Question regarding OTel identities for 3rd party utils/services.

[breedx-splk]

Hiya. Not sure who might know this (likely GC/TC @open-telemetry/governance-committee @open-telemetry/technical-committee ), but the Android SIG maintainers are entertaining the idea of enabling the Google Play SDK Console (tracking issue here) for our agent. This utility would allow us (Android SIG maintainers) to better understand if/how the SDK might be (mis)behaving, and we think it should provide some useful data that could help inform direction around project direction/features. Even more information here: https://play.google.com/sdk-console/about/

So I guess first question is: Are there any concerns about an otel project using this? I assume no, and that we have the agency to do so if we wish.

The main question is around group/collective identity and how this relates to Google's view of ownership of the maven artifacts after signup. As one of the maintainers, I could just go sign up and use my corporate google account/identity, but this seems far from ideal, because it tells google that the "owernship" of io.opentelemetry.android in maven central is somehow tied to jplumb@splunk.com -- which isn't entirely true, and would also be a problem if something were to happen to me.

Do we have any existing/prior art for creating or using any existing "shared" otel google accounts? If so, what would be my next step to leverage that? If not, do we have any creative ideas about how to prevent this control from being tied to a single person?

Thanks thanks! 🍻

[svrnm]

We have a Google Workspace and probably could tie it to an account there, maybe the admin account and then share further access via groups if this is possible?

The bigger question for me, is how this is addressed with respect to privacy related local regulations. Indeed OpenTelemetry is already collecting a lot of information, and our users would need to let their users know about this, especially when they use a 3rd party like an observability vendor for processing, but I suspect this would require some additional clarifications towards the consumers of our SDK that they can then signal to their end users as required. Or is this something that is already taken care of by Google, I couldn't find a lot about that topic in the respective documentation for the Play SDK Console.

[breedx-splk]

Thanks @svrnm. I also just found this resource, which describes the ability to add additional users (via email) to a given Play SDK Console, and there are two roles, so that might just be enough.

As far as the privacy question goes -- I appreciate that and I agree that it's important for us to take this into series consideration. My understanding is that the data is anonymous and doesn't really divulge anything about the end user, other than what version they're running, and some metrics around ANRs and crashes. The crashes do contain stack traces, but I understand them to be anonymized/obfuscated.

And like you suggested, Google already has to handle most of this.
There are some additional notes about this here:

https://support.google.com/googleplay/android-developer/answer/12246238

Specifically:

Note: SDK Console only shows data that meet certain privacy thresholds. 
Data that does not meet these thresholds are grouped under an 
additional “other” value or omitted entirely.

So yeah, I feel pretty good about the privacy factors, and I am open to hearing of any other specific concerns.

[svrnm]

Thanks for confirming on that question, that's good to hear!

We (GC/SIG Project Infra) can go ahead and create an account for admin@opentelemetry.io and then invite more people. I think that's how it should work.

cc @open-telemetry/sig-project-infra-approvers @open-telemetry/governance-committee

[svrnm]

I'll figure out how to provide you with that access :-)

[svrnm]

@breedx-splk looks like you and I need to work together to make this happen, I'll send you a DM on slack to find a time to work on this together!