Dependencies Telemetry Data is not Disabled
| Base Metric | Score | Severity |
|---|---|---|
| Overall | 3.7 | Low |
Type: Weakness
Status: fixed
Reporting Date: 2023.04.05
Application dependencies have their own telemetry system, which is not documented, disabled or controlled by the bloop application.
Description
The application integrates qdrant [1], which has telemetry enabled by default.
The telemetry data seems to be reasonably pseudonymized [2], but it should be disabled when the user chooses to opt out of telemetry, or by default.
The usage of ONNX Runtime [3] is not completely clear yet. It seems to collect telemetry on Windows clients [4], but only when it is used as a system dependency that was not compiled from source.
[1] Vector Search Engine, https://qdrant.tech/
[2] Quoted from qdrant's own description of the collected data: "System information - general information about the system, such as CPU, RAM, and disk type. As well as the configuration of the Qdrant instance. Performance - information about timings and counters of various pieces of code. Critical error reports - information about critical errors, such as backtraces, that occurred in Qdrant. This information would allow to identify problems nobody yet reported to us."
Impact
Telemetry data is transmitted to third parties without consent of the user or the possibility to opt out of such transmission.
Recommendation
- Document possible telemetry transmission from dependencies in the privacy policy
- Disable dependency telemetry if possible
- Investigate telemetry data from onnxruntime
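The following is an added example of the kind of check a release pipeline can run against the qdrant configuration that ships with the application; it is not code from the audit report or from the bloop project. It assumes, based on qdrant's configuration scheme, that qdrant reads the top-level `telemetry_disabled` key from its config.yaml and the `QDRANT__TELEMETRY_DISABLED` environment variable (environment overriding the file), and that the built-in default leaves telemetry enabled. The sample configs are constructed for the example.

```python
"""Added example: verify that a bundled qdrant config does not leave telemetry on.

Assumptions (not from the report): qdrant reads the root-level key
`telemetry_disabled` from config.yaml, the env var QDRANT__TELEMETRY_DISABLED
takes precedence over the file, and the built-in default is telemetry enabled.
"""
import re
from typing import List, Mapping, Optional

# Constructed sample: a config that leaves qdrant's default (telemetry on) in place.
SAMPLE_CONFIG_DEFAULT = """\
log_level: INFO
storage:
  storage_path: ./storage
service:
  http_port: 6333
telemetry_disabled: false
"""

# Constructed sample: the hardened variant the recommendation asks for.
SAMPLE_CONFIG_HARDENED = SAMPLE_CONFIG_DEFAULT.replace(
    "telemetry_disabled: false", "telemetry_disabled: true"
)

# Matches only an unindented (root-level) key, which is where qdrant expects it.
_KEY_RE = re.compile(r"^telemetry_disabled\s*:\s*(\S+)\s*$", re.MULTILINE)


def _parse_bool(raw: str) -> Optional[bool]:
    """Accept YAML 1.2 booleans only; anything else is reported as unparseable."""
    value = raw.strip().strip("\"'").lower()
    if value == "true":
        return True
    if value == "false":
        return False
    return None


def config_telemetry_disabled(config_text: str) -> Optional[bool]:
    """Return the root-level telemetry_disabled value, or None if it is absent."""
    match = _KEY_RE.search(config_text)
    return _parse_bool(match.group(1)) if match else None


def telemetry_effectively_disabled(config_text: str, env: Mapping[str, str]) -> bool:
    """Resolve the effective setting: env var, then config file, then the
    assumed built-in default (telemetry enabled)."""
    env_value = env.get("QDRANT__TELEMETRY_DISABLED")
    if env_value is not None:
        parsed = _parse_bool(env_value)
        if parsed is not None:
            return parsed
    from_config = config_telemetry_disabled(config_text)
    return from_config if from_config is not None else False


def audit(config_text: str, env: Mapping[str, str]) -> List[str]:
    """Return findings for a CI gate; an empty list means the dependency is quiet."""
    findings = []
    if config_telemetry_disabled(config_text) is None:
        findings.append(
            "telemetry_disabled is not set explicitly; qdrant's default enables telemetry"
        )
    if not telemetry_effectively_disabled(config_text, env):
        findings.append(
            "qdrant telemetry is effectively enabled; set telemetry_disabled: true"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_CONFIG_DEFAULT), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(name, audit(cfg, {}) or "OK")
```

The explicit-key finding is reported separately on purpose: relying on an environment variable that happens to be set in one deployment leaves the shipped config itself in the vulnerable default, which is exactly the situation this finding describes.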
Retest Notes
The issue was promptly fixed by disabling the telemetry with PR 400.