Ferguson Charity (CEMINFERGUSON)
2023-Oct-02 07:48 UTC
[R] Question about R software and output
To whom it may concern, My understanding is that the R software is downloaded from a CRAN network and data is imported into it using Microsoft Excel for example. Could I please just double check whether any data or results from the output is held on external servers or is it just held on local files on the computer? Many thanks, Charity ************************************************************************************* The information contained in this message and or attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Unless otherwise specified, the opinions expressed herein do not necessarily represent those of Guy's and St Thomas' NHS Foundation Trust or any of its subsidiaries. The information contained in this e-mail may be subject to public disclosure under the Freedom of Information Act 2000. Unless the information is legally exempt from disclosure, the confidentiality of this e-mail and any replies cannot be guaranteed. Any review, retransmission,dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any system and destroy any copies. We make every effort to keep our network free from viruses. However, it is your responsibility to ensure that this e-mail and any attachments are free of viruses as we can take no responsibility for any computer virus which might be transferred by way of this e-mail. ************************************************************************************* [[alternative HTML version deleted]]
It's conceivable that functions in a contributed package would
communicate/transmit or receive data from a remote server, but base R
does nothing like that (unless you explicitly ask it to).
cheers
Ben Bolker
On 2023-10-02 3:48 a.m., Ferguson Charity (CEMINFERGUSON)
wrote:> To whom it may concern,
>
>
>
> My understanding is that the R software is downloaded from a CRAN network
and data is imported into it using Microsoft Excel for example. Could I please
just double check whether any data or results from the output is held on
external servers or is it just held on local files on the computer?
>
>
>
> Many thanks,
>
>
>
> Charity
>
>
>
*************************************************************************************
>
> The information contained in this message and or attachments is intended
only for the
> person or entity to which it is addressed and may contain confidential
and/or
> privileged material. Unless otherwise specified, the opinions expressed
herein do not
> necessarily represent those of Guy's and St Thomas' NHS Foundation
Trust or
> any of its subsidiaries. The information contained in this e-mail may be
subject to
> public disclosure under the Freedom of Information Act 2000. Unless the
information
> is legally exempt from disclosure, the confidentiality of this e-mail and
any replies
> cannot be guaranteed.
>
> Any review, retransmission,dissemination or other use of, or taking of any
action in
> reliance upon, this information by persons or entities other than the
intended
> recipient is prohibited. If you received this in error, please contact the
sender
> and delete the material from any system and destroy any copies.
>
> We make every effort to keep our network free from viruses. However, it is
your
> responsibility to ensure that this e-mail and any attachments are free of
viruses as
> we can take no responsibility for any computer virus which might be
transferred by
> way of this e-mail.
>
>
*************************************************************************************
>
> [[alternative HTML version deleted]]
>
> ______________________________________________
> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide
http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
? Mon, 2 Oct 2023 07:48:36 +0000 "Ferguson Charity (CEMINFERGUSON)" <Charity.Eminferguson at gstt.nhs.uk> ?????:> My understanding is that the R software is downloaded from a CRAN > networkThis is mostly true. (There are other ways of installing R, but it is most frequently downloaded from a CRAN mirror.)> and data is imported into it using Microsoft Excel for example.This is not exactly the case. It is possible to prepare data using Microsoft Excel and store it in the Microsoft Excel format, but the actual import process is performed either using base R functions (e.g. read.csv(), which is built into R), or using third-party packages running inside R (e.g. "openxlsx", which is available on CRAN) that implement the functions necessary to transform Excel format into R data structures. It is also possible to prepare data using other software, or type it manually into R, or store it only in R's native data format (using the saveRDS() or save() functions).> Could I please just double check whether any data or results from the > output is held on external servers or is it just held on local files > on the computer?As long as you're running R on your own computer, it should keep the data locally. The words of a J. Random Hacker from the Internet don't carry much weight with government agencies (as they shouldn't), but the source code of R is open to audits. Additionally, there are some guidance documents at <https://www.r-project.org/certification.html>. Note that this only covers R itself and not any third-party software packages that you could be using together with R. (You could also be connecting to an RStudio server or running an instance of webR in your web browser, in which case your data is subject to the privacy policy of the server administrators.) For example, the "googleCloudRunner" package available on CRAN is designed for the purpose of running code on Google infrastructure and will send the data there if asked to. CRAN packages are required never to do anything that might be regarded as antisocial <https://cran.r-project.org/web/packages/policies.html>, but a dedicated attacker may be able to slip something past the reviewers anyway. Since your e-mail address contains nhs.uk, the <https://nhsrcommunity.com/> website could help you find the information you need. -- Best regards, Ivan
