On Wed, Jun 20, 2018 at 4:32 AM Michał Górny <mgorny@g.o> wrote:
>
> Please tell me, how many times did we have to disambiguate two
> developers using the same name? Even if we ever have to do that, do you
> really think we'd use one's birthday all over the place?

Even if we've had two people from the same location with the same
name, WHY would we ever have to use their date of birth to identify
them? We already have their nicks which is what we use internally,
and those are always unique.

And if we DID have to identify a specific individual legally, then why
aren't we collecting government ID numbers, which actually do the job
a LOT better than DOB?

As far as I'm aware, under most privacy laws and policies I've seen,
name+DOB is just as sensitive as a government ID number. If
collecting the latter makes you recoil in horror, then you should be
just as concerned about DOB collection.

I don't see the need to collect either for legal identification
purposes, so why do it?

> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.

++

Just put on the dev application a certification that they are
legally allowed to sign agreements. That depends on more than just
age anyway.

Could somebody lie? Sure, just as they can lie today about their DOB.

This is just reasonable care. I don't think there is any expectation
by anybody that we have a higher level of certainty that our
developers are able to sign things (DCOs or otherwise - which are also
just reasonable care, unless we intend to start doing in-depth reviews
of every commit).

If we did need a higher level of certainty, then just asking for DOB
won't cut it. We'd need to verify IDs, take at least some level of
care that they aren't mentally incapacitated, and know the local age
of being able to sign such agreements.

I think we need to take a step back and consider the threat model
here. What is the threat we need to protect against? Is collecting
DOB an effective but least-intrusive way of mitigating that threat?

--
Rich