
Introduce Privacy Respecting Analytics/Opt Out of Analytics

Open Kotonohaa opened this issue 9 months ago • 5 comments

Stremio Version: Stremio on all platforms

Is your feature request related to a problem? Please describe.
Stremio uses Google Analytics and Microsoft crash analytics, and it can be seen by using DNS or AdGuard or any adblocker. Now this isn't good, since privacy-focused people wouldn't like their data of what show they watch, or any kind of data, sent to Google and Microsoft.

Describe the solution you'd like
Stremio to introduce privacy-respecting analytics; using Google Analytics and Microsoft crash analytics for its apps seems sketchy, that's why it will be better for both privacy-focused users and Stremio's users in general.

Describe alternatives you've considered
To put the option of opting out of the analytics in settings.

Additional context
This is something which I think would be amazing if even one of those options gets pushed for Stremio.

Kotonohaa, May 01 '24 13:05

+1

celenityy, May 01 '24 13:05

What is sketchy in using Microsoft crash analytics for apps? Looks like you are referring to the mobile app; you can disable this in the app settings.

TRtomasz, May 13 '24 12:05

What is sketchy in using Microsoft crash analytics for apps? Looks like you are referring to the mobile app; you can disable this in the app settings.

Microsoft is a notoriously privacy-invasive company. Users may not trust or feel comfortable giving them data. I see the option to disable crash reports for the mobile app, but what about the desktop apps? And what about Google Analytics? @TRtomasz

celenityy, May 13 '24 14:05

We do not use Microsoft Crashlytics for the desktop app; we use Sentry there.

TRtomasz, May 16 '24 11:05

We do not use Microsoft Crashlytics for the desktop app; we use Sentry there.

@TRtomasz Thanks for clarifying, but Sentry isn't much better...

All that we're really asking for at the end of the day is just a way to disable this form of tracking. It doesn't seem possible to disable Google Analytics on any platform, and it doesn't seem possible to disable the Sentry crash reporting on desktop either.

celenityy, May 16 '24 13:05

@TRtomasz Is there a reason you're closing this as not planned without any comment?

Will it at least be considered to allow disabling Google Analytics? It is very likely in violation of the GDPR to not give users control of this...

Not to mention Google Analytics is even illegal in various jurisdictions due to its privacy invasive nature.

celenityy, Oct 09 '24 18:10

@celenityy we will add a setting for GA in our web app. Other apps use analytics only for Crashlytics, so we are not collecting any user-identifying data.

TRtomasz, Oct 11 '24 13:10
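As an added illustration of the kind of web-app setting discussed above (example code written for this page, not Stremio's own implementation): a consent gate for gtag.js in which analytics stays off until the user opts in. The measurement ID `G-XXXXXXXXXX` and the localStorage key `analytics-consent` are placeholders; the `window['ga-disable-<MEASUREMENT_ID>']` switch and the Consent Mode `consent default` command are Google's documented mechanisms, and the example relies on nothing else.

```javascript
// Added example, not Stremio's code: a consent gate for Google Analytics (gtag.js)
// in a web app. The tag is never loaded until the user has opted in, the Consent
// Mode default is pushed before any config call, and Google's documented
// window['ga-disable-<MEASUREMENT_ID>'] switch is set whenever the user has
// opted out, so a tag that is already in the page stops sending hits.
// Assumed values (placeholders, not the project's real ones):
const MEASUREMENT_ID = 'G-XXXXXXXXXX';      // placeholder GA4 measurement ID
const CONSENT_KEY = 'analytics-consent';    // hypothetical localStorage key
const GTAG_SRC = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;

// Read the stored choice. Anything other than the literal 'granted' (missing,
// corrupted, or storage blocked by the browser) fails closed to 'denied'.
function readConsent(storage) {
  let value = null;
  try {
    value = storage.getItem(CONSENT_KEY);
  } catch (err) {
    // Private mode / disabled storage: treat as no consent.
  }
  return value === 'granted' ? 'granted' : 'denied';
}

// The gtag() calls a consent gate emits, in order. The Consent Mode 'default'
// command comes first so the tag knows the user's choice before it is
// configured; 'js' and 'config' are only emitted when consent was granted.
function buildGtagCommands(consent) {
  const commands = [
    ['consent', 'default', { analytics_storage: consent, ad_storage: 'denied' }],
  ];
  if (consent === 'granted') {
    commands.push(['js', new Date()]);
    commands.push(['config', MEASUREMENT_ID]);
  }
  return commands;
}

// Apply the stored preference to a window/document pair. Returns a summary so
// the caller can check what happened without inspecting the DOM.
function applyAnalyticsPreference(win, doc) {
  const consent = readConsent(win.localStorage);
  const disableKey = 'ga-disable-' + MEASUREMENT_ID;

  // Opt-out switch honoured by gtag.js itself; true means drop every hit.
  win[disableKey] = consent !== 'granted';

  // gtag.js reads `arguments` objects from dataLayer, so push them through a
  // real gtag() shim rather than as plain arrays.
  win.dataLayer = win.dataLayer || [];
  const gtag = function () { win.dataLayer.push(arguments); };
  const commands = buildGtagCommands(consent);
  for (const cmd of commands) gtag.apply(null, cmd);

  // Inject the tag only after opt-in, and only once.
  let scriptInjected = false;
  if (consent === 'granted' && !doc.querySelector('script[src="' + GTAG_SRC + '"]')) {
    const script = doc.createElement('script');
    script.async = true;
    script.src = GTAG_SRC;
    doc.head.appendChild(script);
    scriptInjected = true;
  }
  return { consent, disabled: win[disableKey], scriptInjected, commandsPushed: commands.length };
}

// Handler for a settings toggle: persist the choice, then re-apply it.
function setAnalyticsConsent(win, doc, granted) {
  win.localStorage.setItem(CONSENT_KEY, granted ? 'granted' : 'denied');
  return applyAnalyticsPreference(win, doc);
}

// In the page: run once at startup, before any other analytics code.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyAnalyticsPreference(window, document);
}
```

The important property is that the default is off: a fresh profile, a cleared storage, or a browser that throws on storage access all land on `denied`, and the tag script is never fetched, so no request reaches Google until the user flips the toggle. Revoking consent later cannot unload a script that is already in the page, which is why the `ga-disable` flag is set as well.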

@TRtomasz

we will add a setting for GA in our web app

Great news, thank you!

Other apps use analytics only for Crashlytics, so we are not collecting any user-identifying data.

I disagree with your assertion that Crashlytics isn't collecting identifiable data.

From Google's Data processing information Page:

[image: Crashlytics data processing information table]

Multiple unique identifiers, specific OS info, device specs, etc...

I'm not sure how all of this wouldn't be considered identifiable data.

IANAL, but my understanding is that this is also in violation of the GDPR by not giving users consent.

Will it please be considered to at least also allow disabling Crashlytics?

celenityy, Oct 13 '24 18:10

Under GDPR, consent is only one of a few lawful grounds to collect data.

Additionally, the effort needed to identify an individual should be proportionate to the sensitivity and value of the information, and in this case this is just a crash report. Also, we do not create a match between the Firebase ID and our information about the user, so we have no way to identify any individual based on a crash report or Firebase ID.

TRtomasz, Oct 13 '24 21:10

Under GDPR, consent is only one of a few lawful grounds to collect data.

I'm by no means pretending to be a legal expert... but have you or your team actually read through the GDPR? Particularly Article 6 is relevant here.

Processing shall be lawful only if and to the extent that at least one of the following applies:

*   the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
*   processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
*   processing is necessary for compliance with a legal obligation to which the controller is subject;
*   processing is necessary in order to protect the vital interests of the data subject or of another natural person;
*   processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
*   processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Which of these exactly does Crashlytics fall under? 🤔 Let's break this down I suppose, one by one:

  • Well, you're not asking for consent... or even giving the users an option to disable this. :/
  • Crashlytics is certainly not necessary for Stremio to function.
  • No legal obligations are tied to this.
  • Not necessary whatsoever to protect Stremio's vital interests
  • Nope, this data only benefits Stremio, the business, certainly not public interest.
  • Already ruled this one out; Crashlytics is not necessary for Stremio to function or any of its legitimate interests. This data being collected also directly harms the rights, freedoms, & interests of users, as it is sending personally identifiable information to an advertising company...

In fact, if you still don't think the data you're collecting is identifiable... let's look at Article 4.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (1), location data (2), an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity (3) of that natural person;

  1. As I detailed above, we know Crashlytics is collecting multiple Unique IDs: the RFC-4122 UUID, the Crashlytics installation UUID, the Firebase Installations ID, & the Firebase Session ID. What else would you define these as if not identification numbers?

  2. Users' IP addresses are also being sent with these reports to Google, which reveals general location (and also acts as another unique identification number... :/). Crashlytics above also mentions collecting the timestamp of when the crash occurred, meaning locale/timezone is also being sent.

  3. Revealing the specific phone model & specs can potentially reveal one's economic status. For instance, it could be inferred that a user with a Pixel 9 Pro is likely in a better financial situation than one with a ~15-year-old ZTE Android phone?

I'll even give you an example of how this could be used for tracking in real-time.

Let's say I'm using Stremio (We'll say I'm on a Pixel 6 for this), doing my thing... and it crashes, sending the data to Google, without giving me a choice. I'm annoyed, but fine, I'll just go on with my day. I decide to work on my projects, but I have to look something up. I use Google... and now I'm seeing an advertisement for the Pixel 9, with a special trade-in deal for my Pixel 6, at a store just down the street!

This isn't farfetched at all based on the info you're giving Google here. IP Address is a strong vector alone, revealing my general location (How Google could locate the store near me & find the special deal in this example) & allowing my activity to be linked across devices (Why it showed up later when I did research in this example). It also reveals I'm running a fairly old phone (How Google found the trade-in deal for the specific phone model in this case)... but not only that, one that's crashing!

This example is of course a hypothetical, but it is a very real (& with Google's track record, I'd even argue likely) possibility of what could happen with this data you're sending off.

So, what now? I've explained how the information is in fact considered personally identifiable as defined under Article 4 of the GDPR, I've given an example of how it could be used for tracking, and I've demonstrated how you're not collecting it for legitimate interest as defined under Article 6 of the GDPR.

I tell you what, ignore the GDPR & everything I said above. I'll give you an even better reason to support disabling Crashlytics: it's the right thing to do. This isn't effective at building goodwill with your community & attracting people to your product.

I personally don't think Stremio (or any other app) should've ever even considered adding Google Analytics or Crashlytics in the first place - The least you could do is simply make a toggle to disable it. I appreciate you doing this for Google Analytics itself - but Crashlytics is still an issue. Google gives simple instructions on making it opt-in here. But again, even having an opt-out option would be a huge step in the right direction. Just some way to disable this tracking in this otherwise legitimately great app would be awesome.

celenityy, Oct 14 '24 06:10

The last one is 'legitimate interests'. We need it to detect bugs and issues in the app so we deliver a bug-free and performant app, especially when we release new versions. And as I wrote earlier, under GDPR there must exist a cost-effective method. Additionally, the effort needed to identify an individual should be proportionate to the sensitivity and value of the information. There is no other way to identify a user based on the Firebase installation ID (the other IDs mentioned in Google's documentation are per session or per crash) than:

  1. Someone gets access to Google's servers and obtains a list of Firebase installation IDs
  2. Gets access to multiple phones, roots them or uses something like Frida Gadgets to extract the Firebase ID
  3. Now he can identify a user based on the Firebase ID

As I wrote, we do not make any connection between the Firebase ID and the user account in our system, so are you sure this is a cost-effective method? Regarding IP addresses, I didn't find anything saying that Crashlytics collects IP addresses. Also, before using the app, either by creating a user account or even when using it as a guest, the user has to agree to our privacy policy - https://www.stremio.com/privacy

TRtomasz, Oct 14 '24 08:10

The last one is 'legitimate interests'

Right, but it does specify except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. I would argue this is a case where the privacy of users (Not giving identifiable data to an ad surveillance company) does outweigh Stremio's interest of growing their business & improving revenue.

We need it to detect bugs and issues in the app so we deliver bug free and performant app, especially when we release new versions.

While I understand your reasoning here... I still don't see why there can't be an option to disable it?

I would also argue that adding an unnecessary third party library (Crashlytics) in fact makes the app less performant... but I digress.

I think you should also keep in mind that behavior like this actively discourages users from contributing to Stremio & reporting bugs. As you can tell by my contribution graph, I myself am an active contributor to apps I use and care about. Users like me are exactly who you want to attract. Adding mandatory tracking libraries like this though simply drives people like me away, and causes at least me personally to have no interest in contributing.

There is no other way to identify a user based on the Firebase installation ID (the other IDs mentioned in Google's documentation are per session or per crash) than:

I've already explained how this isn't the case though, and even gave an example of how this data could actually be used for tracking. The information being collected could absolutely be used to fingerprint and uniquely identify a user.

Someone gets access to Google's servers and obtains a list of Firebase installation IDs

So you do acknowledge Google can uniquely identify users through this data? I guess we agree then?

As I wrote, we do not make any connection between the Firebase ID and the user account in our system, so are you sure this is a cost-effective method?

The problem isn't your system though, it's not about Stremio itself. You're giving this data to a third party, Google. It's out of your hands how Google handles this data or what they do with it. You have no way to verify any claim Google makes, and to make things worse, let's be honest here, Google isn't exactly known to respect users' privacy... In fact, as outlined in that article, Google has been fined hundreds of millions of dollars for violating the GDPR & other laws.

To reiterate, I have no problem trusting Stremio. I do not believe you are tracking users yourself. Rather, my concern is with you giving this data to Google, a company known to illegally track users and sell data, and without giving users any way to opt out of it. Do you not see my concern here?

Regarding IP addresses, I didn't find anything saying that Crashlytics collects IP addresses.

It's fundamentally how the internet works. If I make a connection to crashlytics.com, there's no way around it; I'm giving my IP address to Google.

I do want to say thank you for your time @TRtomasz & being open to chat about this; and I do hope you are willing to reconsider this. Like I said above, I don't think that simply adding a toggle to disable this crash reporting is too much to ask. Stremio is a great app, and I thank you for your work on it. I'm here talking to you about this because I want the app to do well, and I want to be able to use it & recommend it to others. Adding this mandatory tracking though is a deal-breaker for me & many others.

celenityy, Oct 15 '24 02:10