On 10/11/2018 05:12 PM, Paul W. Frields wrote:
> On Wed, Oct 10, 2018 at 10:41:07PM -0400, Dusty Mabe wrote:
>> /me waves at legal experts
>>
>> In the Fedora CoreOS community we'd like to log our IRC channel so we
>> can refer back to conversations we've had or link people to conversations
>> if they weren't in the channel and start a discussion with them while
>> allowing them to gain full context.
>>
>> We were using botbot.me, but they will be shutting down soon [1]. We
>> are looking to explore other options for this and are looking for legal
>> help to know what we can and can not do. A few comments/questions:
>>
>> - logging channels seems to possibly conflict with GPDR
>> - if we were to keep logs for a shorter period of time, would it help?
>> - if an individual kept logs and provided a service, would that be
>> possible or would that possibly have implications for the individual's
>> employer?
>> - Are fedora irc meeting logs something that should have GPDR concern?
>> - If not, why not? Could the same reason apply to a general channel?
>>
>> Do you have any advice on how we can achieve this goal?
>>
>> See [2] where we have been having this discussion in Fedora CoreOS community.
>>
>> Thanks for any help you can provide!
>> Dusty
>>
>> [1]
https://lincolnloop.com/blog/saying-goodbye-botbotme/
>> [2]
https://github.com/coreos/fedora-coreos-tracker/issues/11#issuecomment-42...
>
> While IANAL, here is some guidance I can give based on recent
> experience in looking at the GDPR:
>
> The Fedora Project has a legitimate business interest in maintaining
> records that sometimes have personally identifying information. This
> is balanced against GDPR rights such as the so-called "right to be
> forgotten," which itself is not unlimited. This is a basis on which
> we maintain records like email archives and other communications the
> community uses to research, analyze, understand, and act on background
> or other information.
>
> A limited lifespan for communications certainly means less risk of
> upsetting that balance. So if you intend these communications to be
> archived for only a window of a week or two, that's helpful.
>
> It would be a good idea to inform all channel users about any
> round-the-clock logging. I'd recommend text like "NOTE: This channel
> is logged at all times for historical and decision purposes. Logs are
> retained for <$TIME> and can be found here: <$URL>." I'd also
> recommend having a bot that echoes a notice to the channel routinely,
> at least every few hours (hourly would be even better). The point is
> to make sure no one is under-informed.
>
> I do not recommend an individual do the logging or retention, since I
> don't know whether they'd have the same level of legitimacy in
> retaining information as the Fedora Project does.
>
> Given what I know about GDPR and our project, the above seems
> reasonable. Periodic IRC meetings have different sets of
> expectations.
>
Thanks Paul. I'll try to make sure all of your recommendations get put
into practice. I'll also reach out to fedora infra to see if we can set
up a botbot.me instance to solve this problem for us in the future.
Suggestion: Build a containerized service and offer to keep it
updated, so that all they have to do is deploy it in an Openshift
cluster.
josh