The statistics plot is made by us. I sent out an email to the appropriate people. Already got one response so far. Just waiting for confirmation. Tentative answer: Data is kept for up to two months, just in case something goes wrong and the previous month has to be recalculated.
Can we just remove this part?
I don’t even know what “usage data” means. Sounds like the vaguest possible term. I’m guessing it refers to website analytics and stuff? We don’t use anything like that, so maybe it’d be accurate to remove this line? @marmarek, any opinion here?
I mean, that’s true. Qubes is focused more on security than privacy, even though we do value both. There are other projects out that there prioritize privacy over security; we’re just not one of them. It takes all kinds of people to make the world go 'round. We can’t be everything to everyone.
I respect that. I do hope that those folks can still get some value out of Qubes, but in some cases Qubes will just not be the right tool for the job for them, and that’s okay.
Hm, yeah, I guess that’s true. I suppose I just hoped that people would know better than to assume that about us. We’re not a for-profit company. We’ve tried very hard to show through our actions, not just words, that we’re doing right by our users. And we’ve done that consistently for many, many years. Maybe it’s naive of me to think that our actions would speak for themselves and that we wouldn’t get lumped in with the bad guys since we never did anything to deserve that rep. I’d like to think that if you keep doing the right thing for long enough that it can amount to something, but maybe that’s just not the world we live in.
Isn’t this about updates server logs we use to estimate number of users?
We have explained the “Usage Data” term in the very next paragraph. It is a bit broad definition - specifically, we do not collect “time spent on those pages, unique device identifiers and other diagnostic data”. But otherwise seems to be exactly about the web server logs.
I think more clarification may be needed regarding the term “Service” - is the privacy policy applicable just to the website (www.qubes-os.org), or other qubes-related online services including update servers (yum.qubes-os.org, deb.qubes-os.org etc) too?
I’d like to think that if you keep doing the right thing for long
enough that it can amount to something
As a Qubes OS user that’s the one leap you have to make: trust the Qubes
OS team and by extension the Xen technology… because those are the
guardians of our compartments. A compromise of either destroys all else.
But please don’t take these questions personally. Even though at some
point or another we all made the decision to trust the Qubes OS team,
the focus of this project and the people using it is to question
everything, take nothing for granted and distrust everything and
everyone. It might not be healthy but it comes with the territory.
Still, it’s very strange for a Qubes user to distrust everything equally, including us, in the way exhibited here (and elsewhere on this forum). As you pointed out, deciding to trust Qubes entails a lot. It’s some form of cognitive dissonance to distrust us in this way after deciding to trust us.
It’s also just a bad intellectual habit in general to look at things in black and white and not to acknowledge the nuance in things.
Likewise, ignoring history and people’s actions is generally not a good way to maintain an accurate view of reality.
@fsflover’s point though I think is that privacy conscious visitors to the website who do not have years of experience observing the team and the Qubes OS project might get a bad impression. Folks who have not (yet) trusted us in any way.
Also I acknowledge that any community member including myself could endeavor to improve that situation and no one except you has done a thing about it (yet).
Sure, that’s true. To be honest, I never read website privacy policies. Based on my understanding that I read the “fine print” in things far more than the average person, it seems likely that the vast majority of other people don’t read them either.
However, I do take notice of how many ads and trackers my browser extensions block when I visit a website, and my impression is that many other privacy-conscious people do, as well. After all, a shady company can say whatever it wants in its privacy policy, subject to whatever legal loopholes their lawyers can conjure up, whereas the actual ads and trackers are what really matter.
I would hope it’s obvious that when you see zero trackers and zero ads on qubes-os.org that it doesn’t much matter what the website privacy policy says. You can simply see with your own eyes that we’re respecting your privacy (more than almost every other site on the web). Actions over words.
(People often say actions matter more than words, but now I’m starting to question that. Maybe I’ve got it all wrong, and words actually matter more. I suppose the success of marketing and political “spin” is a testament to that.)
((Ironically, saying “actions matter more than words” is just a statement of words, whereas the action of rewarding words over actions is an action. So maybe this is, in a sense, self-proving.))
This is a manifestation of you not valuing your privacy very much. I (and many others who value it) read those policies. Not necessarily for every website, but for the OS one is using (or thinking of using) every day it is a must for any privacy conscious person.
