Rethink Scarf usage

[DanielHabenicht]

Expected Behavior

I expect this dependency to not collect any of my (personal) data by default.

Actual Behavior

This package is using scarf with an opt-out functionality - not opt-in.
Thereby collecting the following information on each install:

• installed packages (except @org scoped)
• IP address (to track which company I am from)
• operating system

Possible Solution

• Make scarf opt-in.
• Or Disable IP Tracking and disable reporting of other packages installed

It should at least be explained in the readme. There should be a note saying how to disable it before installation - as currently there is no way to opt-out of the first installation because the installing person simply does not know about the package.

Context

Even Google has made its usage statistics optional.
I understand that information like: "Which versions are currently used?" are of particular interested for package managers and I would let you track this kind of data (also with opt-out) - no problem.

But as you are also collecting information about the installed packages (Wherefore? Github already has a way less invasive function with "Used by") and part of who I am (IP Adress and Company info) - I don't quite get it. Please also be aware that this is likely putting you into the reach of GDPR laws because IP addresses and company affiliation are both likely to uniquely identify a person.

I love your work and I am using this package for years now. But still, I think before collecting data the reasons behind it and what they are used for should be explained. Also, the amount of data should be minimized.

Your Environment

• Version used: 8.0.2
• Browser Name and version: Chrome 81

[orizens]

hi @DanielHabenicht
i'm happy to receive a pr that suggests to opt-out scarf.
i was inspired by https://github.com/tannerlinsley/react-table which is also using scarf - but havnt seen any option for opting out.

[aviaviavi]

Hi, author of scarf-js here 👋 . I just wanted to clear up a few things brought up here:

1. Scarf isn't actually storing IP addresses. We look up any business information associated with the IP address and then delete it the IP itself. All in all, Scarf is not storing any personally identifying information collected from package analytics.
2. The Github "used by" section doesn't quite do the job of informing you who your commercial users are, but yes it does help. Most corporate repositories are not publicly hosted on Github, so this section misses the most important category - large companies using a project, who would be more likely to pay maintainers for support. Scarf fills in those gaps and offers additional around it in order to help maintainers financially support their work.
3. Keep in mind, npm does collect quite a bit more already https://www.npmjs.com/policies/privacy#data. We're collecting a whole lot less (you can set SCARF_VERBOSE=true to see the exact payload we're sending, it's very small), and actually sharing that with the maintainers, which will ultimately lead to better-maintained software for everyone.

[orizens]

@DanielHabenicht considering the above from @aviaviavi , scarf is doing less than npm.

[simon-jouet]

Hi,

Thanks for the great work on ngx-infinite-scroll.

I would like to add to this issue regarding the use of scarf, I'm currently running into problem installing my dependencies because scarf is failing with SyntaxError: Unexpected end of JSON input when installing ngx-infinite-scroll

It's a bit frustrating that, a dependency of a dependency is causing issues project-wide while it is itself not necessary. I tried to opt-out using the environment variable and modifying the package.json but it's still failing for now (need to keep looking into it).

EDIT: looks like SCARF_ANALYTICS=false npm install --scripts-prepend-node-path is allowing me to install the dependencies

Additionally to this, I'm not 100% convinced that the current behaviour is compliant with GDPR (for all European users) as consent should be explicitly given which isn't the case here. I'm personally not too fussed about it but I know some people are, and knowing that information are being sent would have been nice to know before running into troubles.

[aviaviavi]

Sorry to hear this caused issues @simon-jouet. This bug was fixed a while ago but it looks like the scarf-js dependency in this repo is hard-coded to an old version. I can open a PR.

[orizens]

#363 merged.
@simon-jouet please review and update this issue

[orizens]

@simon-jouet does the pr #363 fixed this issue?

[simon-jouet]

@simon-jouet does the pr #363 fixed this issue?

Thanks, it does look like this solved it, we haven't run in any issues recently.

I think the GDPR point I raised previously might still be valid, I'm far from an expert on the matter but as far as I know consent must be explicitly given, which isn't that case here.

[orizens]

@aviaviavi can you suggest how to let use opt out for scarf in ngx-infinite-scroll?

[aviaviavi]

Of course! scarf-js analytics is entirely optional too. As a user of ngx-infinite-scroll, you can always set SCARF_ANALYTICS=false in your environment before running npm install, or by adding an entry to your project's package.json:

// your package.json that depends on ngx-infinite-scroll
{
  // ...
  "scarfSettings": {
    "enabled": false
  }
  // ...
}

See https://github.com/scarf-sh/scarf-js#as-a-user-of-a-package-using-scarf-js-how-can-i-opt-out-of-analytics for more details about opting out of scarf-js analytics, it's entirely optional.

As for GDPR - We've discussed this GDPR concern extensively with Scarf's legal team. The current behavior of scarf-js is indeed GDPR compliant. As a Scarf user, @orizens is the legal agent collecting information about his package distribution, and Scarf acts as the data processor acting on his behalf. @orizens never has access to any personally identifying information from this telemetry (and neither does Scarf, we only store IP address metadata), so consent is not required. If we were providing @orizens with raw IP addresses or any other PII, it would be a different story entirely, but that is not the case here. None of the data stored by Scarf or provided to @orizens through Scarf is subject to regulations that require him to obtain explicit consent.

[orizens]

thank you @aviaviavi
@simon-jouet does that answer your question?