1 |
On 07/01/19 07:59, Rich Freeman wrote: |
2 |
> On Mon, Jul 1, 2019 at 1:02 AM desultory <desultory@g.o> wrote: |
3 |
>> |
4 |
>> publishing PII purely on the basis of disciplinary |
5 |
>> considerations could be quite reasonably considered to be an outrageous |
6 |
>> overreach. There are reasons that "doxing" is generally considered to be |
7 |
>> rather reprehensible. |
8 |
> |
9 |
> It obviously is reprehensible. However, nobody is suggesting |
10 |
> publishing PII for any reason, and I have no idea where this idea even |
11 |
> came from. |
12 |
> |
13 |
How, exactly, is a requirement to provide and publish "legal name as a |
14 |
natural person, i.e., the name that would appear in a government issued |
15 |
document" [GLEP76] not a requirement to publish persona data [PII]? |
16 |
Though, I suppose GLEP 76 is not "suggesting" anything. |
17 |
|
18 |
> For the sake of clarity, I do not believe that Gentoo should publish |
19 |
> PII collected confidentially for any reason. |
20 |
> |
21 |
On that much, we agree. Well, modulo when it is actually legally required. |
22 |
|
23 |
> Furthermore, I do not think that Gentoo should be collecting PII under |
24 |
> conditions of confidentiality for any reason in the first place. Nor |
25 |
> should we be doing any activities that require us to do so, such as |
26 |
> accepting money from people, or paying people. IMO we do not have the |
27 |
> demonstrated ability to do this in a safe and compliant manner, and we |
28 |
> have a history of not performing legally-required activities in a |
29 |
> compliant manner. |
30 |
> |
31 |
Too late, Gentoo has multiple services which collect some form of PII |
32 |
(e.g. the EU considers an IP address to be, at least potentially, PII), |
33 |
and retain at least some of that data without publishing it. |
34 |
|
35 |
> For this reason, I think it would be a big mistake to allow people to |
36 |
> contribute under pseudonyms under the condition that they reveal their |
37 |
> real identities to some Gentoo body that would retain this information |
38 |
> in confidentiality. That would expose Gentoo to a rather large number |
39 |
> of privacy laws in a large number of places, for IMO little gain. |
40 |
> |
41 |
So, under the mistaken premise that Gentoo does not collect or retain |
42 |
any form of PII you believe that Gentoo should not collect or retain any |
43 |
PII, correct? |
44 |
|
45 |
Knowing that Gentoo does indeed collect and retain some PII, does your |
46 |
opinion change? And no, not collecting any PII, at all, ever is not a |
47 |
practical solution to "replace" the cases where it is presently |
48 |
collected and retained. |
49 |
|
50 |
> None of this is a risk with GLEP 76 as it currently stands. People |
51 |
> who wish to contribute code to Gentoo must divulge their names. They |
52 |
> can choose to do this, or not, and if they choose not to, then their |
53 |
> contributions will not be accepted. If they do, then Gentoo doesn't |
54 |
> have any private information they have to safeguard, because it has |
55 |
> been made public by the person it pertains to. There is no database |
56 |
> of PII that we have to make accessible to people we already barely |
57 |
> know scattered around the world, but protect from exposure via hacking |
58 |
> attacks/etc. |
59 |
> |
60 |
LDAP, though most of that data is now published in some form it is still |
61 |
by and large a collection of PII. |
62 |
|
63 |
> None of this is intended as some kind of attack on Trustees/Infra/etc. |
64 |
> They're volunteers doing the best they can do without pay, and |
65 |
> generally trying to clean up after a long period of neglect. It is |
66 |
> simply a fact that if you have nothing to steal, then it is impossible |
67 |
> to steal it, and no effort is required to protect it. |
68 |
> |
69 |
Believing that you have nothing worth stealing is no defense against |
70 |
those who believe that you do and intend to take it. |
71 |
|
72 |
Note that in this message I am addressing only the the points you raised |
73 |
in regard to the comments which you quoted out of context. And, |
74 |
diverting as it may be to have your attention so squarely focused on |
75 |
part of one point, I would very much appreciate it if you would address |
76 |
the other concerns I mentioned in that e-mail. Most especially I would |
77 |
appreciate clarification on why your arguments appear to completely |
78 |
discount introverted individuals, is it a disbelief in their existence, |
79 |
in the value of their work, or mere oversight? Also, would you be so |
80 |
kind as to either respond to the whole of the comment you took out of |
81 |
context or, better still, the entire message? |
82 |
|
83 |
[GLEP76] https://www.gentoo.org/glep/glep-0076.html |
84 |
[PII] https://en.wikipedia.org/wiki/Personal_data |