
There are reasons to draw a line in the sand, to say that even attempting to do some things is contrary to a strong norm that we will defend even if you promise that you're not using it for anything malicious, something which is hard to police.

Taking a strong stand against tracking and, therefore, in favor of privacy is perfectly reasonable for people who use Linux in part due to our hatred of the deep tracking closed-source OSes do.



The problem with drawing lines in the sand is that you trip up all the players that make an effort to act responsibly as well, thus reducing the incentive to act responsibly.

You're basically reducing market effectiveness by ignoring the details of available information and grouping unalike things together. The market will likely respond by reducing access to or the clarity of that information (e.g. they'll track you, but hide it even if it's innocuous and the vast majority would have no problem in what info is given up because apparently the people can't be bothered to make a decision on anything but the coarsest of details).


If you are opposed to tracking, then a company being aboveboard about it doesn't resolve the issue anyway.


You speak of "tracking" as if it's all the same thing. Every sale you make at a store is tracked, and for good reason to both the customer and the store (how else do you allow returns). Every time you visit a doctor, they add the info regarding your visit to a log. That's tracking. Tracking itself is not bad.

Tracking individuals and personal information about them while they are trying to remain anonymous or have no expectation anything personal has been revealed is bad.

Attacking anything with the word tracking in it because it's been conflated with this even though it shares little or no resemblance and can't be used later for this purpose in its current form is just FUD and an indicator of how broken human communication fundamentally is.


> Every time you visit a doctor, they add the info regarding your visit to a log.

JohnFen already said most of what I'd say about these examples, but I want to add one big thing:

The tracking the medical world does is controlled by law. Laws people take very, very seriously. It therefore can't be mixed with other data through being resold or in any other fashion to help form a more accurate picture of me.

That data re-use is part of why I want strong norms against data collection.


> You speak of "tracking" as if it's all the same thing.

True, and that's bad of me. I'm speaking in shorthand.

> Every sale you make at a store is tracked

But the store does not track me if I don't use a card. Returns are handled through the receipt that they give me during the transaction. That's a kind of tracking, but tracking the transaction itself, not me.

> Every time you visit a doctor, they add the info regarding your visit to a log. That's tracking. Tracking itself is not bad.

Indeed, and here's where I'll try to introduce the shades of gray I left out. I consent to the doctor tracking me to that extent (but I would object strongly if the doctor started keeping track of my whereabouts or what I was doing). The doctor even gives me a consent form affirming that. If I'm not OK with the tracking, I don't see that doctor. Software is no different in this sense.

I oppose tracking that I don't give affirmative consent for. In the case of Red Hat's purpose, I will not give such consent, as the cost/benefit ratio is not sufficiently weighted to the "benefit" side.

> is just FUD and an indicator of how broken human communication fundamentally is.

It's not FUD, as I'm not claiming that Red Hat is intending to do anything nefarious. And I don't see this as a human communication problem.

Speaking personally, this is a reaction to the trend in software and online to engage in massive amounts of user tracking and data collection, both disclosed and undisclosed, that has resulted in real harm (both intentional and unintentional).

Once bitten, twice shy and all of that. This is a problem that comes from real misbehavior of software companies, not from poor communications.


> But the store does not track me if I don't use a card. Returns are handled through the receipt that they give me during the transaction. That's a kind of tracking, but tracking the transaction itself, not me.

That's exactly analogous to what's happening here. The data being tracked isn't you, it's generic information about how many Fedora installs of what type there are. The countermeasures in place mean it cannot now, nor ever, be used to track you if implemented in the way I've outlined.

> The doctor even gives me a consent form affirming that. If I'm not OK with the tracking, I don't see that doctor. Software is no different in this sense.

Even if you don't affirm any documentation, you are still tracked by the doctor himself. If you visit the same doctor, even without a log of prior visits, he or she might remember you. This is implicit in all communication. That's why the discussion is not really track vs not track, but what data is tracked and how. Every time you request updates from any network based update system, you can bet your connection is tracked in some manner.

> I oppose tracking that I don't give affirmative consent for. In the case of Red Hat's purpose, I will not give such consent, as the cost/benefit ratio is not sufficiently weighted to the "benefit" side.

