I was publishing the announcement too haste. Should we do one of the

* not sending any personal data to the list
* have an opt-in list instead of opt-out

The difficulty I mentioned is to reach the minimum we need to report.

Also the data we are providing only has the initials of the name plus the
country.  But combining the list of Debian developers and other facts
that's already on the Internet it can still be used to identify an entity.

If they can accept only the aggregated data of nationality I would be happy
to provide that instead.

Yao Wei

On Sun, Aug 12, 2018 at 07:26 Philip Hands <p...@hands.com> wrote:

> Yao Wei <m...@debconf.org> writes:
> > Hi,
> >
> > I am thinking that this should be an opt-in rather than opt-out for
> > GDPR compliance.  However it is difficult to accomplish in my
> > opinion...  So opt-out can be really a compromise here.
> I don't think I've ever come across an opt-out list that didn't contain
> people that (if properly informed) would prefer not to be on that list.
> Is it really a compromise to ignore that fact?
> Personally, now that I'm aware of this, I will opt-out myself and my
> family from an opt-out list, simply because I think opt-out lists are
> fundamentally unethical.
> On the other hand, if I'm given the chance to opt-in, along with a
> full-disclosure description of exactly how opting-in will help DebConf
> fund itself, I will almost certainly opt in (for myself at least).
> If there is some option to fuzz the data a bit, I might[1] be able to
> persuade Gunde (my wife) that all four of us should opt in.
> Even if I don't get upset enough about "Debian" and "opt-in" being in
> the same sentence to blog about it, I'm pretty sure others will, and the
> resulting news reports will not be good for Debian's reputation.
> Is that aspect of our reputation worth more than 70k EUR?  If so, we
> should definitely prefer telling them "No!", and paying the money out of
> Debian funds.
> However I suspect that there is a way of proving that the attendees were
> sufficiently international without handing over an improperly authorised
> list.  I'd suggest that we should find out how that might be achieved.
> Cheers, Phil.
> [1] No guarantees about persuading Gunde though:
>     She has initiated legal action in the past when someone used her
>     data without proper permission.
>     The saga of how/if one could discover if the UK's NHS had uploaded
>     our kids data to "The Spine" is quite a long story -- Gunde tends
>     not to give up on these things.
>     I doubt she's unique among our attendees in this attitude.
> --
> |)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
> |-|  http://www.hands.com/    http://ftp.uk.debian.org/
> |(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Reply via email to