We’ll fine-tune the wording with legal input afterwards. The “Learn More” link will direct users to a revised Thunderbird Android Telemetry page. Let us know what additional information you’d find helpful here. I’m looking forward to learning how you perceive these options and appreciate the opportunity for a constructive discussion. |
I prefer Option B, but Option A is probably the most palatable. |
B seems better to me, less guilt-inducing and so more free consent. For the telemetry page, it seems to be missing all legal information about right to access, right to erasure, DPO contact, etc. |
The learn more link points to https://support.mozilla.org/kb/thunderbird-android-telemetry which (once implemented) will also contain specific steps on how to disable/enable telemetry. We removed those steps to not mislead, because the options currently do not exist in Thunderbird for Android. We'll certainly confirm with our legal counsel if they also consider the data we send PII and if that wording needs adjustment. We certainly have no interest in personal information, and would like to make this clear in some way. For the privacy policy, we have a direct link "Thunderbird Privacy" on thunderbird.net, which is also included in the above support link. We'll be updating the policy again to match the new approach. I can't speak for Mozilla's broader approach. |
Variant C, although commonly used, seems to fall under dark patterns and comes with a range of issues. Due to the pre-selection of the data-sharing option and the additional steps required to opt out compared to just tapping "Continue" for opt-in, the selection is not equally weighed. Also Continue is problematic: users may tap it because they don't want to be bothered with long dialogs and continue to the client in order to do what they initially intended when opening Thunderbird. If option C is used, which I hope it won't be due to lacking compliance with GDPR, I hope it would see some adjustments. Besides all that, there are software projects which manage to produce great software without telemetry. Just wanted to add this, as some statements sound as if that would technically not be possible, which is false (VLC, Iina, KeePassXC, LibreOffice, GPG Suite ...). |
Many legal counsel failed on this simple question and lost a lot in front of a DPA 🤣 |
My 2c about some text bits (from Option B):
should be "Thunderbird would like to send usage information", "Thunderbird can send usage information" or sth., right? Afterall, whether it actually does depends on which button the user clicks.
Feels more positive to write "features to improve or remove" (hopefully the former would be much more common? 😄).
You wanna do what with my inbox? 😜 |
I prefer Option C, but who thought of using such a passive-aggressive form as "Without this data we might remove things you like"? It doesn't matter that it is true (though you might want to write very good pages explaining WHY that could happen), but it really Spin it around to be "With this data we can know better what to focus on" instead. And put the "Learn More" before the checkbox, the same font-size as the rest of the message: that way it feels less like it's "hidden". This would give the users the impression you actually care that they know what they are accepting or refusing, and are not hiding what you are collecting/doing behind legal-speak or whatnot. Oh, and in the pop-up inform the user they can stop telemetry at any time and request their data be deleted, if that's applicable. As for the dark patterns warned about by @foss-: I am no expert, but they might be fixed by clearly labeling the checkbox as (optional)? |
It depends on the legal basis. If Thunderbird thinks it could be under legitimate interest (6(1)f), it could be opt-out. If it's consent (6(1)a), it must be opt-in. IMO it must be consent (the necessary and proportionate step of the LI triple test may be difficult to pass) and so opt-in, but perhaps Thunderbird can prove LI is possible (and so opt-out) |
@aeris in that case I think legitimate interest might be applied to the Beta version, but for sure not to the Stable. I also believe it's better to avoid opt-out checkboxes regardless: they only result in distracted people accepting or people unchecking them out of principle/automatically because too many bad actors abuse them. Opt-In is the only way forward. |
I think we should avoid having the discussion of what is legally required here—even if you are right, we'd need to confirm with legal anyway before making a choice. Options A and B are more in opt-in territory, whereas option C can be either opt-in or opt-out depending on the checkbox value. If you have a preference there you can vote accordingly. For those of you arguing Option C should be unchecked by default, the equal weight can go both ways. If it is disabled by default, there is also not an equal weight. Remember please, it serves Thunderbird and users best if we make the data as representative as possible, not to make it less likely for people to decide in favor.
To be fair, the description of the app includes "Free Your Inbox" (this should have actually been your, I wrongly changed that to the last minute), so for someone who just installed it might not be too far away. https://play.google.com/store/apps/details?id=net.thunderbird.android :) I acknowledge your point though, it may seem awkward if that detail is lost.
