Privacy and Joplin

Privacy is an important feature of Joplin, and this is clear because all non-private features that access the internet can be disabled in settings. For example, auto-updating and geo-location retrieval for note properties.

Ideally I would prefer that all non-private features are disabled by default, or only enabled after prompting the user for permission/approval during installation or first start up.

However in any case, I think there should be a section near the bottom of https://joplinapp.org/ that states the Joplin privacy policy, and clearly discloses all features that are non-private. Nothing over the top, just something small to make sure the user is aware. I think it should also be included in the Welcome notes that populate a new installation.

Would it be worthwhile if I have a go at drafting such a section?

3 Likes

I think having this and a link at the top of the page to make it quick and easy to find would be enough. Because of the MIT license, the Joplin team is not liable for any usage of the app that leads to loss of data. The privacy policy would just be a formality to say “hey, we will try our hardest to make sure your data is reasonably safe from being released into the public domain”, right?

Of course, I’m not a lawyer, so I have little weight in this.

1 Like

The privacy policy would be the statement that Joplin values user privacy and considers the user should have complete control over what they choose to reveal.

It would also disclose all the non-private features, so the user can disable them if they want. Otherwise they may be oblivious.

It would serve two functions, 1) for users: to let users know what they can expect with Joplin and set it up according to their desire, and 2) for development: to ensure designs of new features follow the same principles in the future.

I guess legally, there might have to be a disclaimer about the potential of bugs and other unintentional violations?

2 Likes

I completely agree and wouldn’t be using Joplin if that wasn’t the case in my current place in life. What I’m saying is that the license should cover a large chunk of the issues that could arise so this would be more of a thing to add to help with Joplin’s appearance to its users. I’m also stating that my thoughts on this could be totally wrong due to me not being fully versed in laws and whatnot.

I’ve lately started using less software and services these days due to disagreeing with their privacy policies or lack thereof.

1 Like

This is our current privacy policy as it’s required to publish on Android: https://joplinapp.org/privacy/ but it’s dated and I don’t think it’s linked from anywhere except the mobile app.

Indeed if you have something in mind @mic704b please go ahead. The info in the footer and updated welcome notes sounds good.

I’m not so keen on disabling geo-location and auto-updating by default though. Prompting the user on startup, why not, but it’s a lot of GUI work to be done on mobile, desktop and cli.

3 Likes

I’m not sure what you mean. It takes 2 seconds to set the default for Save geo-location with notes to false in Settings.

1 Like

I mean I prefer it’s enabled by default.

2 Likes

Unfortunately this is not very good for privacy. Since Joplin is marketed as a privacy conscious app (privacy is always mentioned in combination with Joplin), using a default that ignores your privacy rights is counterproductive. This will come up in reviews at one point. e.g. I would comment on that negatively.

1 Like

Joplin is good for privacy because it doesn’t track any user. Third party might do but that can all be disabled.

With settings, we need to use the default that will satisfy the majority of users. Truth is, the majority of users doesn’t care that much about privacy (people who do care are vocal about it, but those who don’t we don’t hear from them), however they do care about the app “just working” - i.e. auto-update works, geo-location tracking works.

In any case, you can never satisfy everyone - if we disable these settings, people will ask why auto-update or geo-location doesn’t work; if we enable them, people will complain that it’s a privacy issue.

And I think what mic704b suggested is a good compromise - we document it well, we are open about it. Perhaps later we add some popup dialog that opens the first time the app is launched, etc.

4 Likes

I agree with you 100% in that regard.

Don’t get me wrong, I really don’t care, because I block any outgoing connections by default anyway.

It’s just that I’ve noticed several topics in this forum (and on GitHub) over the past year which all asked for changing the default. I am rather extreme in that regard. I’d turn everything off by default. That’s just a personal preference. I see it like this: Currently more harm can be done by using the app out of the box without reading the documentation, which btw, hasn’t been all too clear that geo and version check were on by default.

As I mentioned before, I don’t care, because I block any outgoing connections. But what about the people that don’t? They use the app and just by doing so, data is transmitted.
It’s kind of lame telling people: hey, you should have read the doc BEFORE using the app.
Once again, this is just my opinion. But this is what it will come to, when we leave it like it is.

Having those things in the documentation is great, but I don’t think we can expect people to read the documentation before using Joplin.

Until then, the default should be changed to off.

4 Likes
1 Like

I like the principle by which Android apps now seem to work:
rather than a default being set to attempt to meet what we can only presume to be any user's preference,
all permissions are switched off by default and they are programmatically invoked when they might first be relevant - this then meets the needs (at first potential use of any and all features worthy of a privacy protocol),
and also allows the features to be promoted/ made known to the user, but
not simply switched on or off - which still doesn't actually bring attention to the user that they are available, let alone allowed by default.

3 Likes

Just to add a little to the discussion.
If note collaboration runs through Joplin Server, the hoster needs other things in a privacy statement than the Android app (just working local).

1 Like

I have been sharing notes with others that use Joplin for the past few months and I am upset to see that the geolocation setting has been on by default leaving users to know where I live, where I work, or where I could be just to take notes.

I do see a benefit for a person using Joplin to keep track of their notes depending where they are but there needs to be an option in the UI where this setting can be managed by the user.

1 Like

You can disable this in the settings under the "Note" section. The information about this is actually in the Welcome notes, under the "Privacy" section and can also be found there: joplin/5_privacy.md at dev · laurent22/joplin · GitHub

1 Like

May I ask what version of Joplin will have that setting, because I do not see a way to disable it under the "Note" section. I am currently running 2.2.5 on Linux.

1 Like

I did a quick check (not sure how accurate it is, but will be in the ballpark).
This option was added around 4 years ago, and has been available in every release from v1.0.62 until 2.3.5.

It's the second option in this section.
image

edit: Here is the commit where it was first added (I think)

2 Likes