krathjen / studiolibrary

Studio Library
https://www.studiolibrary.com
GNU Lesser General Public License v3.0
351 stars 138 forks source link

About hidden analytics collection. #169

Closed KelSolaar closed 6 years ago

KelSolaar commented 6 years ago

Hi,

I just came across this:

Nowhere it is stated clearly that you are collecting analytics, this is not very nice to say the least. The package should prompt user about that on initial startup with default value being False.

Cheers,

Thomas

krathjen commented 6 years ago

Hey Thomas,

Thanks for the comment.

The analytics are only used for knowing the Studio Library version, Maya version (Deprecated), and the type of OS (Deprecated). As a user/developer, I'm sure you would understand the benefits of this to the Studio Library project. Most software, apps, and websites are collecting a lot more data than this.

However, I do think that we should change the unique user ID (cid) to a uuid.uuid(). but again the information collected is very minimal and is only used for improving the Studio Library and monitoring its growth.

Cheers,

Kurt

KelSolaar commented 6 years ago

Hi,

Just to be clear, I have nothing against analytics collection provided it is a known and explicit behavior from an user perspective, not something happening under the hood silently.

Many companies collect data but the Golden Rule is to advertise it to the customer, e.g. Autodesk CIP/DAP

As an employee working to deploy your tool in my company, this puts me in a position where I need to double down on the security audit of your source to check nothing else malicious is happening. I also have to check all the legal ramifications for eventually changing your LGPL licensed source, as a matter of fact I sent a mail yesterday to the Free Software Foundation to clarify some points in that regard.

As a developer, I have collected crash reports for some of my applications, but the users were aware: a modal dialog was shown describing what would happen with a clear opt-out capability.

As an user, knowing that an application is sending data back home without my consent is infuriating.

Please consider making the behavior explicit with a modal dialog and option to opt-out.

Your tool is great by the way, keep up the good work!

Bests,

Thomas

krathjen commented 6 years ago

Hey Thomas,

Thanks again for the feedback!

There is only one event and it's an open source project (Meaning the code is transparent). This is why I haven't thought much about the analytics, as you can see it's nothing bad.

It would be interesting to know what percentage of websites, apps, and software use analytics without an opt-in/out? Obviously excluding any that require personal data/login.

Anyways, I do think that an option to turn on/off analytics from the settings would be a good, as well as changing the cid to uuid.uuid(). :)

Cheers,

Kurt

# Here is an example for anyone interested in turning off analytics via code.

import studiolibrary

studiolibrary.ANALYTICS_ENABLED = False

studiolibrary.main()
KelSolaar commented 6 years ago

Hi,

as you can see it's nothing bad.

I have not performed the full security auditing yet, so I can't assess it, and as I mentioned it already because I found out about analytics, it will have to be thorough.

By saying that I certainly don't want to imply that you are dishonest or anything related, we sincerely appreciate the work you have put into the tool.

The point I'm trying to raise is that because analytics are being collected without user consent, it raises the Security Danger Flag at its highest position in my company. In fact I have temporarilly deactivated usage of the tool yesterday.

It would be interesting to know what percentage of websites, apps, and software use analytics without an opt-in/out?

I think that Websites != Applications for most people, this is the reason AD prompts you about analytics in 3dsmax, Maya & Co. As a matter of fact the Cookie Law in EU has been created for that very reason: https://www.cookielaw.org/the-cookie-law/

Again, I appreciate your openness and discussing with you about that topic.

Cheers,

Thomas

krathjen commented 6 years ago

Hey Thomas,

I understand your concern. I guess open source software is easier to trust. It's harder to know what Autodesk is doing under the hood and we only have their words to trust. ;)

For good practice, we can use the "Cookie Law" as a way of measuring whether we need to consent the user or not. The Studio Library uses Google Analytics which might make it easier.

http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

The one thing that will need to change is the cid (client ID) to use a uuid, as this will guarantee that the cid is fully anonymous. The current cid was a quick hack for getting a unique user ID. Implementing the uuid will require a bit more code.

Thanks again,

Kurt

KelSolaar commented 6 years ago

Hi,

In https://www.cookielaw.org/google-analytics-eu-cookie-law/ :

Google Analytics is covered by the requirements of the EU Cookie Law. This means the website owners must seek consent for the use of GA, using tools like Optanon.

Cheers,

Thomas

krathjen commented 6 years ago

LOL! Okay, I can have a look when I have more time. I think it's how you use GA that determines if a website requires consent. Also, isn't the following link the official website?

http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

KelSolaar commented 6 years ago

Easily solved by putting a startup dialog ;) Hehe, sorry to bother you with that!

krathjen commented 6 years ago

haha... True! It just seems very silly for the type of data collected.

I'll start with changing the cid which should help with any concerns.

Thanks again! :)

krathjen commented 6 years ago

Closing this issue as we have changed the analytics cid to use uuid4 and you can now turn off analytics via the config.