GNOME Bugzilla – Bug 750192
gnome-contacts maps widget leaks sensitive data
Last modified: 2018-01-19 18:37:27 UTC
When displaying information for a contact on gnome-contacts 3.16 it always tries to load a map. To do that it connects to proxy.gnome.org and some server at akamai.net, in my case a1158.g.akamai.net. According to German law this is illegal: you must not give any data related to a person (in this case: address) to any third party without asking the user first. I am not a lawyer, but I think leaking data to proxy.gnome.org could be OK. It is not for akamai.net servers.
(In reply to Christian Stadelmann from comment #0)
> When displaying information for a contact on gnome-contacts 3.16 it always
> tries to load a map. To do that it connects to proxy.gnome.org and some
> server at akamai.net, in my case a1158.g.akamai.net.
> According to German law this is illegal: You must not give any data related
> to a person (in this case: address) to any third party without asking the
> user before. I am not a lawyer, but I think leaking data to proxy.gnome.org
> could be ok. It is not for akamai.net servers.

Akamai is a CDN, so libchamplain, which is what we use to query, is probably querying some services using it. On the other hand, we're just asking for the coordinates of an address; we're not sending in any way to whom that address is related, so basically we're not leaking any personal data. Anyhow, for further information on the subject, I'll CC the expert on the subject.
An address is considered personal data by German law in some cases. It is even without sending the name along. And Akamai is a third party, so the problem persists. So this is a bug and it is not resolved.
(In reply to Christian Stadelmann from comment #2)
> An address is considered personal data by German law in some cases. It is
> even whithout sending the name along. And Akamai is a third party, so the
> problem persists.
> So this is a bug and it is not resolved.

So, yeah. We have nominatim.gnome.org as a proxy; it will send the query along to nominatim.openstreetmap.org, a third-party site. So we will send the address of your contacts to the OpenStreetMap geocoding server. We want to ask it which lat/lon corresponds to the address of your contact. So according to German law we need to ask the user for permission to send the contact's address to OpenStreetMap? Is that correct?
As far as I understand (I am not a lawyer) we need to do so, yes. It has to be asked when running gnome-contacts for the first time. Alternatively there could be an option to not load maps.
I have sent a mail to the foundation board, hoping we can have someone look into this. I guess Clocks / Weather would be in a similar situation? Sending your lat/lon to openstreetmaps and getting the name of a city back.
Or I guess that is covered by the Location Services privacy setting in gnome-control-center? Is this as well?
(In reply to Christian Stadelmann from comment #4)
> As far as I understand (I am not a lawyer) we need to do so, yes. It has to
> be asked when running gnome-contacts for the first time.
> Alternatively there could be an option to not load maps.

I cannot possibly imagine why it is unlawful to ask a server for the coordinates of a random address. Or why I should warn the user about it. Remember, the server can only see an address, not related to anyone. We should ask a lawyer. This is not even the case of Maps, or Weather, or Clocks, where the user advertises their own geographical position.
Yes, I think Clocks/Weather could be in a similar situation. I don't use these apps.

The juridical situation as I was taught in a course on (data) privacy at a major German university: sharing *personenbezogene Daten* is illegal in Germany, with 2 exceptions.
1st exception: there is a law which allows sharing this data in a specific context (e.g. medical records, fiscal authorities, …)
2nd exception: the "data subject" has given their consent.

In practice *personenbezogene Daten* means any data related to any person which could possibly be used to identify this person. This includes postal address, IP address, name, email, phone number, MAC address, …. In my opinion "postal address" includes coordinates generated from a postal address.

You can read the law at
http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html (English)
http://www.gesetze-im-internet.de/bdsg_1990/BJNR029550990.html (German)
The most relevant part is section (§) 4 (1).
Re comment #8: so this looks like a nice law "in theory" and impossible to apply in practice without changing a whole industry and being a PITA to users who will click "yes, whatever" anyway because it breaks the app otherwise. And think of all the apps out there that do a regular version/update check: Firefox, LibreOffice, SparkleShare, Pitivi, Chromium… according to what you're mentioning here, such apps are infringing, as initiating a connection to a server means your IP address is theoretically traceable and Big Brother is watching you and analyzing your behavioral patterns…
Re comment #9: no matter what the law is, I don't want applications I use to leak sensitive data. I consider this sensitive data. Version checks are quite different: they only happen once in a while and do not have to contain any *personenbezogene Daten* except your IP address. And if you are using your favorite Linux distribution, the distribution will do version checks for you. A browser obviously needs to connect to the internet, so this is implicitly allowed. If those apps (e.g. Chromium) contain a unique ID when checking for updates, that is illegal too.
Let's not talk about German law here. Let's talk about the problem of leaking data when the user does not want this to happen. GNOME should indeed make it convenient for users to get control over whether addresses are sent out or not. We have this nice privacy settings panel now. It might be the most straightforward solution to offer a toggle button which controls whether to show the map or not. In my GNOME 3.14 there is already a maps-related setting: Location Services. So it might very well fit there, too.
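To make the two technical points of this thread concrete (comment #3: only the address, not the contact's name, is sent to the geocoding proxy; comment #11: the lookup should be gated by a privacy toggle), here is an added example. It is not gnome-contacts or libchamplain code. It builds the request a Nominatim-style search endpoint would receive and audits which contact fields appear in it. The proxy URL, the `share_addresses_with_geocoder` setting name and the sample contact are assumptions for illustration only.

```python
"""Consent-gated geocoding request builder with a data-minimisation audit.

Added example, not project code. Demonstrates (1) that a geocoding query can
carry the postal address alone and (2) that no request is built unless the
user has opted in, mirroring the privacy toggle proposed in the bug thread.
"""
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed proxy endpoint; the thread names nominatim.gnome.org as the proxy
# but does not document its API. The "search" path and "q"/"format" params
# follow the public Nominatim search API.
GEOCODER_URL = "https://nominatim.gnome.org/search"


@dataclass(frozen=True)
class Contact:
    full_name: str
    email: str
    phone: str
    postal_address: str


@dataclass(frozen=True)
class PrivacySettings:
    # Hypothetical setting name, in the spirit of the Location Services toggle.
    share_addresses_with_geocoder: bool = False


def build_geocode_request(contact: Contact, settings: PrivacySettings) -> Optional[str]:
    """Return the URL that would be fetched, or None if nothing may leave the machine.

    The request carries only the postal address: no name, email or phone.
    """
    if not settings.share_addresses_with_geocoder:
        return None  # user has not consented: no network request at all
    address = contact.postal_address.strip()
    if not address:
        return None  # nothing to geocode
    params = {"q": address, "format": "json", "limit": 1}
    return f"{GEOCODER_URL}?{urlencode(params)}"


def fields_leaving_machine(url: str, contact: Contact) -> Set[str]:
    """Audit helper: which of the contact's fields appear in the outgoing query?"""
    query = parse_qs(urlsplit(url).query)
    sent = " ".join(v for values in query.values() for v in values)
    candidates = {
        "full_name": contact.full_name,
        "email": contact.email,
        "phone": contact.phone,
        "postal_address": contact.postal_address,
    }
    return {name for name, value in candidates.items() if value and value in sent}


def uses_tls(url: str) -> bool:
    """True when the request would go out over https."""
    return urlsplit(url).scheme == "https"


if __name__ == "__main__":
    # Constructed sample contact (fictitious data).
    erika = Contact("Erika Mustermann", "erika@example.org",
                    "+49 30 0000000", "Heidestraße 17, 51147 Köln")
    print(build_geocode_request(erika, PrivacySettings()))  # None: not opted in
    url = build_geocode_request(erika, PrivacySettings(share_addresses_with_geocoder=True))
    print(url, uses_tls(url), fields_leaving_machine(url, erika))
```

The audit function is the part worth keeping around: run it against whatever request builder an application actually uses, and it tells you whether anything beyond the address (for example the display name) is being serialised into the query.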
Is the data sent over TLS?
@Michael Catanzaro: Yes, data is sent over TLS (checked with wireshark)
> GNOME should indeed make it convenient for users to get control over whether addresses are sent out or not. +1
Hey everyone! I just landed commit b499b30 on master which allows you to disable the map feature at compile time. Is this good enough of a solution (for now)?
(In reply to Niels De Graef from comment #15)
> Is this good enough of a solution (for now)?

I don't think so. It's enabled by default, so it's unlikely that distros will choose to disable it.
(In reply to Michael Catanzaro from comment #16)
> (In reply to Niels De Graef from comment #15)
> > Is this good enough of a solution (for now)?
>
> I don't think so. It's enabled by default, so it's unlikely that distros
> will choose to disable it.

Actually, rereading this issue, I think it is good enough. GNOME itself probably does not need to be concerned with the issue described in the first comment. Use of CDNs such as Akamai is standard business practice in the United States and, since TLS is being used, I doubt it would be reasonable to consider CDN use to be a leak of sensitive information. The compile flag allows German distributions to turn it off if they need to do so. If there is still concern that German law may be relevant to the GNOME Foundation (which I find doubtful), the best way to proceed would be to raise it with the board at <board@gnome.org>. They can ask our legal counsel about the extent to which this could be a problem.
I've thought about this a bit longer, and I agree with Michael that the compile flag is "good enough". Another somewhat similar example is from fwupd, on the choice of sending firmware update results back to the manufacturer [1]. Closing this as FIXED.

[1]: https://blogs.gnome.org/hughsie/2018/01/10/phoning-home-after-updating-firmware/
I would have raised this to the board, but as of https://bugzilla.gnome.org/show_bug.cgi?id=765274#c5 and de836fe, the maps widget will be removed soon and addresses will be opened in gnome-maps instead as suggested in bug #792694.