[Fedora-legal-list] Privacy Policy Concern

Tristan Santore tristan.santore at internexusconnect.net
Thu Mar 8 23:42:55 UTC 2012


On 08/03/12 23:16, Kevin Fenzi wrote:
> On Thu, 08 Mar 2012 10:10:33 -0500
> Tom Callaway <tcallawa at redhat.com> wrote:
> 
>> On 03/08/2012 01:35 AM, inode0 wrote:
>>> Hi all,
>>>
>>> The following describes the policy for information controlled by the
>>> privacy flag in FAS.
>>>
>>> https://fedoraproject.org/wiki/Legal:PrivacyPolicy#Publicly_Available_Personal_Information
>>>
>>> It appears to me that the IRC nickname if provided in FAS is also
>>> treated as public information in various places now regardless of
>>> the privacy settings. If I log into FAS and look at another user
>>> who has the privacy flag set I can see the IRC nickname, if I query
>>> the fas plugin to zodbot I also see the user's IRC nickname.
> 
> Yeah, this is a bug. ;( 
> 
> We are fixing it now. 
> 
>>> I do think the IRC nickname should be considered public information
>>> if provided (and especially for users with fedora cloaks) so I'm
>>> wondering if the privacy policy should just add this as a second
>>> exception along with the email address listed in the current policy?
>>
>> This makes sense. 
> 
> I'd be ok with ircnick being public too I suppose. I don't feel
> strongly about it though. ;) 
> 
> I think we should clarify the email sentence tho. 
> It says: 
> 
> "The only exception to this is for your email address, which may still
> be visible in some Fedora services such as Bugzilla."
> 
> I think we should amend it to say: 
> 
> "The only exception to this is for your email address, which will be
> publicly available."
> 
> Possibly adding a 'Fedora is an open community and identifies its
> contributors by their email address, thus it's important to make this
> information available' or something. 
> 
> Also, should we note something about usernames?
> 
>> We probably should also ask the Board (and
>> Community) if there are any other changes they want to make to the
>> privacy policy at the same time, since we have to make a big noise
>> every time we change it (even for a minor change like this).
> 
> Yeah. I wonder, should we consider badges? 
> Would your badge information be public or private? 
> 
>>> I also have a question about what the "your affiliations" in the
>>> last bullet in that section refers to?
>>
>> At one point, there was a plan to extend FAS to show external
>> "affiliations", but I don't think it ever happened. Toshio would know
>> more, but he's off at PyCon atm.
> 
> yeah. 
> 
> kevin
> 
I personally believe there should be a very frank discussion about this.
There is a tendency to be quite liberal with personal information, which
in my very humble opinion, in terms of the fas username is a security
risk, in terms of the sign up email being shown, can allow anyone to
write a script to query fas, and spam people to death, maybe harass
them. In terms of the real name being shown, if you make public
statements, you might disgruntle future employers, maybe your local
judicial system, who do not value free speech, as the US constitution
does or even worse, somebody just takes an exception to statements made,
and you get arrested (happens a lot in other countries I hear). Of
course these are all extreme examples, but I do not think we should
underestimate these issues.

Further, speaking for myself, when I signed up years ago, I did not
realise that:
a. I could not change my username after sign up
b. That this information was going to be public.
Of course then, legally "you" would say, well we had this 100 page
document in our terms and conditions, but does that make it right?
Should we as a free and open community not be better at respecting
people's beliefs? What if I want to change my username? Or what if I
want to delete my user/participation? What are the procedures for our
users? What guarantees do we give people to protect their
privacy/details after they leave, or they change their minds on being so
open, in terms of disclosure?

I personally think, these are very real concerns, especially when we see
other corporations getting more and more greedy with information on the
general public and more and more laws by government to snoop on people.
We should also never forget, that it is getting harder and harder to
delete data, which is why the EU is debating a "right to forget" law.

The community should have a very frank and open discussion about
these concerns and the board should then take up these issues, discuss
the findings and make appropriate changes to the policies and how we
inform our contributors about what happens with this data, and what and
how we help them to erase any data about them.

Of course there have to be technical limits, especially as we use fas in
pretty much everything, but these should be discussed too, and maybe
workarounds found.

I apologise for this long email, but these are just some concerns I see
with regards to this issue.


Regards,

Tristan



-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org


