Hi Christian,

Thanks so much for sharing this detailed feedback and for helping us to improve the OONI Probe apps.

We previously received legal consultation to ensure our apps and data policies are GDPR compliant, but more eyes are always better! Apart from GDPR compliance, we generally aim to adhere to best practices when it comes to data collection, as we genuinely care about user privacy and safety.

I have replied below:

On 10/02/21 11:56, Christian Pietsch wrote:
> Dear Maria,
>
> On Mon, Feb 08, 2021 at 11:15:43AM +0100, Maria Xynou wrote:
>> Importantly: You can opt-out of Countly and Firebase data collection by
>> disabling this in the Settings of your OONI Probe app.
> I'm afraid by the time users have found this opt-out, the app has
> already transmitted data to Google and Countly. This violates the
> GDPR. The GDPR also demands opt-ins for this kind of surveillance.

OONI Probe users opt-in to the collection of app usage metrics and crash reports in 2 cases:

1. During the initial onboarding process (where the user is informed of the collection of app usage metrics and crash reports, and they can opt in to this)
2. When we added app usage collection, a modal appeared for OONI Probe users, asking them if they want to opt-in to this (this modal also appeared for users updating from older versions)

If users have opted-in and they change their mind, they can always go back and opt-out through the settings of the app.

That said, your feedback made us realize that we should probably make the opt-in process more clear in the onboarding, which is why we worked yesterday on making relevant OONI Probe mobile and desktop app releases.

In the latest release:

* When you tap on "Change default settings" in the onboarding, you are taken directly to settings where you can opt in to app usage metrics and crash reports collection (it's disabled by default).
* We have removed Google Firebase Analytics entirely (it was previously used as a dependency to make the use of Crashlytics better).
* We have removed Countly crash reports collection from F-Droid (this was self-hosted).

>
>> We recently enabled Firebase because we were investigating several app
>> crashes that were not being displayed properly by Countly.
> This is not correct. According to the Ex0dus database, the OONI Probe
> app has included Google Firebase Analytics for many versions:
> https://reports.exodus-privacy.eu.org/en/reports/search/org.openobservatory.ooniprobe/
> The tracker you recently added is called Google CrashLytics:
> https://reports.exodus-privacy.eu.org/en/reports/163803/

What I meant is that we recently re-enabled Firebase Crashlytics, because:

* We realized that Countly doesn't do crash reporting well and we were unable to investigate crashes.
* We weren't able to collect crash reports in countries where we're blocked (when we were using the Countly self-hosted platform for crash reports).

While we agree that it's not optimal to use Google services from a privacy perspective, Google services are less likely to get blocked (due to the collateral damage that would cause).

Google Firebase Analytics was used alongside Google Firebase Crashlytics because that is the recommended way to use Crashlytics (see: https://firebase.google.com/docs/crashlytics/get-started?platform=android & https://firebase.googleblog.com/2020/09/crashlytics-analytics-together.html).

Yesterday we reviewed this more carefully, and concluded that since Firebase Crashlytics seems to work well without Firebase Analytics, we removed Firebase Analytics entirely from the latest OONI Probe mobile release (2.9.3).

That said, we would prefer to use an alternative (non-Google) analytics platform for crash reports, which is why we are temporarily using Sentry (https://sentry.io/) for collecting crash reports on mobile too. We're in the process of evaluating whether Sentry could serve as a replacement for Firebase Crashlytics, and we're also evaluating other open source, self-hosted options too (such as Acra recommended by Nathan).

It's worth noting that through the use of Countly (which is open source and self-hosted), Firebase Crashlytics, and Sentry, we do *not* collect any information that would enable us to identify users.

If you opt in to the collection of app usage metrics (which is not sent to Google, as we host this), we will collect aggregate app usage data (such as how many users tap on specific buttons), as this information can help us better understand user needs and improve the app. We do not collect the IP address of the user.

If you opt in to sharing crash reports with us, we will collect sanitized technical data which will help us understand why the OONI Probe app has crashed. We do not collect the IP address or a unique identifier of the user (though Google may collect this, which is why we would ideally like to replace Firebase Crashlytics).

All of this being said... the biggest risk to OONI Probe users is probably not the aggregate/sanitized collection of app usage and crash reports, but running OONI Probe itself: an investigatory tool specifically designed to expose internet censorship. For example, if a user runs OONI Probe in Iran, the biggest risk is probably the fact that their ISP can likely see that they're running OONI Probe, testing lots of censored/banned sites, and uploading test results to servers hosted outside of Iran.

We inform users about this risk during the onboarding, where we present users with a quiz that they have to answer correctly (demonstrating their understanding of potential risks), as a prerequisite to using the app and as part of practically acquiring their consent. We also link to relevant documentation (written based on extensive legal consultation) in the apps and on our website, and we discuss these risks during workshops/meetings/presentations and other community interactions.

>
>> We are not sure if we are going to keep Firebase in the long-run, but
>> it's difficult to investigate app crashes without proper reports.
>>
>> Do you have any suggestions for better tools to collect app crashes on
>> Android?
> Are you looking for a replacement for Google CrashLytics or Google
> Firebase Analytics or both? I can ask around on Twitter and in the
> Fediverse if you need advice.

Thanks, that would be very helpful! We have already removed Google Firebase Analytics (this was included as it was the recommended integration for Firebase Crashlytics), and so we're mainly evaluating replacing Google Firebase Crashlytics with an open source and privacy-preserving alternative.

>
>> You can learn more about OONI data practices through our Data Policy:
>> https://ooni.org/about/data-policy
> This document does not mention Google or Countly. This is another
> reason why your app violates the GDPR. In case you did not know, the
> GDPR is applicable law for anyone targeting EU users.

To be completely honest, I had no idea that specifying the analytics platforms was a GDPR requirement (this was not communicated to us when we received legal consultation, nor do I recall seeing this in the data policies of other organizations in our field).

The only reason why we didn't name the specific analytics platforms in our Data Policy was because we were trying out different solutions, and we weren't sure what we would keep. This is why we, instead, pointed to https://github.com/ooni/sysadmin, which includes details about our specific setup.

To ensure full transparency and clarity, I have updated OONI's Data Policy to include details about every analytics tool we use in the OONI Probe mobile app, OONI Probe desktop app, and ooni.org. You can view the updated version of the OONI Data Policy here: https://ooni.org/about/data-policy

Overall, we're mainly using open source, self-hosted analytics tools that users can opt in to, and we don't collect IP addresses.

We're looking into potentially replacing Firebase Crashlytics with something open source and privacy-preserving, and we're going to request further legal consultation with regards to GDPR compliance.

If you (or lawyers in your team) have any further feedback, we would greatly appreciate it! Feel free to follow up with us off-list.

Thanks so much for your time, and thanks for helping us to improve OONI Probe and our Data Policy.

Cheers,

Maria.

>
> Cheers,
> C:

--
Maria Xynou
Research & Partnerships Director
Open Observatory of Network Interference (OONI)
https://ooni.org/
PGP Key Fingerprint: 2DC8 AFB6 CA11 B552 1081 FBDE 2131 B3BE 70CA 417E

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk