Avoid usernames in logs

[cihe13375]

Currently the log files contain the user's login name on the OS level. For example:

runtime Log for *username* (LogLevel: Verbose)

[time] [verbose]: Opened realm "C:\Users\*username*\AppData\Roaming\osu\client.realm" at version xx

This can potentially leak the reporter's personal information (maybe it contains their real names or usernames on other websites), which could be a concern because logs are publicly accessible after uploaded on github. I don't think these usernames are helpful in debugging either.
I suggest removing the appearances of usernames in the log files, or replace them with generic strings like myusername or something.
idk if the user's osu! id is recorded in logs (probably not, at least I did not find them), imo they should not appear in logs either.

[bdach]

I don't think these usernames are helpful in debugging either

They are. Not by themselves, but knowing the full path can be.

idk if the user's osu! id is recorded in logs (probably not, at least I did not find them), imo they should not appear in logs either.

They can be recorded (e.g. API request logs, or indirectly via logged score submissions or something) and they also are useful for debugging.

Put it this way: if there is an issue that is caused by the user's storage location for whatever reason not being writable, then it is much easier for us to go "please check if (full path here) is writable" than "oh hey there's this path here that we can't really fully see so you should go try and find it for us and then check it please".

Same goes for user IDs. Many times we'll require to identify reporters ourselves directly when it comes to their osu! profile because we need to check the particular score in the database or something along these lines.

It's not like we log passwords or something. In most user facing software I've seen paths are fair game to log. This request seems unreasonable to me. We cannot be expected to know what is on your system and redact everything that could be potential identifying information to you. If you don't want to provide logs due to privacy concerns then either redact them manually or provide clear reproduction steps that don't require them.

[cihe13375]

it is much easier for us to go "please check if (full path here) is writable" than "oh hey there's this path here that we can't really fully see so you should go try and find it for us and then check it please".

afaik major OSes (if not all that osu! supports and have user profiles) have aliases/variables point to the user's "home" folder (that's the major reason why a path may contain usernames) which works basically same as the full path. e.g. on Windows the osu! profile is at %userprofile%\AppData\Roaming\osu (i.e. C:\Users\username\AppData\Roaming\osu), on linux it's ~/.local/share/osu (i.e. /home/username/.local/share/osu).

Anyway, if it's not viable to remove them, I think the osu! client should warn users about the personal information potentially included in logs when they try to export them.

[bdach]

afaik major OSes (if not all that osu! supports and have user profiles) have aliases/variables point to the user's "home" folder (that's the major reason why a path may contain usernames) which works basically same as the full path.

Windows users routinely don't know what %USERPROFILE% or %APPDATA% mean or what to do with them.

[sineplusx]

I agree with your statement about the username at the top of the log files, always wondered why it was there in the first place. It is possible that logs of multiple local users end up in the same place if you use a shared storage, but even then I don't think it would be useful to know which local user played the game.

The paths I see useful for debugging issues, same as @bdach already pointed out. If you don't want the username to show up in paths, you should consider moving the osu! data location to a path where the username is not part of it.

And if you want to go absolutely nuclear (and use Linux), you can simply prevent osu! from reading the username at all using an access control framework. I made an AppArmor profile for osu! which includes these lines:

 deny /etc/passwd r,
 deny /run/systemd/userdb/ r,

Produces no error ingame and the username in the logs stays blank.

[cihe13375]

wow thanks for the info, it's helpful. At least I don't need to batch replace in log files anymore I guess...

[peppy]

This was historically present because there were regular cases of users breaking the game with silly/long usernames (which ended up in their game path or otherwise).

I'm okay with removing it from the top of the file. Having the osu account username on the other hand is valuable and could even replace the windows one in the header.

[cihe13375]

Thanks for the response. Removing them from the top of the file is definitely an improvement (at least no need to do the access control thing suggested above anymore), though it's likely not enough for most users who don't change the osu data folder location (which contains usernames by default).
I still think it's desired to make it clear what information is included in logs, because the user is going to send them in public. Maybe add a "privacy notice.txt" in some place where the user would see before they upload logs (e.g. in the export and log folder):

The osu! logs may include the following information (idk the real list, just an example):
- the path of osu! data folder (currently xxx)
- your osu! id
- general information about your system, like the OS version, screen resolution, GPU model, etc.
- the history of browsing, playing, editing beatmaps, and submitting scores
Some of them may be personally identifiable; check the log files themselves for details. Note that files uploaded to Github are publicly accessible. 

The log files do NOT include your osu! or OS login password (and other sensitive information which may be considered related).

Or maybe a dialog when the user click "export logs", though I'm afraid of some users not understanding it and don't know what to do.

side comment: I think the osu! privacy policy is not very clear on this either. e.g. from this sentence, I won't realize that my OS login name would be included in logs:

We utilise error logging which collects technical and usage information as you use our services. This may include IP address, your username, browser type and version, time zone setting and location, operating system and platform and other details on what devices you use to access our services.

In old days I thought it's fine anyway since logs are only sent to developers and they said "This collected data is aggregated and only retained as it is useful. (more details)". But since now it's considered normal to send logs publicly on Github I think this should be clarified.

[sineplusx]

I'm sorry, but I think the "privacy notice" you propose is not something the dev team should pursue. Most users don't care about this level of privacy, and the ones that do care about it likely know the log contents already. To my knowledge, you are the first person to complain about this, and the dev team frankly has better things to do.

Unlike Sentry, uploading logs to GitHub is not automated, and the user can always choose to redact logs or send excerpts, at the expense of information that might be missing for troubleshooting. Uploading logs to a public, third-party platform is still your choice, and the stuff that you upload is your responsibility.

The sentence from the osu! privacy policy you mentioned literally says

This may include IP address, your username (...)

I would assume this refers to both the osu! username and the username on the OS. And if it doesn't, you may be surprised how much data can fit under the catch-all of "technical and usage information"

[cihe13375]

Most users don't care about this level of privacy, and the ones that do care about it likely know the log contents already. To my knowledge, you are the first person to complain about this...

I'd say that this is (probably) not complained before because many users don't know it at all as they don't check the content of logs (now this is even more likely to happen since they are compressed). At least for me, it's only until recently (I have been using lazer for years and submitted many issues) that I once checked the logs out of curiosity, and accidentally noticed the problem. In other words, I have been uploading my logs to the public for years without aware of what they include at all. If I knew what they include earlier, I'll at least remove the sensitive info before uploading them.

and the dev team frankly has better things to do

yea, but I'll be kinda surprising if it takes more than like 10 minutes of work to add an extra txt file to osu data folder (it's already done in many places)... I could be wrong though.

Uploading logs to a public, third-party platform is still your choice, and the stuff that you upload is your responsibility.

Of course that's true (just like playing osu! at all). The point is that users should be made aware of the implications before they make the decision (including non-technical users who don't want to read through the logs and/or don't know how github works).

I would assume this refers to both the osu! username and the username on the OS. And if it doesn't, you may be surprised how much data can fit under the catch-all of "technical and usage information"

That's why I say it's not very clear instead of lying. If the osu! team decide to continue with this vague term I guess I can still live with it, though.