On 02-04-2009 17:50:50 +0200, Sebastian Pipping wrote:
> Fabian Groffen wrote:
> > Is it really necessary to associate collected information to personal
> > data at all?
>
> Are you referring to item
>
> * Add user's real name and contact info if wanted
>
> ? That's completely optional. I expect some people to
> be willing to share their contact info, especially in the
> beginning. It's not "needed" in any way. Does that answer
> your question?

I was wondering if this was necessary at all, and hence if you should
include it.

> > What if there would be a unique identifier (hashed MAC
> > address?) that just identifies the Gentoo installation, would that be
> > enough? That way you can track without any privacy issues involved, I
> > think.
>
> We could use such an identifier to identify repeated submissions
> (users should send in more up to date again later) and handle
> some kind of "database pollution" attacks. We wouldn't catch
> attackers that change their MAC before submission.

I actually assumed that "updates" are one of the most important
happenings of a system like this. Updates actually allow you to see
when and how people update, what the effect of a GLSA is, usage
patterns, etc. etc.

DoS attacks are a different problem, but most probably can easily be
solved by infra using some rate-limiting. Poisoning attacks are again a
different thing, but perhaps not so important because their impact is
low, and when detected easily remedied (restart from scratch, restore
backup ...)

> I suppose a privacy issue still exists as you might be able to
> resolve certain changes in submission data over time down
> to a person. I better not construct scenarios here, but I'm
> afraid that would be possible.

So, question, is dealing with the privacy via identity problem one that
gives you any extra benefits, or can you entirely let it go?

--
Fabian Groffen
Gentoo on a different level
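
An added example, not part of the original thread: a sketch of the scheme discussed above, where the client hashes its MAC address into an installation ID and the collector keeps only the latest submission per ID, with a minimum interval between accepted submissions. The names `install_id` and `SubmissionStore`, the use of SHA-256, the one-hour interval and the sample MAC addresses are all assumptions made for illustration.

```python
import hashlib
import re

MIN_INTERVAL = 3600  # assumption: accept one submission per ID per hour


def install_id(mac: str) -> str:
    """Client side: hash the MAC so the raw address never leaves the host."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hashlib.sha256(bytes.fromhex(digits)).hexdigest()


class SubmissionStore:
    """Collector side: one current record per installation ID."""

    def __init__(self, min_interval: int = MIN_INTERVAL):
        self.min_interval = min_interval
        self.latest = {}   # installation ID -> (timestamp, data)
        self.updates = {}  # installation ID -> number of accepted updates

    def submit(self, ident: str, timestamp: int, data: dict) -> str:
        previous = self.latest.get(ident)
        if previous is not None and timestamp - previous[0] < self.min_interval:
            return "rate-limited"  # repeat arrived too soon: dropped
        self.updates[ident] = self.updates.get(ident, -1) + 1
        self.latest[ident] = (timestamp, data)  # newer data replaces older
        return "new" if previous is None else "updated"


def demo():
    store = SubmissionStore()
    host = install_id("00:16:3E:AA:BB:01")     # constructed sample MAC
    changed = install_id("00:16:3e:aa:bb:02")  # same sender, MAC changed
    results = [
        store.submit(host, 0, {"profile": "sample-a"}),
        store.submit(host, 10, {"profile": "junk"}),         # flood attempt
        store.submit(host, 86400, {"profile": "sample-b"}),  # later update
        store.submit(changed, 20, {"profile": "junk"}),      # not caught
    ]
    return results, len(store.latest)


if __name__ == "__main__":
    print(demo())
```

The last submission in `demo()` is the case raised in the thread: a sender who changes the MAC before submitting gets a fresh ID and is counted as a second installation.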