Version B's wording focuses more on the positive, so it sounds like that text might be appealing to you? We want to be realistic, if we simply use a variant of "this data is used to improve our product" and phrase it too positively, then we're not setting the right expectations. There is a lot of code that needs updating in Thunderbird for Android, at times it may make more sense to remove a feature rather than to rewrite and continue maintaining it. Knowing how many people use the feature in different ways helps to make that decision. side note - there are real people who thought of these things, and we are genuinely trying to find a good path here. You may not agree or question how it came to be, but no need to be...passive aggressive about it 😉 (re "should have never even got close to your keyboard" and "who thought of using...")
The prompt would be both in Beta and Release. If we were to focus just on the beta population, we'd be catering to a group that is maybe more proficient in testing software and may have different preferences than a general user.
Personally I would perceive instructions to read a link before I make a decision as if there is something hiding even more so. To explain the thought process: We were aiming for an onion approach, because explaining data choices can be overwhelming given the amount of text necessary to accurately describe it in detail. Folks may start with the summary you see in the screenshots. If that is not enough for them to make a decision, they will be eager to learn more and find a way to do that. If even that is not enough, they'll be willing to head to the privacy policy and other links from there. This way each level of interest has a way to proceed without overloading information. We can certainly consider some tweaks on the text and placement though, I appreciate the suggestion! |
I have a small favor to ask: I don't see a lot of emojis on the options, though there were a lot of reactions to the initial posts. I'd appreciate if folks could take a moment to look at the three options and decide which ones they like or dislike. It only takes a few minutes! |
Yes, that's better, though I still think it's better to avoid suggesting potential removal of functions, at least in the pop-up. Basically the structure should be limited to 4 paragraphs:
...I'd say "of course worded better" but I'm thinking it's pretty much fine like this: it's simple, straight to the point, neutral and actually tells everything a User would need to know, with a useful, not hidden link to more information before the choosing part which is written in a way that doesn't imply it's deep technical stuff... which it is not, because your page is pretty well written without being too technical and with links to the actually technical docs. Being very concise should also help with translations. Also: I refuse the notion I'm in any way passive aggressive! I'm full-on aggressive, thankyouverymuch!
Yeah, I thought so.
I see we perceive things differently, this is good :) |
At least you see it clearly ;-)
If a site tells me "read this before you accept" and I don't actually care to read it, then I will assume later someone will tell me "but we specifically instructed you to read this before you accept, so you must have known we did shady-thing". So I will go on and read the thing if I want to or not. It is certainly all perception, your approach is valid as well. |
This is the whole point. You have no right to be using such data to make decisions, without user consent. |
First, you need to STOP doing legally and morally questionable things. THEN, you can figure out what's legally and morally OK. |
could you put them in three different issues so it is clear the vote, please? |
Option C is the best of those presented, but is still misleading because metadata can be aggregated to reveal personal information in ways that you are hiding. None of this data collection is necessary. Presenting the option is not necessary. Including the code to do this is not necessary. Option A: this is vague about what the problems are, and there should not BE any problems. The software should function without requiring privacy compromising telemetry (including metadata about how many accounts someone sets up, or when they set them up, for example). One simply needs to inform users in the changelog if one removes features, so that users can decide whether to continue or seek out an alternative; that's the traditional approach, and doesn't require invading privacy. One can also request that users fill in surveys now and then, which doesn't require frequent, automated, behind-the-scenes data collection. Option B: Virtually identical to option A, useless for the same reasons. The "focus on the positive" idea also goes against the very concept of users consenting to negative things like data collection about their use of their personal devices/software. |
It does. The telemetry is optional and doesn't impact on functionality. It's strictly for future development and bug hunting, and ASKING for optional telemetry is perfectly legit... as long it's done correctly, which is the current point of discussion. |
Checklist
App version
8.0b1
Where did you get the app from?
Other
Android version
N/A
Device model
N/A
Steps to reproduce
Go to preferences -> data collection.
Expected behavior
Usage and technical data is unchecked by default
Actual behavior
Usage and technical data is checked by default
Logs
No response