Hacker News new | ask | show | jobs
by JohnFen 2717 days ago
You're right in general, of course. But here's the reason for my hardline stance on that: history shows that trusting promises or assertions made about things like unique identifiers is unwise, and so I have to take a strong defensive stance.

> you can design a unique identifier system that does not allow tracking

You can (sortof), but we run against that trust issue again. If I'm giving a unique identifier to someone, I have no way of knowing if their assertions about its use are accurate. Even if they are, there's no guarantee that won't change in the future.

> If all you want to do is get a good estimate of how many users use what types of configurations of your software (major and minor version)

You're talking about the perspective of the publisher. I'm talking about my perspective as a user. A company's "need" to collect metrics is their problem, not mine. If their solution results in more information disclosure than I'm comfortable with (and a unique identifier absolutely is), then I will avoid their software or block communications to their home base.
2 comments
kbenson 2717 days ago
> A company's "need" to collect metrics is their problem, not mine.

When it's couched in how to deliver software updated, it becomes your problem as well. That's a transaction, and they want to charge more for it now. You can decide it's too costly, as you indicate here, but it's not like they're giving nothing in return.

I think it's important to note the goals of those involved. In this case, it's the people that put together a free product for us to use and also supply free timely software updates looking for more information on who is using what so they can do a better job at delivering that free stuff to us.

And in this case, it's not adding tracking where it doesn't exist, it's making it better for the specific cases that are useful to them and that impact users the least (an accounting of software configurations). They already track through IP address, but that's inaccurate to a much larger degree for the information they want (but somewhat less so for the personal information you likely want to protect). Adding an additional system that allows better tracking of the useful information without increasing the personally identifying features of IP based tracking (which still exists) is laudable, in my eyes.

link
JohnFen 2717 days ago
> When it's couched in how to deliver software updated, it becomes your problem as well.

I honestly don't see how. If/when I'm ready to take an update, I can come get it myself. If they want to charge me (or charge me more) for it, then they can do so at that time. No tracking needed except for that associated with payment.

> Adding an additional system that allows better tracking of the useful information without increasing the personally identifying features of IP based tracking (which still exists) is laudable, in my eyes.

Not as laudable as not engaging in tracking in the first place. However, I don't see how this doesn't increase personally identifying features. On the contrary, it's adding one: a unique identifier.

link
kbenson 2717 days ago
> If they want to charge me (or charge me more) for it, then they can do so at that time. No tracking needed except for that associated with payment.

That's what's proposed? An identifier sent along with the request to see the current list of updates available?

> I don't see how this doesn't increase personally identifying features. On the contrary, it's adding one: a unique identifier.

An identifier that changes every week or so. At that point it is useless for identifying an individual, but can still be used statistically to determine how many systems are running what versions of Fedora, even behind NAT gateways. The only difference from before is now instead of "there's one IP with more than average check-ins, or check-ins from two or more different configurations", it's "there's one IP with X number of unique identifiers that randomize weekly seen over the last 28 days, so we can approximate X/4 different systems behind that IP".

link
JohnFen 2716 days ago
> The only difference from before is [...]

Yes, I understand, but your explanation isn't reassuring to me. It's confirming that I actually do understand the mechanism and its ramifications.

Red Hat can do whatever it likes (although my take on it is that they're not likely to do this unique identifier thing). I'm not saying otherwise -- that's their right, after all.

All I am saying is that software that does this sort of thing is unacceptable to me and I will avoid it to the best of my ability. As is my right.

link
jammygit 2716 days ago
You said free so many times that I had to share some news I learned earlier today: the 'free as in freedom' podcast is releasing new episodes again after 2-3 years hiatus!
link
derefr 2716 days ago
> A company's "need" to collect metrics is their problem, not mine.

And your need to run an OS on your computer is your problem, not theirs. What do you do if everyone on the sell side of the market uses telemetry? Just stop using computers?

link
JohnFen 2715 days ago
> What do you do if everyone on the sell side of the market uses telemetry? Just stop using computers?

Well, that's not going to happen. I doubt Slackware would go down that road, for example.

But lets say that what you assert happens -- all that means is that I won't use distros. It doesn't mean that I won't use computers.

It's entirely possible to install Linux without using a distro or prebuilt binaries at all. It's also possible to keep using an older version of the operating system.

But, being essentially lazy, what I'd most likely do is an extension of what I do with with most applications these days: firewall off the servers that the OS is trying to communicate with.

link
behringer 2716 days ago
That's the beauty of foss, you can just remove the offensive bits.
link
jammygit 2716 days ago
Yeah... its kind of amazing
link