Linux Foundation introduces strict telemetry data collection and usage policy for all its projects

Last week, the Linux Foundation introduced a new policy around the collection and usage of telemetry data. As per this new policy all linux projects before using any telemetry data collection mechanism will have to take permissions from the Linux Foundation and the proposed mechanism will undergo a detailed review.

The Linux Foundation’s announcement follows closely after Gitlab’s telemetry data collection plan came to a halt. Last week, GitLab announced that it would begin collecting new data by inserting JavaScript snippets and interact with both GitLab and a third-party SaaS telemetry service. However, after receiving severe backlash from users, the company reversed its decision.

The official statement from the Linux Foundation reads as follows,

“Any Linux Foundation project is required to obtain permission from the Linux Foundation before using a mechanism to collect Telemetry Data from an open source project. In reviewing a proposal to collect Telemetry Data, the Linux Foundation will review a number of factors and considerations.”

The Linux Foundation also states that the software sometimes includes the functionality to collect telemetry data. The data is collected through a “phone home” mechanism built into the software. And the end user deploying the software is typically presented with an option to opt-in to share this data with the developers. In doing so certain personal and sensitive information of the users might also get shared without realizing. Hence, to address such data breach and to adhere to the recent data privacy legislation like GDPR, the Linux Foundation has introduced this stringent telemetry data policy.

Dan Lopez, a representative of the Linux Foundation states, “by default, projects of the Linux Foundation should not collect Telemetry Data from users of open source software that is distributed on behalf of the project.”

New policy for telemetry data

As per the new policy, if a project community desires to collect telemetry data, it must first coordinate with members of the legal team of the Linux Foundation to undergo a detailed review of the proposed telemetry data and collection mechanism. The review will include an analysis of the following:

the specific data proposed to be collected

demonstrating that the data is fully anonymized, and does not contain any sensitive or confidential information of users

the manner in which users of the software are (1) notified of all relevant details of the telemetry data collection, use and distribution; and (2) required to consent prior to any telemetry data collection being initiated

the manner in which the collected telemetry data is stored and used by the project community

the security mechanisms that are used to ensure that collection of telemetry data will not result in (1) unintentional collection of data; or (2) security vulnerabilities resulting from the “phone home” functionality

The Linux Foundation has also emphasized that telemetry data should not be collected unless and until the legal team approves the proposed collection.

Additionally any telemetry data collection approved by the Linux Foundation must be fully documented, must make the collected data available to all participants in the project community, and at all times comply with the Linux Foundation’s Privacy Policy.

A recap of the Linux Plumbers Conference 2019