Last week, the Linux Foundation introduced a new policy on the collection and use of telemetry data. Under this policy, any Linux Foundation project must obtain permission from the Linux Foundation before using a telemetry data collection mechanism, and the proposed mechanism will undergo a detailed review.
The official statement from the Linux Foundation reads as follows:
“Any Linux Foundation project is required to obtain permission from the Linux Foundation before using a mechanism to collect Telemetry Data from an open source project. In reviewing a proposal to collect Telemetry Data, the Linux Foundation will review a number of factors and considerations.”
The Linux Foundation also notes that software sometimes includes functionality to collect telemetry data. The data is collected through a “phone home” mechanism built into the software, and the end user deploying the software is typically presented with an option to opt in to share this data with the developers. In doing so, users may share certain personal and sensitive information without realizing it. To address this risk of data exposure and to comply with recent data privacy legislation such as GDPR, the Linux Foundation has introduced this stringent telemetry data policy.
Dan Lopez, a representative of the Linux Foundation, states, “by default, projects of the Linux Foundation should not collect Telemetry Data from users of open source software that is distributed on behalf of the project.”
New policy for telemetry data
Under the new policy, if a project community wishes to collect telemetry data, it must first coordinate with members of the Linux Foundation's legal team to undergo a detailed review of the proposed telemetry data and its collection mechanism. The review will include an analysis of the following:
- the specific data proposed to be collected
- demonstrating that the data is fully anonymized, and does not contain any sensitive or confidential information of users
- the manner in which users of the software are (1) notified of all relevant details of the telemetry data collection, use and distribution; and (2) required to consent prior to any telemetry data collection being initiated
- the manner in which the collected telemetry data is stored and used by the project community
- the security mechanisms that are used to ensure that collection of telemetry data will not result in (1) unintentional collection of data; or (2) security vulnerabilities resulting from the “phone home” functionality
The Linux Foundation has also emphasized that telemetry data must not be collected unless and until the legal team approves the proposed collection.