I thought some of the ideas in the "middle ground" section discussing opt-in versus opt-out being the default depending on how you obtained the software were sort of interesting; I hadn't heard that compromise suggested before.
Reading that it really feels like he only posed the question for discussion so that he can say that he got input. It doesn't seem like the feedback is going to sway him an inch.
I'm really not a fan of default telemetry (and other aspects of Caddy), but some of the feedback in that thread is really bad and I can totally understand mholt's reactions to it. Which is a shame, since it risks drowning out more detailed comments.
Skimming through that discussion, it seems like the developer is also somewhat naively optimistic and possibly underinformed regarding how much of his own and his customers/users' effort will be required to comply with the GDPR while gathering this data.
Server-installation data is not data about a particular user. It’s information about a piece of running software.
GDPR does not regulate information you can store about software components. It merely ensures that companies can only store information about people which the person has given explicit and implicit consent for, and that they can account for this consent.
Log data from a running service disconnected from any identifiable personal data is in no way covered by GDPR.
That identifies browser version and operating system combinations in a way which is aggregated and 100% decoupled in an irreversible way from the actual browsing session as conducted by the user(s), given by the browser, automatically, to everyone by default on every request.
You won’t find a single lawyer anywhere who considers this to be privacy-sensitive, and definitely not covered by the GDPR.
My assumption was that the GDPR was attempting to be sufficiently broad so as to cover these kinds of fingerprinting techniques, but I guess not?
At least the second link makes it sound like at least some portion of people are likely to turn more towards device fingerprinting techniques specifically because they are GDPR-safe.
I think trying to frame something you give away to everyone, always, without anyone asking for it can legally be framed as privacy sensitive information. That would simply be absurd.
The GDPR regulations largely represent common sense and decency, and this über-paranoid consideration about what “may” be covered or not is not really a productive use of time.
Example: if you explicitly email someone, according to the GDPR the recipient has been given an implicit right to store your email and email address. Because there’s no way for them not to. Because that’s just how email and computers work.
I can’t imagine a fucking user-agent string shared by billions of other users enjoys higher protection.
IANAL, but I could set my own completely custom user agent - I don't even need much technical expertise, a simple browser add-on would suffice - and by logging that string, I could be (depending on how unique I made my own user agent) uniquely identified.
Out of all the metrics Caddy plans to collect, it's the only one I think has some merit to its complainants. It might be simpler to only keep user agents that conform to common browser standards. But this has all been discussed in the Caddy forum thread itself, and we'd welcome your input there!
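One way to implement the "only keep user agents that conform to common browser standards" idea from the comment above, as an added example in Python that is not Caddy's code: unrecognised or one-off strings are dropped before they are counted, and only the browser family, major version and OS are kept. The browser and OS patterns, the length limit and the minimum bucket size are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed, coarse patterns for mainstream browser families (ordered so that
# Edge is checked before Chrome, since Edge UAs also contain "Chrome/").
_FAMILY_PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A|iOS)?/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("Safari", re.compile(r"\bVersion/(\d+)\S*.*\bSafari/")),
]
# OS patterns, ordered so iOS wins over "Mac OS X" and Android over "Linux".
_OS_PATTERNS = [
    ("Windows", re.compile(r"Windows NT")),
    ("iOS", re.compile(r"iPhone|iPad")),
    ("macOS", re.compile(r"Mac OS X")),
    ("Android", re.compile(r"Android")),
    ("Linux", re.compile(r"Linux")),
]

def coarsen_user_agent(ua):
    """Return (family, major_version, os) for a mainstream browser UA, or None.
    Anything unrecognised (custom strings, oversized strings) is discarded, so a
    deliberately unique user agent never reaches the telemetry store."""
    if not ua or len(ua) > 512:  # assumed length limit
        return None
    os_name = next((n for n, p in _OS_PATTERNS if p.search(ua)), None)
    if os_name is None:
        return None
    for family, pat in _FAMILY_PATTERNS:
        m = pat.search(ua)
        if m:
            return (family, int(m.group(1)), os_name)
    return None

def aggregate(uas, min_count=2):
    """Count coarse buckets over a batch of UAs. Buckets rarer than min_count are
    dropped as well, so no reported bucket maps to a single visitor. Returns
    (kept_buckets, number_of_dropped_entries)."""
    counts = Counter()
    dropped = 0
    for ua in uas:
        bucket = coarsen_user_agent(ua)
        if bucket is None:
            dropped += 1
        else:
            counts[bucket] += 1
    kept = {b: n for b, n in counts.items() if n >= min_count}
    dropped += sum(n for b, n in counts.items() if n < min_count)
    return kept, dropped
```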