Send IAEP mailing list submissions to
iaep@lists.sugarlabs.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.sugarlabs.org/listinfo/iaep
or, via email, send a message with subject or body 'help' to
iaep-requ...@lists.sugarlabs.org
You can reach the person managing the list at
iaep-ow...@lists.sugarlabs.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of IAEP digest..."
Today's Topics:
1. Re: Sugar network / School Network (Chris Leonard)
2. Re: Sugar network / School Network (Dave Crossland)
3. Fwd: Sugar network / School Network (Sean DALY)
4. Re: Sugar network / School Network (Dave Crossland)
----------------------------------------------------------------------
Message: 1
Date: Tue, 17 May 2016 14:10:10 -0400
From: Chris Leonard <cjlhomeaddr...@gmail.com>
To: Dave Crossland <d...@lab6.com>
Cc: "sugar-...@lists.sugarlabs.org" <sugar-...@lists.sugarlabs.org>,
"iaep@lists.sugarlabs.org" <iaep@lists.sugarlabs.org>, Samuel
Greenfeld <sam...@greenfeld.org>, Laura Vargas <la...@somosazucar.org>
Subject: Re: [IAEP] Sugar network / School Network
Message-ID:
<cahdaatbgho3jj_5xb5xkfoxujqfaeb-qr2iypfxjirhlzz+...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Tue, May 17, 2016 at 12:52 PM, Dave Crossland <d...@lab6.com> wrote:
Hi
Thanks for the lengthy explanation :) I think I understand your position
better now :)
On 17 May 2016 at 12:14, Chris Leonard <cjlhomeaddr...@gmail.com> wrote:
any form of human subjects research
Is https://activities.sugarlabs.org/en-US/statistics/ "human subjects
research"?
In the legal sense, it is whatever a court of competent jurisdiction
determines it to be. In general, our basic web-stats do not appear to
have the characteristics one typically associates with human subjects
research, some characteristics, like aggregation, anonymization, etc.
are in fact steps taken to deliberately place certain research
activities outside of the scope of human subjects protections (like
requirements for institutional review board approval, etc.).
If you start drilling down to collecting IP numbers (say for
geo-location) and other bits of data that *might* be mapped (alone or
in combination with any other information sitting around) to the
identifiable user level, you are getting into much deeper water.
Even if you can figure out a way to accomplish your goals in
compliance with the law, you should also ask yourself 'How would this
look from the point of view of the fairly stringent privacy
expectations held by the people that Sugar Labs aligns itself in the
world of FOSS". While generally not a matter of legal consequence, we
do operate in an ecosystem where we are very dependent of people and
organizations who take a dim view of anything that could be construed
as "snooping", and that should probably be taken into account.
One should never read the CFR and
make a determination that it "does not apply to me" without consulting
with a lawyer. That way lies madness as well as potential fines and
imprisonment.
Has anyone involved with Sugar Labs consulted with any lawyers on any legal
topics?
As a Sugar Labs Member, how do I consult with a lawyer?
In general, the same way any one else would, a) get the yellow pages
b) turn to the "L" section, then back to the "A" section because
lawyers are listed as attorneys. . . etc., etc. You seem to be
proposing a personal activity, not one undertaken collectively by the
corporate Sugar Labs entity, so knock yourself out and be careful,
lawyers are expensive, but in some cases not as expensive as not
having one.
Our fiscal sponsorship agreement with the SFC provides for some
specific cases where the SFC might provide legal assistance, but I'm
not really sure if this is one of them. You could ask the SLOB to
communicate on your behalf with the SFC to see if this is an area
where they can provide any advice.
cjl
------------------------------
Message: 2
Date: Tue, 17 May 2016 14:21:12 -0400
From: Dave Crossland <d...@lab6.com>
To: Samuel Greenfeld <sam...@greenfeld.org>
Cc: sugar-...@lists.sugarlabs.org, iaep <iaep@lists.sugarlabs.org>
Subject: Re: [IAEP] Sugar network / School Network
Message-ID:
<CAEozd0zXpGfO0VWo+pcy9fKf0LL=5f2pwmkkuym7+cogjp-...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi Sam
On 17 May 2016 at 13:55, Samuel Greenfeld <sam...@greenfeld.org> wrote:
I think there may be a difference between research studies and privacy law
related to collecting general user statistics.
I assert there is :)
This might be untested though, and for Sugar, both studies on how children
use it as well generic statistics straight from the application(s) may be
useful.
I'm sure they are.
I'm not interested in age/grade, or their specific IP addresses :)
What information do you think is safe to collect?
At this point in time, I'm not going to speculate. It's too easy to take
multiple identifiers (such as Name and Zip/Postal Code) and uniquely
identify someone the vast majority of the time.
Sure, I wouldn't want to collect either of those.
IP Addresses, Serial numbers, GUIDS/UUIDs, etc. all could be considered
uniquely or near-uniquely identifying of a person depending on the country.
Yep, if those can not be avoided in transmission (eg IPs) then they should
not be retained.
Leah at OLPC might be able to tell you some things. But at the same time
she likely would have to point out she isn't your lawyer and cannot provide
you or Sugar Labs legal advice.
I couldn't find her contact details from a quick search; please ping me how
can I contact her offline :)
If you want to know the gritty details of how this all works, you really
need to speak to a compliance specialist (which the Conservancy might be
able to point Sugar Labs to), and not ask for legal advice in a public
forum :)
I am not worried nor very interested in the details; since so many of you
appear to be worried, I think it is worth following your advice to speak
with a lawyer.
I want to understand which activities are used, in which languages, and in
which countries. None of the above is needed for that.
As long as you don't care about which machine(s) calls in how often and
carefully toss away (& don't log) anything which could identify a user, I
believe this is feasible.
Great!
What the criteria would be in order to get an application that calls home
in various distros would gave to be determined, although many distros have
things like Firefox which do this already.
Exactly :)
There would be some bias the results based on how well any particular
user/country has Internet access.
I think that's easy to design around: the usage data can be logged locally
and then exported from an XO in an offline deployment to a USB drive/SD
card and make its way over the sneakernet to Sugar Labs.
How this gets disclosed to users would have to be determined.
Since you have a clear idea about this, please draft something :)
Sugar already asks for user's grade and gender on first boot even if no
statistics engine is in place, so there may have to be some sort of privacy
policy or other explanation of what's going on
Where can I read more about that from the time it was introduced?
