# Fedora Linux **User** Privacy Expectations

Fedora Linux tries to protect your privacy. There is no built-in telemetry or collection of data about user behaviour. All packaged applications must strive to protect user privacy. FIXME: should the Packaging Guidelines require a check for data sharing?

This document describes private data exposure and data collection practices relevant to a user of an installation of Fedora. It does **not** cover interacting with the project as a contributor (i.e. anything that would require registering an account in the Fedora infrastructure), nor does it cover participation in conferences or other events related to Fedora (see https://fedoraproject.org/wiki/Legal:PrivacyPolicy instead).

Nevertheless, when interacting with the web, some information about the installed system and the users on that system is shared. Also, the distribution contains tens of thousands of packages from different authors, and the behaviour of some components may not conform exactly to this policy. If a discrepancy is found, it will be treated as any other bug: either some component or the default settings for that component will be adjusted, or this policy document will be amended. Thus, the policy described here must be understood to be a best-effort description, not an absolute promise.

Please report any issues with the policy at https://TBD.

### Local accounts, passwords, and telemetry

Information about local accounts is not sent outside of the machine.

This is mentioned explicitly to avoid confusion between a Fedora Linux **user** account (a local affair) and Fedora Linux **contributor** accounts (https://accounts.fedoraproject.org/, https://bugzilla.redhat.com/, Matrix and IRC handles, etc). Those external accounts are generally only necessary to perform *contributions* or ask questions. Browsing the online documentation, project wiki, package descriptions, and mailing lists does not require an account.

As an exception, it is also possible to join the machine to a federated login database (LDAP, Kerberos). In that case, login information is obviously shared with those servers.

In general, no information about the way that the user interacts with the machine is collected (apart from local logs). Some exceptions are listed below.

#### Integration with third-party accounts

Desktop environments optionally integrate with third-party online services. For GNOME, this is "Online Accounts", https://wiki.gnome.org/Projects/GnomeOnlineAccounts . For KDE, FIXME.

To opt out, simply don't configure any accounts.

### Information collected about crashing software

Whenever a program crashes, information about the event is logged on the local system. For programs which are part of the distribution, by default, *an offer* to report information about the crash to [Red Hat Bugzilla](https://bugzilla.redhat.com/) is made through a graphical dialog. ABRT ([Automatic Bug Reporting Tool](https://developer.fedoraproject.org/tools/abrt/about.html)) is responsible for uploading redacted information about the crash. An attempt is made to remove any private information from the upload. Nevertheless, it is best to review the information being sent. Note that a Fedora account or a separate Red Hat Bugzilla account is needed to actually upload this information.

To opt out, it's enough to cancel the submission dialog. It is also possible to make the reports automatic (https://abrt.readthedocs.io/en/latest/conf.html#system-autoreporting), and also to opt out fully. FIXME: opt-out instructions?

WHOKNOWS: what are the defaults? Is µReport enabled by default?

### Information collected during package upgrades

Summary: information about the system architecture and some hardware components, the installed variant of Fedora and the installed package set, the installation age, and client network addresses is collected by the update mirrors.

During an upgrade of installed packages, the package manager (footnote: `dnf`, `Gnome Software`, `dnfdragora`, …) contacts one of the mirror servers to get an updated list of available packages, and then downloads a set of updates. Information about the Fedora version and variant, the system architecture (amd64, arm64, ppc64el, …), and the update counter (next section) is sent as metadata with the request. Also, since the set of packages that is downloaded is determined by the set of already installed packages, the mirror server can guess the approximate set of installed packages.

Mirror servers collect general information about the HTTP request, including the IP address of the client, the date and time of the request, the URLs of the resources (effectively the package names and versions), and user agent information (effectively the identifier of the program used for updates).

WHOKNOWS: is HTTPS used for all downloads? Can a network sniffer see details or only encrypted traffic?

#### DNF update counting

When package updates are downloaded, DNF by default includes a "countme" variable that Fedora mirrors use to count unique installations and their approximate age. See https://dnf.readthedocs.io/en/latest/conf_ref.html?highlight=countme#options-for-both-main-and-repo for details.

FIXME link: https://bugzilla.redhat.com/show_bug.cgi?id=1965812 -- Some discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1965813 .

To opt out, something like the following command may be used:

```
# Turn the counter off (countme=1 -> countme=0) in every repository file
sudo sed -r -i 's/countme=1/countme=0/' /etc/yum.repos.d/*repo
```

Unfortunately this needs to be done after every update of `fedora-repos` and related repositories.

Aggregated information collected in this fashion is shared publicly.

#### Third-party repositories

Fedora editions and spins by default enable some third-party repositories. Fedora also allows the user to easily enable additional such repositories through the graphical package managers.

Third-party repositories are most often used for software which cannot be provided directly because of legal reasons. Third-party repositories are only enabled after review of the quality and policies of the third party. See https://docs.fedoraproject.org/en-US/fesco/Third_Party_Repository_Policy/.

Currently, a repository that allows the openh264 codec to be downloaded directly from Cisco servers is enabled by default.

WHOKNOWS: any other repos? Is there some easy query?

#### Graphical package descriptions with AppData

GNOME Software and other tools make use of AppData (an `xml` format to describe programs and fonts in a manner suitable for graphical environments, that also includes screenshots). Links to screenshots embedded in those descriptions may lead to arbitrary third-party web servers. Thus those third-party servers will know when users visit the descriptions of some specific packages.

#### The Linux Vendor Firmware Service

[LVFS](https://fwupd.org/) allows hardware manufacturers to provide firmware updates. The `fwupd` daemon downloads and installs the updates. *Which* updates are downloaded corresponds closely to the installed hardware, similarly to the case of downloaded package updates corresponding closely to the set of already installed packages, as described above.

Q: is the mirror system used for lvfs?

Q: what information is collected?

### Network host identification

#### Hostname

The hostname is often exposed on the local network, for example in DHCP requests and through multicast DNS. The default hostname is "fedora". The default unambiguously identifies the machine as a Fedora installation. If the hostname is changed, it too will be exposed on the local network, unless specifically configured otherwise.

#### MAC addresses

Network interfaces generally have stable hardware addresses, which may be used to identify the machine on a network. Fedora by default does not try to obscure those addresses.

#### Machine identifiers

Each Fedora Linux installation contains a unique identifier, the [machine-id](https://www.freedesktop.org/software/systemd/man/machine-id.html). This identifier is not exposed directly outside of the system.

`machine-id` may be used as the basis for stable identifiers used with external services. For example, a stable identifier is useful when requesting DHCP leases. Fedora Packaging Guidelines state that those secondary identifiers should be generated by hashing the machine-id with a per-application secret. Effectively, those secondary identifiers are stable, but the underlying machine-id may not be recreated from them, and identifiers used for different services cannot be derived from one another.

FIXME: is this the policy?

### Network connectivity checks

When a network connection is established, NetworkManager will periodically make a connection request to check connectivity, see https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html . FIXME: better link

It is possible to opt out: see https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html . FIXME: better link

### Network Time Protocol

By default, the time is synchronized using NTP. The default servers used are from the `fedora.pool.ntp.org` pool.

It is possible to opt out by `timedatectl set-ntp off` or through the graphical setting dialogs in desktop environments.

### Web browsers

For many users, the majority of interaction with the internet is through a web browser. Every browser has its own privacy characteristics and policy.

In general, any modern browser, apart from the directly requested operations, will make a number of queries to search servers (for example to provide suggestions and completions), queries to databases of malicious sites, and similar. In addition, browsers provide optional integration with an online account that facilitates sharing of browsing history, bookmarks, and settings between different installations.

Those behaviours are too complex to describe in this document. Instead, see

- for Firefox, https://www.mozilla.org/en-US/privacy/firefox/
- for Chromium and Chrome, https://www.chromium.org/Home/chromium-privacy
- for GNOME Web a.k.a. Epiphany, WHOKNOWS

### Installers for specific programming languages and tools to access external software packaging ecosystems

Fedora Linux provides packages for a number of language-specific tools (`pip`, `maven`, `cargo`, `go`, …), tools that primarily exist to access external software packaging ecosystems (`snap`, `apt`, `pacman`, …), and tools that provide images of other systems (`docker`, `podman`, `machinectl`, …). Those tools obviously communicate with third-party systems.

An explicit user interaction is required to make use of those tools. The distribution does not use such tools to provide packages to users, but always repackages the software in the `rpm` format.

### Antivirus database updates

Fedora provides programs that will perform periodic refreshes of antivirus databases (e.g. `clamav-update`), using third-party servers.

### Games

Fedora includes a number of games which allow networked play. This generally means that some player identification and user input are sent to servers under third-party control.

### Printing

TBD.

### Other programs that interact with the network

In general, any program making network requests transmits information to the other party. This usually includes some Agent ID (information about the name and version of the software making the request, often including the fact that it is provided by the distribution), and the other party can record both the requested address and the network address from which the connection originates. For unencrypted protocols, parties on the local network and parties along the route to the destination server can often glean details about the request and response.
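
For the opt-out under "DNF update counting" above, which has to be repeated after repository packages are updated: an added example (not part of the original policy text or of DNF) that reports which repository sections still have `countme` switched on and rewrites them. The function names, the sample repository text, and the set of accepted boolean spellings are assumptions, and Python's `configparser` stands in for DNF's own parser.

```python
import configparser
import re

TRUTHY = {"1", "yes", "true", "on"}  # assumed spellings of a true boolean

# Constructed sample of a .repo file, not copied from a real system.
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1

[updates]
enabled=1
countme = True

[updates-testing]
enabled=0
countme=1

[example-thirdparty]
enabled=1
countme=0
"""

def repos_with_countme(repo_text):
    """Return [(repo_id, repo_is_enabled)] for sections that have countme on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    found = []
    for repo_id in cp.sections():
        if cp.get(repo_id, "countme", fallback="0").strip().lower() in TRUTHY:
            enabled = cp.get(repo_id, "enabled", fallback="1").strip().lower() in TRUTHY
            found.append((repo_id, enabled))
    return found

_COUNTME = re.compile(r"^([ \t]*countme[ \t]*=[ \t]*)(\S+)[ \t]*$", re.I | re.M)

def disable_countme(repo_text):
    """Rewrite every truthy countme value to 0, leaving all other lines untouched."""
    def fix(m):
        return m.group(1) + ("0" if m.group(2).lower() in TRUTHY else m.group(2))
    return _COUNTME.sub(fix, repo_text)

if __name__ == "__main__":
    for repo_id, enabled in repos_with_countme(SAMPLE_REPO):
        print(f"{repo_id}: countme on ({'enabled' if enabled else 'disabled'} repo)")
```

Unlike the one-line `sed`, this also catches spellings such as `countme = True`, and the report can be run after each update to see whether the setting has been reset.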
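
For the derivation described under "Machine identifiers" above: an added example (not part of the original policy text) of a secondary identifier that is stable per application but does not reveal the machine-id or link to other applications' identifiers. HMAC-SHA256 as the keyed hash, the UUID formatting, the function name, and all sample IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import uuid

# Constructed values: a made-up machine-id and two made-up application IDs.
MACHINE_ID = "0123456789abcdef0123456789abcdef"
OTHER_MACHINE_ID = "fedcba9876543210fedcba9876543210"
APP_DHCP = uuid.UUID("11111111-2222-4333-8444-555555555555")
APP_OTHER = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")

def app_specific_id(machine_id_hex, app_id):
    """Derive a per-application identifier from the machine-id.

    HMAC-SHA256 is keyed with the 128-bit machine-id and run over the
    application's own fixed ID; the result is truncated to 128 bits and
    marked as a version-4 UUID so it looks like any other random UUID.
    """
    key = bytes.fromhex(machine_id_hex.strip())
    if len(key) != 16:
        raise ValueError("machine-id must be exactly 32 hex characters")
    digest = bytearray(hmac.new(key, app_id.bytes, hashlib.sha256).digest()[:16])
    digest[6] = (digest[6] & 0x0F) | 0x40  # UUID version 4
    digest[8] = (digest[8] & 0x3F) | 0x80  # RFC 4122 variant
    return uuid.UUID(bytes=bytes(digest))

def demo():
    """Return the identifiers two applications would see on two machines."""
    return {
        ("machine-a", "dhcp"): app_specific_id(MACHINE_ID, APP_DHCP),
        ("machine-a", "other"): app_specific_id(MACHINE_ID, APP_OTHER),
        ("machine-b", "dhcp"): app_specific_id(OTHER_MACHINE_ID, APP_DHCP),
    }

if __name__ == "__main__":
    for (machine, app), ident in demo().items():
        print(machine, app, ident)
```

Because the machine-id is the HMAC key, a service that knows its own application ID and the derived value still cannot compute another application's identifier or recover the key without breaking the hash.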