[🐛 Bug]: GDPR infringement, US plausible telemetry without consent #14588
Comments
@aeris, thank you for creating this issue. We will troubleshoot it as soon as we can.

Info for maintainers

Triage this issue by using labels.
- If information is missing, add a helpful comment and then
- If the issue is a question, add the
- If the issue is valid but there is no time to troubleshoot it, consider adding the
- If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable
- After troubleshooting the issue, please add the

Thank you!
I understand your concern; the tool assures us that it is GDPR compliant, and it was properly reviewed. This is the same as the thread you referred to, so I will leave the same link here as a reply: #13173 (comment). Thank you.
It wasn't. Pretty much every piece of software says it is GDPR compliant. Way too many, if not all, are not even close to that in practice…
Slightly off topic, sorry in advance:

Yes
I went and checked Plausible's documentation and our subscription to make sure I was saying the right thing above. I also got in touch with them and their co-founder replied with helpful information:
@aeris Having said that, if you have anything concrete, please reach out to our lawyers. @joerg1985 might be a good idea to add that, would you like to help us and add that page?

Also, feel free to check the information Plausible has:
These legal assessments point exactly to the trouble with such an integration.

So where is your opt-out option? GDPR does not permit "GDPR compliant tool" certification, even self-assessed. For processing, you need to explain why you need such stats, what you collect, how you anonymize the data, why you need such processing, and why you can't use another, less intrusive way. There is currently no user information about the processing when using Selenium. The processing is therefore unlawful. Even in the case it would be, you then need a legal basis. In this case, legitimate interest. Then you need to pass the triple test: legitimate, necessary, proportionate. Even the first is not easy, because you provide no information before processing, as stated above. Necessary seems difficult too: we have no idea what you do with the data, whether it is critical enough to be really necessary, and even statements from your team show it is not necessary (I can't find the GitHub post again, but somebody said something like "if it's too difficult, we can remove this feature"; I will edit if I find it again). So legitimate interest under 6(1)(f) is NOT possible, and only consent remains.

Even if 6(1)(f) were possible, it means opt-out as said in the legal statement above, right to object (article 21), right to access (article 15), a legal DPA signed with Plausible with a yearly audit of their infrastructure as stated in article 28 for contractors/sub-contractors, legal validation such as international data transfer (yes, Plausible is under UK law, which is no longer EEA/GDPR covered since Brexit) under article 44, and many other things. I bet you cover none of it. So no, your processing is currently clearly unlawful, even if you use a "GDPR compliant" tool like Plausible.
You probably missed this link as well: https://www.selenium.dev/documentation/selenium_manager/#data-collection We have all our information public. As the link says, we are using this to understand Selenium usage. @aeris If you have anything concrete, please get in touch with our lawyers at https://sfconservancy.org/. Please also keep in mind your tone. We are respectful and listen to your comments, whereas you come to us with a harsh tone.
I found the link I spoke about above: #13173 (comment)

Because you admit yourself that you CAN not collect this data at all, it means you MUST not collect it at all. Article 5 allows only strictly necessary processing, and article 6(1)(f) specifically calls for the triple test for legitimate interest (legitimate, necessary, proportionate).
It's not missed. It's just not a legal one, at least not shown at the first processing. Article 21(4) GDPR:
No, you are definitely not. We are fed up with "GDPR compliant processors taking your data privacy very seriously" who do not even know a single line of the GDPR in practice and refuse to admit unlawful processing as stated by multiple EDPB guidelines or other explicit statements in the law itself. You point me to a "legal statement" you don't even read correctly, or at least don't follow the explicitly given statement saying legitimate interest MUST provide 1) explicit information and 2) a way to opt out. You provide NONE. It's the same endless thing each time, for pretty much any piece of software we need to use as end users, with the company saying "if not ok, just go see my lawyer" and the lawyer not even able to read correctly this text, in place since 2016 for the GDPR and 1995 for Directive 95, which is the ancestor of the GDPR and a word-by-word copy. For pretty much every single piece of software, we literally have to take countless hours to explain why the software breaks the law and violates our fundamental rights.
To show the trouble, we already had this exact same discussion, with the exact same month-long discussion and the same "we respect privacy, speak to my lawyer" shit, on

Each time it takes hours, days, weeks, if not months or years, to be able to have those unlawful features removed from "privacy aware" FLOSS…
This issue has been automatically locked since there has not been any recent activity since it was closed. Please open a new issue for related bugs.
I respect your concerns, but disagree with your conclusions about Selenium Manager’s compliance. This discussion hinges on whether Selenium collects personal data, and we are very conscientious about ensuring that we do not. The only potential area of concern would be how Plausible handles IP addresses, and if there is an issue with that, it would affect all of Plausible’s web analytics offerings, not just Selenium. That said, improving clarity is always a good thing, so I’ve created a PR that should make things more obvious: #15317 If you have any additional suggestions for improvements (other than making telemetry opt-in), I welcome constructive input. Regarding DataCamp, we are again relying in good faith on Plausible’s stated data policy: Plausible Data Policy. If you have specific evidence that Plausible is not adhering to their stated policy, please include us in any communications with Plausible so we can assess the situation properly:
What happened?
Since #13173, Selenium Manager tracks usage with Plausible, without consent. This is a GDPR violation.

Using telemetry without consent is a GDPR violation, and also a violation of multiple EDPB guidelines on this topic. I won't copy the whole thread here, but the rationale is available on the same kind of issue at thunderbird/thunderbird-android#8199 (comment)

Worse, you use plausible.io, hosted at IP 143.244.56.50, which is DataCamp, a US company, exposed to FISA requests and so also trouble with Schrems I & II. DataCamp is not even DPF approved (or at least I can't find them at https://www.dataprivacyframework.gov/list), and so it's a GDPR article 50 violation too.
How can we reproduce the issue?
Relevant log output
2024-10-11 17:28:51 WARN Selenium [:selenium_manager] Error sending stats to Plausible: error sending request for url (https://plausible.io/api/event)
Operating System
Not applicable
Selenium version
Ruby selenium-devtools 0.127.0
What are the browser(s) and version(s) where you see this issue?
Not applicable
What are the browser driver(s) and version(s) where you see this issue?
Not applicable
Are you using Selenium Grid?
No response