Why I'm so confused by your stance is that your reasoning for disliking "tracking" does not seem to follow (in my eyes) from the evidence you've presented for that reasoning.

I feel it's akin to looking at the ills that automobiles have brought about with pollution, and taking a stance against vehicles. When someone comes by to show you a bicycle, you say no-thanks, you've taken a hard line against all vehicles because of pollution. When they show you how it doesn't pollute, even can't pollute in that manner, you say that it's your right, which it is, and you've drawn a line you won't cross, which you have, but I can't help but think you've drawn that line in a rather odd spot.

You can obviously do what you want, but I'm not sure I can be blamed for trying to figure out how this reasoning works, because it makes no sense to me.

> It's not FUD, as I'm not claiming that Red Hat is intending to do anything nefarious.

You're equating tracking, as being discussed here, with identity tracking, which is not really on the table as an option at all.

> Speaking personally, this is a reaction to the trend in software and online to engage in massive amounts of user tracking and data collection

And I would classify it as an overreaction to that problem. Sure, the problem is bad, but does that mean we should attack real solutions which do not exhibit that problem just because it shares some easily identifiable similarities, such as a name?

What we have is an open source operating system offered for free with open source utilities that are used to check for remote updates for that operating system, also entirely free, with the ability to see who is asking for updates. That's what we already have, by nature of using IP transport.

All they are proposing is to get a finer grained view (but still not perfect) of how many systems there are and what version they are. None of that is personal to an individual, and the discussion is how to go about it in a way that it is not, and can not, be used later for those purposes. If that's not okay, you might as well just shut off your internet connection, because there's startlingly little you can do online that doesn't reveal massively more information about you than that at every interaction. Just loading a web page generally gives the host your IP address, browser of choice, a list of installed extensions, what the dimensions of your browser window are, what the dimensions of your desktop are, what the 3D capabilities of your video card are, what fonts you have available to use, and more.

Unless you are browsing HN through lynx, telnet, or some system that mails webpages to you after you submit the URL (a-la Stallman), I can't reconcile your hard line in one instance and apparent blasé attitude in the other.


> That's exactly analogous to what's happening here. The data being tracked isn't you

If we're talking about using a unique identifier, then I disagree. This isn't analogous to getting a store receipt at all. With a store receipt, there is nothing that connects me to the transaction described in the receipt except that I am in physical possession of the receipt.

> If you visit the same doctor, even without a log of prior visits, he or she might remember you.

Indeed, but that's in no way similar to what we're talking about.

> I feel it's akin to looking at the ills that automobiles have brought about with pollution, and taking a stance against vehicles. When someone comes by to show you a bicycle, you say no-thanks

I think this analogy also misses the mark. If tracking is like a car, then the UUID tracking we're talking about is like a compact car. Not at all like a bicycle (Poettering's suggestion, which I'm OK with, is more like that).

> You're equating tracking, as being discussed here, with identity tracking, which is not really on the table as an option at all.

I view this as effectively identity tracking. Much like the "advertising IDs" that Android uses.

> And I would classify it as an overreaction to that problem.

Perhaps it is, but if so, it's because as a user it's impossible to determine which tracking is OK and which isn't, therefore it's wise to avoid it all.

> but does that mean we should attack real solutions which do not exhibit that problem just because it shares some easily identifiable similarities, such as a name?

Of course not, but I'm not sure that this is an example of that. Also, it's important that a company prove (I'm not sure how that would be done, admittedly) that their representations of the tracking system are accurate, and that future business decisions couldn't change that.

> That's what we already have, by nature of using IP transport.

It's not, really. For instance, I run about a dozen Linux machines at home. Each of those machines does not go to the distro's repository for updates -- I have an update server that caches them and the other machines get their updates from that. So, if you're looking at the repository's logs, it looks like only one machine is getting updates. And, if I wanted to be even safer, my update server could get the updates using a VPN and thus completely disconnecting my IP address from the IP address the repository is seeing.

Besides, as I said before, just because there's one data leak doesn't mean it's OK to introduce another one.

> All they are proposing is to get a finer grained view (but still not perfect) of how many systems there are and what version they are.

Yes, I understand.

> I can't reconcile your hard line in one instance and apparent blasé attitude in the other.

That might be because you're assuming I have a blasé attitude in an area where I don't.



