
#2027 HTTP request to Combodo servers after iTop installation

2.7.7
closed
None
User Interface
Critical
3.0.0
defect
2022-07-26
2022-02-10
No

Hello,
I noticed that iTop sends statistics about the iTop installation after the progress bar ends ("Done" page).
I believe it isn't following GDPR and LGPD (Brazil) laws, because there's no checkbox asking explicitly for user consent to send that data. I know, probably there isn't sensitive information being sent and I'm not the kind of guy that likes to bother developers with those details, but it may compromise Combodo operations in the future, so I believe that Combodo should check with its lawyers about this.
I only noticed that it was sending this kind of statistics because it was sending it through the HTTP protocol. Maybe changing the source code to detect if the page was loaded using HTTP or HTTPS before sending the statistics should be enough so that these warnings do not show up in the Chrome console.

Discussion

  • Guillaume Lajarige

    Hello Eduardo,

    Thanks for the feedback, I just forwarded it internally to have more information on this. Will keep you posted.

    Cheers,
    Guillaume

     
  • Hipska

    Hipska - 2022-02-11

    Hi, thanks for informing about this, I didn't know either.

    We are talking about the following section in the code: wizardsteps.class.inc.php#L2637-L2674

    I agree there should be a confirmation option whether the user agrees to send these stats. The option can stay enabled by default IMO. But at least if there's an option or users are made aware that this happens that would be better.

     
  • Jeffrey Bostoen

    Jeffrey Bostoen - 2022-02-11

    GDPR is mostly about personally identifiable information; so I think in worst case it only exposes the IP address (which is a heavy point of discussion but it seems to count). In theory, if it's just one person (like me) running an iTop instance in a non-professional environment, it might be an issue if it's not clearly communicated or optional.

    I think the most important aspect would be if IPs are logged or not (but let's face it: on most web servers they're already logged in access logs, even if a website visitor didn't consent to this, so this still makes it a very gray area)

     
  • Denis

    Denis - 2022-02-11

    Hello guys,

    The information reported at the end of the setup is just some telemetry about the installation of iTop. It does not contain any personal information.

    The block of information sent to iTop Hub contains the following "pieces":

    • Name of the application: iTop
    • Version of the application, e.g. 2.7.0
    • Version of PHP running on the server, e.g. 7.4
    • Was the "sample data" option selected
    • Which default language was selected
    • Installation mode (fresh install or upgrade)
    • List of modules selected for installation

    The information sent via the tiny image to combodo/stats is a subset of the one above.

    That's it.

    Since there is no personal information here it is not subject to the GDPR, but I admit that I don't know about the LGPD (Brazil) laws.
    One can argue that the IP of the browser is also transmitted to the iTop Hub server, but this information is not recorded by Combodo.

    Hope this helps,

    Denis
     
  • Hipska

    Hipska - 2022-02-11

    I agree it's no personal information, but informing the users would be best practice. Giving the users the option to not send these stats would be even better.

    But further thinking on it, selected modules also includes custom modules in the extensions folder, and those names might include personal info.

     
  • Lars

    Lars - 2022-02-11

    I wasn't aware of this fact as well, so thanks for pointing that out Eduardo.

    iTop version and that meta information are not personal information. But I absolutely agree with Hipska: best practice would be to at least inform users about that fact.

    When thinking about private custom modules, like Thomas wrote: I could imagine not everybody would like to share which custom modules he has installed. Especially if he is not aware of the fact that this information is transferred to Combodo.

     
  • Eduardo Oliveira

    Hello Guys,
    Thank you for your feedback.
    The sending of telemetry data can't be enabled by default under LGPD (Brazil) laws; the user consent must be explicitly requested and accepted by the user. I believe that GDPR follows the same approach, because the law explicitly states about User Consent - as the name states, the user must consent to the sending of telemetry data, and checking it by default isn't asking the user for consent, and most users just continue the installation without changing the default options. I know, it would decrease the amount of telemetry data being sent to Combodo and may affect its services, but that's it.

     
  • Guillaume Lajarige

    I'll bring the topic internally next week, to see which options we could go with.

