
> I'll be honest, I don't really see the complaint here.

There is no explicit consent.



Exactly, as a paying user having the option to disable telemetry is not unreasonable.

Too bad Dropbox does not see it that way.


I see a trend of software engineers that don't see users as someone who they are providing service to - they see them as just one element of a machine they're optimizing to make their software better. They feel that the engineering quest itself is the most important thing in the world, so they feel entitled to any and all data they are technically capable of collecting.

It's a shame. I wish more engineers would see things through Richard Stallman's eyes, and realize that software is supposed to serve its users, not its creators. But, as the saying goes: "It is difficult to get a man to understand something, when his salary depends on his not understanding it."


If you asked me which part of the company decided to shove telemetry in the product, my last guess would be the software engineers.


There is a reason it's popular: it's extremely useful for software development to a) have actual hard data on how your software is being used, and b) have a large selection of crash data for debugging rare issues. If it's not the software engineers who want it, it's the technical management who see the immense value in having it.


You're forgetting the monetary incentives. It allows companies to collect personal data of every user and sell it to "our partners" to build larger marketing profiles.


This depends on what kind of data they're collecting. The most common kinds of telemetry data are not actually particularly useful for that, and usage of it for selling advertising, especially to third parties, would be contradictory to most privacy policies (now how much you trust that they are actually following their own policy is another matter: and Dropbox does call out that they may try to use this data to upsell you on their own products).

Nonetheless, the potential is there and GDPR does consider it personal data from the point of view of consent, so Dropbox is almost certainly violating the rules here even if they do not sell the data for advertising (as unlike the actual data they store, it is not necessary for providing the service, merely useful to the company for improving their service). Such telemetry almost certainly requires an opt-out, and most likely should be an opt-in as far as GDPR is concerned.


I'm not sure.

There was an opt-out telemetry proposal in Go [0], which caused a huge backlash. The proposal authors were so focused on the benefits of the telemetry, that they did their best to invent all kinds of very convincing arguments why their telemetry is okay, useful, not intrusive, etc. etc. They completely ignored the ethics of the problem - that they are not entitled to users' data without consent.

It took a very dramatic reaction from the community to convince them that adding opt-out telemetry without users' explicit consent is a bad idea, no matter how "non-intrusive" and "helpful" it is.

[0] https://github.com/golang/go/discussions/58409


SWEs in those camps are mostly "just following orders" I've heard.


That depends what telemetry though. Assuming this telemetry is purely about app's performance and behavior and is truly anonymous (I know that's a big assumption, for sake of the argument let's believe it is the case), taking away from devs information about whether or not the app is working well is indeed quite unreasonable.


Indeed, as a paying user I would also want an option to disable them reading the files off my disk.

Too bad they just start scanning everything in ~/Dropbox.


But Dropbox already has huge amounts of information about you, in particular the names, contents, and history of all of your files.


They have consent for that. It's not hard.

Also consent to store does not imply consent to read, process, make use of.


I keep searching xkcd, but all my efforts are frustrated, and this is as close as I get:

https://xkcd.com/908/

I distinctly recall a webcomic in the past few years lampooning cloud storage. There was a guy who said "hey, there's this guy down the street who lets me keep stuff on shelves in his garage." "What does he charge you?" "Nothing, he says it's just cool if I keep it there." and then the stuff is sold off or tampered with, the guy is irate, and the moral of the story is essentially "why did you trust a random guy with a garage to keep your stuff?"



THANK YOU, zamnos! No wonder I couldn't find it. It was a current-events piece about a change in Instagram's TOS. Explanation here: https://www.explainxkcd.com/wiki/index.php/1150:_Instagram


But also the comic as you remembered it has a different moral from the actual comic, and would be very insulting to apply to non-paying Dropbox users.

It's okay for a free service to change how they operate with a take-it-or-leave-it offer. It is not okay for a free service to invade your privacy without permission.

Additionally, all users should be able to trust Dropbox just as much as the paying users.


It's polite to be transparent about telemetry, but it's not like there is a requirement in any regulation anywhere to ask for explicit consent (e.g. similar to how GDPR works when PII is involved).


There might not be a hard legal requirement, but it's still a valid complaint.

There's no legal requirement for someone to be polite to a cashier at a supermarket, yet complaining when somebody is an asshole is still a valid complaint.


You're mixing several things together here. Transparency is one of GDPR's cornerstones and very much not just nice to provide, but a deeply serious and non-negotiable hard requirement regardless of how you legitimise the data collection.


What I’m saying is that the GDPR is irrelevant unless there is data collected that counts as PII. Collecting non-PII isn’t covered by the GDPR.

So yes there are two things: GDPR which is irrelevant here, and storage of non-PII which should be done transparently because it’s polite to be transparent, but not a regulatory requirement.


