#Debian has been moving more towards the deb.debian.org mirror which is provided by a single CDN company, #Fastly. It works well, but also feeds an enormous amount of #metadata to a single company, and it can be used to track computers and maybe even people. And the privacy policy in effect is unclear. Fastly says the #privacy policy of the "subscriber" applies, but the privacy policy for deb.debian.org is not listed anywhere I could find. Anyone have any insight here?
@andydavies @neil that would be nice, do you have any documentation on that?
@andydavies @neil I'm looking for actual privacy policies since those would be legally binding and the company could be held liable for violations. I've seen a lot of language like that, it promises little, since it has broad, vague exceptions like "except where explicitly stated in the Documentation and related to the functional performance of the services". Like, if some gov asks nicely for data, would handing it over be considered "functional performance of the services"?
@andydavies @neil Hi @eighthave we have a lot more information about our trust/privacy practices and our ethical standards on our website: https://www.fastly.com/solutions/customer-trust
and our privacy/data processing policies are on our website too:
* https://www.fastly.com/privacy/
* https://www.fastly.com/data-processing
@haubles @andydavies @neil thanks, I've read through those already, and it is still difficult for me to say what data about deb.debian.org Fastly actually keeps and for how long. Here are the policies of some other Debian mirrors, which are much simpler but perhaps leave out a couple key details like what log format they use.
* https://ftp.lysator.liu.se/datahanteringspolicy.txt
* https://plug-mirror.rcac.purdue.edu/info.html
* https://mirror.fcix.net/policy/
* https://mirror.ossplanet.net/
@eighthave @neil This is the clearest statement I know on the subject of customer request logs https://docs.fastly.com/en/guides/data-management#customer-request-logs
I’ve also had discussions with Fastly where they’ve talked about how they don’t want to store customer request log data for privacy reasons