The Linux Foundation has introduced a new policy around the collection and usage of telemetry data, which may have far-reaching implications given the number of projects under the Linux Foundation’s tutelage to which the policy will apply. The new policy defines telemetry data as “data about how the software is used or performing” — as opposed to aggregate data, such as the number of downloads of a piece of software that can be collected outside of the software itself — and now any collection of such data must “undergo a detailed review of the proposed Telemetry Data and collection mechanism.”

Beyond individual projects hosted by the Linux Foundation, such as Ceph, Rook, and Etcd, the foundation is also host to a number of other sub-foundations, including the Cloud Native Computing Foundation, the OpenJS Foundation, and the Continuous Delivery Foundation (CDF), the last of which took up the topic of its adoption in its most recent technical oversight committee (TOC) meeting.

In the meeting, which took place a day after the new policy was unveiled, Dan Lopez, speaking as a representative of the Linux Foundation, explains to the CDF TOC the origins of the policy and that it will apply to all projects, regardless of what telemetry collection they had been doing up until this point. The policy itself makes this clear, stating that “by default, projects of the Linux Foundation should not collect Telemetry Data from users of open source software that is distributed on behalf of the project.”

“All Linux Foundation projects will fall under this for many reasons. […] It’s my understanding that there’s not going to be any grandfathered technologies or projects that are allowed to continue down a path of telemetry gathering without review,” said Lopez. “There’s a lot of concerns that have come to the Linux Foundation around privacy behind the firewall type of security issues and even [personal identifiable information] floating about. We need to get that under control as well as compliance with other policies out there, like GDPR.”

In the ensuing discussion, Andy Glover, CDF TOC member and Spinnaker representative, mentions that the project had been discussing how to introduce telemetry data collection into Spinnaker, to which Lopez responds “that was not a coincidence, Andy — this kind of policy was driven by us finding out how to do the Spinnaker data collection correctly.”

The new Linux Foundation policy includes a number of points around which any new telemetry data collection will be considered by the foundation’s legal team, such as what data will be collected, how users are notified and consent is acquired, how data is stored, the security around such data, and that data’s anonymization.

The Linux Foundation wasn’t the only one talking about telemetry data collection and usage this month, as GitLab had also previously said that it would begin collecting new data by inserting JavaScript snippets that would interact with both GitLab and a third-party SaaS telemetry service. The telemetry collection was to be opt-out, rather than opt-in, with telemetry data collection to be turned off on a per-user basis by way of the Do Not Track (DNT) mechanism in web browsers. This point was one of contention among many GitLab users, however, and the company last week offered an update, saying “We’ve heard your concerns and questions and have rolled back any changes to our Terms of Service. We’re going to process the feedback and rethink our approach. We will not activate user level product usage tracking on GitLab.com or GitLab self-managed before we address the feedback and re-evaluate our plan.”

The Linux Foundation is a sponsor of The New Stack.

Feature image via Pixabay.