Hi,

On Mon, Aug 21, 2023 at 09:48:26AM -0700, Russ Allbery wrote:
> Dominik George <naturesha...@debian.org> writes:
>
> > For the GitHub case, the problematic terms would be that in order to
> > register for a GitHub account, users must be at least 13 or 16 years old
> > (depending on the jurisdiction) and must not live in a country under US
> > embargoes.
>
> This implies that Salsa is happy to create accounts for people under the
> age of 13, since the implicit statement here is that Debian's own Git
> hosting infrastructure is less excluding than GitHub.
>
> That's a somewhat surprising statement to me, given the complicated legal
> issues involved in taking personal data from someone that young, so I want
> to double-check: is that in fact the case?

That is, in fact, the case.

And no, it's not legally complicated to collect personal data from
children. If we, for now, only look at COPPA and GDPR, the laws relevant
for the US and EU, respectively, the situation is:

 * You can accept consent from children, if:
   * it can be, objectively, assumed that they can overlook the
     consequences of the data collection
     → we can assume that, if someone successfully contributes to a
       Debian package, they are knowledgeable enough, given that Salsa
       only collects a pseudonym and an e-mail address
   * you don't use the data for marketing or profiling purposes
     → we don't do that
   * you don't direct commercial advertisements at children
     → we don't do that
   * you don't explicitly advertise your service to children
     (as in, promising them a benefit exceptionally attractive for
     children)
     → we don't do that

Even if we did one of the above things, we'd still be able to accept
children if they have parental consent, which is a bit tricky (but,
should we get to this at some point, be outsourced to a trusted partner,
like Teckids, who has expertise in that field). If we get to this point,
I will certainly fight to accept children with parental consent, even if
it implies some work.

GitHub and a lot of other services, however, in addition to not being
able to allow children without parental consent, also don't accept them
*with* parental consent.

As it stands, Salsa (and a lot of other Debian services) are not
GDPR-compliant because they do not have a privacy statement making the
above clear, but while related, let's not mix that into this thread.

Cheers,
Nik