GDPR Compliance - Setup Script Calling Home
Hello!
I'm certainly not an expert in GDPR compliance but the "call home" function in the setup script is concerning:
- There isn't any disclosure whatsoever that the program will, by default, call home (either on http://etetoolkit.org/download/ or otherwise, that I can find)
- I thought that collections of data such as this have to be explicitly opt-in? In other words, the default setting has to be "no collection" and the user must take an action to choose to share data?
Again, I'm not an expert, and even though the data collected appears to be relatively simple, I was troubled by the fact that it was "hidden" (I had to open the source of setup.py to get any info on it.)
The absolute easiest fix would be to remove this altogether ... I am guessing that the primary reason for collecting data on installations is to have data to include in reports/grants/funding requests? (Given the academic nature?) If so, perhaps alternate statistics such as times downloaded from Conda/PyPI would be sufficient?
Alternatively, perhaps a confirmation prompt? ("Do you consent to sharing installation data with XYZ? Here is the exact data that will be sent:")
Again, I'm not an expert but it seems like this might be a potential violation (and considering that the project is run/maintained by entities in the EU, this would seem to be extra important ...)
https://github.com/etetoolkit/ete/blob/97e0ce9fab2f2286c69fb31577df75684613e769/setup.py#L191-L195
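The opt-in design sketched in this issue (collection off by default, the exact data shown before anything is sent, an explicit action required to share it), as an added example that is not the project's own setup.py; the endpoint URL, the environment variable name, the version string and the payload fields are assumptions:

```python
"""Opt-in install statistics for a setup script: nothing leaves the machine
unless the user explicitly agrees, and the exact payload is shown first."""
import json
import os
import platform
import sys
import urllib.request

STATS_URL = "https://stats.example.invalid/install"  # placeholder, not the project's URL
ENV_VAR = "ETE_SHARE_INSTALL_STATS"  # hypothetical switch for non-interactive installs


def build_payload(version):
    """The complete, minimal record that would be sent; nothing else is collected."""
    return {"package": "ete", "version": version,
            "python": platform.python_version(), "platform": sys.platform}

def consent_given(payload, env, ask):
    """True only on an explicit opt-in; any other path (unset variable, unknown
    value, no terminal, empty answer) is treated as a refusal."""
    value = env.get(ENV_VAR, "").strip().lower()
    if value in ("1", "yes", "true"):
        return True
    if value or ask is None:  # explicit refusal, junk value, or non-interactive
        return False
    prompt = ("This installer can report the following data to %s:\n%s\n"
              "Share it? [y/N] " % (STATS_URL, json.dumps(payload, indent=2)))
    return ask(prompt).strip().lower() in ("y", "yes")

def post_json(data):
    """Real transport; only reached after consent_given returned True."""
    req = urllib.request.Request(STATS_URL, data=json.dumps(data).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=5).read()

def report_install(version, env=None, ask=None, send=post_json):
    """Gate the call-home on consent. Returns the payload if it was sent, else None."""
    env = os.environ if env is None else env
    payload = build_payload(version)
    if not consent_given(payload, env, ask):
        return None
    send(payload)
    return payload

if __name__ == "__main__":
    # Prompt only when a terminal is attached; pip's build isolation usually has none.
    asker = input if sys.stdin.isatty() else None
    print("sent" if report_install("0.0-example", ask=asker) else "not sent")
```

Passing `send` as a parameter keeps the network call out of tests and makes it easy to check that every non-consent path sends nothing.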
Very true. I forgot completely about this, which was originally meant as an innocent installation stats system and Easter egg, back in... 2010 (?).
I would say that we could just delete the code and avoid any trouble with the GDPR. We have better stats now with conda, etc...
For the sake of clarity, this was tracking new installations, keeping only the info shown here: http://etetoolkit.org/static/et_phone_home.php