Qubes Website Privacy Policy

True - it looks as if Qubes gathers IP addresses, processes data
daily but does not retain that data. No indication that Qubes
gathers anything else.
GitHub? That’s a separate issue, outwith Qubes control.

@deeplow You changed the title from “Qubes Privacy Policy” to “Qubes Website Privacy Policy”, but I actually would like to know about both website and Qubes OS policy. Should I create another topic for that? As I mentioned above, in order to make this plot, one has to collect IP addresses and either generate hashes from them or store them for some time. What is being done and are those hashes(?) stored for a month or longer?

This should be mentioned here with a link to GitHub privacy policy. Currently it is very misleading. It’s far from clear to a typical person that qubes-os.org is powered by GitHub.

Also the following is very concerning. Is this really necessary? To me it looks like a ToS from Facebook or Google which is trying to mislead the users:

Personally identifiable information may include, but is not limited to:
* Usage Data

Are there any limits to data collection at all?

1 Like

Qubes OS is still breaking the GDPR by not saying how long (and which exactly) data is stored…

The text on the Statistics page was updated, it finally says that IP addresses and number of requests are collected. Thanks.

It still does not say for how long those are stored. According to GDPR they should not be stored for longer than reasonable, which I expect here would be a month.

Erm, that’s been there for over three years. Here’s the commit that first added it on 2018-05-12.

I’ll try emailing the relevant people directly to see if I can get an answer.

1 Like

Well, since no one else has stepped forward or volunteered to help with this, I’ve attempted to address the problem by adding some text, even though I have no idea what I’m doing when it comes to writing a privacy policy:

1 Like

That was part of the auto-generated text I got from PrivacyPolicies.com. It says may include, which means that it doesn’t necessarily occur. My impression is that this is a common thing with legal documents, but I really have no idea.

I think you’re giving us too much credit when it comes to the specific language inside the Privacy Policy. In case it’s not obvious, my steps were something along these lines:

  1. Be told we have no privacy policy and need one.
  2. Ask for help from someone who knows about that stuff.
  3. crickets
  4. more crickets
  5. Figure something is better than nothing. Might as well at least try, right?
  6. Enter “how to make a website privacy policy” into a search engine.
  7. Sort through a bunch of results.
  8. Try to find something that looks reasonably legit.
  9. Decide on PrivacyPolicies.com.
  10. Generate a privacy policy.
  11. Add it to the website.

I would love it if someone who actually knows what they’re doing would replace this auto-generated Privacy Policy with a better one, but my experience tells me that the odds of that happening round to zero.

3 Likes

Indeed, somehow I overlooked it.

Well, I was not speaking about GitHub here. Who is collecting the data and making this plot? Is this plot outside of the Qubes team control? I don’t think so. AFAIK it’s the Qubes collecting that data via the update server, processing it and deleting (I hope!). Is the update server also hosted on GitHub and under the control of Microsoft? That would be an important thing to know for any privacy-aware person! I would probably switch my updates to Whonix if I find out this is so. I was asking what the Qubes team was doing with the data.

The problem with the GitHub pages is a separate one. Thank you @adw for making it more clear, the addition looks good to me and should help people understand better possible threats.

This is not just about the credit. I have the impression that the Qubes team, although very security-oriented, does not value privacy as much as security. Nevertheless many users of Qubes value both and sometimes actually value privacy more. Such wording makes a bad look for Qubes, because every shady company uses it to hide from users what they are actually doing, while complying with the law. I (and probably many others) learned to read it as “we collect everything possible”.

Thank you for the explanations. This really helps to see that you are trying to be as transparent as possible, which is a huge selling point of Qubes.

2 Likes

The statistics plot is made by us. I sent out an email to the appropriate people. Already got one response so far. Just waiting for confirmation. Tentative answer: Data is kept for up to two months, just in case something goes wrong and the previous month has to be recalculated.

Can we just remove this part?

I don’t even know what “usage data” means. Sounds like the vaguest possible term. I’m guessing it refers to website analytics and stuff? We don’t use anything like that, so maybe it’d be accurate to remove this line? @marmarek, any opinion here?

1 Like

I mean, that’s true. Qubes is focused more on security than privacy, even though we do value both. There are other projects out there that prioritize privacy over security; we’re just not one of them. It takes all kinds of people to make the world go 'round. We can’t be everything to everyone.

I respect that. I do hope that those folks can still get some value out of Qubes, but in some cases Qubes will just not be the right tool for the job for them, and that’s okay.

Hm, yeah, I guess that’s true. I suppose I just hoped that people would know better than to assume that about us. We’re not a for-profit company. We’ve tried very hard to show through our actions, not just words, that we’re doing right by our users. And we’ve done that consistently for many, many years. Maybe it’s naive of me to think that our actions would speak for themselves and that we wouldn’t get lumped in with the bad guys since we never did anything to deserve that rep. I’d like to think that if you keep doing the right thing for long enough that it can amount to something, but maybe that’s just not the world we live in.

2 Likes

Isn’t this about updates server logs we use to estimate number of users?
We have explained the “Usage Data” term in the very next paragraph. It is a bit of a broad definition - specifically, we do not collect “time spent on those pages, unique device identifiers and other diagnostic data”. But otherwise seems to be exactly about the web server logs.

I think more clarification may be needed regarding the term “Service” - is the privacy policy applicable just to the website (www.qubes-os.org), or other qubes-related online services including update servers (yum.qubes-os.org, deb.qubes-os.org etc) too?

I’d like to think that if you keep doing the right thing for long
enough that it can amount to something

As a Qubes OS user that’s the one leap you have to make: trust the Qubes
OS team and by extension the Xen technology… because those are the
guardians of our compartments. A compromise of either destroys all else.