I am pretty sure you'll get more replies than mine, so just consider this as part of the story. Your understanding is confused/flawed. 1. R can be downloaded from hundreds/thousands of software repositories, not just CRAN. 2. R can read/upload data in hundreds of different formats, not just Excel's. R makes no use of Excel to read external files (I wasn't clear what you meant here). 3. As Ben said, it is certainly possible that some R packages -- optional add-ons extending R capabilities --- communicate with and store data or results on external servers. R, itself, can run locally and can store results either locally or externally. Like most software, it can also be integrated as part of the infrastructure on a server for web applications. If you have a specific question not addressed by these various replies, ask it. You will most likely get a useful reply. Cheers, Bert On Tue, Oct 3, 2023 at 7:17?AM Ferguson Charity (CEMINFERGUSON) < Charity.Eminferguson at gstt.nhs.uk> wrote:> To whom it may concern, > > > > My understanding is that the R software is downloaded from a CRAN network > and data is imported into it using Microsoft Excel for example. Could I > please just double check whether any data or results from the output is > held on external servers or is it just held on local files on the computer? > > > > Many thanks, > > > > Charity > > > > ************************************************************************************* > > The information contained in this message and or attachments is intended > only for the > person or entity to which it is addressed and may contain confidential > and/or > privileged material. Unless otherwise specified, the opinions expressed > herein do not > necessarily represent those of Guy's and St Thomas' NHS Foundation Trust or > any of its subsidiaries. The information contained in this e-mail may be > subject to > public disclosure under the Freedom of Information Act 2000. Unless the > information > is legally exempt from disclosure, the confidentiality of this e-mail and > any replies > cannot be guaranteed. > > Any review, retransmission,dissemination or other use of, or taking of any > action in > reliance upon, this information by persons or entities other than the > intended > recipient is prohibited. If you received this in error, please contact the > sender > and delete the material from any system and destroy any copies. > > We make every effort to keep our network free from viruses. However, it is > your > responsibility to ensure that this e-mail and any attachments are free of > viruses as > we can take no responsibility for any computer virus which might be > transferred by > way of this e-mail. > > > ************************************************************************************* > > [[alternative HTML version deleted]] > > ______________________________________________ > R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see > https://stat.ethz.ch/mailman/listinfo/r-help > PLEASE do read the posting guide > http://www.R-project.org/posting-guide.html > and provide commented, minimal, self-contained, reproducible code. >[[alternative HTML version deleted]]
I would answer "local files only," but with sufficient motive it is
possible for some people to abuse a system. Base R does not download any of your
data. The packages that I know about do not download data. You can add a layer
of protection by only downloading directly from the source rather than through
some third party. If you are skilled, you should be able to read through the
source code to check for statements that would write your data to an external
source.
Another viewpoint: R is an approved software for the University of Florida. The
University is very aware of regulations and risks associated with personally
identifiable information. Downloading to an external location would be a
security risk that the University would not allow. That said, the university
provides students and employees an approved link for downloading the software.
It is designed to help people avoid third party sites and associated risks.
If this is an issue with personally identifiable information, then you should
check with your employer if R is an approved software.
-----Original Message-----
From: R-help <r-help-bounces at r-project.org> On Behalf Of Ferguson
Charity (CEMINFERGUSON)
Sent: Monday, October 2, 2023 3:49 AM
To: r-help at r-project.org
Subject: [R] Question about R software and output
[External Email]
To whom it may concern,
My understanding is that the R software is downloaded from a CRAN network and
data is imported into it using Microsoft Excel for example. Could I please just
double check whether any data or results from the output is held on external
servers or is it just held on local files on the computer?
Many thanks,
Charity
*************************************************************************************
The information contained in this message and or attachments is intended only
for the person or entity to which it is addressed and may contain confidential
and/or privileged material. Unless otherwise specified, the opinions expressed
herein do not necessarily represent those of Guy's and St Thomas' NHS
Foundation Trust or any of its subsidiaries. The information contained in this
e-mail may be subject to public disclosure under the Freedom of Information Act
2000. Unless the information is legally exempt from disclosure, the
confidentiality of this e-mail and any replies cannot be guaranteed.
