I just realized this library tracks you by default. This is not OK and I am very disappointed, specially since it's not documented in the readme of the MAIN library which is https://github.com/pact-foundation/pact-js.
To respect your privacy, anyone can turn it off by simply adding a 'do not track' flag within their package.json file:
The fact that you add this line doesn't respect my privacy any more because I didn't know this was a thing in the first place.
Furthermore, I'm not even sure this library complies with GDPR as I remember something where they mention that to collect user data you must explicitly ask them to opt-in to it and must NOT opt-in by default. Here's the link, search for the subtitle "Clear Affirmative [Action]"
Hi @chris-fran thanks for raising this. You're right, we should put some docs here. We'll get that added shortly.
I would like to hear more about your concerns so that we can address them. Perhaps it's not clear, but all we collect that is specific to you is your OS and your IP (as it will ping a google analytics server). It's similar to what would happen should you head to pretty much any web page on the internet.
I'm not sure whether this constitutes a privacy breach, and I won't comment specifically on GDPR as I'm not an expert. However, as an example today, when you download any package from npm they collect even more information https://www.npmjs.com/policies/privacy#data. Consent is implicit, by downloading and using their tools.
Following this (and again, thank you for bringing it to our attention), I've submitted https://github.com/pact-foundation/pact-node/pull/143. This will reduce tracking of the IP address to the first 3 octets, which is incidental information that we are not interested in.
Yep, I'd agree with making it clearer in the docs. However, I think you might be blowing this slightly out of proportions. We're not tracking everything, we're only tracking when you specifically download the binary the first time around, specifically if you are a CI server or an actual user, which OS version of the binary you're downloading, which version you're installing, and your IP as part of the event sent to google analytics.
We decided to do this because npm statistics aren't very thorough nor accurate and we wanted to base our decision making on facts and knowing where people are using it, which version their up to, etc makes a massive impact for us to continue developing this product.
I've been working on GDPR for a few months now and I can say that we are not in any way in breach of it simply because we are not tracking any personally identifiable information. Everything is anonymous in every way.
Hey @mefellows, I should start by apologizing as I definitely overreacted to this. I've been the one leading and pushing for the usage of Pact across the organization and all its micro-services (as I really believe this is an excellent tool) so when somebody pointed out there was some tracking, I panicked as I had never read about it and could potentially make the entire N-months effort go to waste due to company policies so I came here. But I did it definitely not in the appropriate manner, for that I apologize.
Moving on, thank you for your clarification. I'm also no expert about GDPR but I did have to take an exam on it and it basically said that it applies for data that could identify a user. After your explanation I believe this is not the case (not sure about the IP address though).
I do think it would be better, more transparent and make people feel safer if it's documented in the main README, just for the sake of preventing people from panicking and rushing to create a ticket like I just did.
Last but not least, thank you for addressing this as fast as you did, I really appreciate it
Edit:
@mboudreau Yes you're right, this is not identifiable data so there's nothing wrong with GDPR
Thanks @chris-fran, no worries, and thanks again for bringing the issue of documentation to our attention. We do take this sort of thing seriously, and we're not trying to do anything nefarious. I'm going to close this for now, as I'll be pushing up a docs change shortly.
Closing - we've updated the docs and anonymised the IP in pact node.
Most helpful comment
Yep, I'd agree with making it clearer in the docs. However, I think you might be blowing this slightly out of proportions. We're not tracking everything, we're only tracking when you specifically download the binary the first time around, specifically if you are a CI server or an actual user, which OS version of the binary you're downloading, which version you're installing, and your IP as part of the event sent to google analytics.
We decided to do this because npm statistics aren't very thorough nor accurate and we wanted to base our decision making on facts and knowing where people are using it, which version their up to, etc makes a massive impact for us to continue developing this product.
I've been working on GDPR for a few months now and I can say that we are not in any way in breach of it simply because we are not tracking any personally identifiable information. Everything is anonymous in every way.