Submits a message to a remote server even when "No, don't send any info" is selected

Right, note that it was described on the list topic
https://lists.ubuntu.com/archives/ubuntu-devel/2018-February/040139.html

"Any user can simply opt out by unchecking the box, which triggers one simple POST stating, “diagnostics=false”."

there was some questions/replies about that in the discussion

Agreed that we should be explicit about the behaviour and inform the users, unsure what options they have though if they disagree since you can't override/close the wizard

We should definitely make a design call ASAP on this.

I've confirmed with Jamie B that the ping still needs to be sent, so we need to work with design on improving the wording and making it clear than something will still be sent, perhaps showing the contents.

I'll email mpt and ask for info and CC the relevant parties.

Current screenshot for reference

Wording for this feels like it's going to be awkward. Here's one suggestion

"No, tell Canonical I don't want to send this information."

or slightly better:

"No, tell Canonical I don't want to send my system info."

Can we use this bug as a release bug to track that request then maybe?

One additional reason I'm a bit concerned is that there's (sensibly since otherwise you can end up with an incompletely configured machine) no way to quit gnome-initial-setup, so any wording will need to say that we're sending a ping regardless.

mpt's going to come up with something better, but it probably shouldn't be a yes/no question - rather a radio something like

 - Send full report containing system information (view)
 - Send basic report which only reveals your internet address and that you installed Ubuntu flavour version

…

To be clear - IP address are not being saved to the database. The data will of course have to come from an IP address, but we're not recording the data submitted against and IP address.

(This is probably being tracked elsewhere, but the linked privacy policy might need updating for this. Currently, it mentions *storing* IP addresses in relation to dash searches, and there's not really any other mention apart from

  Canonical may collect non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, referring site, and the date and time of each visitor’s request […]

which to me implies that it is going to be stored.)

I used "reveal" because it's not *in* the report but is metadata associated *with* the report. I think this is interesting to a submitter - although we're not giving them a choice to not submit so maybe it isn't.

I was looking at updating the "Show First Report" button to show the empty report content if you select "No" but I think that might be misleading. If you select "No", then "Show First Report" then "Yes" you might not notice the text has changed.

Perhaps we should change the design to show the text to be sent below the Yes/No selection, and we can update it automatically as you change your mind. You could hide the text below a GtkExpander or similar by default.

The wording has been changing to "No, don't send system info" which is less misleading since it's indeed not sending any system info, unsure if that's good enough to consider the issue as resolved?

My personal opinion is that saying "don't send" when we do send something is the misleading part. OK, maybe no system info is being sent - but something else is and we haven't said that.

If others disagree with me then they are free to close the bug, this is just my 2.

cents

> I've confirmed with Jamie B that the ping still needs to be sent

> mpt's going to come up with something better

I’m happy to come up with something better, if there’s a reason that I can explain. As I understand it, we let you decline data collection in case you are concerned about privacy. Given that, transmitting data either way is a strange thing to do, so we’d need a solid reason. A choice between “send system info” vs. “send … {something else}”, without a reason, would just make people angry.

I can’t say that it’s for counting users, since a one-time submission is no good for that, not tracking when machines are lost or destroyed or the user goes back to their Windows partition permanently. Weekly Active Device counts for default desktop snaps (currently within 0.9% of each other) would be more accurate for that, unless we have reason to believe that tens of thousands of users uninstall every snap after installation, or that hundreds of Snap Store Proxy users are wildly misreporting their deployments on setup.

And I can’t say it’s to ensure the validity of the sample, because at the magnitude we’re dealing with, the population size is irrelevant for that. (As I’ve calculated before, to get a 2% margin of error with 95% confidence from 500,000 Ubuntu users would require 2390 submissions, while from 100 million Ubuntu users it would require 2401 submissions. Hardly any difference, and we’ve already received massively more submissions than that.)

Note, with the current privacy regulations, if Canonical uses consent as the base for submitting this information for collection, I am quite sure it would be against the law to send IP address to a Canonical server when consent is missing. Sending IP address provides time, location and the fact that a given version of Ubuntu is being installed to Ubuntu, and every network sniffing entity on the way like NSA and GCHQ. This set of information is by definition personal information, and by combining the IP address with other sources it is often possible to identify the individual uniquely (for example if the user uses Facebook, log into her email etc). As consent is obviously missing if the user declined to submit the information about his machine, Canonical would have to come up with another basis for the collection. It would be hard to argue it is vital for the operation of the service provided, one of the other options for data collection. It is probably a good idea to check out the GDPR provisions available, to reduce the chance of a large fine.

There is no IP info being sent

Of course IP information is sent. Any HTTP connection will pass on the IP address of the other end during establishment of its TCP/IP connection. The fact that HTTP is used over TCP is enough to send the IP address. It could be avoided by enforcing the use of Tor or similar, but that is purely academic given that most people are not using a service to hide their IP address.

IP addresses are not logged or stored.

The fact that you claim to not log or store the IP address is beside my point, which is that the IP address is _transferred_ out of the machine even when the user said no to submitting any information. If consent is your legal basis for submitting information to Ubuntu, it is not valid for transferring the 'I do not want information to be submitted' message over HTTP, independent of what story you provide on what you do with the personal information once it arrive.