Hello, the following email is from the former Arch developer Phil Thiselton. He can no longer post to arch-dev-public, so I am forwarding this on his behalf. He revisits the arguments from my original email on why I think that user names cannot be called "private data".
Forwarded message from Phil Thiselton (2017-03-06 12:06:22): > Hi Lukas > > You don't know me but I used be an Arch Linux dev. I read you email to the > arch-dev-public mailing list with real interest and just wanted to add some > commentary. I, obviously, can't reply to the list. > > IANAL but I do have a lot of data protection and information governance > experience. > > Firstly, in the UK, your username for a service is not protected by any > laws. It's not considered to be personal information. I seriously doubt any > country considers it to be. > > Secondly, I don't think there is any reason not to disclose information > that is already publicly available. You could advise AUR users that "you" > intend to share this information. Users cannot effectively opt out of this > because their username is already public. A realistic opt-out would be to > delete their account. You can offer them that option. > > Thirdly, a lack of a ToS or EULA, in this case, is pretty remiss. A ToS or > EULA should definitely be implemented. I would build this into the > backend, so agreement to the ToS is stored in the dbase. This way you can > ask existing users to log into the account and accept the new terms. You > can say that acceptance is a requirement of continued use. Set a deadline > and delete the accounts that don't accept. > > I strongly suspect "you" are storing out dated information for many users > in the AUR and many of these should be deleted anyway. > > Finally, I would start with a ToS/EULA simply as a statement of what > signing up CURRENTLY means. Completely avoid extending the scope of ToS > beyond what should be obvious to current users. > > Do not seek permission to share information with 3rd parties but do make it > clear that limited information is already accessible to third parties. > > Once this is established you can then make later amendments. For example, > that you will provide publicly available data on request. > > Personally, if anyone even talks about "privacy" with regard to their > username, I would laugh. They should have no expectation that their > username is private. Users number one concern would be about their real > name being linked to their username. I can't see there is a legitimate > service reason for adding your real name to the AUR account details, so I'd > consider deleting that from the interface entirely. I'd consider checking > the dbase to see who has actually completed that field as well. > > I'd have a slight security concern about links between the username and > email address but that's up to the users. > > Hope that helps. > > Best, > > Phil When I asked him whether I should forward the email to the mailing list, I got the following reply with some more details: Forwarded message from Phil Thiselton (2017-03-06 17:01:35): > Hi Lukas > > Happy for you to forward it on but I would like to expand on the privacy of > usernames comment and why the idea is laughable. > > In the AUR, your username is also your display name, as it is for many > other services (Twitter,Github). Usernames are one way in which real names > can be obfuscated i.e they act as pseudonym. Unless the argument is one of > security (username is part of authentication) the idea that your username > should be private would require a further abstraction of "identity", which, > at some point, becomes absurd. > > The security argument is weak too - I assume the AUR protects password > brute forcing? > > The real solution, if someone were concerned about "privacy", would be > never to reuse the same username for more than one service. Again, that's > in user hands. > > Best, > > Phil Best regards, Lukas