Any review, retransmission,dissemination or other use of, or taking of any
action in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please contact
the sender and delete the material from any system and destroy any copies.
We make every effort to keep our network free from viruses. However, it is your
responsibility to ensure that this e-mail and any attachments are free of
viruses as we can take no responsibility for any computer virus which might be
transferred by way of this e-mail.
*************************************************************************************
[[alternative HTML version deleted]]
______________________________________________
R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.r-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
@vi@e@gross m@iii@g oii gm@ii@com
2023-Oct-03 15:06 UTC
[R] Question about R software and output
Charity, As some of the answers I have seen show, your question is not clear. You need to be clear on what you mean about R software and other concepts before an answer makes sense. The Base version of R may come on your computer already but likely has been installed from some external source, or updated and the CRAN mirrors are one such installation. As far as I know, it downloads the main R software as well as packages considered important as part of that distribution and from then on, you can disconnect your computer from any network and it will work fine for any programs that operate only locally. Of course any program you run that wishes to access external resources can do so. In particular, it is quite common for you at the prompt, or within an R program, to ask for a package stored externally to be placed within your computer but once done, it remains there until and unless you want to get a newer version or something. There are packages that include data within themselves and may well be some that dynamically go out and get info from somewhere but I know of no simple way to find out other than reading the source code or seeing what happens if you disconnect from the internet. Your mention of EXCEL also needs clarification. EXCEL has absolutely nothing to do with R. It is an unrelated product and you do not need to have it installed to run R and vice versa. That does not mean your program cannot interact with EXCEL or the files it makes, just that it is not part of base R. R does allow importing data (locally or not) in lots of formats including some that EXCEL can save data in. But generally, internal to R there are storage methods such as the data.frame that hold data and manipulate it and a typical R program may read in some data from files like .CSV that can be saved from EXCEL or many other sources or with the proper packages, you can read directly from more native EXCEL formats such as XLSX files. And, you can write out results in many ways using packages that include those formats. Once data has been received, I know of no way in R that tags it with the source of the data as being internal or external. Often the fact that something is external is well hidden as many R packages have ways to access external data as if it were local. Perhaps you can explain more clearly what your concerns are. But note R is not atypical among computer languages and many others might share the same issues that concern you. Avi -----Original Message----- From: R-help <r-help-bounces at r-project.org> On Behalf Of Ferguson Charity (CEMINFERGUSON) Sent: Monday, October 2, 2023 3:49 AM To: r-help at r-project.org Subject: [R] Question about R software and output To whom it may concern, My understanding is that the R software is downloaded from a CRAN network and data is imported into it using Microsoft Excel for example. Could I please just double check whether any data or results from the output is held on external servers or is it just held on local files on the computer? Many thanks, Charity **************************************************************************** ********* The information contained in this message and or attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Unless otherwise specified, the opinions expressed herein do not necessarily represent those of Guy's and St Thomas' NHS Foundation Trust or any of its subsidiaries. The information contained in this e-mail may be subject to public disclosure under the Freedom of Information Act 2000. Unless the information is legally exempt from disclosure, the confidentiality of this e-mail and any replies cannot be guaranteed. Any review, retransmission,dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any system and destroy any copies. We make every effort to keep our network free from viruses. However, it is your responsibility to ensure that this e-mail and any attachments are free of viruses as we can take no responsibility for any computer virus which might be transferred by way of this e-mail. **************************************************************************** ********* [[alternative HTML version deleted]] ______________________________________________ R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see https://stat.ethz.ch/mailman/listinfo/r-help PLEASE do read the posting guide http://www.R-project.org/posting-guide.html and provide commented, minimal, self-contained, reproducible code.
