Drupal CMS enables Phone Home feature (update manager) without consent

Created on 16 January 2025, about 1 month ago

Problem/Motivation

Unlike Drupal Core, which prompts during the install to enable Check For Updates, it appears drupal_cms automatically enables the update_manager plugin without site owner consent.

Steps to reproduce

Install Drupal CMS using no pre-configured site type

Proposed resolution

Receive explicit consent to enable the update_manager plugin as part of the install.

User interface changes

A new consent request will be added to the installer detailing what information is collected and where it is sent to.

Data model changes

None

Release notes snippet

To respect site owner privacy the update_manager plugin will not be enabled by default without consent of the site owner.

๐Ÿ› Bug report
Status

Active

Component

General

Created by

🇺🇸 United States cmlara


Comments & Activities

  • Issue created by @cmlara
  • 🇺🇸 United States cmlara

    Adding related issue 🌱 [META] Proposal: Track ##: Telemetry Active regarding Drupal CMS and Telemetry in general.

  • 🇬🇧 United Kingdom catch

    Project browser and automatic updates are enabled out of the box, and at least automatic updates depends on update status. Project browser at a minimum needs to make http requests to d.o even if it doesn't rely on automatic updates (not sure about that bit). Drupal CMS doesn't really exist without project browser because otherwise you can't install recipes and other modules etc., it may end up getting integrated into the installer itself.

    So I think this would probably need to be a required checkbox (e.g. you have to click it to continue through the installer), which I normally would not like, but we could include a sentence that this can be changed after install (e.g. you can uninstall those three modules).

  • 🇺🇸 United States phenaproxima Massachusetts

    What's the point of a required checkbox? It's not consent if you have to consent. All it's gonna do is add confusion and cognitive load.

    Also, the Update module is not collecting any kind of identifying information whatsoever, as far as I know.

    I would be against this change, personally, unless there's a legal requirement around it.

  • 🇺🇸 United States cmlara

    Also, the Update module is not collecting any kind of identifying information whatsoever, as far as I know.

    https://git.drupalcode.org/project/drupal/-/blob/928a5cbd476d536530ba427...

    It uses an HMAC'ed copy of the site domain coupled with the site salt file.

    In other words: a unique identifier that identifies an individual install. Likely equivalent to how a Customer ID is considered PII under various privacy laws.

    D.O. Infra has said in the past the ID is recorded to remove duplicate call-ins from the installed module count reporting, so it is known to be recorded.

    The identifier breaches some environments' security policies on telemetry reporting. Calling home to get an update list can pass review. Once you include a unique ID (especially one that can be used to validate the validity of a leaked secret key) it pushes it over the limit in some security reviews.

    Not uncommon in my experience for corporate installs of software to prohibit all telemetry (though by no means would I say it's universally refused).

  • 🇬🇧 United Kingdom catch

    This is the original issue that added the checkbox #178581: beta 3 breaker: update.module: opt-in, not opt-out →. Unfortunately it does not go into details about what the WordPress FUD was.

  • 🇺🇸 United States cmlara

    Unfortunately it does not go into details about what the WordPress FUD was.

    I can't speak to what it was that long ago; I however note that WordPress has been involved in more issues around their update module lately, being believed to be uploading significantly private details, leading to the creation of the WPEngineTracker site.

    D.O. to my knowledge couldn't leak as many details as that system did (I don't believe we send the plaintext hostnames as part of any headers); however even a unique ID per site is sufficient to create a similar counting system.

    See https://duanestorey.com/posts/down-the-rabbit-hole-a-deep-look-at-the-wo... for the recent 2024 issues with their update API.

    This will likely be something those migrating from WordPress will be more sensitive about allowing given the perceived risks.

  • 🇺🇸 United States cmlara

    Drupal CMS doesn't really exist without project browser because otherwise you can't install recipes and other modules etc., it may end up getting integrated into the installer itself.

    I'll note that if these services are that critical for Drupal CMS, the project could possibly add a Service Decorator on the update.fetcher service. The decorator could always provide an empty value to the site_key parameter; that should be sufficient to mitigate the 'phone home' issue, allowing Drupal CMS to keep the dependencies.

    Drupal CMS would still want to disclose that it makes web connections, either as part of its quick start guide or the installer (I've worked in several environments where an unexpected network request from a server will result in the Network Access Control killing the network port); however it would not need to receive telemetry consent since the unique identifier is removed.

    Drupal CMS would need to keep an eye on core to be sure it does not add any other telemetry data which could necessitate adding a consent form.
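The decorator approach described in the comment above, written out as an added example (this is not code from the issue, from Drupal core, or from the site_key_mutator project). It assumes a hypothetical module named update_no_site_key, that core's update.fetcher service still implements Drupal\update\UpdateFetcherInterface with the fetchProjectData(), buildFetchUrl() and getFetchBaseUrl() methods, and that UpdateProcessor keeps passing the HMAC'ed site key into fetchProjectData(); core only appends site_key (and the usage data) to the request URL when that key is non-empty, so forcing it to an empty string removes the per-install identifier while leaving the update status check itself intact.

```php
<?php

declare(strict_types=1);

namespace Drupal\update_no_site_key;

use Drupal\update\UpdateFetcherInterface;

/**
 * Decorates core's update.fetcher service and blanks the site_key parameter.
 *
 * Hypothetical module "update_no_site_key" (an assumption for this example).
 * Register the decorator in update_no_site_key.services.yml:
 *
 *   services:
 *     update_no_site_key.fetcher:
 *       class: Drupal\update_no_site_key\NoSiteKeyUpdateFetcher
 *       decorates: update.fetcher
 *       arguments: ['@update_no_site_key.fetcher.inner']
 *
 * UpdateProcessor still computes the HMAC of the base URL with the site's
 * private key and passes it in; this wrapper replaces it with '' before the
 * inner fetcher builds the URL, so no per-install identifier leaves the site.
 */
final class NoSiteKeyUpdateFetcher implements UpdateFetcherInterface {

  /**
   * @param \Drupal\update\UpdateFetcherInterface $inner
   *   The decorated core fetcher (injected as the ".inner" service).
   */
  public function __construct(private readonly UpdateFetcherInterface $inner) {}

  /**
   * {@inheritdoc}
   */
  public function fetchProjectData(array $project, $site_key = '') {
    // Always pass an empty key: core only appends site_key and the usage
    // fields to the URL when the key is non-empty, so the release feed is
    // still fetched but the install is no longer individually identifiable.
    return $this->inner->fetchProjectData($project, '');
  }

  /**
   * {@inheritdoc}
   */
  public function buildFetchUrl(array $project, $site_key = '') {
    // Blank the key here too, so anything that previews the URL (tests,
    // logging) shows exactly what will be requested.
    return $this->inner->buildFetchUrl($project, '');
  }

  /**
   * {@inheritdoc}
   */
  public function getFetchBaseUrl($project) {
    // Base URL selection (updates.drupal.org or a per-project override) is
    // unchanged; only the identifying query parameter is dropped.
    return $this->inner->getFetchBaseUrl($project);
  }

}
```

After enabling the module and rebuilding the container, the change can be verified by asking the decorated service for a fetch URL and checking that no site_key query parameter is present, for example by calling buildFetchUrl() on \Drupal::service('update.fetcher') with a non-empty key argument and confirming the returned URL does not contain "site_key=". As the comment notes, this removes the identifier but not the outbound HTTPS request itself, so the network connection should still be disclosed to site owners.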

  • 🇺🇸 United States cmlara

    possibly add a Service Decorator on the update.fetcher service. The decorator could always provide an empty value to the site_key parameter,

    I have not published a release yet, however there is now https://www.drupal.org/project/site_key_mutator → which will (by default) empty out the site id, removing the Unique Identifier (phone home) portion of the update checker.

    ✨ Moving project telemetry reporting from the update module into core Active would have been the better issue; however it's postponed and unlikely to see resolution anytime soon.
