Making KUserFeedback opt-out using privact technology
The current state of KUserFeedback is limited. The main symptom KUF suffers from is the lack of interesting data, especially for UX work, marketing, or user support. The data we currently get from KUF only gives us hints to make top-level decisions like "do we still need to support technology XY?" But there is no way to understand our user base more deeply.
Wearing UX glasses: This takes away an important pillar of usability — data-driven UX work. Currently we often have to guess, trust internal experts, or simply copy what others are doing. This is a significant problem for the quality of UX work we can achieve.
The fundamental problem is that KUF actually pushes real user data to the KDE servers. Since we currently have to do this, we:
- ask users to opt in to sending their data, which results in a very small percentage of real users actually sharing their data.
- apply our very restrictive telemetry policy, which allows only rather uninteresting data to be sent when it comes to UX issues.
- have no actionable path to changing the data that gets sent, because this would require re-approval for those who already opted in, and no such functionality was ever written.
As a result, we get uninteresting data from a sample of users that is too small (and definitely very biased).
In privact.org, we have been working to fundamentally solve this problem. We have started to build an infrastructure that allows:
- storing user data only on the user's system
- evaluating collective data with an algorithm that ensures individual privacy
In the privact system, all locally collected data is under the full control of the user and is never sent as a blob anywhere. Instead, software on the system is able to respond to specific individual questions and return one answer; a random system is chosen to aggregate the results from everyone using a combined federated, homomorphic and e2e encryption scheme that results in only the final aggregated answer being decryptable. This encrypted answer is sent to privact's servers, and then along to the final recipient (e.g. KDE). This ensures zero identifiability for every user. Integrating this technology into KDE would hence solve the problems described above:
- We could make the use of this technology opt-out, resulting in significantly more users participating.
- We could ask for more meaningful data, resulting in better insights into user behaviour.
- The set of locally collected data could be changed at will, with no negative privacy implications.
This would actually allow us to do data-driven UX work and thus significantly improve the quality of KDE software.
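The aggregation step described above ("only the final aggregated answer being decryptable") can be illustrated with an additively homomorphic cipher. This is an added example, not privact's or KDE's code: the page does not specify the scheme, so textbook Paillier is swapped in, and it covers only the homomorphic sum, not the federated or e2e layers. The key size, function names and sample answers are assumptions made for the demo.

```python
import math
import secrets

# Toy Paillier key (assumption: two small Mersenne primes so the demo runs
# instantly; a real deployment would use primes of 1536 bits or more).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                      # public key, known to every client
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private, recipient only
MU = pow(LAM, -1, N)           # private; valid for generator g = N + 1

def encrypt(answer: int) -> int:
    """Client: encrypt one local answer under the recipient's public key."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    # (1 + answer*N) equals g**answer mod N^2 when g = N + 1
    return (1 + answer * N) % N2 * pow(r, N, N2) % N2

def aggregate(ciphertexts) -> int:
    """Aggregating node: multiplying ciphertexts adds the plaintexts.
    It holds no private key, so it cannot read any single answer."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % N2
    return acc

def decrypt(ciphertext: int) -> int:
    """Recipient: decrypt the one aggregated ciphertext it receives."""
    return (pow(ciphertext, LAM, N2) - 1) // N * MU % N

def run_round(answers) -> int:
    """One question round: clients encrypt, one node sums, recipient decrypts."""
    return decrypt(aggregate(encrypt(a) for a in answers))

# Constructed sample: per-user answers to one question, e.g. "how many
# times was feature X used this week?". Opted-out users simply send nothing.
SAMPLE_ANSWERS = [3, 0, 7, 1, 4]

if __name__ == "__main__":
    print("aggregated answer:", run_round(SAMPLE_ANSWERS))
```

In this sketch the recipient could still decrypt an individual ciphertext if it ever saw one, which is why the scheme described above also needs the transport layer to ensure only the aggregate reaches the key holder.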
We have done a prototype integration of privact technology with KUF.
I propose to improve this prototype integration and include it upstream in KDE when it is mature enough.