Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rethink Scarf usage #352

Closed
2 tasks done
DanielHabenicht opened this issue May 8, 2020 · 11 comments
Closed
2 tasks done

Rethink Scarf usage #352

DanielHabenicht opened this issue May 8, 2020 · 11 comments
Labels
NOT a bug

Comments

@DanielHabenicht
Copy link

DanielHabenicht commented May 8, 2020
edited by orizens
Loading

Expected Behavior

I expect this dependency to not collect any of my (personal) data by default.

Actual Behavior

This package is using scarf with an opt-out functionality - not opt-in.
Thereby collecting the following information on each install:

  • installed packages (except @org scoped)
  • IP address (to track which company I am from)
  • operating system

Possible Solution

  • Make scarf opt-in.
  • Or Disable IP Tracking and disable reporting of other packages installed

It should at least be explained in the readme. There should be a note saying how to disable it before installation - as currently there is no way to opt-out of the first installation because the installing person simply does not know about the package.

Context

Even Google has made its usage statistics optional.
I understand that information like: "Which versions are currently used?" are of particular interested for package managers and I would let you track this kind of data (also with opt-out) - no problem.

But as you are also collecting information about the installed packages (Wherefore? Github already has a way less invasive function with "Used by") and part of who I am (IP Adress and Company info) - I don't quite get it. Please also be aware that this is likely putting you into the reach of GDPR laws because IP addresses and company affiliation are both likely to uniquely identify a person.

I love your work and I am using this package for years now. But still, I think before collecting data the reasons behind it and what they are used for should be explained. Also, the amount of data should be minimized.

Your Environment

  • Version used: 8.0.2
  • Browser Name and version: Chrome 81
@orizens
Copy link
Owner

orizens commented May 8, 2020

hi @DanielHabenicht
i'm happy to receive a pr that suggests to opt-out scarf.
i was inspired by https://github.com/tannerlinsley/react-table which is also using scarf - but havnt seen any option for opting out.

@aviaviavi
Copy link
Contributor

Hi, author of scarf-js here 👋 . I just wanted to clear up a few things brought up here:

  1. Scarf isn't actually storing IP addresses. We look up any business information associated with the IP address and then delete it the IP itself. All in all, Scarf is not storing any personally identifying information collected from package analytics.
  2. The Github "used by" section doesn't quite do the job of informing you who your commercial users are, but yes it does help. Most corporate repositories are not publicly hosted on Github, so this section misses the most important category - large companies using a project, who would be more likely to pay maintainers for support. Scarf fills in those gaps and offers additional around it in order to help maintainers financially support their work.
  3. Keep in mind, npm does collect quite a bit more already https://www.npmjs.com/policies/privacy#data. We're collecting a whole lot less (you can set SCARF_VERBOSE=true to see the exact payload we're sending, it's very small), and actually sharing that with the maintainers, which will ultimately lead to better-maintained software for everyone.

@orizens
Copy link
Owner

orizens commented Jul 1, 2020

@DanielHabenicht considering the above from @aviaviavi , scarf is doing less than npm.

@simon-jouet
Copy link

Hi,

Thanks for the great work on ngx-infinite-scroll.

I would like to add to this issue regarding the use of scarf, I'm currently running into problem installing my dependencies because scarf is failing with SyntaxError: Unexpected end of JSON input when installing ngx-infinite-scroll

It's a bit frustrating that, a dependency of a dependency is causing issues project-wide while it is itself not necessary. I tried to opt-out using the environment variable and modifying the package.json but it's still failing for now (need to keep looking into it).

EDIT: looks like SCARF_ANALYTICS=false npm install --scripts-prepend-node-path is allowing me to install the dependencies

Additionally to this, I'm not 100% convinced that the current behaviour is compliant with GDPR (for all European users) as consent should be explicitly given which isn't the case here. I'm personally not too fussed about it but I know some people are, and knowing that information are being sent would have been nice to know before running into troubles.

@aviaviavi
Copy link
Contributor

Sorry to hear this caused issues @simon-jouet. This bug was fixed a while ago but it looks like the scarf-js dependency in this repo is hard-coded to an old version. I can open a PR.

@aviaviavi aviaviavi mentioned this issue Sep 8, 2020
Merged
5 tasks
@orizens
Copy link
Owner

orizens commented Sep 9, 2020

#363 merged.
@simon-jouet please review and update this issue

@orizens
Copy link
Owner

orizens commented Dec 9, 2020

@simon-jouet does the pr #363 fixed this issue?

@simon-jouet
Copy link

@simon-jouet does the pr #363 fixed this issue?

Thanks, it does look like this solved it, we haven't run in any issues recently.

I think the GDPR point I raised previously might still be valid, I'm far from an expert on the matter but as far as I know consent must be explicitly given, which isn't that case here.

@orizens
Copy link
Owner

orizens commented Dec 9, 2020

@aviaviavi can you suggest how to let use opt out for scarf in ngx-infinite-scroll?

@aviaviavi
Copy link
Contributor

aviaviavi commented Dec 9, 2020
edited
Loading

Of course! scarf-js analytics is entirely optional too. As a user of ngx-infinite-scroll, you can always set SCARF_ANALYTICS=false in your environment before running npm install, or by adding an entry to your project's package.json:

// your package.json that depends on ngx-infinite-scroll
{
  // ...
  "scarfSettings": {
    "enabled": false
  }
  // ...
}

See https://github.com/scarf-sh/scarf-js#as-a-user-of-a-package-using-scarf-js-how-can-i-opt-out-of-analytics for more details about opting out of scarf-js analytics, it's entirely optional.

As for GDPR - We've discussed this GDPR concern extensively with Scarf's legal team. The current behavior of scarf-js is indeed GDPR compliant. As a Scarf user, @orizens is the legal agent collecting information about his package distribution, and Scarf acts as the data processor acting on his behalf. @orizens never has access to any personally identifying information from this telemetry (and neither does Scarf, we only store IP address metadata), so consent is not required. If we were providing @orizens with raw IP addresses or any other PII, it would be a different story entirely, but that is not the case here. None of the data stored by Scarf or provided to @orizens through Scarf is subject to regulations that require him to obtain explicit consent.

@orizens
Copy link
Owner

orizens commented Dec 9, 2020

thank you @aviaviavi
@simon-jouet does that answer your question?

@german-e-mas german-e-mas mentioned this issue Aug 25, 2022
Merged
@german-e-mas german-e-mas mentioned this issue Jan 17, 2023
Merged
@gbmeow gbmeow mentioned this issue Mar 17, 2023
Closed
@orizens orizens closed this as completed Jun 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NOT a bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@simon-jouet @orizens @aviaviavi @DanielHabenicht