"Distro Telemetry Watch"


The following article is taken from:

https://github.com/summertimetech/website/blob/master/dtw.EN.html


Summertime Tech

Summary

As of March 2021 this page starts with a "Summary" section about the 10 most used distros.

Note:
→ {#} = ranking based on DistroWatch

Category 0 - No telemetry

Cat.0 has no telemetry. A Linux distro with zero telemetry is the reason for companies, governments, organisations and users all over the world to adopt and migrate to a "Privacy by Design" Linux desktop.
{#1} MX Linux Xfce ; MX Linux KDE look & feel
{#6} Debian Cinnamon ; Debian LXDE ; Debian LXQt ; Debian MATE ; Debian Xfce

Category 1 - Usage statistics

Cat.1 has software for location telemetry built in. The "as is" downloadable .iso has usage statistics telemetry and is not suitable for production environments and personal use. An installation needs a change of settings or use of the command line interface (CLI), plus a privacy health check after updates.
{#8} ElementaryOS

Category 2 - Surveys

Cat.2 is Cat.1 plus user survey telemetry built in. The "as is" downloadable .iso has survey telemetry and is not suitable for production environments and personal use. An installation needs a change of settings or use of the command line interface (CLI), plus a privacy health check after updates.
N/A

Category 3 - QI collect & analyze user data

Cat.3 is Cat.2 plus QI (collect & analyze user data) telemetry built in. With Quality Improvement (QI) via collecting & analyzing user data built in, the "as is" downloadable .iso is not suitable for production environments and personal use. An installation needs a change of settings or use of the command line interface (CLI), plus a privacy health check after updates.
{#3} Mint Cinnamon ; Mint MATE ; Mint Xfce
{#4} Pop!_OS GNOME
{#5} Ubuntu GNOME
{#6} Debian GNOME ; Debian KDE

Category 4 - track/trace user activity & content

Cat.4 is the above plus track/trace of user activity & content telemetry built in. The distro's "as is" downloadable .iso is not suitable for production environments and personal use. The installation has a sophisticated, non-deletable, non-stoppable "spy on user" engine, either built in (red) or in the repo (grey).
{#2} Manjaro KDE ; Manjaro GNOME ; Xfce
{#7} Endeavour KDE ; EndeavourOS Xfce; MATE; GNOME; Cinnamon; Budgie; Deepin; i3-wm; LXQt
{#9} Fedora KDE ; Fedora Cinnamon ; Workstation/GNOME ; LXDE ; LXQt ; MATE ; Xfce
{#10} openSUSE Tumbleweed GNOME

Non-Linux OS with extensive telemetry:
MS Windows
Apple macOS - based on Unix
Apple iOS & derivatives - based on Unix
Google Chromebook ChromeOS - based on Linux
Google Android - based on Linux

Linux

There is not one Linux; there are many different versions. This is because the operating system is free open source software, and everyone is free to download a copy from the internet, make changes and create their "own" version, and then publish that version as a "distro" on the internet for others to use as free open source software.

All in all, many Linux distros have been created over the past decades, all with their own character, see further under distro & desktop characteristics.

Of course there are individuals with a very beautiful and solid distro, but over the years many distros have formed an enthusiastic group of people around them. A number of these have been transformed into a foundation or a company (official distros), which is necessary to work as a legal entity in society. This includes running an office, hiring employees, entering into contracts, etc.

Many official organizations around distros and desktops exist on the basis of donations from private persons, governments, organizations or (large) companies. Other official organizations around distros and desktops are commercial: they make money by providing business services with their free distro and desktop. There is also advertising income.

Traditionally within the Linux domain the "money" factor has not been the main driver. The driving force for developers is the enthusiasm for Linux itself and for the development of the GUI graphical user interface "desktop". Very important are therefore communities: groups of volunteers who contribute with software to an official distro or desktop in their spare time. Many distros and desktops could not exist without a community.

Distro

Features of a distro are:
Linux kernel suitable for x86 and a growing number also for ARM processor (Mobile)
App store - on user computer package manager to choose & download Apps
Repo - repository in the cloud where Apps are ready to download
Apps - user software, almost always free open source software
List of distros

→ View: YouTube Videotorial Package Manager & Repo's

Desktop

GUI - graphical interface on user computer:
Ambient, Budgie, CDE, Cinnamon, Deepin DE, EDE, Elokab, Enlightenment, Étoilé, GNOME, GNUstep, Innova, KDE **telemetry**, Liri Shell, Lomiri, Lumina, LXDE, LXQt, MATE, Maxx, Maynard, Mezzo, Moksha, Pantheon, Phosh, Project Looking Glass, Razor-qt, ROX Desktop, Sway WM, Sugar theShell, Trinity, twm, Unity, Vera, Window Maker, Weston, Xfce, Zorin OS.

Many distros support one or more desktops. On the distro's official website the user can choose with which desktop to download that distro. There are also distros that optionally offer their Linux version for download without one specific desktop: the user selects a desired desktop from a menu during installation.

For example, distro Manjaro Architect allows the user to choose from a range of desktops during the installation process. There are also distros that, in addition to their officially supported desktops, allow users to optionally choose a (spin) community distro / desktop. So, a lot of choice, almost any combination of Linux distro with GUI desktop is possible.

Hardware & Linux out-of-the-box

For those familiar with the Linux domain, combining kernels with GUIs themselves, or choosing, downloading and installing a distro is familiar territory. But for new users it is all strange because people are used to buying a device that functions well after purchase without tinkering.

To give (potential) users that "out-of-the-box plug and play" experience, there are more and more suppliers who sell computers with a Linux distro / desktop "factory-installed".

There is a growing supply of, and growing demand for, computers with Linux out-of-the-box because more and more people want better privacy & security without bloatware, forced updates, etc.

And right now, very sadly, while the demand for Linux "ready to use" computers grows, the popular Linux desktop "KDE" has decided to reduce privacy by introducing telemetry.

What was not an issue before 2020 has now, because of KDE, become necessary: pointing out to consumers and users the distinction between "good" and "red-flag bad".

The following is an overview of:
Hardware including out-of-the-box Linux distro / desktop without telemetry (= good).

Hardware with Linux & no telemetry

Product offering subject to change - check before purchase:
Dell Laptops: Linux distro Ubuntu + Gnome desktop
Dell Workstations: Linux distro Ubuntu + Gnome desktop
Juno Computers: Linux distro Ubuntu + Gnome desktop
Kubuntu Focus Laptop: Linux distro Kubuntu Ubuntu based + custom KDE desktop
Lenovo Personal Systems: Linux distro RedHat + Gnome desktop
Lenovo Personal Systems: Linux distro Ubuntu + Gnome desktop
Lenovo Personal Systems: Linux distro Suse + Gnome desktop
Purism Laptop: Linux distro PureOS + Gnome desktop
Purism Mini: Linux distro PureOS + Gnome desktop
Purism Phone Librem5: Linux distro PureOS + Gnome desktop
System76 Laptop: Linux distro Pop!_OS Ubuntu based + custom Gnome desktop
System76 Desktop: Linux distro Pop!_OS Ubuntu based + custom Gnome desktop
System76 Mini: Linux distro Pop!_OS Ubuntu based + custom Gnome desktop

Hardware with Linux & user can choose desktop & no telemetry

Product offering subject to change - check before purchase:
PinePhone: distro PostmarketOS Mobile + Gnome desktop
PinePhone: distro PostmarketOS Mobile + Lomiri desktop
PinePhone: distro PostmarketOS Mobile + Phosh desktop
PinePhone: distro Manjaro Mobile + Phosh desktop
PineTab: distro Ubuntu Touch by UBports + Qt desktop
Slimbook: Linux distro Kubuntu
Slimbook: Linux distro ElementaryOS + Pantheon desktop
Slimbook: Linux distro Debian
Slimbook: Linux distro Linux Mint + Cinnamon desktop
Slimbook: Linux distro MAX Ubuntu based + MATE desktop
Slimbook: Linux distro Manjaro + Xfce desktop
Tuxedo Computers: Linux distro Tuxedo_OS + Budgie desktop
Tuxedo Computers: Linux distro Ubuntu / openSUSE / Manjaro + Xfce desktop
Tuxedo Computers: Linux distro Ubuntu / openSUSE + Gnome desktop

"Mobile" is a Linux version suitable for the ARM processor (instead of x86) because ARM is more or less standard for mobile devices. But there is a growing number of "non-specifically mobile" devices that are also equipped with an ARM processor because it is increasingly fast and yet low in power consumption (Apple Silicon = ARM). Anyway, for now: Mobile = ARM processor.

The buyer of a device with out-of-the-box Linux can of course decide to remove the installation by installing a distro and desktop of his choice on it.

Telemetry

Well-known operating systems such as Windows, macOS, Android, iOS and ChromeOS all have built-in telemetry functions. While a person uses his device, it sends all kinds of data about that usage to the supplier, such as Microsoft, Apple and Google.

Not often, but still, some hardware suppliers include proprietary telemetry software on the computer they sell.

In almost all cases it is not clear (no transparency) which data the operating system is sending. Telemetry includes a stream of data such as OS version, hardware components such as screen format, network, disks, wifi, IP address. But also user data like website visits, Apps installed, and also the content of documents (!), etc.

This massive invasion of privacy is shocking. And possession of private data by third parties can endanger personal security, like identity fraud, bank account, home visits, you name it.

Suppliers explain in great detail that they "protect your privacy" with pages full of text almost impossible to read. But all that bla bla bla is covering up what's actually taking place. It is almost always unclear what exactly happens with the user data. Much information is sold commercially and if requested made available to governments.

Linux
Privacy By Design

Linux is Privacy By Design and had no telemetry for decades. Traditionally, the Linux domain is populated by developers who are very committed to privacy & security. This approach has led to Linux being the backbone of the internet.

Privacy by Design is:
1. Taking a user-centric approach
2. Avoid false dichotomies like privacy vs revenue
3. Be transparent with users
4. Full lifecycle protection
5. Valuing privacy is the default setting
6. Proactive to prevent breach rather than just react to it
7. Embed privacy into design

Linux distros are also increasingly becoming the "go to" operating system for governments, companies, organizations and individuals, due to GDPR legislation or retention of sovereignty. According to GDPR law, every organization must adhere to privacy around people. But organizations also want to protect their intellectual property. And Linux is free, which makes a huge difference in IT budget expenditure.

And Linux is the operating system for the Internet of Things (IoT): devices large and small are able to interact with users via (fiber optic) cable, WiFi, Internet, LoRa, etc.

Linux
Introduction of Telemetry

All good, but big money is slowly but surely penetrating the Linux domain. And there are misguided developers who don't care about global outcry to protect privacy and use their talents to taint one of the last remaining "safe havens" with telemetry.

These people have ensured that telemetry is now also implemented within the Linux domain. They have not taken notice of the Linux Privacy By Design adage. They made software that is at odds with (see picture on this page) the 7x privacy principles.

Google is a co-financial donor of the Linux desktop KDE and, coincidence or not, suddenly in spring 2020, via a regular update, there is telemetry in the software: the KDE telemetry software package called "KUserFeedback".

Even if the user did not opt in, the KDE KUserFeedback telemetry package registers the use of a whole series of Apps. For example, there is the text editor App "Kate" and dozens of other Apps, of which the package registers:
1) Number of times the user starts the Apps, and;
2) The duration of use of Apps.

And if not opted in, the KDE KUserFeedback telemetry package registers:
3) The number of times the user starts (boots) the computer, and;
4) The time duration of computer usage.

The KDE KUserFeedback telemetry package is built solidly and robustly, and can register much more, which a contributor also describes (article recovered in pdf format). The chance that it will happen in the future is extremely high.

→ see: YouTube KUserFeedback telemetry in KDE desktop

Opt-in
on/off disabled/enabled

KDE states that their KUserFeedback telemetry package is disabled by default during installation and that the user can choose his / her cooperation via opt-in. And keen supporters of the KDE desktop, in response to critical comments, reiterate that "disabled by default" position each time, as in "don't worry, it's okay".

However, KDE uses the word "disabled" incorrectly, because when the status of KUserFeedback is disabled, the package nevertheless continues to function and use computer resources: it continues to register Apps and boots, the number of times used and the duration, in the /home/user/ telemetry folder.

The only thing that doesn't happen when disabled is that user data is actively sent to KDE. But later, if the user sets the telemetry to "on" (enabled), the user's historical data will be sent to KDE.

Privacy issue

As mentioned, the KDE KUserFeedback telemetry logging files are located in the user's home folder. And because of how Linux file permissions work, any App can access those log files. This setup is not private.

GitHub FAQ of KUserFeedback telemetry package:
1) KUserFeedback is designed to comply with KDE Telemetry Policy, which prohibits the use of unique identifiers.
2) If you use KUserFeedback outside the scope of that policy, it is of course possible to add a custom data source that will generate and send a unique ID.

Enthusiastic KDE users point to the 1st FAQ sentence in defense of telemetry usage, posting in media comments "See, don't worry, we're doing everything in accordance to our privacy policy". But (see picture on this page) both the 1st and certainly the 2nd FAQ are against the 7x principles for privacy.

The ID function as described in FAQ 2nd sentence is indefensible. KDE has chosen to introduce this engine with the potential for extensive privacy violation, which can be deployed by third parties. It needs little imagination to realize that KDE KUserFeedback telemetry package can be used for nefarious projects.

By the way, never say never: currently KDE KUserFeedback telemetry package is spreading around the world in all kinds of distros and also on Linux out-of-the-box devices. What if the privacy policy would suddenly be 'less stringent'? Is everyone going to install another distro on the computer or mobile? Probably not.

KDE has introduced a privacy threat currently rolling out all over the world. It can evolve into an irreversible problem at an unknown point in time.

Free Open Source Software(FOSS)

The word "free" within the domain of free open source software is not only gratis! Free also means Freedom! Most certainly freedom to (un)install software on your own device.

The promotion of privacy & security is central within the FOSS domain. This is achieved by openness of source code so everyone can see exactly what the program does, and therefore no mysterious or dubious functionalities.

But the KDE KUserFeedback telemetry package does not meet all FOSS criteria: although the software is gratis and the source code is readable, once it is installed the user is not free to remove the package via GUI, or make it "really" stop working.

And if the user removes the KDE KUserFeedback telemetry package from the system via GUI, the package manager removes the entire (!) desktop. After that, an average user won't be able to get the computer working again (no login).

Developers have intentionally chosen to have "not necessary dependencies" to make sure removal of the KDE KUserFeedback telemetry package is practically impossible. This software design is at odds with striving for the 7x FOSS Privacy By Design principles.

Keep in mind, more mainstream hardware vendors are selling Linux with KDE desktop out-of-the-box to "regular" (that is: not Linux expert) users. These regular users are unable to recover from the fatal error after removing the KDE KUserFeedback telemetry package.

The KDE KUserFeedback telemetry package is not FOSS compliant, because the new package logs what the user is doing on the computer, and how much time is spent on it. Introducing new user behaviour logging is incompatible with the FOSS striving for better privacy.

In short, KDE with their forced KUserFeedback telemetry package is wrongly using the quality mark "free open source software (FOSS)".

Terminology

Developers of the KDE KUserFeedback telemetry package use the term "User Feedback" for their package name, because user feedback sounds positive. Spicing up language is what many organizations do: naming something negative differently. Consider, for example, the word "reorganization", which is nowadays "transition", or a "setback" that has become a "challenge".

So also KDE with the name of their telemetry package. The term "telemetry" rightly has a negative connotation because all other "telemetry" operating systems are bad company.

KDE doesn't want to identify with the bad guys and has creatively come up with a positive name for their exposure. But KUserFeedback is not user feedback in its original sense; KUserFeedback is actually logging with log files. Read what is normally meant by user feedback and how to implement here. The real name of the KDE package should have been: KUserTelemetry.

Conclusion

As "real user feedback" this website has, through its Twitter account, suggested the following improvements to KDE:
1. Only if the user chooses opt-in, install the KUserFeedback telemetry package after that.
2. Make it possible for the user to remove the KUserFeedback telemetry package via GUI without dependencies, so the entire desktop will not disappear (no errors).
3. Remove KUserFeedback as software from the entirety of the KDE desktop and handle feedback via an old school survey.
4. Have a privacy audit performed periodically by an independent certified auditing firm, as proof that KDE does not store the IP addresses of "opt-in users" and clears server logs every 24 hours.
5. Publish on website the domain names of KDE to which "opt-in users" telemetry is sent, so Linux users can add them to their firewall, just in case.
Example /etc/hosts: 127.0.0.1 kde.kuserfeedback.telemetry.domain.com
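
A way to verify suggestion 5 on one's own machine, as an added example that is not part of the original article or of KDE's code: the Python sketch below parses a hosts file and reports whether each telemetry hostname is sinkholed. The hostname list is an assumption: it holds the article's placeholder name plus constructed example.invalid names, since this page gives no real telemetry domains.

```python
import ipaddress

# Assumed list: the article's placeholder hostname plus constructed test names.
WANTED = [
    "kde.kuserfeedback.telemetry.domain.com",
    "a.example.invalid",
    "b.example.invalid",
    "commented.example.invalid",
    "sub.a.example.invalid",
]

# Constructed sample hosts file (not taken from any real system).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 127.0.0.1 commented.example.invalid
127.0.0.1   KDE.KUserFeedback.Telemetry.Domain.com  # mixed case, inline comment
0.0.0.0 a.example.invalid b.example.invalid.
192.0.2.10 b.example.invalid
"""


def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Map each lower-cased hostname to every address assigned to it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table


def audit(text, wanted=WANTED):
    """Classify each wanted hostname as 'blocked', 'conflict' or 'missing'."""
    table = parse_hosts(text)
    report = {}
    for host in wanted:
        addrs = table.get(host.lower().rstrip("."), [])
        if not addrs:
            report[host] = "missing"
        elif all(is_sinkhole(a) for a in addrs):
            report[host] = "blocked"
        else:
            # At least one entry maps the name to a routable address, so the
            # sinkhole entry cannot be relied on.
            report[host] = "conflict"
    return report


def lines_to_add(report):
    """Hosts lines, in the article's format, for every missing hostname."""
    return [f"127.0.0.1 {h}" for h, state in report.items() if state == "missing"]


if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS)
    for host, state in result.items():
        print(f"{state:8} {host}")
    print("\n".join(lines_to_add(result)))
```

Hosts entries match exact names only, so a subdomain of a blocked name is reported as missing; pass the contents of /etc/hosts to audit() to check a real system.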

No response was received to these excellent and simple to implement changes. And that "not responding" is a concern, because if KDE took their user feedback mission seriously, they would respond to these suggestions.

With the 2020 introduction of KUserFeedback, KDE did the Linux domain no credit. Persons, companies, governments, organizations; anyone who intends to switch to Linux for privacy reasons may now start wondering whether such a drastic and costly migration is worthwhile at all.

The KDE KUserFeedback telemetry package has exceeded the Privacy By Design threshold. Linux distros with the KDE desktop and the KUserFeedback telemetry package built in can now be compared to other operating systems such as Windows, macOS, Android, ChromeOS and iOS, and the privacy advice is not to use these OSes.

Distro Telemetry Watch

As described above, there are many variants of distros and desktops. And not all KDE desktop distros have KUserFeedback telemetry package installed.

For the average user, it is now a quest to determine in advance whether or not the intended Linux distro has telemetry in it. And certainly for those who want to buy a device with Linux without telemetry installed out-of-the-box, because telemetry is not advertised on the website or on packaging.

An additional problem is any distro or desktop can decide at any time to download the KUserFeedback telemetry package via GitHub to install in their version. KUserFeedback developers and KDE have opened the gate within Linux to anyone.

Given the nature of the rapidly changing Linux domain, any inventory such as the following of KDE KUserFeedback telemetry package has a temporary expiration date.

Color-coded statement for clarity:
→ Good, recommend: distro + KDE version without telemetry implementation (green)
→ Bad, don't use: distro + KDE with telemetry (red-flag)
→ ARM processor is "Mobile"

distros + KDE version without KUserFeedback

Kali Linux - Debian based + KDE Apps
Kali Linux Mobile - Debian based + KDE Apps
Kubuntu - Ubuntu based + KDE Apps
MX Linux - Debian based + KDE Apps
Q4OS - Debian based + Trinity Desktop + KDE Apps
Q4OS Mobile - Debian based + Trinity Desktop + KDE Apps
SparkyLinux - Debian based + KDE Apps
SparkyLinux Mobile - Debian based + KDE Apps

distros + KDE desktop with KUserFeedback

Arch Linux + KDE desktop
ArcoLinux Plasma + KDE desktop
CentOS + epel-repo/KDE desktop
EndeavourOS + KDE desktop
EndeavourOS Mobile + KDE desktop
Fedora + KDE desktop
Fedora Mobile + KDE desktop
freeBSD + KDE desktop
freeBSD Mobile + KDE desktop
Garuda Linux Plasma + KDE desktop
KDE neon
LliureX Ubuntu based + KDE desktop
Mageia + KDE desktop
Manjaro + KDE desktop
Manjaro Mobile + KDE desktop
openSUSE + KDE desktop
PCLinuxOS + KDE desktop
Solus + KDE desktop

Hardware + Linux distro + KDE desktop with KUserFeedback

Pinebook Pro: distro Manjaro Mobile + KDE desktop (*)
Slimbook: Linux distro KDE neon
Slimbook: Linux distro Lliurex + KDE desktop
Tuxedo Computers: Linux distro Ubuntu / openSUSE + KDE desktop
Tuxedo Computers InfinityBook: Linux distro Manjaro + KDE desktop

(*) red-flag: the Pine64 edition of Manjaro has been announced and is now in the shop for pre-order. It is not clear whether telemetry will be included, or whether they decide not to implement the telemetry package. When clear this paragraph will be updated.

The buyer of a device with out-of-the-box Linux can of course decide to remove the installation by installing a distro and desktop of his choice on it. Think of a mobile phone with, for example, Ubuntu Touch by UBports, Mobian Mobile Debian based + desktop Phosh, openSUSE Mobile + desktop Gnome, SailfishOS Mobile + desktop Lipstick, PureOS Mobile + desktop Gnome, Fedora Mobile + desktop Xfce, LXDE, MATE, Sugar on a Stick, Arch Linux Mobile + desktop Gnome, AVMultiPhone Mobile PostmarketOS based + desktop MATE.

Final Word

A great deal of effort has already been made to improve privacy. Think specifically of alternative developments for mobile phones, such as LineageOS, GrapheneOS, F-Droid and Aurora store, MicroG, hardware kill switches on Librem5 and PinePhone. Also de-Googled Android Fork /e/ OS . And so on; all for better privacy.

Furthermore, in Europe (EU) the aim is to implement open source. Everything for better privacy & security and transparency. There are many initiatives worldwide, all in good direction.

While huge efforts are being made to improve privacy & security, KDE believes it is a good plan to counterintuitively introduce a new breach and threat. Given all the positive privacy efforts it's absurd that KDE has introduced telemetry "built-in" into the Linux domain.

It would be better if The Linux Foundation, the GNU Project and The Free Software Foundation put any distro / desktop combo with telemetry built in on a "not allowed" list, prohibit use of licenses on Linux, and prohibit use of the name "free open source software (FOSS)".

To maintain the adage "Linux Privacy By Design" it would be better if hardware suppliers with Linux "out-of-the-box" no longer deliver software with telemetry built-in. And every official or community distro / desktop refuses to participate in telemetry in the Linux domain.

disclaimer & comments

It can and will happen: mistakes, errors, new developments, comments on details about distros, GUI desktops, suppliers, products and so on. Something to report? Then please DM via Twitter account of this website. Necessary corrections will be made as soon as possible.