But please don’t take these questions personally. Even though at some
point or another we all made the decision to trust the Qubes OS team,
the focus of this project and the people using it is to question
everything, take nothing for granted and distrust everything and
everyone. It might not be healthy but it comes with the territory.

Thank you for all your work and dedication!

No, the “usage data” part is from our privacy policy for the website, which is different from those update server logs.

We don’t say anything about “usage data” on the statistics page.

I’ve always thought of the website privacy policy as only applying to the website, just like every other website on the web.

After all, it’s the output from a generic website privacy policy generator.

I have no idea whether or how it should apply to other stuff.

Thanks.

Still, it’s very strange for a Qubes user to distrust everything equally, including us, in the way exhibited here (and elsewhere on this forum). As you pointed out, deciding to trust Qubes entails a lot. It’s some form of cognitive dissonance to distrust us in this way after deciding to trust us.

It’s also just a bad intellectual habit in general to look at things in black and white and not to acknowledge the nuance in things.

Likewise, ignoring history and people’s actions is generally not a good way to maintain an accurate view of reality.

2 Likes

I fully agree with you.

@fsflover’s point though I think is that privacy conscious visitors to the website who do not have years of experience observing the team and the Qubes OS project might get a bad impression. Folks who have not (yet) trusted us in any way.

Also I acknowledge that any community member including myself could endeavor to improve that situation and no one except you has done a thing about it (yet).

3 Likes

Sure, that’s true. To be honest, I never read website privacy policies. Based on my understanding that I read the “fine print” in things far more than the average person, it seems likely that the vast majority of other people don’t read them either.

However, I do take notice of how many ads and trackers my browser extensions block when I visit a website, and my impression is that many other privacy-conscious people do, as well. After all, a shady company can say whatever it wants in its privacy policy, subject to whatever legal loopholes their lawyers can conjure up, whereas the actual ads and trackers are what really matter.

I would hope it’s obvious that when you see zero trackers and zero ads on qubes-os.org that it doesn’t much matter what the website privacy policy says. You can simply see with your own eyes that we’re respecting your privacy (more than almost every other site on the web). Actions over words.

(People often say actions matter more than words, but now I’m starting to question that. Maybe I’ve got it all wrong, and words actually matter more. I suppose the success of marketing and political “spin” is a testament to that.)

((Ironically, saying “actions matter more than words” is just a statement of words, whereas the action of rewarding words over actions is an action. So maybe this is, in a sense, self-proving.))

2 Likes

This is a manifestation of you not valuing your privacy very much. I (and many others who value it) read those policies. Not necessarily for every website, but for the OS one is using (or thinking of using) every day it is a must for any privacy conscious person.

Let’s talk only about the data for the statistics graph (for simplicity). Browser extensions will not help against an OS that collects your private data. As @Sven explained, a new user exploring Qubes OS will not have any trust in you. Moreover, even if Qubes OS is perfectly secure, it does not mean that it is private or even respects privacy. Technically, it is possible that Qubes OS gets profit from selling personal info of security-conscious people to the highest bidder (not that I believe this!). Such personal info might be valuable for many three-letter agencies, and since it contains IP addresses and all connection history, it is pretty sensitive.

It would be very important for Qubes OS to demonstrate that it is not true if you want to win privacy-conscious people. For that, you could add to the privacy policy something like “We do not sell any personal data” and “We ensure that your personal data never leaves our servers, never give it to third parties, and securely delete it within [time]”.

I see that you also don’t believe in the legal system much. I disagree with you here. Even though it’s true that many companies try to find loopholes, it does not mean that it’s meaningless. This makes an additional barrier to break the privacy of people. If the company says “we do not sell your data, share it with anyone, or use for profit” their promise is AFAIK legally binding. Note that no shady company says that.

One could even have a threat model based on the legal system: “I do not try to defend myself from illegal activities”. It’s the same with physical security: Do you try to make the door in your apartment as heavy as possible or do you trust that police defends you from thieves?

The problem with this line of reasoning is that we offer to route all of your updates through Tor for you when you first install the OS. In other words, we go out of our way to help you hide your IP address from us (and everyone else), if you want to.

I get it. People will always assume the worst no matter what we do, and we have to wage a constant battle against people’s desire to believe the worst about us. That’s the sad reality, and it’s enough to make people give up and quit.

I’m just pointing out that anyone who looks objectively at all the facts can see that there’s no strong argument that we’re disrespecting users’ privacy. Our actions prove otherwise. But yes, people will still look at the facts selectively, conveniently ignore some of them, interpret things in weird ways, etc. It’s plausible that at least some of the people who do this are doing it intentionally in an attempt to derail or sabotage the project.

I’ll see about adding this.

That’s an illogical inference. Don’t presume to know what I do or don’t believe in.

Never said it’s meaningless.

I think you need to look at the history of shady companies (and people) being shady. Your argument assumes that no one has ever committed fraud.

By this reasoning, there is no reason for locks to exist.

I’m sorry, but these arguments are painfully bad. This discussion has outlived its usefulness.

No! The first thing a privacy-aware person would do with a new company is reading their privacy policy. It does not mean that people are trying to believe the worst. Although such people – haters – also exist and can do a lot of harm to the company/entity, so it’s useful to defend from them.

This is binary thinking. One should rely on both legal and technical protections. Often to varying degrees, depending on the person. Defense in depth.

Using Tor has its own problems. Sometimes people cannot do it for technical reasons or because their company does not allow that. It’s a different thing really. Most people will not do that anyway. It’s definitely a good look that Qubes provides such an option. This is one of the reasons why I did not abandon Qubes despite the unclear privacy policy: because I follow the development and trust the Qubes team.