← Back to context

Comment by swyx

1 day ago

could you point me to what jurisdictions require analytics opt in esp for open source devtools? thats not actually something ive seen as a legal requirement, more a community preference.

eg ok we all know about EU website cookie banners, but i am more ignorant about devtools/clis sending back telemetry. any actual laws cited here would update me significatnly

4 comments

swyx

Reply
47282847  5 hours ago

GDPR is not about cookies but about privacy in general. It’s an easy read, and yes, it applies to software and telemetry as much as it applies to websites and cookies, and it applies to anyone providing services and tools to Europeans.

"Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."

gpm  1 day ago

I mean, you've labelled one big one already with the GDPR covering a significant fraction of the world - and unlike your average analytics "username and email address" sounds unquestionably identifying/personal information.

Where I live I think this would violate PIPEDA, the Canadian privacy law that covers all business that do business in any Canadian province/territory other than BC/Alberta/Quebec (which all have similar laws).

There's generally no exception in these for "open source devtools" - laws are typically still laws even if release something for free. The Canadian version (though I don't think the GDPR does) has an exception for entirely non-commercial organizations, but Bloop AI appears to be a commercial organization so it wouldn't apply. It also contains an exception for business contact information - but as I understand it that is not interpreted broadly enough to cover random developers email addresses just because they happen to be used for a potentially personal github account.

Disclaimer: Not a lawyer. You should probably consult a lawyer in the relevant jurisdiction (i.e. all of them) if it actually matters to you.

  • generalizations  1 day ago

    > GDPR covering a significant fraction of the world

    > privacy law that covers all business that do business in any Canadian province

    A random group of people uploaded free software source code and said 'hey world, try this out'. I wish the GDPR and the PIPEDA the best of luck in keeping people from doing that. (Not to actually defend the telemetry, tbh that's kinda sleezy imo.)

    • gpm  1 day ago

      I mean, those are merely the two countries privacy laws I'm most familiar with. The general principal of "no you can't just steal peoples personal information" is not something unique to the ~550 million people the laws I cited cover.

      And the laws don't prevent you from uploading "random" software and saying "try this". They prevent you from uploading spyware and saying "try this". Edit: Nor does the Canadian one cover any random group of people, it covers commercial entities, which Bloop AI appears to be.