This may be illegal in EU if they don't use opt in. ~~Even then it may be illegal for under 18 year olds to collect MAC addresses and disk serial numbers, as those can potentially be used for identification.~~
The data is anonymized, and the IP is NOT stored. So I'm not sure this violates GDPR?
From the code we can see the machine ID is anonymized, sending only a SHA256 checksum.
```python
import hashlib
import uuid


def get_hashed_device_id():
    # Read the machine ID
    with open("/etc/machine-id", "r") as f:
        machine_id = f.read().strip()
    # Hash the machine ID using SHA-256 to anonymize it
    hashed_id = hashlib.sha256(machine_id.encode()).digest()
    # Convert the first 16 bytes of the hash to a UUID (version 5 UUID format)
    return str(uuid.UUID(bytes=hashed_id[:16], version=5))
```
This makes it somewhat a nothingburger IMO.
That's not anonymous, that's pseudonymous.
What is the point of this? The machine-id already looks to be some unique random number, so you're calculating another unique random-looking number from that, might as well use the original number.
You can't glean any useful information from a unique random-looking number that would help with developing Manjaro. You can't calculate any statistics from that. The only use is tracking.
Edit: And as mentioned in my other comment, reversing the MAC SHA by brute force is trivial, so that one at least (and possibly the other hardware serial numbers they collect) shouldn't even be considered pseudonymous.
Nah, it's still considered Personal Data under GDPR, because it's possible to connect to natural persons. So GDPR applies. And this is illegal, there is no legal basis for processing this data.
> because it’s possible to connect to natural persons.
That's debatable, and is only based on the claim that it's just a 24bit decoding that can be brute forced. I don't know for a fact that it's true that it can be boiled down to 24bit.
I checked my own /etc/machine-id, and the folder doesn't even exist, so what exactly is supposed to be in it IDK. And yes I use Manjaro.
I edited my comment on your other reply and by my estimation, calculating every SHA256 of all MACs ever potentially issued takes less than 89 seconds on an RTX 3090.
I also think MACs are (or should be considered) personally identifiable information, since there is potentially a paper trail back to the person who bought it. Plus MACs are not secret information, it's broadcast on the LAN and for wireless modules over the air in the immediate vicinity (though some systems will randomize wireless MACs for privacy reasons). Privacy-unfriendly software has been known to collect MACs (even from other devices on the network and in the vicinity), so there are already databases connecting MAC addresses with other data.
Why do they need half that data for a derivative of a distro? Fuck off. I don’t care if someone collects the model number of my GPU or whatever but that sounds like personally identifiable tracking data, not basic “telemetry” data to set development priorities or whatever.
- users can be identified
- probably Opt-out (still in discussion)
Two nogos combined makes nonogogos. Why do they need host name, MAC address and disk serial numbers? Why can't people set how much they want to send in, like KDE Plasma does? Will the data be shown to the user before it's sent in? Steam does that perfectly (show data and it's opt-in) and that is even a proprietary application. Telemetry is okay if it's done right, without user identification, opt-in and not hiding what's sent, preferably in multiple levels of what is being sent.
I used Manjaro before and switched to EndeavourOS because I was not happy. Now I am. Manjaro can't stop being stupid (not the users, I'm not attacking any user here, only the maintainers or developers of Manjaro).
The way I read it, the developer wanted opt-out but it's likely it will be opt-in. I'm fine with opt-in and vehemently against opt-out for telemetry.
I would prefer the information was statistical only. Rather than hostname (making the assumption they only want hostname to be able to somehow separate the data to follow changes over time), a much better idea would be some kind of hash based on information unlikely to change, but enough information that it would be unlikely possible to brute-force the original data out of the hash. So all they know is, this data came from the same machine, but cannot ID the machine. Maybe some kind of unique but otherwise untrackable unique ID is created at install time and ONLY used for this purpose and no other.
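Added example, not part of any comment in this thread and not Manjaro's code: a sketch of the install-time random ID suggested in the comment above, next to the hashed machine-id scheme quoted earlier in the thread. The function names `telemetry_id`, `third_party_can_confirm` and `demo`, the file name `telemetry-id` and the sample machine-id are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import uuid


def hashed_device_id(machine_id: str) -> str:
    """Scheme quoted in the thread: unsalted SHA-256 of the machine-id, as a UUID."""
    digest = hashlib.sha256(machine_id.encode()).digest()
    return str(uuid.UUID(bytes=digest[:16], version=5))


def third_party_can_confirm(candidate_machine_id: str, reported_id: str) -> bool:
    """Unsalted and deterministic: whoever holds the input can re-derive the ID."""
    return hashed_device_id(candidate_machine_id) == reported_id


def telemetry_id(path: str, reset: bool = False) -> str:
    """Random per-install ID, derived from no hardware or OS identifier."""
    if not reset:
        try:
            with open(path, "r") as f:
                return str(uuid.UUID(f.read().strip()))
        except (FileNotFoundError, ValueError):
            pass  # missing or corrupt file: fall through and create a new ID
    new_id = str(uuid.uuid4())  # random, so there is no input to brute-force
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(new_id + "\n")
    return new_id


def demo(tmpdir: str) -> dict:
    machine_id = "0123456789abcdef0123456789abcdef"  # constructed sample value
    reported = hashed_device_id(machine_id)          # what the collector receives
    path = os.path.join(tmpdir, "telemetry-id")      # hypothetical location
    first = telemetry_id(path)
    return {
        "third_party_can_confirm": third_party_can_confirm(machine_id, reported),
        "random_id_stable": telemetry_id(path) == first,          # reports still group
        "reset_unlinks": telemetry_id(path, reset=True) != first,  # user can rotate
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

The random ID still groups reports from one install, so it remains a pseudonym; what changes is that it cannot be recomputed from the machine and the user can rotate or delete it.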
Another reason to hate Manjaro.
I tried Manjaro last year and I hated it.
Something about the distro would lock up my PC, it would freeze from time to time.
I disabled the standby/sleep function, but allowed my monitors to go into standby. But if I left my PC for an hour or two my screens would not wake up, different types and brands. I had so many issues with Manjaro and while speaking with a friend I told him I had moved over to Nobara but he was still on Manjaro. But then a few weeks later he mentioned he was running Nobara. Seems he also ditched it.
My brother's been injecting himself with Linux?