Include explicit privacy statement in docs

[abeyerpath]

The documentation (and maybe a reference in README.md) should include a privacy statement and disclosure.

It would be good practice to be explicit about what isn't collected. Also would be handy to head off questions about things like linehaul that might be surprising to some people or prone to trigger audit questions or IDS alerts.

[ichard26]

For what it's worth, the pip project does not collect any telemetry. What we do is collect system/python environment information and send it over as part of the User Agent which may or may not be collected by the remote index. In practice, pip's user-agent is formatted for ingestion by PyPI's linehaul service and PyPI is the most commonly used index.

I'm fine with documenting what the average pip user would be revealing through telemetry, but it is at risk of falling out of date when PyPI updates their policies (like whether they store IP logs, etc. etc.). Also, by inspecting the tags of the wheels, the remote index can still (w/o the user agent) infer a handful of system properties (architecture, OS, and Python version) when a platform specific wheel is used.

[notatallshaw]

I'm fine with documenting what the average pip user would be revealing through telemetry, but it is at risk of falling out of date when PyPI updates their policies (like whether they store IP logs, etc. etc.).

I agree, and to emphasize I think for any documentation ishould be clear there are two separate questions:

1. What information pip purposefully sends to a remote index? e.g. linehaul information
2. What information a remote service collects and stores?

For 1. I think this should be fairly simple to document. But should probably be noted that most of this information could be derived by a remote index by looking at a user's download patterns.

For 2. I think it should be made clear it is out of pip's hands and user's must check with the remote service, whether that's an index, or a remote VCS service, or an sdist build that makes external calls. Though I do think as PyPI is the default index it might make sense to link to any policy they have on this, though I'd want the PyPI team's input before linking to some page.