Spyware in SolydK


Post by solydk » 30 Apr 2020 09:48

What is the team's stance on spyware to be included in the future version of SolydK? What is SolydK's policy regarding all those "telemetries"? For me it's just a fancy name for spyware. What is your policy?

Re: Spyware in SolydK

Post by ilu » 30 Apr 2020 16:11

I don't know of any spyware in SolydXK images. We would immediately remove whatever component that is responsible.
We also try to the best of our knowledge to deliver a system image with all telemetry switched off. That's why we have configuration packages for Firefox.

But we can't say anything about the applications the user installs later. If the user installs Skype or uses Zoom s/he will not just have telemetry but spyware. Also the user can change settings and reactivate telemetry if s/he isn't careful.

If you have anything specific in mind you'll have to explain better: Which telemetry are you talking about? Which applications are you talking about?

Edit: I'm just now seeing your other post and I'm regretting I have answered at all. Nothing will come of this.

Re: Spyware in SolydK

Post by solydk » 30 Apr 2020 17:29

Thank you for your reply. I use SolydK for my daily driver. If you keep the policy up, then I will continue to use it. Although you pull packages from Debian. Debian follows upstream. And then ktelemetry happens in KDE Plasma 5.18. If you don't already know, it's unremovable. You just cannot uninstall this ktelemetry spyware. If you try you will break KDE and make the system unbootable. Plus I am not sure that, if you compile KDE without this telemetry, all software of the KDE Apps Compilation will work. It's a hard dependency, so not sure if you can remove it by compiling with special flags.

Reddit post was censored by KDE. I have a copy. Here it is. It's all true. Plus bear in mind that KDE provided a FAKE GUI for this. Regardless of user interaction with this GUI (slider to the left) the thing is still running and collecting data (your IP, geo etc). They engaged in the semantics that it is "opt-in". It isn't. You have to compile and you simply cannot "$ apt-get remove kdespyware". They also engaged in the tactic of naming it "kuserfeedback". Fancy name for spyware. User has nothing to do with it. They have no choice; it's constantly running in the background and collecting data. One thing more: they claim it uses only two places in the home folder (but it might not be true) to store obfuscated data.

Here is the reddit post that was removed by KDE (fortunately, I spotted it very soon and made a copy, lucky me):
KDE Plasma "kuserfeedback" collecting telemetry data even when disabled

Plasma 5.18 forced upon us a new software component called "kuserfeedback". This is what KDE have chosen to call their shiny new telemetry module. There's a gold rush for data happening, and KDE apparently can't resist the temptation to get on the gravy train.

Of course it is claimed that no private information will be collected. This is hard to argue, as inevitably the data will be tied to an IP address when submitted, and this is much stronger of an identifier than many would have us believe. "we will not use anything that would be considered personal data by common sense" says the privacy policy, and yet my home IP address is static, never changes and can geolocate me within a tight radius. Common sense says it's PII, especially when combined with other data and metadata. It's impossible for end users to ensure it's not utilized.

Besides, what's considered private information is not for KDE to decide. How I use my systems is private information to me. It's not secret, but it's private. If you don't know the difference there, you have no business handling data at all.

Currently, the collected data can be seen in .config/KDE/ and .config/kde.org/ in files starting with UserFeedback. This is happening while the functionality is supposedly "disabled". I assume that means only data transmission is disabled, which I haven't been able to verify, but then again I assumed that data collection was disabled as well. Inside the files there is information like how many times a Plasma component has been started, and for how long it's been used. Seems like absolutely useless information, for now anyway. Why even bother with this? Why go through all this trouble just to collect seemingly useless information? "We do not collect data preemptively or for exploratory research" the privacy policy says. Obviously this has been violated already in the first release.

The amount of information collected is bound to grow, it always does. No one can resist once they have their fingers in the cookie jar. A list of what's currently in the works can be seen here. We'll just be the frogs being brought up to a slow boil. We know this tune, have seen this show many times before. There's always a plan. The time for naivety on this has passed, years ago.

If the information is collected no matter what you choose in the settings, all that information will just sit there. Problem is, it's just one little "oopsie" away from being transmitted wholesale to KDE. One innocent bug that just happens to sell you out. Or a different application reading and transmitting it, along with who knows what else. User data protection on Linux blows. This information simply shouldn't exist.

To quote the KDE Telemetry privacy policy, "Privacy always trumps any need for telemetry data, no matter how legitimate." Well then, allow us to nuke this thing from orbit, because my need for privacy trumps your supposed needs. You said it yourselves.

Here are some obvious steps to take to make this better:

Make kuserfeedback an entirely optional component of Plasma. There is no excuse for not doing this, don't even try to tell us there's a good reason why Plasma can't function without this component, unless you intentionally design it that way.

Make sure NOTHING is collected when installed and disabled, not a single thing. This is very simple to ensure, if you wanted to.

Rename the module to ktelemetry. User feedback is what happens when we send you an email or write a post such as this one. Involuntary data collection is telemetry, and spying. Windows 10 has already seen to it that telemetry is synonymous with spyware. Call it what it is and spare us the Orwellian language. Your privacy policy calls it telemetry, so should the interface.

So I ask: Will any of this be done?

I have tried replacing kuserfeedback with a dummy package on Arch Linux. Plasma simply freezes during startup. No data for you, no Plasma for me.

It is hard to fathom why the KDE developers would want to gamble all the good will they've accumulated over the last few years, just to see how many times I've started up Plasma. Why was this implemented this way? What's the reasoning? Why make it mandatory? Why make it collect information even when disabled?

As you can tell, I don't even mention the option of just scrapping the whole telemetry project altogether, which would be the right course for a project supporting software freedom. I'm old enough to know that when these things are brought in by the powers that be, they're here to stay. Having to manually patch and build Plasma myself will be too much for me. I'll just leave it behind, and I'm sure I won't be alone. I had a mind to donate to KDE. Now I'm just staring at that huge Google logo on the KDE homepage with a bitter taste in my mouth.

Seriously disappointing.

I can only say this. And it may be amusing or not. But if you're intelligent you will understand:

How would you feel if I went to your house and installed cameras and microphones that would constantly monitor you and record everything you do? And I wouldn't even tell you? If you found out, would you try to remove it from your house (bedroom, bathroom, shower, living room, telephone)? Guess what? I would make sure you couldn't remove it. If you found out, I would tell you that it wasn't me, it was someone else.

-"Oh don't worry I do not spy on you"
-"But it's constantly recording"
-"No it isn't- you see it has your name on it: 'userhousefeedback'"
-"But its recording me"
-"You can turn it off- the cameras and microphones have a shiny slider"
-"I put the slider of the microphones and cameras to the left"
-"You see, I am not spying on you"
-"Are those cameras and microphones turned off?"
-"Yes they are"
-"But my uncle, who is an engineer, says they are still recording- those cameras and microphones"
-"No they don't, it's opt-in you know"
-"Oh so it's opt-in. So if it's opt-in how come it's still running, I didn't opt-in! When did I opt-in? I put the slider to off!?"
-"I don't see the problem"
-"But I do"
-"I don't like your tone"
-"**** off. Remove the spyware"
-"If you don't like it, nobody is forcing you to use The House"
-"But it's my house, I don't want spyware"
-"Look it doesn't send anything anywhere"
-"But they're constantly recording me"
-"You are rude. I am warning you, you are troll!"
-"Remove the spyware ASAP!"
-"If you don't like The House, then don't use the house, nobody is forcing you"
-"How do I uninstall it then?"
-"Rebuild the house, it's up to you"
-"What the ****? You want me to destroy My House? For **** sake! Just remove your **** microphones and cameras!"
-"You are a troll. You're banned!" 

Oh and my suspicion is this: lately a lot has been happening. A lot. MS became a platinum member of the Linux Foundation. Linux Foundation sponsors KDE. KDE gains spyware (after 20 years! of its existence). MS asks Stallman to make a speech in Redmond. Boom. Anti Stallman (false accusations, tone trolling/policing) is launched. Then of course they claim their software is "open source" (term explained by Stallman), but nobody has seen the source code of any MS crap. Bear in mind that this company is ugly as hell. They for example after 30 years run and patented kdesu/sudo. They sued 8x TomTom and via phoronix they promote MS products and ... exFAT (but nobody is promoting f2fs on usb sticks and root! Only one guy is trying to fix Debian, so we can utilize our SSDs to their full potential.). No, it's not a conspiracy theory. No. It's a fact. I am not blind.

One last thing. Manjaro is Ltd. (GmbH- it's a German company), and they refused to reveal who their sponsor is and where the money comes from. A secret donation has also been made to ElementaryOS (the infamous 1mln $- would you take it to include spyware and call it telemetry? Will you follow KDE and include this ktelemetry? You know money corrupts). Since Manjaro 20 (and 19) they have this telemetry and they will not remove it. I don't know for whom this Philip Muller works, but judging by the recent German Government document - Microsoft is a "threat to Germany". So maybe it's also the German govt/BND (their intelligence office). I don't know.
Edited by ilu to keep this readable and on topic. Nothing was deleted.

Re: Spyware in SolydK

Post by ilu » 30 Apr 2020 22:49

Well, I'm using SolydX and I know why.

It's either a plain system that just works - or it's a system with bells and whistles and whatever stuff is deemed necessary to provide those bells and whistles. It's YOUR choice. Don't use a system with KDE if you don't like their policy.

Anyway, as far as I know, SolydK does not contain Plasma 5.18. It's not in buster and not in bullseye. It hasn't even reached sid yet. I can't find a package named "kuserfeedback" anywhere on Debian, not even as part of another package. At least not with that name. But thanks for bringing this up, we'll watch out for it.

You don't need to be that combative. We know what privacy is and why we need it. I have edited your post to make it readable and to keep it on topic. For SolydK it's not relevant how Manjaro organizes itself. We also don't want to get into any Stallman debates.

We ARE interested in hearing about KDE telemetry though. We need to keep an eye on it.

Edit: KDE telemetry parameters are listed here: https://community.kde.org/Telemetry_Use

And the reddit thread is here https://www.reddit.com/r/kde/comments/f ... telemetry/, without the deleted OP. It confirms that switching telemetry off stops the data transmission. Whether the data is still collected locally or not remains unclear, the files in ~/.config/kde.org/ most probably only hold config data.

Collecting behavior data is not exactly new and it CAN be a problem even if it's not transmitted. That's the reason why I use neither Gnome nor KDE. Both desktops routinely store behavior data for "user convenience", but this has nothing to do with kuserfeedback. The Gnome component doing this is called "zeitgeist" and the KDE equivalent is "nepomuk". Both components don't transmit anything, they work locally only, so from a GDPR/privacy point of view, they are ok. Still, not my cup of tea, I don't need that kind of convenience. So, whoever feels the same, use SolydX. That's why we have it.
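
One way to check the open question in this thread, whether the `UserFeedback*` files under `.config/KDE/` and `.config/kde.org/` keep changing while the setting is off, is to snapshot them twice and compare. This is an added example, not part of any post or of KDE's code; it assumes the files are INI-style key/value text, and the function names are made up for the illustration.

```python
import configparser
from pathlib import Path

# Directories named in the quoted Reddit post, relative to the home directory.
FEEDBACK_DIRS = (".config/KDE", ".config/kde.org")


def snapshot(home):
    """Return {relative path: {"section/key": value}} for every UserFeedback* file."""
    result = {}
    for rel in FEEDBACK_DIRS:
        base = Path(home) / rel
        if not base.is_dir():
            continue
        for path in sorted(base.glob("UserFeedback*")):
            if not path.is_file():
                continue
            name = str(path.relative_to(home))
            # Assumption: the files are INI-style text; anything else is flagged.
            parser = configparser.ConfigParser(interpolation=None, strict=False)
            parser.optionxform = str  # keep key case exactly as stored
            try:
                parser.read_string(path.read_text(errors="replace"))
            except configparser.Error:
                result[name] = {"<unparsed>": "not INI"}
                continue
            result[name] = {
                f"{section}/{key}": value
                for section in parser.sections()
                for key, value in parser.items(section)
            }
    return result


def changed(before, after):
    """List (file, key, old, new) for every value that differs between two snapshots."""
    out = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, {}), after.get(name, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                out.append((name, key, old.get(key), new.get(key)))
    return out


if __name__ == "__main__":
    for name, values in snapshot(Path.home()).items():
        print(name)
        for key, value in values.items():
            print(f"  {key} = {value}")
```

Take one snapshot with the feedback slider off, use the desktop for a while, take a second, and pass both to `changed()`; an empty list means nothing in those files was updated in between.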

Re: Spyware in SolydK

Post by eselma » 01 May 2020 09:37

These days paranoia flies free...