Well, to be fair, if there is no PII, the telemetry isn't relevant at all and nobody should be concerned by it. (Except for the people that are concerned they will A/B test their software into exhaustion and optimize it into an abomination; but that's not a loud crowd.)

All the complaints are about them collecting PII. Even if they say they don't, the concern is that they could be lying, or change easily, and nobody would know.


False, I will rephrase: it is a regulatory requirement under the GDPR to disclose the fact that you are collecting data, to provide a detailed and easily accessible specification of the information contents, a precise definition of how this data is processed and used, and your legal justification(s) for doing so, and to do so for each separate type or kind of collection involving individuals, regardless of whether this includes any PII or not.

The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all, which is obviously not the case here.

Here is a very accessible (although non-official) GDPR resource that I've come across: https://gdpr-info.eu/

Obligatory "I am not a lawyer" disclaimer :)


> it is a regulatory requirement to disclose the fact that you are collecting data

Not if the data isn't PII, no. Not in any way shape or form.

> The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all

The whole point of collecting "anonymous usage data" (which is what telemetry usually does) is that it shouldn't be possible to attribute to a physical person, and thus not be PII. As an extreme example, you could take the most typical form of telemetry: a feature usage count. When a feature is used, the telemetry collects a (+1) for that feature. The only long term stored data is the total count N for each feature across the entire user base. Of course there is no PII stored.

> which is obviously not the case here.

Why do you say that it's "obviously" not the case, when there is no indication about what data it is, other than the Dropbox representative saying precisely that there is no PII collected so the GDPR isn't relevant? There may be PII (in which case they are both at fault for not disclosing, and complete asshats for lying in the support forum). But it would be a pretty uninteresting discussion once one assumes that...

Obligatory "I'm not a lawyer either but I've implemented telemetry in software and had those implementations thoroughly analyzed by lawyers a couple of times"


Ah gotcha, yes, you're right, except that only holds when you are not collecting any other data from the "subject" at all.

The major differentiating factor here is that Dropbox does in fact process PII - convenient storage and distribution of their customers' digital life is their raison d'être, after all, it's precisely what those people expect of Dropbox and pay them their monthly fee for.

In this case, where telemetry is gathered by the same desktop application that is also a primary component of their legitimate and consented-to data processing activities no less, they would at minimum be required to specify what information goes where, how it is anonymised, and for what purpose they require it.

I'm not assuming ill intent or unsanctioned data mining activities or anything of the sort, but whatever it is that they are collecting and doing is not as clear as it should be.


In particular, consent may be a requirement by the GDPR.


It's obvious from the discussion that the GDPR isn't an issue here as there is no PII involved (as should be the case with all telemetry).


The GDPR lists IP addresses as PII, and not to be all "your IP address is leaking" but in order to send the telemetry, your computer's IP (or that of your VPN) is being sent to Dropbox, potentially to be logged.


AFAIK, it's only an issue if it's actually logged. Also, pretty much all services need to know the IP address during a session. It's fine if it's only used for the purpose of providing the service and not logged.


That’s not a GDPR issue other than if stored. And remember this is an app that already must send requests to the same place in order to function at all.


Yes but because your computer is sending its IP to Dropbox, you can't, a priori, make the claim that the GDPR isn't an issue.


Of course not. It might send your medical records too.

It will send the IP regardless of whether telemetry is enabled. But they do claim that no PII is stored for telemetry. Whenever the topic of telemetry comes up I try to keep to the discussion about properly anonymous telemetry, simply because that’s where there is any discussion at all. If anyone transmits or stores anything they aren’t entitled to, it’s obviously always wrong so that’s not an interesting discussion.

Dropbox of course already stores PII (your files) but that doesn’t mean they can do so for other info or other purposes.


Just because the DNS entry says telemetry in the name doesn't mean a thing. Just like if they'd called it medical-records-here.dropbox.com and were only sending telemetry to it.

Whenever the topic of telemetry comes up, I try and point out that just because someone says it's just telemetry, it doesn't mean a damn thing. If anyone thinks it's not interesting because they think things are obviously always wrong, I ask them: what does telemetry mean to you? What does it mean to the company?

Are you sure those two definitions are in 100% agreement?


If they were entirely transparent about what they transmitted yet didn’t stick to that, then that would be bad.

Similarly, they might have an opt out but not honor it (in the case of Dropbox it wouldn’t be noticeable).

So all those things aside, the interesting discussion is the discussion that assumes they are honest when they say they don’t store any PII in telemetry. That means, for example that the IP isn’t stored.

“Telemetry” as a term means nothing about what’s stored which is why I try to be specific and talk about “anonymous usage statistics and crash reports” or similar. Telemetry without PII tends to be exactly that.



