[hashkb]

It can just obtain the user's consent; and, if denied, the alternative is to not phone home at all.

[mirimir]

That's pretty much the norm in Linux.

One typically gets packages from the distro's repository. And traffic with modern repositories uses HTTPS. So third parties don't see what packages are being used. And unless one configures a developer repository, there's never any traffic to the developer.

Also, IP addresses are considered PII under GDPR.

Edit: Still, if one cares that much about ones IP address, it's prudent to use a VPN service or Tor.

[jdnenej]

IP addresses are only PII if attached to other information. I can generate a list of IP addresses and store/sell that data and it's all fine because its meaningless without associated data.

[mirimir]

The other information is "using Atom".

[jdnenej]

It's still impossible to link that to an individual unless they sold it to another company that has more info on the address.

[mirimir]

Or bought the data.

I'm like 99% sure that datasets are available that link IP addresses to all sorts of PII. And then there are third-party cookies and other trackers.

[joepie91_]

Yes, and that possibility is enough to make this fall under the GDPR.

[colejohnson66]

> Also, IP addresses are considered PII under GDPR.

Not true. They’re only PII if they can be used to connect something to a person. It’s a minor distinction, but it is one nonetheless.

[jdnenej]

In this case it would not be PII data if it was just an IP address in a webserver log saying someone checked for an update. It would be PII data if it was linked to your GitHub account.