wire-webapp icon indicating copy to clipboard operation
wire-webapp copied to clipboard

Published 20 hours ago verified publisher icon wireapp

New, "anonymous" telemetry contains a tracking identifier and is enabled by default

Open bleetsheep opened this issue 4 years ago • 0 comments

Your Account Type

  • [x] Wire Pro Account

What is the expected behaviour?

When new data processing takes place based on consent, the user is asked (opt-in).
When new data processing takes place on another basis (opt-out), the user is informed about the data processing as per GDPR article 13(1):

the controller shall, at the time when personal data are obtained, provide the data subject with [various information about the processing]

Actual behaviour

https://github.com/wireapp/wire-webapp/pull/9556/files#diff-f5d532f11887b4763660a02cea44e276ff2dfe3d867e8098e0e08efac5d76f2dR70

It's not anonymous if it tracks your device.

Also, why is this conveniently hidden from the release notes? This was committed not so long ago, I see the default-enabled configuration option in production now, but the release notes mentions nothing about there being extra tracking with the latest version.

The privacy policy is similarly vague:

We process individual data about the use of Wire services in order to create anonymous usage statistics and crash logs. Insofar as personal data are processed for this purpose and your consent is required for processing, we will only process your data after you have given your consent (Art. 6 § 1 a) GDPR).

You don't need consent for anonymous data since it's not personally identifiable information. It doesn't fall under GDPR at all. But for anything that isn't anonymous, you need to either seek consent, or inform the user about the data processing if there is another legal basis for its processing. I have yet to be notified of last June's privacy policy update, let alone this additional non-anonymous tracking.

Since it is not anonymous, the application cannot legally track users without informing them of the data processing and (depending on whether you classify this as consent-based) perhaps giving their consent. Data collected up until this point of users who registered before the new privacy policy was in effect has not been obtained legally. I assume that means this data must now be deleted.

The defect in the application is that the tracking is enabled by default or that the user is not shown this information upon obtaining the personal data, depending on the classification. It should either seek consent or inform the user.

bleetsheep avatar Nov 11 '20 09:11 bleetsheep