    Cheers,
    Guillaume

     
  • Eduardo Oliveira

    Thanks for the feedback, Guillaume.
    I believe it's also important to put "(optional)" after the "Send installation statistics for Combodo" checkbox. The user must know that sending statistical data isn't mandatory and checking this checkbox isn't obligatory. That's what the GDPR and LGPD laws dictate. The user must know exactly which data are being sent and for what reason. It must be stated in the Privacy Policy from Combodo.

     
  • Delphine COILLE

    Delphine COILLE - 2022-02-16

    Bom dia Eduardo, hi all,

    First of all let me introduce myself, I am Delphine, the new Product Marketing manager at Combodo.

    I wanted to update you quickly about this topic.
    Guillaume raised it internally and we are currently working on the action plan. We want to make sure we are aligned with all personal data protection laws and be transparent with the community about data collection and usage.

    I'll keep you posted before the next maintenance release iTop 3.0.1.

    Delphine

     
  • Pierre Goiffon

    Pierre Goiffon - 2022-02-22
    • status: new --> to-be-reviewed
    • assigned_to: Delphine COILLE
     
  • Delphine COILLE

    Delphine COILLE - 2022-04-06

    Hi guys, a quick update on this.

    To be compliant we are going to remove from the data collection all identifiable data (instance_friendly_name and instance_host).
    Non sensitive telemetrics data is still sent to iTop Hub to help us improve the product.

    Nevertheless, we will add a related disclaimer on install with a link to our FAQ listing all data that is retrieved. By clicking on the disclaimer check box, users will explicitly consent and will then be able to install iTop.

    This update will be first implemented on our LTS version iTop 2.7.7 (release planned in June) and then on iTop 3.0.2 (release planned in September).

    Delphine

     

    Last edit: Delphine COILLE 2022-04-07
    • Hipska

      Hipska - 2022-04-06

      So one will not be able to install iTop if they do not consent to sharing telemetrics data with Combodo?

       
    • Guillaume Lajarige

      Hello everyone,

      We just checked with Delphine, the checkbox / consent seems to be mandatory only if personal data are sent. As there will no longer be personal data in the telemetrics data, we won't add the checkbox to ease setup workflow and avoid an unnecessary click.

      That being said, basic telemetrics data will remain and a disclaimer will be added above the final setup buttons. As Delphine said, a link (in the disclaimer) will allow you to see what will be transmitted.

      We discussed this a lot internally and we came to the conclusion that getting some non sensitive / non intrusive data and having a disclaimer about it, seems like a fair balance to us, especially when we don't transfer data to anyone, it is only used so Combodo can know better about the various platforms used by the community, which helps us plan the compatibility with PHP, MySQL, ... Also know better which iTop versions are actually used to help us with the extensions maintenance.

      Cheers,
      Guillaume

       
      • Hipska

        Hipska - 2022-04-07

        So no collection of installed extensions will be done anymore?

         
      • Guillaume Lajarige

        The information we are going to remove is the instance's hostname (domain or IP depending on your setup) as it can be considered as personal data.

        For now, installed extensions / setup choices will still be collected as it is no personal information from what we understand.

        Regarding the point you raised about the modules' name, having a "guillaume-lajarige-extension" module on your iTop doesn't mean that you are "Guillaume Lajarige". But again, we are still learning about the scope of the GDPR, for example the "Inaccurate information" section of this page makes me wonder.

        So for us the question is more to establish if for the data we still collect, an explicit consent (checkbox) is necessary or not. In any case the disclaimer will be added for more transparency with the end-user.

        Cheers,
        Guillaume

         

        Last edit: Guillaume Lajarige 2022-04-09
  • Pierre Goiffon

    Pierre Goiffon - 2022-04-06
    • status: to-be-reviewed --> accepted
    • Milestone: 3.0.1 --> 2.7.7
     
  • Guillaume Lajarige

    Indeed, the rest should be done for 2.7.7 release which is planned for mid-July. Will keep you posted.

    Cheers,
    Guillaume

     
  • Benjamin DALSASS

    • status: accepted --> closed
     
  • Benjamin DALSASS

    Fix iTop 2.7.7 will be delivered next week

     
