
Bug#829494: chirpw phones home without informed consent



Package: chirp
Version: 0.4.0-1
Severity: serious

A pop-up dialog from the "chirpw" program says that it reports some kind of usage information to some external party, and describes how to opt out of this. There are at least two privacy problems:

1. It appears that some phoning home happens before the user has given informed consent. For example, when I received the pop-up dialogue, I immediately disabled reporting, but I found that "chirpw" had already contacted some server and informed me that I was not using the latest version. Therefore, the suggestion that one can opt out of phoning-home is misleading, since some phoning-home has already occurred.

2. Also, the text suggests that this is anonymous, but that is misleading (due, e.g., to IP address traceability), so any consent would not be informed, even were it given prior to phoning-home occurring.

Note that I have not looked at what information is transmitted, so there might be a third problem, but I believe these two identified problems alone require action.

I recommend and request that this reporting and any other "phoning home" either be disabled completely in the Debian "chirp" package, or changed to be an express *opt-in* (as opt-in has long been used elsewhere in Debian, such as for the package "popularity contest"). Thank you.

