| 1 |
On 07/01/19 07:59, Rich Freeman wrote: |
| 2 |
> On Mon, Jul 1, 2019 at 1:02 AM desultory <desultory@g.o> wrote: |
| 3 |
>> |
| 4 |
>> publishing PII purely on the basis of disciplinary |
| 5 |
>> considerations could be quite reasonably considered to be an outrageous |
| 6 |
>> overreach. There are reasons that "doxing" is generally considered to be |
| 7 |
>> rather reprehensible. |
| 8 |
> |
| 9 |
> It obviously is reprehensible. However, nobody is suggesting |
| 10 |
> publishing PII for any reason, and I have no idea where this idea even |
| 11 |
> came from. |
| 12 |
> |
| 13 |
How, exactly, is a requirement to provide and publish "legal name as a |
| 14 |
natural person, i.e., the name that would appear in a government issued |
| 15 |
document" [GLEP76] not a requirement to publish persona data [PII]? |
| 16 |
Though, I suppose GLEP 76 is not "suggesting" anything. |
| 17 |
|
| 18 |
> For the sake of clarity, I do not believe that Gentoo should publish |
| 19 |
> PII collected confidentially for any reason. |
| 20 |
> |
| 21 |
On that much, we agree. Well, modulo when it is actually legally required. |
| 22 |
|
| 23 |
> Furthermore, I do not think that Gentoo should be collecting PII under |
| 24 |
> conditions of confidentiality for any reason in the first place. Nor |
| 25 |
> should we be doing any activities that require us to do so, such as |
| 26 |
> accepting money from people, or paying people. IMO we do not have the |
| 27 |
> demonstrated ability to do this in a safe and compliant manner, and we |
| 28 |
> have a history of not performing legally-required activities in a |
| 29 |
> compliant manner. |
| 30 |
> |
| 31 |
Too late, Gentoo has multiple services which collect some form of PII |
| 32 |
(e.g. the EU considers an IP address to be, at least potentially, PII), |
| 33 |
and retain at least some of that data without publishing it. |
| 34 |
|
| 35 |
> For this reason, I think it would be a big mistake to allow people to |
| 36 |
> contribute under pseudonyms under the condition that they reveal their |
| 37 |
> real identities to some Gentoo body that would retain this information |
| 38 |
> in confidentiality. That would expose Gentoo to a rather large number |
| 39 |
> of privacy laws in a large number of places, for IMO little gain. |
| 40 |
> |
| 41 |
So, under the mistaken premise that Gentoo does not collect or retain |
| 42 |
any form of PII you believe that Gentoo should not collect or retain any |
| 43 |
PII, correct? |
| 44 |
|
| 45 |
Knowing that Gentoo does indeed collect and retain some PII, does your |
| 46 |
opinion change? And no, not collecting any PII, at all, ever is not a |
| 47 |
practical solution to "replace" the cases where it is presently |
| 48 |
collected and retained. |
| 49 |
|
| 50 |
> None of this is a risk with GLEP 76 as it currently stands. People |
| 51 |
> who wish to contribute code to Gentoo must divulge their names. They |
| 52 |
> can choose to do this, or not, and if they choose not to, then their |
| 53 |
> contributions will not be accepted. If they do, then Gentoo doesn't |
| 54 |
> have any private information they have to safeguard, because it has |
| 55 |
> been made public by the person it pertains to. There is no database |
| 56 |
> of PII that we have to make accessible to people we already barely |
| 57 |
> know scattered around the world, but protect from exposure via hacking |
| 58 |
> attacks/etc. |
| 59 |
> |
| 60 |
LDAP, though most of that data is now published in some form it is still |
| 61 |
by and large a collection of PII. |
| 62 |
|
| 63 |
> None of this is intended as some kind of attack on Trustees/Infra/etc. |
| 64 |
> They're volunteers doing the best they can do without pay, and |
| 65 |
> generally trying to clean up after a long period of neglect. It is |
| 66 |
> simply a fact that if you have nothing to steal, then it is impossible |
| 67 |
> to steal it, and no effort is required to protect it. |
| 68 |
> |
| 69 |
Believing that you have nothing worth stealing is no defense against |
| 70 |
those who believe that you do and intend to take it. |
| 71 |
|
| 72 |
Note that in this message I am addressing only the the points you raised |
| 73 |
in regard to the comments which you quoted out of context. And, |
| 74 |
diverting as it may be to have your attention so squarely focused on |
| 75 |
part of one point, I would very much appreciate it if you would address |
| 76 |
the other concerns I mentioned in that e-mail. Most especially I would |
| 77 |
appreciate clarification on why your arguments appear to completely |
| 78 |
discount introverted individuals, is it a disbelief in their existence, |
| 79 |
in the value of their work, or mere oversight? Also, would you be so |
| 80 |
kind as to either respond to the whole of the comment you took out of |
| 81 |
context or, better still, the entire message? |
| 82 |
|
| 83 |
[GLEP76] https://www.gentoo.org/glep/glep-0076.html |
| 84 |
[PII] https://en.wikipedia.org/wiki/Personal_data |
Archives