Does openSUSE track users?

I’m blocking Google Analytics with “noscript” in “firefox”. I have not seen a downside to that.

Tracking with UUID is not necessary for having an up to date OS.

When I was running a web server, I logged the IP address of all client connections. When I was running a DNS server, I logged the IP address of all client queries.

It would be irresponsible to not log those. That’s data needed for investigating problems. Logs were only kept for a short time (a week).

Using a UUID for purposes of counting does not seem a problem to me – as long as it is only used for counting.

In my case, as an openSUSE user, it probably doesn’t work too well. I set up my systems to keep a package cache for downloaded packages. And that cache is on an NFS server. So only one of my systems has to download that package in order for it to be available to all. So the counts being kept are probably off.

Checked against what? I.e. - does zypper have what it compares to hard coded in itself or does it still need to contact opensuse for an original key to compare to?

The gpg key used to sign packages – well, more correctly, used to verify signatures – was installed on your system when you installed openSUSE. The “packman” key for verifying signatures was installed when you first configured the “packman” repo, and you were asked to trust those signatures.

The mirrors do not have the signing key. The signing is done on the main repo, and the signed packages are then copied to the mirror. Unless a hacker gets hold of the signing key, he cannot forge signatures on packages. (Well, okay, if he manages to break encryption …). So the checking is pretty secure, unless there are unknown holes in “gpg” crypto.

I always browse the web with JS disabled in browser settings and never use FF for reasons shared here. But that doesn’t mean that the site follows principle of data protection by design and by default (as it should, according to GDPR). I would even say that such workarounds confirm the opposite.

Of course.

> Using a UUID for purposes of counting does not seem a problem to me – as long as it is only used for counting.

But GDPR is not about what seems to be or not to be a problem for a particular person. It is about what is legal and what not.

The essential principle of GDPR is that ‘personal data’ must be processed based on the knowledge and directions of the ‘data subject’ (given through appropriate technical tools provided to him by the data controller). Even more - he must show explicit agreement before processing happens and must have the ability to withdraw the consent or request the limitation of processing. So far I haven’t seen (neither during installation of the OS nor after it) any information that SUSE will create a UUID for my machine, how it will be transmitted and stored, what it will be used for, how it will be combined (or not) with other data, how that data will be retained, etc. And obviously there is no checkbox to opt-IN about all that. I just found an article that Fedora wants to do what SUSE does and from that learned that openSUSE is doing it. Hence this thread.

> The gpg key used to sign packages – well, more correctly, used to verify signatures – was installed on your system when you installed openSUSE.

Thanks for explaining. I understand that. What I don’t understand is: How is the signature verified?

BTW (OT): suddenly I stopped receiving email notifications about new posts in this thread, although I am subscribed for “Instant” ones. What might be the reason? (I have never seen this happening so far).

DNS servers with no-logging policy you can find for example here:

https://www.privacy-handbuch.de/handbuch_93d.htm

That was also noticed by others and is communicated upstream. Hope they will correct this soon.

Using “gpg” (from “libzypp” or from “rpm”).

> BTW (OT): suddenly I stopped receiving email notifications about new posts in this thread, although I am subscribed for “Instant” ones. What might be the reason? (I have never seen this happening so far).

Forum moderators are aware of this problem, and it is being investigated.

Thank you guys.

@suse_rasputin - I wish that was in English :slight_smile:

I could figure that. Perhaps I didn’t put my question clearly. I wonder what the actual verification mechanism is, e.g.

(a) just a mathematical calculation happening locally
(b) download of another key and comparing it with the result of (a)
(c) something else?

It is public key cryptography.

When the package is built, it is signed using the private key known only to the people who manage OBS. And this amounts to computing a hash of the package, and then encrypting that hash with the private key.

When zypper reads the package, it decrypts that using the public key. And it compares the decrypted hash with the hash that it computes directly from the package. These are required to be the same. For more detail, try a google search for “public key cryptography” or “digital signature”.

And, to repeat, the public and private keys are a matched pair. The public key is installed on your system during install of the operating system or when you agree to trust the key of a repo. The weakest link in that chain is you having to trust the repo key when you set up the repo.
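The check described in the post above, as an added example that is not part of the original thread and is not zypper, rpm or gpg code: a toy textbook-RSA hash-then-sign scheme verified entirely locally against an already installed public key. The key sizes, package bytes and all function names are constructed for illustration, and real packages use OpenPGP signatures with much larger keys.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (n, exp)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(package, n):
    """SHA-256 of the package bytes, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(package).digest(), "big") % n

def sign(package, private_key):
    """Build side: 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest(package, n), d, n)

def verify(package, signature, public_key):
    """Client side: recover the hash with the public key and compare it
    with the hash computed from the received bytes. No network access."""
    n, e = public_key
    return pow(signature, e, n) == digest(package, n)

# Constructed demo keys from known Mersenne primes. Far too small for real use.
REPO_PUB, REPO_PRIV = make_keypair(2**61 - 1, 2**89 - 1)      # project key
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)  # any other key

def run_cases(installed_key=REPO_PUB):
    """Verify three constructed downloads against the locally installed key."""
    pkg = b"constructed-package-1.0 payload"
    bad = b"constructed-package-1.0 payload, modified"
    sig = sign(pkg, REPO_PRIV)
    return {
        "genuine": verify(pkg, sig, installed_key),
        "modified_bytes": verify(bad, sig, installed_key),
        "re_signed_other_key": verify(bad, sign(bad, OTHER_PRIV), installed_key),
    }

if __name__ == "__main__":
    print(run_cases())           # only "genuine" passes with the project key
    print(run_cases(OTHER_PUB))  # result depends entirely on which key is trusted
```

The second call shows why the post names the moment of trusting a repo key as the weakest link: the arithmetic is sound for whichever public key is installed, so the key itself has to be the right one.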

Hi
It’s also kind of ironic that GDPR put a spanner in the works for this…

From openSUSE status page

> keyserver.opensuse.org gone forever
> a month ago
> Until further notice, due to the possible GDPR incompatibility of sks-keyserver software, we took down our part of the pool.

Full story about sks GDPR take-down notice: https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00070.html

Thanks for sharing that link Malcolm - it will be interesting to see how that is resolved.

IP’s are universal :wink:

If you configure the first three DNS servers on that list in your router with DNS over TLS you have non-logging DNS that can’t be messed up by your provider etc. Using LibreSSL with latest unbound might be a problem, but it’s solvable (hopefully).

Google, Facebook and alike don’t stop exploiting data collected illegally (according to European data protection laws), but US newspapers don’t allow access for European IPs and keyservers fear to break laws.

How many perverted lawyers do you need for something like that? The constant monitoring of internet users (e.g. via cookies, supercookies, browser fingerprints and UUIDs) has to end. There is no reason for all this. And it’s illegal in the EU without explicit opt-in and the right to know, which data is stored.

By this I want to know, which data has been stored by opensuse regarding my forum account and any opensuse installation using the same IP. I will wait some 30 days otherwise other options should be considered…

IMHO, this is legal nonsense.

  • GDPR:

“Personal Data” is: Name, Address, Citizenship ID, Finger Print, DNA, Face recognition, Location, Family, Tax Number, Bank Account, (Medical) Insurance IDs, Driver Licence, Telephone Number(s), Employer.

  • UUID:

The device’s manufacturer may, possibly, correlate the UUID to the device’s Serial Number.
The device’s Supply Chain may, possibly, maintain Shipping Records of the device’s Serial Number.
The device’s Seller may, possibly, maintain Serial Number records of when and, to whom, the device was sold.

  • IP Address:

Depends on your ISP – my ISP resets my IPv6 address at least once every 24 hours … (My IPv4 address is tunnelled and, it also seems to be regularly changed … )
IP address location services such as <https://www.iplocation.net/> (and Google, and Microsoft) suspect that, I’m either located in München or in Düsseldorf (both German Cities), which I’m not … And, my ISP seems to access “the Internet” either in München or, in Düsseldorf …

  • Timestamp:

And, so what? Depends on the accuracy of the clock … The only information a timestamp provides is, “at around about tea-time someone who possibly may have been located somewhere (they’re most probably somewhere else) with a UUID which may, possibly, be traceable to a Manufacturer, updated an openSUSE system – somewhere … ”

**Bottom line:** AFAICS, there is absolutely no correlation between a device’s UUID and someone’s Personal Data.
If you’re really worried that, somehow, the device’s Supply Chain could be used to correlate, via your purchase of the device, the device’s Serial Number to your Personal Data, be very careful to only purchase devices with a UUID with physical money: physical Bank Notes, physical Coins …

**Bottom, bottom line:** A device’s UUID is an identifier which a Manufacturer has placed on a device at the time of manufacture – it is Data which is the property of the Manufacturer …
When someone purchases the device, they purchase the right to use the device’s UUID – the UUID is Data which can be used to identify the Manufacturer …

But the UUID is comparable to a number plate for your car. This IS personal data, if you are tracked.

Same applies for IPs as the ISPs log the leases for a non-specified time. Matching of IPs with UUID is particularly evil, as you combine a non-permanent (IP, normally for private use) with a permanent info (UUID), so the whole “i change my IP every day” is levered out.

And all of a sudden this UUID forced into my opensuse installs start to make sense…

Have you ever monitored your internet traffic when plugging in a USB stick (at least with Windows, have not checked with other OSs)?

Fine, but, it ain’t equivalent to the Number Plate on a motor vehicle:

  • When you register your motor vehicle you have to present yourself to the responsible Government Authority, identify yourself, the Civil Servant then registers your personal data and assigns a Number Plate to that vehicle …

Since when, have you been registering the UUID of devices you have purchased with an Authority which maintains a database correlating UUID values to citizens?

Yes, Windows 10 seems to want to tell “Mother Redmond” everything it can about your machine …

  • And?
  • Yes, Redmond are aware that someone with my name (at least I’m that honest with Redmond) and an Outlook e-Mail address which is forwarded to an e-Mail address setup at my ISP has Windows 10 licences – nothing more than that … «The e-Mail addresses are account names which are only used for my Microsoft licences – they’re not used for my “normal” e-Mail traffic.»

BTW, I do the same to Google WRT the Android mobile telephones …
And, the e-Mail account I use for this Forum, bug reporting (please read the KDE Bugzilla recommendations … ), other Forums and whatever, is also different and, is not the personalised e-Mail account I use for my private correspondence …

Boy, am I lucky that, my ISP not only offers personalised Internet Domains and, also, as part of the monthly Bill, up to 100 e-Mail accounts on their Domain …

“When you register your motor vehicle you have to present yourself to the responsible Government Authority, identify yourself, the Civil Servant then registers your personal data and assigns a Number Plate to that vehicle …”

First time you send an email from your computer with a fixed UUID including your email header the computer and God knows who else know your full identity. Same with IP at ISP level. Or you log in to a “verified account” at one of the asocial media. Or or or. The UUID is a de facto number plate and even worse. My car doesn’t shout his number plate every few minutes/hours out to the rest of the world (as long as I don’t buy one of these brain dead e-cars or a navigation system paired with a smart phone via bluetooth).

Things are complicated!

Hi
I think it’s time for the thread to slip away into the ether :wink:

As indicated one can remove the random identifier, anything else would need to be followed up elsewhere :wink:

But, but, but – I have to admit to an absolutely terrible mistake: :shame:

  • Each partition’s UUID is generated at the time that the partition is created – not by the device’s manufacturer …

I wish to apologise for the inconvenience … :X

On Thu, 21 Mar 2019 10:16:03 +0000, suse rasputin wrote:

> But the UUID is comparable to a number plate for your car. This IS
> personal data, if you are tracked.

Not a lawyer here, but it seems to me that it’s only personal data if a
correlation can be made.


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Thu, 21 Mar 2019 11:46:03 +0000, suse rasputin wrote:

> First time you send an email from your computer with a fixed UUID
> including your email header the computer and God knows who else know
> your full identity.

Only if you include the UUID in the e-mail. I’ve never seen one
automatically included, and I’ve spent a fair bit of time looking at e-
mail headers over the years.


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

nrickert wrote:

> The public key is installed on your system during install of the operating system or when you agree to trust the key of a repo. The weakest link in that chain is you having to trust the repo key when you set up the repo.

Exactly why I am looking at a situation:

  1. The user does net install using a mirror
  2. A mirror uses a rogue public key (not that of download.opensuse.org)
  3. The mirror has signed packages with the rogue private key matching the rogue public key (so zypper won’t complain)
  4. The user continues using some subverted software without even knowing

Is that possible or am I totally wrong in what I understand? The whole question is really: how is the authenticity of the mirrors guaranteed without connecting to download.opensuse.org?

[HR][/HR]

malcolmlewis wrote:

> Hi
> It’s also kind of ironic that GDPR put a spanner in the works for this…
>
> From openSUSE status page

The communication on the second link you shared shows an interesting thing:

> Mr Hughes has complained that the keyservers share
> and make personal details publically available, such as his name and
> email addresses.

Similarly one can complain that mailing lists and bug trackers make personal details (name and email) public. Shutting down such systems is an overkill. However it is possible to:

  • keep private data non-public
  • use pseudonymization
  • make it possible to exercise the GDPR rights

Maybe someone can add this for another board discussion?

[HR][/HR]

It is legal but not nonsense. Read the definition of ‘personal data’ and ‘processing’ in GDPR.

Everything that you listed (in whole or partially) is data which can be used to identify a person indirectly and be used further for profiling (in combination with other data). That is something which requires explicit consent and should be optional, not enforced.

> **Bottom line:** AFAICS, there is absolutely no correlation between a device’s UUID and someone’s Personal Data.

But you can’t say that without having verified how the system processes the data. That’s the whole point of GDPR: that the controller must be transparent regarding all this and that everything that is ‘personal data’ and that the ‘data subject’ is the owner who is in control to say how his data should be processed or not.

Right now, regarding UUID, I don’t even see any info. This is the only factual bottom line.

> **Bottom, bottom line:** A device’s UUID is […] Data which is the property of the Manufacturer …

Anything that matches the definition of ‘personal data’ belongs to the ‘data subject’. The ‘legitimate interest’ of the ‘data controller’ cannot override the fundamental rights, one of which is the right to protection of personal data (EU Charter of Fundamental Rights, Article 8).

[HR][/HR]

malcolmlewis wrote:

> Hi
> I think it’s time for the thread to slip away into the ether :wink:
>
> As indicated one can remove the random identifier, anything else would need to be followed up elsewhere ;)

But there is still no info - neither on that mailing list, nor here. I still don’t know how the identifier can be removed or how one can exercise his fundamental (and GDPR) rights in regards to it. Am I missing something?