fix: Compliant telemetry

[AB-xdev]

Description

PoC showcasing how a better way of handling telemetry can be provided.

1. There is now a GLOBAL opt out in the form of the VAADIN_TELEMETRY_OPT_OUT environment variable
2. When executed for the first time it discloses the telemetry collection to the user (avoids potential violation of GDPR Art 13).

Overall the whole thing is quite similar to how Dotnet handles telemetry.

Please note that there is currently a placeholder for a site with more details about telemetry in place, as this can't be provided by the PR.

Type of change

• Bugfix
• Feature

Checklist

• I have read the contribution guide: https://vaadin.com/docs/latest/guide/contributing/overview/
• I have added a description following the guideline.
• The issue is created in the corresponding repository and I have referenced it.
• I have added tests to ensure my change is effective and works as intended.
• New and existing tests are passing locally with my change.
  - I can't verify that because I don't have all tools required for running tests locally installed and they are not in place in the repo.
• I have performed self-review and corrected misspellings.

[Copilot]

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

[jojule]

The telemetry collected does not include any Personal Data and thus the GDPR does not apply.

[jojule]

Intent here is driven by GDPR compliance. The telemetry collected does not include any Personal Data and thus GDPR does not apply for anonymous users.

Users who have a license key have explicitly approved usage terms and Personal Data usage terms there.

Requesting to drop additional log info here, but supporting addig a global telemetry opt-out environment variable.

[mshabarov]

I agree that the Vaadin statistics collector is not a case for GDPR. It doesn't add any extra to what license checking process already uses to discriminate a user (machine id, user keys), but only the Vaadin versions, exact feature names, OS and JVM information.

Having the env variable for disable it makes sense to me, however I'd keep one single name for it (or at least similar), i.e. reuse existing vaadin.devmode.usageStatistics.enabled in upper case.

Having one time logging looks acceptable to me with the current mild wording.

We have a short mention in the online docs about the existing property, would be good, as a pre-requisite for this, to add a dedicated short section in "development" article about statistics.

Finally, keep in mind that there is more stats collection in the browser controlled by https://github.com/vaadin/vaadin-usage-statistics, it needs a separate opt-out.

[AB-xdev]

Sorry for the late response, the last months were quite busy.

Intent here is driven by GDPR compliance

This is not limited to only GDPR.
For example AFAIK my company's contracts with customers usually contain a no-spy clause.
Having some badly documented, intransparent and not globally deactivatable telemetry traffic is kind of problematic.

The telemetry collected does not include any Personal Data and thus the GDPR does not apply.
...
Requesting to drop additional log info here

Although I'm not 100% sure about the legal aspects here, note that nearly every other major company or product that is collecting telemetry data - even without "personal data" - performs a disclosure on the first run. Examples:

• https://learn.microsoft.com/en-us/dotnet/core/tools/telemetry
• https://quarkus.io/usage/
• https://code.visualstudio.com/docs/configure/telemetry

  To ensure GDPR compliance, we made several updates to VS Code, these include:

  • Making it easier to opt out of telemetry collection by placing a notification in product for all existing and new users.
  • Reviewing and classifying the telemetry that we send (documented in our OSS codebase).
  • Ensuring that we have valid data retention policies in place for any data we do collect, for example crash dumps.

• https://www.jetbrains.com/help/idea/settings-usage-statistics.html#data_protection_laws_compliance

  Given our adherence to these principles, the General Data Protection Regulation (GDPR) does not apply to feature usage statistics. However, in alignment with the ePrivacy directive, we ask for the user’s consent for data collection, even when the information collected is anonymized.

If you still want to remove the first-run telemetry disclosure feel free to do this on the branch, I granted maintainers write access.

Having the env variable for disable it makes sense to me, however I'd keep one single name for it (or at least similar), i.e. reuse existing vaadin.devmode.usageStatistics.enabled in upper case.

You can also change that if you want however I would prefer a simple environment variable that is not that long and won't change because someone e.g. renames devmode in the future.

Finally, keep in mind that there is more stats collection in the browser controlled by https://github.com/vaadin/vaadin-usage-statistics, it needs a separate opt-out.

+1
Feel free to provide a additional opt-out functionality for that as the PR is currently scoped to Vaadin Flow Java code only.

[mshabarov]

Hi @AB-xdev , thanks for your patience and sorry for a long response: we eventually passed through the vacation season and completed 24.9 preparations. I raised a thread internally about this topic and seems like, taking your and your customers motivations, we can apply this.
Before merging, I'd make an addition to https://vaadin.com/docs/latest/flow/configuration/properties to mention the parameter and statistics in general, then we can put a link into PR.
Also I'll double check how to align the existing parameter name with the new one.
I'll take over the PR and finalise it. Let me know if you have any further thoughts.

[mshabarov]

Added few tests, renamed the variable and placed the link that is expected after vaadin/docs#4565.

Now I need someone else to make a review as I pushed some changes by my-self :)

[github-actions]

Test Results

1 273 files  + 2  1 273 suites  +2   1h 18m 16s ⏱️ + 2m 28s
8 802 tests + 6  8 735 ✅ + 6  67 💤 ±0  0 ❌ ±0 
9 261 runs  +20  9 183 ✅ +19  78 💤 +1  0 ❌ ±0 

Results for commit a6763f7. ± Comparison against base commit b091938.

♻️ This comment has been updated with latest results.

[sonarqubecloud]

Quality Gate passed

Issues
1083 New issues
1 Accepted issue

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Format Checker Report

There are 2 files with format errors

• To see a complete report of formatting issues, download the differences artifact

• To fix the build, please run mvn spotless:apply in your branch and commit the changes.

• Optionally you might add the following line in your .git/hooks/pre-commit file:

  mvn spotless:apply
  

Here is the list of files with format issues in your PR:

flow-server/src/test/java/com/vaadin/flow/server/ConstantsUsageStatsEnvTest.java
vaadin-dev-server/src/test/java/com/vaadin/base/devserver/stats/DevModeUsageStatisticsLoggingTest.java