3

Maybe I should be asking this in Law Stack Exchange but, because I found it to be quite "techy" and more related to how Google manages this GDRP "thing", I'll ask it here.

In our Fabric console App Settings we have 3 privacy toggles:

  1. Enable/Disable Privacy Prompt
  2. Enable/Disable IP Address Tracking
  3. Enable/Disable Crash Insights

I'm only interested in basic crash reports, no Answers, no custom Key/Value crash reports - just pure stack trace - like in Logcat.
Am I completely legal just by doing this: Fabric.with(this, new Crashlytics());?
Does Google anonymize this data by default? If it does, why bother asking for users permission (honest question)?

I've search it a bit and I found that IP Address Tracking it's anonymized here.
When I toggle OFF Crash Insights it pops up a warning saying:

Your anonymized crash data can be used to identify crash trends across apps using Crashlytics. We use this information to surface insights on your issues. We recommend leaving this enabled so you can triage crashes more quickly.

Are you sure you want to disable this feature?

Note: Disabling data sharing will also remove insights on your issues. Changes may take up to 24 hours to take effect.

So this brings us to:

  1. IP Address Tracking - anonymized
  2. Crash Insights - anonymized

Only one question left:

  1. Privacy Prompt - do we really need it?

If we toggle it ON:

When a crash occurs in any version of [our app name], this will ask your users if that crash should be reported.

Wait for it...

Our analytics data shows that most users will decline to report crashes, so we recommend leaving this disabled.

Is Fabric saying we shouldn't bother with this?
We have a help button that point us to Fabric Docs. Actually, this alone doesn't help much, because we need to change our instantiation to:

final CrashlyticsCore core = new CrashlyticsCore
                .Builder()
                .listener(new CrashlyticsListener() {
                    @Override
                    public void crashlyticsDidDetectCrashDuringPreviousExecution() {

                    }
                })
                .build();
 Fabric.with(this, new Crashlytics.Builder().core(core).build());

And this is what will enable the Crashlytics Privacy Dialog. I found it thanks to this post.
Unfortunately this alone doesn't answer my question. Finally the docs states:

Crashlytics

Personal Data collected:

Installation UUID
Crash traces

How data helps provide the service:
Helping a customer associate crash data with specific instances of their app.

Retention:
Crash traces and their associated identifiers are kept for 90 days.

Is this only an issue for iOS? Android doesn't seem to have personal data (like UDID) being sent. If everything (for Crashlytics) is anonymized why bother with Privacy Prompt in Android? How about iOS, should I ask for permission due to UDID?

EDIT: after reading my post again I've noticed that Fabric doesn't ask for the UDID, it askes for UUID. So, saying that, I guess we don't need to ask for permission, there's no personal data being shared.

Thanks.

GuilhE
  • 11,591
  • 16
  • 75
  • 116
  • 1
    This is very broad - you have a lot of questions here. Consider posting to firebase-talk instead to get a discussion. It is closely monitored by Firebase staff. http://groups.google.com/group/firebase-talk/ – Doug Stevenson Apr 12 '19 at 14:47
  • @DougStevenson thanks for your suggestion, I'll! – GuilhE Apr 12 '19 at 14:50

0 Answers0