Let’s talk only about the data for the statistics graph (for simplicity). Browser extensions will not help against OS that collects your private data. As @Sven explained, a new user exploring Qubes OS will not have any trust in you. Moreover, even if Qubes OS is perfectly secure, it does not mean that it is private or even respects privacy. Technically, it is possible that Qubes OS gets profit from selling personal info of security-conscious people to a highest bidder (not that I believe this!). Such personal info might be valuable for many three-letter agencies, and since it contains IP addresses and all connection history, it is pretty sensitive.
It would be very important for Qubes OS to demonstrate that it is not true if you want to win privacy-conscious people. For that, you could add to the privacy policy something like “We do not sell any personal data” and “We ensure that your personal data never leaves our servers, never give it to third partires, and securely delete it within [time]”.
I see that you also don’t believe in the legal system much. I disagree with you here. Even though it’s true that many companies try to find loopholes, it does not mean that it’s meaningless. This makes an additional barrier to break the privacy of people. If the company says “we do not sell your data, share it with anyone, or use for profit” their promise is AFAIK legally binding. Note that no shady company says that.
One could even have a threat model based on the legal system: “I do not try to defend myself from illegal activities”. It’s the same with physical security: Do you try to make the door in your apartment as heavy as possible or do you trust that police defends you from thieves?
The problem with this line of reasoning is that we offer to route all of your updates through Tor for you when you first install the OS. In other words, we go out of our way to help you hide your IP address from us (and everyone else), if you want to.
I get it. People will always assume the worst no matter what we do, and we have to wage a constant battle against people’s desire to believe the worst about us. That’s the sad reality, and it’s enough to make people give up and quit.
I’m just pointing out that anyone who looks objectively at all the facts can see that there’s no strong argument that we’re disrespecting users’ privacy. Our actions prove otherwise. But yes, people will still look at the facts selectively, conveniently ignore some of them, interpret things in weird ways, etc. It’s plausible that at least some of the people who do this are doing it intentionally in an attempt to derail or sabotage the project.
I’ll see about adding this.
That’s an illogical inference. Don’t presume to know what I do or don’t believe in.
Never said it’s meaningless.
I think you need to look at the history of shady companies (and people) being shady. Your argument assumes that no one has ever committed fraud.
By this reasoning, there is no reason for locks to exist.
I’m sorry, but these arguments are painfully bad. This discussion has outlived its usefulness.
No! The first thing a privacy-aware person would do with a new company is reading their privacy policy. It does not mean that people are trying to believe the worst. Although such people – haters – also exist and can do a lot of harm to the company/entity, so it’s useful to defend from them.
This is binary thinking. One should rely on both legal and technical protections. Often to varying degrees, depending on the person. Defense in depth.
Using Tor has its own problems. Sometimes people cannot do it for technical reasons or because their company does not allow that. It’s a different thing really. Most people will not do that anyway. It’s definitly a good look that Qubes provides such option. This is one of the reasons why I did not abandon Qubes despite the unclear privacy policy: because I follow the development and trust the Qubes team.
The website privacy policy is not very relevant for something not web-based. I’ll see about pointing this out in the privacy policy somehow.
Sigh. You’re not getting it. I’m pointing out a reductio ad absurdum of your argument. In other words, I’m showing that following your argument to its logical conclusion leads to an absurd result, which indicates a problem with your premises.
Arguably, “This is a manifestation of you not valuing your privacy very much” applies much more strongly to not using Tor than to not reading website privacy policies.
Andrew has done great work (again) in producing a privacy policy. Does
it need to be said that anyone could have done this work? Qubes is
collaborative, not just for consumption.
The only thing that needs to be added (as I see it) is a statement for
how long those IP addresses are kept, (and clarification that they refer
only to update servers at the main clearnet repository).
There should also be an explicit statement that the clearnet site is hosted at
GitHub, and that access will be governed by GitHub policies over which
we have no control: a link to the “GitHub Pages” section at https://docs.github.com/en/github/site-policy/github-privacy-statement
would be good.
I don’t think it makes sense to mention this in the website privacy policy, and it’s not a website thing. Instead, I’m adding a general note at the top pointing out that this website privacy applies only to the website and is not what the visitor is looking for if the visitor is interested in the privacy of Qubes OS.
Thank you so much for this update @adw! It looks amazing now. I believe you will now attract a lot of people who value privacy and who could be scared away before. It reads smoothly to me.