Add nap for telemetry

[Czaki]

Description

Add NAP with the proposition of a telemetry system.

Type of change

• Adds new content page(s)

[DragaDoncila]

@Czaki this is looking great, thank you for all your work on this 🎉 ❤️ ! I've done a pass of suggestions for wording etc. Once those updates are made and I've made sure the formatting is correct, I'll be happy to approve the draft.

In terms of comments on the proposal itself these are my general thoughts:

• I would like to see us include in the NAP a process for getting community feedback and concerns before implementation. While the NAP is usually the way to publicize big changes like this, I think they're mostly watched/discussed by core devs. Since telemetry can be a controversial topic, I would like us to include a process here that ensures the community is aware of and on board with the proposal
• I think before accepting the NAP, I would like to see a complete list (as complete as possible) of exactly what is collected with each level of telemetry, and potentially also a sample report, and what would show up on the public dashboards
• We mention collecting information on what plugin contributions are used, but I think it would be great to collect information on what internal commands are used as well. It would give us great insight into popular features, potentially underused/underpublicized features and "danger zones" for API deprecations. Not sure to what extent this is possible, but once the app-model conversions are done there should be a few things we can learn?
• I would like us to expand a little on the motivation for telemetry beyond "gauging user numbers" which imo is the weakest motivation. For me it's really more about learning what plugins and parts of the codebase are seeing heavy usage, predicting the impact of changing APIs and gaining insight into what could be deprecated, changed, better documented, etc.

[Czaki]

I would like us to expand a little on the motivation for telemetry beyond "gauging user numbers" which imo is the weakest motivation. For me it's really more about learning what plugins and parts of the codebase are seeing heavy usage, predicting the impact of changing APIs and gaining insight into what could be deprecated, changed, better documented, etc.

This is mentioned in the motivation and scope paragraph. Should I rephase it?

• We mention collecting information on what plugin contributions are used, but I think it would be great to collect information on what internal commands are used as well

great idea. I will add this in the following days.

I also agree with polishing the list of collected data. Opening this PR is way to open it on the community. I think, that after some polishing we should make a public announcement.

[Carreau]

Suggested change

	4. Full list of endpoints used for collecting telemetry, that could be filtered on the firewall level.
	5 . Disable at system-wide level in a way that is not user-controlable (Hpc/ other deployments).

[Czaki]

You mean to add new point?

[DragaDoncila]

Possibly we should merge the two sentences:

4. System-wide disablement e.g. via firewall filtering for hpc or other environments

[Carreau]

Detail, I would store the date when someone agreed, and maybe reconfirm every few month or so.

You might need a way for the remote to reply with a specific error code/version number that void the user consent, and retrigger asking consent as well.

[Czaki]

Why do you prefer longer storage?

[DragaDoncila]

I think the proposal is that we reconfirm opt-in every few months or so. I think this is a good idea and worth adding.

[Czaki]

I still do not follow.
Did we want to reconfirm every three months (for example), or when we update the telemetry code, so change the amount of collected information?

[DragaDoncila]

I think it should be min(3_months, package_update) for re-confirming, personally.

The dialog for whether you want to continue sending telemetry could show an example of a recent report that had been sent, so the user can gauge their participation based on real data. We could always add a Don't ask me again option as well of course.

[Carreau]

You will need to describe the way people can contact napari for their data to be removed.

You have to be careful, login IP in the machine that collect logs may be considered collecting PII in some regions.

[Czaki]

My Idea is to at the first phase, not to log IP. I do not see the benefit of such information and only risk.

I ha e added GDPR section

[Carreau]

Sorry I was unclear, if for example you run the collection service behind nginx, the nginx logs may store IP. So you have to be careful that not only the service you write but part of the stack does not store data and/or that you can delete it.

[Czaki]

Some storage is required (Identifying spamming users), but it may be short with fast removal.
And such things will not be propagated to the aggregator.

[DragaDoncila]

@Czaki I have done a final pass and once that's done I think this should go in in draft mode. Once we have some sample reports to look at, we should be able to add any other necessary detail. It would be nice to have a basic architecture diagram as well.

[DragaDoncila]

Possibly we should merge the two sentences:

4. System-wide disablement e.g. via firewall filtering for hpc or other environments

[DragaDoncila]

I think the proposal is that we reconfirm opt-in every few months or so. I think this is a good idea and worth adding.

[Czaki]

dependency check is failing because of bug in main repo gregsdennis/dependencies-action#24

[DragaDoncila]

@Czaki you should update this, I think it's fine to date it as the day you opened the PR.

[DragaDoncila]

@Czaki I think this is fine to go in whenever in draft mode. Thanks for all your work! Any further updates can be made in future PRs as is standard for NAPs

[brisvag]

Agreed, let's get this in and iterate in a PR.