Dear Charity Since your organisation is a member of King's Health Partners you might like to ask colleagues in KCL for local support. Michael On 02/10/2023 08:48, Ferguson Charity (CEMINFERGUSON) wrote:> To whom it may concern, > > > > My understanding is that the R software is downloaded from a CRAN network and data is imported into it using Microsoft Excel for example. Could I please just double check whether any data or results from the output is held on external servers or is it just held on local files on the computer? > > > > Many thanks, > > > > Charity > > > ************************************************************************************* > > The information contained in this message and or attachments is intended only for the > person or entity to which it is addressed and may contain confidential and/or > privileged material. Unless otherwise specified, the opinions expressed herein do not > necessarily represent those of Guy's and St Thomas' NHS Foundation Trust or > any of its subsidiaries. The information contained in this e-mail may be subject to > public disclosure under the Freedom of Information Act 2000. Unless the information > is legally exempt from disclosure, the confidentiality of this e-mail and any replies > cannot be guaranteed. > > Any review, retransmission,dissemination or other use of, or taking of any action in > reliance upon, this information by persons or entities other than the intended > recipient is prohibited. If you received this in error, please contact the sender > and delete the material from any system and destroy any copies. > > We make every effort to keep our network free from viruses. However, it is your > responsibility to ensure that this e-mail and any attachments are free of viruses as > we can take no responsibility for any computer virus which might be transferred by > way of this e-mail. > > ************************************************************************************* > > [[alternative HTML version deleted]] > > ______________________________________________ > R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see > https://stat.ethz.ch/mailman/listinfo/r-help > PLEASE do read the posting guide http://www.R-project.org/posting-guide.html > and provide commented, minimal, self-contained, reproducible code. >-- Michael
R is open source software, available from CRAN servers, but also packaged for various Linux distributions. On this machine, running Ubuntu, R was installed using the 'apt' package manager. R is a complete programming language with built-in support for reading and writing over the network. Packages -- whether on CRAN or elsewhere -- extend R with code written in a mixture of Fortran, C, C++, and R. Base R behaves itself, but a package loaded from some random GitHub site could do anything. Data processed by R need not have been anywhere near Excel or any kind of spreadsheet. I don't even *have* Excel on any of the machines I run R on. Most of the data I process is not in .csv or .xslx format. R is able to read data in many formats as described in the R Data Import/Export manual, which is fairly brief. If there is a data exchange format with a significant community, chances are there's an R package that can read and/or write it. Indeed, it is even possible to extract information from PDFs in R using the pdftools package. It sounds as though your primary concern is data protection, and there's good news and bad news. The good news is that if you stick with R and with packages from a trusted repository, you're safe. The bad news is that a programming language that can do anything can do ANYTHING, and you are not safe from a malicious programmer in your own organisation sending data anywhere she wants to. % R> system("some possibly dangerous command goes here")Of course, this doesn't let anyone do something they couldn't already do *without* R. And this gets us to the real bad news. I think you are trying to achieve security by a method that cannot work. You're trying to limit yourself to safe software. But you ALSO need to plug ALL the USB ports, ALL the Thunderbolt ports, snip the wires to the Wifi and Bluetooth modules, &c &c. If a system is capable enough to install R (or anything else), it is insecure *without* R. You have to limit the internet connections that can possibly be established by ANY program, and that means several levels of firewalls. It also means no "work from home". On Wed, 4 Oct 2023 at 03:18, Ferguson Charity (CEMINFERGUSON) < Charity.Eminferguson at gstt.nhs.uk> wrote:> To whom it may concern, > > > > My understanding is that the R software is downloaded from a CRAN network > and data is imported into it using Microsoft Excel for example. Could I > please just double check whether any data or results from the output is > held on external servers or is it just held on local files on the computer? > > > > Many thanks, > > > > Charity > > > > ************************************************************************************* > > The information contained in this message and or attachments is intended > only for the > person or entity to which it is addressed and may contain confidential > and/or > privileged material. Unless otherwise specified, the opinions expressed > herein do not > necessarily represent those of Guy's and St Thomas' NHS Foundation Trust or > any of its subsidiaries. The information contained in this e-mail may be > subject to > public disclosure under the Freedom of Information Act 2000. Unless the > information > is legally exempt from disclosure, the confidentiality of this e-mail and > any replies > cannot be guaranteed. > > Any review, retransmission,dissemination or other use of, or taking of any > action in > reliance upon, this information by persons or entities other than the > intended > recipient is prohibited. If you received this in error, please contact the > sender > and delete the material from any system and destroy any copies. > > We make every effort to keep our network free from viruses. However, it is > your > responsibility to ensure that this e-mail and any attachments are free of > viruses as > we can take no responsibility for any computer virus which might be > transferred by > way of this e-mail. > > > ************************************************************************************* > > [[alternative HTML version deleted]] > > ______________________________________________ > R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see > https://stat.ethz.ch/mailman/listinfo/r-help > PLEASE do read the posting guide > http://www.R-project.org/posting-guide.html > and provide commented, minimal, self-contained, reproducible code. >[[alternative HTML version deleted]]