thunderbird / thunderbird-android

Thunderbird for Android – Open Source Email App for Android (fka K-9 Mail)
https://thunderbird.net/mobile
Apache License 2.0

Expose the ability to manage Telemetry settings on first-time use #8199

Open fauust opened 1 month ago

fauust commented 1 month ago

App version

8.0b1

Where did you get the app from?

Other

Android version

N/A

Device model

N/A

Steps to reproduce

Go to preferences -> data collection.

Expected behavior

Usage and technical data is unchecked by default

Actual behavior

Usage and technical data is checked by default

Logs

No response

kewisch commented 1 month ago

Unfortunately we cannot make this type of data collection opt-in because the limited data from voluntary reports wouldn’t provide enough insights to make informed product decisions. Opt-in data would come from a small, biased subset, leading to flawed conclusions.

Knowing the Android ecosystem covers a vast range of hardware and form factors, we need to have a mechanism to make better decisions on how features are being used, and have information about the environments in which users might be having trouble.

In line with Mozilla’s data practices, the default data collected contains no personal information. This helps us understand how features are used and where issues may occur, while minimizing data points and retaining only what's necessary. When we decide on new probes, we actively consider if we really need the information, and if there are ways we could reduce the needed retention time or scope.

While I can't offer an opt-in at this time, I understand your concerns and genuinely appreciate that you're thinking critically about privacy. You might also be interested in a recent talk about our need for privacy respecting telemetry. https://blog.thunderbird.net/2024/08/thunderbird-goes-to-guadec-2024/


Please find these links for an update. We're looking to see if we can provide more choice to users while still being able to make informed product decisions.

DocSniper commented 1 month ago

Oh dear, what marketing nonsense. Why don't you or Mozilla just announce what data they collect?

By the way, this is illegal under EU and EEA law without the user's prior consent[^1]:

"Article 5, Paragraph 3 of the ePrivacy Regulation" refers to a specific section of the ePrivacy Regulation, formerly known as the "Telecoms Package." This regulation governs privacy and security of electronic communications.

Article 5, Paragraph 3 of the ePrivacy Regulation essentially states that:

"The processing of personal data necessary for the provision of electronic communications services may only be carried out with the explicit consent of the user, unless it is strictly necessary for other reasons."

This means that companies providing electronic communications services may only process their users' personal data if they have the explicit consent of the user. This rule aims to protect users' privacy and ensure that their data is only used with their permission.

The ePrivacy Regulation applies throughout the European Union (EU) and the European Economic Area (EEA). It is part of European data protection law and aims to protect the privacy and security of electronic communications within these regions.

Therefore, Article 5, Paragraph 3 of the ePrivacy Regulation applies in all EU and EEA member states, including Germany, France, Spain, Italy, Sweden, Norway, Iceland, and others.

You don't need to thank me for that, I'm happy to help publish what data is (currently) being transmitted[^2]:

POST https://incoming.telemetry.mozilla.org/submit/net-thunderbird-android-beta/metrics/1/7b7bb07a-9637-4d4e-8855-00356e0da535 HTTP/2.0
user-agent: MozacFetch/130.0
date: Wed, 01 Oct 2024 08:06:18 GMT
content-type: application/json; charset=utf-8
x-telemetry-agent: Glean/60.4.0 (Kotlin on Android)
content-encoding: gzip
content-length: 439
accept-encoding: gzip

{
  "client_info": {
    "android_sdk_version": "34",
    "app_build": "4",
    "app_channel": "beta",
    "app_display_version": "8.0b1",
    "architecture": "arm64-v8a",
    "build_date": "1970-01-01T00:00:00+01:00",
    "client_id": "172fd2c3-53af-46ed-aaae-e0ef99c480f6",
    "device_manufacturer": "Google",
    "device_model": "Pixel 6a",
    "first_run_date": "2024-10-01+02:00",
    "locale": "de-DE",
    "os": "Android",
    "os_version": "14",
    "telemetry_sdk_build": "60.4.0"
  },
  "metrics": {
    "timing_distribution": {
      "glean.database.write_time": {
        "sum": 499000,
        "values": {
          "27554": 7,
          "30048": 1,
          "32768": 3,
          "35733": 0,
          "38967": 0,
          "42494": 1,
          "46340": 0,
          "50535": 0,
          "55108": 1,
          "60096": 1,
          "65536": 0
        }
      }
    }
  },
  "ping_info": {
    "end_time": "2024-10-01T10:06:18.352+02:00",
    "reason": "upgrade",
    "seq": 0,
    "start_time": "2024-10-01T10:06:18.345+02:00"
  }
}

[^2]: Thunderbird for Android: Telemetry data is collected at startup

fauust commented 1 month ago

Thanks @DocSniper, also worth reading, https://github.com/uBlockOrigin/uBOL-home/issues/197#issuecomment-2329365796:

Our review found that your content violates the following Mozilla policy or policies:

Consent, specifically Nonexistent: For add-ons that collect or transmit user data, the user must be informed and provided with a clear and easy way to control this data collection. The control mechanism must be shown at first-run of the add-on. The control should contain a choice accompanied by the data collection summary. Depending on the type of data being collected, the choice to send cannot be enabled by default. If data collection starts or changes in an add-on update, or the consent and control is introduced in an update, it must be shown to all new and upgrading users.

So, for Mozilla it's OK, for third party add-ons, it's not.

DocSniper commented 1 month ago

Also thanks @fauust, I read about this a few days ago and just shook my head, especially since @gorhill explained that he doesn't take any data home, but that Mozilla only thinks or claims that.

The statement that also makes me shake my head is:

"Unfortunately, we cannot make this type of data collection opt-in..." (see post 2)

Well, Mozilla doesn't really have a choice. For the EU and EEA regions, they MUST make opt-in; they have no choice at all, otherwise, they are violating EU laws. Of course, this doesn't just apply to Thunderbird; Mozilla has to change this for Firefox too.

It may be that in the USA this doesn't matter at all and there are few or no data protection laws, but in the EU, everyone MUST make opt-in to send data home.

ip6li commented 1 month ago

You may consider that violations of the DSGVO (GDPR) may end up in a fine of up to €20 million against your organization. See https://gdpr-info.eu/art-83-gdpr/ paragraph (5)

martkol commented 1 month ago

I think this will be the reason for some people not to install this application. Those who wouldn't be bothered by this are already using contaminated applications and have no interest in an alternative to the installed one. Nevertheless, good luck.

MyIgel commented 1 month ago

Imho this issue should be reopened and fixed asap @kewisch

rzeta0 commented 1 month ago

Disgraceful. Mozilla is to be considered a malign entity.

goshhhy commented 1 month ago

I think this will be the reason for some people not to install this application. Those who wouldn't be bothered by this are already using contaminated applications and have no interest in an alternative to the installed one. Nevertheless, good luck.

Indeed. I personally have just uninstalled this from my phone in favor of FairEmail, since it only shares crash report information, and only on an opt-in basis.

I am frankly somewhat baffled about Mozilla's insistence on anti-features like this one when they claim to be a champion of privacy, especially when this feature as currently implemented would seem to go against Mozilla's privacy policy (or at least my own reading of it), in addition to the aforementioned issues.

uniquePWD commented 1 month ago

Oh dear, what marketing nonsense. Why don't you or Mozilla just announce what data they collect?

By the way, this is illegal under EU and EEA law without the user's prior consent[^1]:

"Article 5, Paragraph 3 of the ePrivacy Regulation" refers to a specific section of the ePrivacy Regulation, formerly known as the "Telecoms Package." This regulation governs privacy and security of electronic communications. Article 5, Paragraph 3 of the ePrivacy Regulation essentially states that: "The processing of personal data necessary for the provision of electronic communications services may only be carried out with the explicit consent of the user, unless it is strictly necessary for other reasons." This means that companies providing electronic communications services may only process their users' personal data if they have the explicit consent of the user. This rule aims to protect users' privacy and ensure that their data is only used with their permission. The ePrivacy Regulation applies throughout the European Union (EU) and the European Economic Area (EEA). It is part of European data protection law and aims to protect the privacy and security of electronic communications within these regions. Therefore, Article 5, Paragraph 3 of the ePrivacy Regulation applies in all EU and EEA member states, including Germany, France, Spain, Italy, Sweden, Norway, Iceland, and others.

You don't need to thank me for that, I'm happy to help publish what data is (currently) being transmitted[^2]:

Footnotes

1. Regulation (EU) 2017/1128, Art. 5, para. 3. Available at: [EUR-Lex - 32017R1128 - EN - EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R1128) (Accessed on 2024-10-03)

2. [Thunderbird for Android: Telemetry data is collected at startup](https://www.kuketz-blog.de/thunderbird-fuer-android-telemetrie-daten-werden-bereits-beim-start-erfasst/)

In real terms, don't users consent by installing the app in the first place?

For the likes of you and me, Telemetry is likely blocked at the network level. I feel like people are arguing for sane defaults, but then want the defaults that only serve them. We have data to show that telemetry doesn't work well when it's opt in and it works extremely well when it's opt out because most people don't care. In turn, that data enables companies the ability to make more informed choices and better products. If you don't trust Mozilla to process that data in good faith, you shouldn't use Mozilla products. As per EU law, you're perfectly able to access the data, request it and even delete it.

To be more explicit, the upside of telemetry is that it provides data to support decisions, like supporting older and slower devices.

Now if you're asking for guarantees that the telemetry won't be made available for advertising insights, that's a whole other matter and I believe everyone would support that.

But this idea that Mozilla should cripple themselves in terms of development insights to appease a vocal minority who can easily opt out is asinine. Even sports players use analytics. Imagine getting in a plane and your pilot paints over their windows while all the other plane pilots use their windows and systems. People keep asking Mozilla to fight with both arms tied behind their backs while blindfolded and under the effect of a sedative. It's actually ridiculous at this point.

nclm commented 1 month ago

Instead of an opt-out hidden in preferences, and as an alternative to opt-in, could this be added as a first-time set-up option? Ask people on their very first launch whether or not they want to share this information, ideally with a small description of the information shared, as part of the set-up screens where you connect your email account, give the app permission for contacts and notifications, etc.

bohwaz commented 1 month ago

@uniquePWD

If Mozilla adopts the same bad behaviour as Google, why would anyone use Mozilla products?

As for EU law, you don't know what you are talking about. GDPR requires informed consent, meaning installing an app is not enough; you have to ask explicitly for users' consent.

aeris commented 1 month ago

We have data to show that telemetry doesn't work well when it's opt in and it works extremely well when it's opt out because most people don't care

That's exactly why consent exists, dude… Because people DON'T WANT such a feature!!!! It's not that they don't care about telemetry, it's that they DON'T SEE the telemetry behind a hidden opt-out… Show them the opt-out telemetry, I bet you'd get the same result as opt-in…

marek22k commented 1 month ago

Mhh, somehow it used to work without spying on users - and it still does with many great FLOSS apps today.

DocSniper commented 1 month ago

@uniquePWD , you are welcome to argue and think whatever you like, but reading the laws would make more sense, and we would have to deal with less unnecessary discussion here.

As @bohwaz and @aeris have already stated very briefly and well, opt-in is required by law in the EU for telemetry data, period.

And here in detail, so you don't have to search any further... by the way, you're welcome:

Explanation regarding the necessity of informed consent and opt-in based on EU legislation:

1. General Data Protection Regulation (GDPR):

  • Article 4: Defines "personal data" as any information relating to an identified or identifiable natural person.
  • Article 6: Establishes the legal bases for processing personal data. One of the legal bases is the consent of the data subject (Article 6(1)(a)).
  • Article 7: Specifies the requirements for consent. Consent must be freely given, specific, informed, and unambiguous. It must be provided in a clear and accessible form, using clear and plain language.
  • Article 13 and 14: Oblige the controller to inform the data subject about the processing of their data, including the nature of the data, the purposes of the processing, and the rights of the data subject.

2. ePrivacy Regulation:

  • Article 5: Regulates the processing of telemetry data and other electronic communication data. It requires the consent of the user for the processing of such data, unless the processing is strictly necessary for the provision of an electronic communication service.
  • Article 7: Generally requires an active consent (opt-in) of the user before telemetry data or other electronic communication data are processed.

Summary:

  • GDPR: Consent (informed consent) is required when the processing of personal data is based on the consent of the data subject (Article 6(1)(a)). Consent must be freely given, specific, informed, and unambiguous (Article 7).
  • ePrivacy Regulation: Requires an active consent (opt-in) of the user for the processing of telemetry data and other electronic communication data, unless the processing is strictly necessary for the provision of an electronic communication service (Article 7).

Since the data in the given example are personal data and no other legal basis for processing is specified, informed consent (opt-in) is required under the GDPR and the ePrivacy Regulation.

And don't tell me that telemetry data wouldn't be personal data. At least in the EU, they are.

The data mentioned in the given example (see my post above) are considered personal data under the General Data Protection Regulation (GDPR) because they are capable of identifying a natural person directly or indirectly. Here is a detailed explanation of why these data are considered personal data:

1. Client-ID:

  • UUID (172fd2c3-53af-46ed-aaae-e0ef99c480f6): This unique identifier is specific to a particular client and can be used directly to identify a person, especially when combined with other data.

2. Device Information:

  • device_manufacturer, device_model, os, os_version, architecture, android_sdk_version: These pieces of information, when combined, can identify a person. For example, the combination of device manufacturer, model, and operating system version could uniquely identify a specific individual.

3. Timestamps:

  • first_run_date, build_date, start_time, end_time: These timestamps can be used to track the usage patterns of a specific individual, especially when combined with other data.

4. Localization:

  • locale (de-DE): The locale setting can be used to infer the geographical location and language preferences of a user, which can be used to identify a person when combined with other data.

Why These Data Are Personal Data:

  • GDPR Definition: According to Article 4 of the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Identifiability: The data mentioned in the example can be used to identify a person either directly (e.g., through a unique identifier like the Client-ID) or indirectly (e.g., through the combination of device information, timestamps, and locale).
  • Combination of Data: When these data points are combined, they can provide a comprehensive profile of a user, making it possible to identify that individual.

Schoumi commented 1 month ago

And https://blog.mozilla.org/en/mozilla/improving-online-advertising/ clearly doesn't make me feel comfortable that Mozilla will respect users' privacy with telemetry when they clearly step into the advertisement industry, even if they claim their goal (not their result) is to respect individuals' rights.

The very first step to respect users' individual rights is to respect the right to choose not to report any data to Mozilla if they don't want to.

You want insight to improve your product; you're not an app with only 200 people using it. You make a survey, you make a place where people can propose features and you'll have insight from people because you have thousands of users, you make a place where people can easily report bugs... I think you already have most of this, so you don't need to force telemetry on people, and as people said before, you need consent to collect data!

joepie91 commented 1 month ago

unless the processing is strictly necessary for the provision of an electronic communication service

To prevent any confusion ahead of time: "strictly necessary" does not mean "because it lets us make better decisions". It means "the requested service literally cannot be provided otherwise", which is clearly not the case here, especially given the history of the project. Read it as "when strictly necessary from the perspective of the user".

In short, the reason stated here is not a valid justification for non-consensual telemetry collection.

kamazeuci commented 1 month ago

Ok. I was planning on trying the new Thunderbird for Android but I'll just stick with FairEmail, which works great and respects your privacy.

tobozo commented 1 month ago

shouldn't this post discuss how anonymized the collected data is instead of assuming there is a privacy violation?

concerns should be directed to IP address retention on the telemetry server, who can see that data, or what that client_id telemetry data field represents

I may be wrong, but apart from that client_id field, the collected data sample does not appear to contain any PII (Personally Identifiable Information) data, so unless the telemetry servers correlate PII data with that collected data, it's non-PII, and no consent is required

similar discussion: Mandatory telemetry does not break GDPR rules when the collected data is anonymous

conclusion that sucks: if that collected data is truly anonymized then most GDPR claims in this thread are invalid and we can consider ourselves happy that there is an opt-out option in the first place

aeris commented 1 month ago

shouldn't this post discuss how anonymized the collected data is instead of assuming there is a privacy violation?

Anonymization is usually not possible for telemetry. By design you collect too much information to be able to consider data as anonymous.

Typically, vscode collects installed plugins. It's enough to deanonymize a user if the subset of installed plugins is unique. In the above example, we see client-id, which is not anonymous by design. Correlating device model, locale & OS version could re-identify the user. The IP address is in all cases sent to Mozilla, which is by itself PII and can't be anonymized (TCP/IP connection); given that in this case you transmit PII to a US entity, you hit the Schrems II CJEU case hard, which strictly forbids such international transfers. Even anonymizing after the telemetry technical data is sent, with IP truncation server side, is too late (see the CNIL decision against Google Analytics & Google Fonts).

Truly anonymous data is very hard to achieve and not possible in practice. Even "anonymized" data are in fact only pseudonymized and are still GDPR concerned. True anonymization is supposed to be robust to individualization (not being able to isolate a single person from the mass), correlation (not being able to link 2 data sets to a unique person) and inference (generating more data from 2 datasets of the same person). And it's quite hard to do in practice (yes, date/gender/city is PII with 78% to 90% reidentification)

margaretjoanmiller commented 1 month ago

Great job pushing away your core user base

DocSniper commented 1 month ago

... if that collected data is truly anonymized then most GDPR claims in this thread are invalid and we can consider ourselves happy that there is an opt-out option in the first place

As I mentioned in one of my posts above, the data that Mozilla currently transmits to its servers constitutes personal data, at least under EU law. This is particularly relevant given the potential for fingerprinting, which can uniquely identify individuals even when certain data points appear anonymous.

One could imagine a slightly more anonymized version of the data that Mozilla currently collects:

As @aeris already wrote, the question is whether this is already anonymous enough to prevent any inferences to persons or fingerprinting and whether it would comply with EU laws.
Another question is whether Mozilla would even want to have this data in this or any other anonymized form (as it likely wouldn't be sufficient for whatever they want to track 😉).

Let's get down to brass tacks:
"Thus, I hereby request Mozilla to inform us all about the legal basis under EU law, specifically under Article 6[^1] of the GDPR, on which you collect and process the data that you currently transmit. Additionally, please provide information on how you ensure compliance with Article 5(2)[^2] of the GDPR, which stipulates that the data controller shall be responsible for, and be able to demonstrate, compliance with the principles of data protection."

[^1]: GDPR - Article 6. Lawfulness of processing
[^2]: GDPR - Article 5. Principles relating to processing of personal data
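Added example (not code from this thread, Thunderbird, Mozilla or the Glean SDK) for the field-by-field identifiability analysis and the "more anonymized version" discussed by @DocSniper above, and for @aeris's point that correlating device model, locale and OS version can re-identify a user: a minimisation pass over the ping quoted in the thread that drops the direct identifier and coarsens the quasi-identifiers, followed by a k-anonymity check over a constructed six-client population showing how unique the raw field combination is and how the coarsened one fares.

```python
"""Data-minimisation pass over a Glean-style metrics ping, plus a k-anonymity
check on the quasi-identifiers that survive it.  Added example for this thread;
not code from Thunderbird, Mozilla or the Glean SDK.  PING_JSON is the ping
quoted in the thread (whitespace changed, histogram shortened, values unchanged);
RAW_RECORDS is a constructed sample population, not real data."""
import json
from collections import Counter

PING_JSON = """{
  "client_info": {
    "android_sdk_version": "34", "app_build": "4", "app_channel": "beta",
    "app_display_version": "8.0b1", "architecture": "arm64-v8a",
    "build_date": "1970-01-01T00:00:00+01:00",
    "client_id": "172fd2c3-53af-46ed-aaae-e0ef99c480f6",
    "device_manufacturer": "Google", "device_model": "Pixel 6a",
    "first_run_date": "2024-10-01+02:00", "locale": "de-DE",
    "os": "Android", "os_version": "14", "telemetry_sdk_build": "60.4.0"
  },
  "metrics": {"timing_distribution": {"glean.database.write_time": {
    "sum": 499000, "values": {"27554": 7, "30048": 1, "32768": 3}}}},
  "ping_info": {"end_time": "2024-10-01T10:06:18.352+02:00", "reason": "upgrade",
                "seq": 0, "start_time": "2024-10-01T10:06:18.345+02:00"}
}"""

# Field classes as argued in the thread: one direct identifier, several
# quasi-identifiers that identify only in combination with each other.
DIRECT_IDENTIFIERS = {"client_id"}
QUASI_IDENTIFIERS = {"device_manufacturer", "device_model", "os_version",
                     "android_sdk_version", "architecture", "locale",
                     "first_run_date", "build_date"}
# Quasi-identifier tuple used for the k-anonymity check.
QI_KEYS = ("device_manufacturer", "device_model", "os_version", "locale")


def load_ping():
    return json.loads(PING_JSON)


def classify(client_info):
    """Label each client_info field 'direct', 'quasi' or 'other'.  The sender's
    IP address is known to the server from the TCP connection and never appears
    in the payload, so no payload-level minimisation can remove it."""
    return {f: "direct" if f in DIRECT_IDENTIFIERS
            else "quasi" if f in QUASI_IDENTIFIERS else "other"
            for f in client_info}


def generalise(client_info):
    """Coarsen one client_info record: drop the UUID, keep vendor but not model,
    language but not region, OS major version only, first-run month only."""
    ci = {k: v for k, v in client_info.items() if k not in DIRECT_IDENTIFIERS}
    ci["device_model"] = ci["device_manufacturer"]
    ci["locale"] = ci["locale"].split("-")[0]
    ci["os_version"] = ci["os_version"].split(".")[0]
    if "first_run_date" in ci:
        ci["first_run_date"] = ci["first_run_date"][:7]      # YYYY-MM
    ci.pop("build_date", None)      # epoch placeholder in the sample; not needed
    return ci


def minimise(ping):
    """Minimised deep copy of a whole ping.  The timing histogram is kept: a
    latency distribution is not identifying.  Timestamps keep the date only."""
    out = json.loads(json.dumps(ping))
    out["client_info"] = generalise(out["client_info"])
    for key in ("start_time", "end_time"):
        out["ping_info"][key] = out["ping_info"][key][:10]   # YYYY-MM-DD
    return out


def _classes(records, keys):
    return Counter(tuple(r.get(k) for k in keys) for r in records)


def k_anonymity(records, keys=QI_KEYS):
    """Size of the smallest group sharing the same values on `keys`; k == 1
    means at least one record is unique on those fields alone."""
    return min(_classes(records, keys).values())


def singletons(records, keys=QI_KEYS):
    """Number of records unique on `keys`, i.e. re-identifiable by correlation
    with any other dataset that holds the same fields."""
    return sum(1 for n in _classes(records, keys).values() if n == 1)


def _rec(manufacturer, model, os_version, locale):
    return {"device_manufacturer": manufacturer, "device_model": model,
            "os_version": os_version, "locale": locale,
            "first_run_date": "2024-10-01+02:00"}


# Constructed population of six clients (not real data): every record is
# unique on the raw quasi-identifiers, none is after generalisation.
RAW_RECORDS = [
    _rec("Google", "Pixel 6a", "14", "de-DE"),
    _rec("Google", "Pixel 7", "14", "de-AT"),
    _rec("Samsung", "SM-S918B", "14", "de-DE"),
    _rec("Samsung", "SM-A546B", "14", "de-CH"),
    _rec("Google", "Pixel 8", "14", "en-US"),
    _rec("Google", "Pixel 6a", "14", "en-GB"),
]

if __name__ == "__main__":
    gen = [generalise(r) for r in RAW_RECORDS]
    print("raw: k =", k_anonymity(RAW_RECORDS), "singletons =", singletons(RAW_RECORDS))
    print("generalised: k =", k_anonymity(gen), "singletons =", singletons(gen))
    print(json.dumps(minimise(load_ping()), indent=2))
```

Coarsening raises k on the constructed population, but as the thread notes it says nothing about the IP address seen at the transport layer, which the payload never contains.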

Neinei0k commented 1 month ago

Unfortunately we cannot make this type of data collection opt-in because the limited data from voluntary reports wouldn’t provide enough insights to make informed product decisions. Opt-in data would come from a small, biased subset, leading to flawed conclusions.

This is not an excuse. There are plenty of great software that do not do ANY data collection.

Knowing the Android ecosystem covers a vast range of hardware and form factors, we need to have a mechanism to make better decisions on how features are being used, and have information about the environments in which users might be having trouble.

If a user is having trouble, ask them to send a report. So they would have a choice.

In line with Mozilla’s data practices, the default data collected contains no personal information. This helps us understand how features are used and where issues may occur, while minimizing data points and retaining only what's necessary. When we decide on new probes, we actively consider if we really need the information, and if there are ways we could reduce the needed retention time or scope.

Really? How am I supposed to believe this? Your excuses are not convincing. Real privacy-respecting software does not send any telemetry without user knowledge. Thanks to you I'm now absolutely convinced that Mozilla does not respect privacy, and their talk about privacy is nothing but marketing garbage.

While I can't offer an opt-in at this time, I understand your concerns and genuinely appreciate that you're thinking critically about privacy. You might also be interested in a recent talk about our need for privacy respecting telemetry. https://blog.thunderbird.net/2024/08/thunderbird-goes-to-guadec-2024/

If user does not specifically choose to send data, this is not privacy respecting.

uniquePWD commented 1 month ago

This is not an excuse. There are plenty of great software that do not do ANY data collection.

Name them please, I'm curious.

aeris commented 1 month ago

In all cases, it wouldn't be relevant. Even if other software does crappy things (and there is really too much of it), that doesn't mean you can do crappy things too. This telemetry is clearly a GDPR violation because telemetry MUST be under strict consent (and so, opt-in), and so such software is not usable in the EU, and worse if using US systems, which are forbidden in the EU (Schrems I & II & future III)

marek22k commented 1 month ago

This is not an excuse. There are plenty of great software that do not do ANY data collection.

Name them please, I'm curious.

NewPipe does not send any user data and errors can optionally be sent via e-mail, Syncthing asks when the web interface is started for the first time and UnCiv gives you a base64 error code, which you can send to the developers yourself via GitHub.

In the Debian installation process you will also be asked if you want to tell the developers which package you are using. This is actually set to "No" by default.

panzer-arc commented 1 month ago

Closing the issue and shutting down discussion is just like YouTube removing the dislike button. Do better.

uniquePWD commented 1 month ago

This is not an excuse. There are plenty of great software that do not do ANY data collection.

Name them please, I'm curious.

* Termux

* Tusky

* NewPipe

* FairMail

* Conversations

* KeePassDX

* Binary Eye

* UnCiv

* WG Tunnel

* Syncthing

NewPipe does not send any user data and errors can optionally be sent via e-mail, Syncthing asks when the web interface is started for the first time and UnCiv gives you a base64 error code, which you can send to the developers yourself via GitHub.

* Debian

In the Debian installation process you will also be asked if you want to tell the developers which package you are using. This is actually set to "No" by default.

First off let me say, I'm not saying that Thunderbird shouldn't have a ticked box to inform users that they're collecting telemetry on installation. I'm arguing that collecting telemetry is part and parcel of building great software in these modern times.

As for your list

I wouldn't say you named anything great or industry leading, it's functional at worst and decent at best, not including Debian which is obviously tremendous.

aeris commented 1 month ago

Like above: irrelevant. It's not because you create a "good" or "industry leading" product that you can break the law. Even the best industry-leading software MUST respect the GDPR, and telemetry is NOT possible under legitimate interest but only consent (WP opinion 3/2013 WP203, page 16, EDPB guidelines 05/2020, pages 14 & 18). And so software CAN'T be a good and industry-leading one without consent for telemetry, because such software is just UNUSABLE at least in the EU because FORBIDDEN because UNLAWFUL.

aeris commented 1 month ago

If you need real decisions with a BAN decision at the end because of telemetry:
https://gdprhub.eu/index.php?title=VG_Wiesbaden_-_6_L_738/21.WI
https://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2020-431-0061_(Helsingor_decision_no._3) <= Chromebook, "good enough leading industry" I guess
https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en <= Office 365 used by the European Commission, banned by the EDPS regulator, "good enough leading industry" I guess too

uniquePWD commented 1 month ago

Like above: irrelevant. It's not because you create a "good" or "industry leading" product that you can break the law. Even the best industry-leading software MUST respect the GDPR, and telemetry is NOT possible under legitimate interest but only consent (WP opinion 3/2013 WP203, page 16, EDPB guidelines 05/2020, pages 14 & 18). And so software CAN'T be a good and industry-leading one without consent for telemetry, because such software is just UNUSABLE at least in the EU because FORBIDDEN because UNLAWFUL.

You've repeatedly made your point. If you feel that Mozilla aren't making the changes you're requesting (which to my understanding is a tick box at installation) in a timely manner, you're free to submit a pull request, they're welcomed on both Thunderbird and K9 Email.

Now can I get back to having a proper conversation about software design and Thunderbird please.

aeris commented 1 month ago

Correction. If Mozilla deploys such software in Europe, it's just UNLAWFUL. And so it is not our job to fix such LEGAL TROUBLES before release.

ilikenwf commented 1 month ago

Has anyone on F-Droid forked it yet?

For desktop there's already Librewolf and friends...and betterbird. For Android we have mull browser...so surely this will get forked?

garfieldairlines commented 1 month ago

This is not an excuse. There are plenty of great software that do not do ANY data collection.

Name them please, I'm curious.

* Termux

* Tusky

* NewPipe

* FairMail

* Conversations

* KeePassDX

* Binary Eye

* UnCiv

* WG Tunnel

* Syncthing

NewPipe does not send any user data and errors can optionally be sent via e-mail, Syncthing asks when the web interface is started for the first time and UnCiv gives you a base64 error code, which you can send to the developers yourself via GitHub.

* Debian

In the Debian installation process you will also be asked if you want to tell the developers which package you are using. This is actually set to "No" by default.

First off let me say, I'm not saying that Thunderbird shouldn't have a ticked box to inform users that they're collecting telemetry on installation. I'm arguing that collecting telemetry is part and parcel of building great software in these modern times.

As for your list

* Termux is good by default, as there are no competitors

* Tusky is okay, there's better Mastodon apps and worse

* NewPipe is considered pretty bad by its own developers

* FairEmail implements the kitchen sink approach, that doesn't mean it's bad. I use it myself

* Conversations, never heard of it. Looks decent

* KeePass DX lives in the shadow of BitWarden

* Binary Eye good app

* UnCiv terrible UX, doesn't try to be good in that regard though

* WG Tunnel looks decent, can't say I've ever used it

* SyncThing decent app. I like it for what it is, but given the forks, others feel it can be improved.

I wouldn't say you named anything great or industry leading, it's functional at worst and decent at best, not including Debian which is obviously tremendous.

I'll make it short, but I'm sorry, this is not a problem of software stability, quality, security, UI or UX; it is a problem of legal matters. Being "industry leading" doesn't matter, and having bigger people than you committing crimes is not a reason for you to do so as well.

uniquePWD commented 1 month ago

This is not an excuse. There are plenty of great software that do not do ANY data collection.

Name them please, I'm curious.

* Termux

* Tusky

* NewPipe

* FairMail

* Conversations

* KeePassDX

* Binary Eye

* UnCiv

* WG Tunnel

* Syncthing

NewPipe does not send any user data and errors can optionally be sent via e-mail, Syncthing asks when the web interface is started for the first time and UnCiv gives you a base64 error code, which you can send to the developers yourself via GitHub.

* Debian

In the Debian installation process you will also be asked if you want to tell the developers which package you are using. This is actually set to "No" by default.

First off let me say, I'm not saying that Thunderbird shouldn't have a ticked box to inform users that they're collecting telemetry on installation. I'm arguing that collecting telemetry is part and parcel of building great software in these modern times. As for your list

* Termux is good by default, as there are no competitors

* Tusky is okay, there's better Mastodon apps and worse

* NewPipe is considered pretty bad by its own developers

* FairEmail implements the kitchen sink approach, that doesn't mean it's bad. I use it myself

* Conversations, never heard of it. Looks decent

* KeePass DX lives in the shadow of BitWarden

* Binary Eye good app

* UnCiv terrible UX, doesn't try to be good in that regard though

* WG Tunnel looks decent, can't say I've ever used it

* SyncThing decent app. I like it for what it is, but given the forks, others feel it can be improved.

I wouldn't say you named anything great or industry leading, it's functional at worst and decent at best, not including Debian which is obviously tremendous.

I'll make it short, but I'm sorry, this is not a problem of software stability, quality, security, UI or UX; it is a problem of legal matters. Being "industry leading" doesn't matter, and having bigger people than you committing crimes is not a reason for you to do so as well.

IANAL, but I did just install Firefox Beta to check, and it doesn't ask about telemetry at installation either, so maybe it's more nuanced than has been suggested here. It's worth noting that Thunderbird was delayed by a matter of weeks while they checked a bunch of stuff with lawyers.

DocSniper commented 1 month ago

IANAL, but I did just install Firefox Beta to check, and it doesn't ask about telemetry at installation either, so maybe it's more nuanced than has been suggested here. It's worth noting that Thunderbird was delayed by a matter of weeks while they checked a bunch of stuff with lawyers.

Yes, all of this applies to Firefox as well, both for the desktop and Android versions. Similarly, for Thunderbird, it applies to both the Android version discussed here and the desktop version. They are sending telemetry data home without prior informed consent from the user. Therefore, both programs and all variants are affected.

It's interesting to hear that Mozilla is working on something with lawyers. Do you have any details or links regarding this? Thanks in advance for that.

ryanleesipes commented 1 month ago

Thank you for all the feedback, I want to let you know that we hear you.

Privacy is at the core of what we do. All our telemetry is anonymous and is only used for improving the product and no other purpose. Additionally, we do not collect any personal data.

But we understand that some folks do not want any data collected, under any circumstances.

In acknowledgement of this, we are going to begin work on a way to put this front-and-center for the user so that everyone can make a decision about what they want to share when they set up the app (after set up, you can change this setting already).

Additionally, K-9 will continue to be supported and does not have Telemetry enabled, and will not have it enabled. (I've seen some folks misunderstand and assume that we have turned it on in K-9.)

Thunderbird is truly an open source project, and we rely on our community to help us build it alongside us. So I thank everyone here for engaging on this topic and hope that you all will continue to help us build something that provides the utmost privacy and the best email experience. I hope everyone in this issue realizes that we are here to engage in good faith and truly want to do what's right on this topic. I hope everyone who participates here also wants to engage in good faith and help us find the right solution.

Thank you for your feedback and I look forward to showing you what we do to address these concerns.

joepie91 commented 1 month ago

In acknowledgement of this, we are going to begin work on a way to put this front-and-center for the user so that everyone can make a decision about what they want to share when they set up the app

Just to confirm my understanding explicitly (a yes/no is enough for me): does this mean that there will be a dialog or other consent interface shown prior to sending telemetry, and that it will present both options on equal footing without the use of dark patterns, in compliance with the GDPR?

aeris commented 1 month ago

Privacy is at the core of what we do. All our telemetry is anonymous and is only used for improving the product and no other purpose. Additionally, we do not collect any personal data.

Sorry to say that but : 🇧​​🇺​​🇱​​🇱​​🇸​​🇭​​🇮​​🇹

"Privacy is at the core of what we do" is the same shit every cookie banner user prints on the first line. We all know what comes just after: "us and our 3897 partners want to collect, share and resell your data".

Your telemetry is NOT AT ALL anonymous data. As said just before, the mere fact that we need a TCP/IP connection to send data to your telemetry server IS PII processing, and worse, it is covered by FISA and so by the Schrems II CJEU case and so BANNED from Europe (see https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257). Even inside the telemetry data, you have a client-id, which is BY DEFINITION PII. You also collect tons of data which can be used for correlation to fingerprint and deanonymize a user.

"Improving the solution" is explicitly classified as "consent required" in all EDPB/WP29 guidelines, like WP217 and 05/2020 cited above. You CAN'T LEGALLY use legitimate interest for such processing and MUST use consent only, and so opt-in, with full transparency in all cases (GDPR article 5 & article 12), a way to make access requests (article 15), etc. Any other legal basis is UNLAWFUL, whatever you say.

The mere fact that I have to explain the GDPR to you illustrates that privacy is NOT at the core of your product.

ryanleesipes commented 1 month ago

@aeris are you talking about Thunderbird for Android or something else? We literally strip out and anonymize our telemetry data and we don't share any data with partners. The data is entirely usage based "How many times is this button clicked". I think you have us confused for Microsoft and Outlook. The place this rolled out is with our beta release and we are looking at how to give the user a choice on whether they want to share telemetry on first use.

I know there are a lot of bad actors out there, but you are pointing the gun in the wrong direction. We are listening and trying to do something good here.

ryanleesipes commented 1 month ago

@joepie91 we will not send any data before someone has indicated their Telemetry preferences.

I appreciate that folks want us to take action on this, but our telemetry collection has been legally reviewed and does not run afoul of the GDPR. However, we can do better and that is what we are promising to do.
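The commitment in the comment above, that no data is sent before the user has indicated a telemetry preference, is a small state-machine problem. The following is an added example in Kotlin, the app's own language, written for this thread; it is not Thunderbird's code, it does not use Glean or any Android API, and the names `TelemetryGate`, `ConsentState` and `TelemetryEvent` are invented for illustration. It shows the two properties a reviewer would check: nothing reaches the transport while the choice is still pending, and the per-install client id (the identifier raised earlier in the thread) does not exist until the user opts in, and is destroyed again on opt-out.

```kotlin
import java.util.UUID

// Added example (not project code): gate telemetry on an explicit first-run choice.
enum class ConsentState { UNDECIDED, OPTED_IN, OPTED_OUT }

// A constructed, minimal usage event; real pings carry more fields.
data class TelemetryEvent(val name: String, val count: Int = 1)

// `transport` stands in for the network layer; the gate is the only caller.
class TelemetryGate(private val transport: (clientId: String, event: TelemetryEvent) -> Unit) {
    var state: ConsentState = ConsentState.UNDECIDED
        private set

    // Generated only after opt-in, so no stable identifier exists before consent.
    private var clientId: String? = null

    // Events recorded before the decision stay on the device, never on the wire.
    private val pending = mutableListOf<TelemetryEvent>()
    val pendingCount: Int get() = pending.size

    fun record(event: TelemetryEvent) {
        when (state) {
            ConsentState.UNDECIDED -> { pending.add(event) }   // held locally
            ConsentState.OPTED_IN -> { transport(clientId!!, event) }
            ConsentState.OPTED_OUT -> { /* dropped: the user said no */ }
        }
    }

    // Called once by the first-run dialog; both answers are handled symmetrically.
    fun setConsent(optIn: Boolean) {
        if (optIn) {
            state = ConsentState.OPTED_IN
            val id = clientId ?: UUID.randomUUID().toString().also { clientId = it }
            pending.forEach { transport(id, it) }   // sent only now, with consent
        } else {
            state = ConsentState.OPTED_OUT
            clientId = null                          // forget the identifier entirely
        }
        pending.clear()
    }
}

fun main() {
    val sent = mutableListOf<Pair<String, TelemetryEvent>>()
    val gate = TelemetryGate { id, ev -> sent.add(id to ev) }

    gate.record(TelemetryEvent("button_clicked"))
    check(sent.isEmpty() && gate.pendingCount == 1)   // nothing transmitted yet

    gate.setConsent(optIn = false)
    check(sent.isEmpty() && gate.pendingCount == 0)   // buffer discarded, no id created

    gate.record(TelemetryEvent("button_clicked"))
    check(sent.isEmpty())                              // still nothing after opt-out
    println("no telemetry left the device without opt-in")
}
```

Whether events recorded before the decision are buffered and flushed on opt-in (as here) or simply discarded is a product choice; what the gate guarantees either way is that the transport is never invoked while `state` is `UNDECIDED`, which is the testable form of "we will not send any data before someone has indicated their preferences".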

alphaleadership commented 1 month ago

aeris is a European GDPR expert, don't try to play with her

alphaleadership commented 1 month ago

and legally reviewed == bullshit

aeris commented 1 month ago

@ryanleesipes

We literally strip out and anonymize our telemetry data and we don't share any data with partners. The data is entirely usage based "How many times is this button clicked

If https://github.com/thunderbird/thunderbird-android/issues/8199#issuecomment-2390679493 is what you currently send, I confirm, this is NOT anonymous. At all. Not even close to being anonymous. And as I said, just using a US provider for the telemetry server (even if physically located in the EU) is not anonymous and is banned in the EU (because of FISA/Schrems II).

We are listening and trying to do something good here.

It's very scary that such a feature was even planned at all as opt-out only. The GDPR REQUIRES privacy by design (article 25), and so the choice of legal basis, PII processing, US transfer trouble (article 50, FISA/Schrems II), a formal review with a formal DPIA, a DPO opinion… were expected before even a single real line of code. Such content is very well documented in long-standing guidelines from EU regulators (WP217 is 10 years old…), and having your team/legal team not aware of this kind of trouble is a very huge and concerning problem… It's literally the ABC of privacy in Europe.

DocSniper commented 1 month ago

@ryanleesipes

In acknowledgement of this, we are going to begin work on a way to put this front-and-center for the user so that everyone can make a decision about what they want to share when they set up the app (after set up, you can change this setting already).

Thank you for responding to the community. We will see what you actually do with this in the future and are looking forward to the results.

But you should not only implement this "decision dialog" in the upcoming Thunderbird for Android, but also in the Desktop Thunderbird and likewise in Firefox for Android and Firefox for Desktop. What is the situation here? Are you willing to implement this in other Mozilla programs or only in Thunderbird for Android because there is a public outcry? Thank you in advance for an honest answer.

aeris commented 1 month ago

and legally reviewed == bullshit

Surely. If any lawyers on your side allow/validate such processing under legitimate interest, just fire them… They are at least 10 years late on privacy law in Europe; such telemetry processing is explicitly listed in dozens if not more guidelines from regulators, all requiring strict consent.

uniquePWD commented 1 month ago

@ryanleesipes

We literally strip out and anonymize our telemetry data and we don't share any data with partners. The data is entirely usage based "How many times is this button clicked

If #8199 (comment) is what you currently send, I confirm, this is NOT anonymous. At all. Not even close to being anonymous. And as I said, just using a US provider for the telemetry server (even if physically located in the EU) is not anonymous and is banned in the EU (because of FISA/Schrems II).

We are listening and trying to do something good here.

It's very scary that such a feature was even planned at all as opt-out only. The GDPR REQUIRES privacy by design (article 25), and so the choice of legal basis, PII processing, US transfer trouble (article 50, FISA/Schrems II), a formal review with a formal DPIA, a DPO opinion… were expected before even a single real line of code. Such content is very well documented in long-standing guidelines from EU regulators (WP217 is 10 years old…), and having your team/legal team not aware of this kind of trouble is a very huge and concerning problem… It's literally the ABC of privacy in Europe.

Ryan said they strip out data to make it anonymous. It's not anonymous in transit so they can ensure they're getting unique data. Just taking a second of critical thinking will tell you that. If you have any other issues, like server location, please file new bugs and don't spam this one.

ryanleesipes commented 1 month ago

A reminder that Thunderbird is a community project, spun out from the Mozilla Corporation (notice we aren't having this discussion in the "Mozilla" GH org). As I said before, I'm trying to engage in good faith and understand where we need to adjust. @aeris if you want to share your insights so we can review, I've just sent an email your way.

Instead of assuming bad faith, if you care about this - my door is open and I want to hear how we can improve this. We'll review the GDPR compliance, as said before, we've heard your arguments and are trying to put together a patch to give users the options up-front for data privacy. I'm not sure what else we can do at this point?

alphaleadership commented 1 month ago

you have one of the only specialists in GDPR; if your lawyers say the opposite of aeris, fire them immediately

and legally reviewed == bullshit

Surely. If any lawyers on your side allow/validate such processing under legitimate interest, just fire them… They are at least 10 years late on privacy law in Europe; such telemetry processing is explicitly listed in dozens if not more guidelines from regulators, all requiring strict consent.

aeris commented 1 month ago

Ryan said they strip out data to make it anonymous. It's not anonymous in transit so they can ensure they're getting unique data

If it's not anonymous in transit, then it's not anonymous.

GDPR Article 4(2) https://www.privacy-regulation.eu/en/4.htm#a4_nr2

"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

That's exactly the point which hit Google Analytics. Anonymization is too late: PII was already transmitted over TCP/IP to Google's server, and so server-side anonymization is ALREADY PII processing covered by the GDPR. https://gdprhub.eu/index.php?title=CNIL_(France)_-_Google_Analytics_(no_case_number)