> -----Original Message-----
> From: Clark Boylan [mailto:cboy...@sapwetik.org]
> Sent: Tuesday, February 17, 2015 6:06 PM
> To: openstack-dev@lists.openstack.org
> Subject: Re: [openstack-dev] The root-cause for IRC private channels (was
> Re: [all][tc] Lets keep our community open, lets fight for it)
> 
> On Tue, Feb 17, 2015, at 09:32 AM, Stefano Maffulli wrote:
> > Changing the subject since Flavio's call for openness was broader than
> > just private IRC channels.
> >
> > On Tue, 2015-02-17 at 10:37 +0000, Daniel P. Berrange wrote:
> > > If cases of bad community behaviour, such as use of passwd protected
> > > IRC channels, are always primarily dealt with via further private
> > > communications, then we are denying the voters the information they
> > > need to hold people to account. I can understand the desire to avoid
> > > publicly shaming people right away, because the accusations may be
> > > false, or may be arising from a simple misunderstanding, but at
> > > some point genuine issues like this need to be public. Without this
> > > we make it difficult for contributors to make an informed decision
> > > at future elections.
> >
> > You got my intention right: I wanted to understand better what led
> > some people to create a private channel, what were their needs. For
> > that objective, having an accusatory tone won't go anywhere and
> > instead I needed to provide them a safe place to discuss and then I
> > would report back in the open.
> >
> > So far, I've received comments in private from only one person,
> > concerned about public logging of channels without notification. I
> > wished the people hanging out on at least one of such private channels
> > would provide more insights on their choice but so far they have not.
> >
> > Regarding the "why" at least one person told me they prefer not to use
> > official openstack IRC channels because there is no notification if a
> > channel is being publicly logged. Together with freenode not
> > obfuscating host names, and eavesdrop logs available to any spammer,
> > one person at least is concerned that private information may leak.
> > There may also be legal implications in Europe, under the Data
> > Protection Directive, since IP addresses and hostnames can be
> > considered sensitive data. Not to mention the casual dropping of
> > emails or phone numbers in public+logged channels.
> >
> > I think these points are worth discussing. One easy fix this person
> > suggests is to make it default that all channels are logged and write
> > a warning on wiki/IRC page. Another is to make the channel bot
> > announce whether the channel is logged. Cleaning up the hostname
> > details on join/parts from eavesdrop and put the logs behind a login
> > (to hide them from spam harvesters).
> >
> > Thoughts?
> >
> It is worth noting that just about everything else is logged too. Git repos
> track changes individuals have made, this mailing list post will be publicly
> available, and so on. At the very least I think the assumption should be that
> any openstack IRC channel is logged and since assumptions are bad we should be
> explicit about this. I don't think this means we require all channels actually
> be logged, just advertise that many are and any can be (because really any
> individual with freenode access can set up public logging).
> 
> I don't think we should need to explicitly cleanup our logs. Mostly because
> any individual can set up public logs that are not sanitized.
> Instead IRC users should use tools like cloaks or Tor to get the level of
> obfuscation and security that they desire. Freenode has docs for both, see
> https://freenode.net/faq.shtml#cloaks and
> https://freenode.net/irc_servers.shtml#tor
> 
> Hope this helps,
> Clark

Hi Clark,

Sorry to say, but the above is totally irrelevant regarding the current
legislation. The legal system does not care about individual assumptions like
"everybody should know we are breaking the law here". As for individuals setting
up such services, the responsibility for those records is on that individual,
and that individual could potentially get off the hook quite easily by claiming
not to know. As for the OpenStack Foundation doing such activity, one could
argue how far that "but we did not know" attitude carries in court.

[1] The Directive is based on the 1980 OECD "Recommendations of the Council 
Concerning guidelines Governing the Protection of Privacy and Trans-Border 
Flows of Personal Data."

These recommendations are founded on seven principles, since enshrined in EU 
Directive 94/46/EC:

    Notice: subjects whose data is being collected should be given notice of such collection.
    Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
    Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
    Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
    Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
    Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
    Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

Currently the only principle we are fulfilling is "Access", and even that is
breaking the principles "Security" and "Disclosure".

[2][Page 14] "Under EU law, data protection has been acknowledged as a 
fundamental right."

This does not contain any expectation of one taking active measures to achieve
such protection.

The [2]Handbook is a good read for those interested in the data protection
legislation in the EU.

And before anyone takes a grasp of the EU part of this:
[3] The data protection rules are applicable not only when the controller is 
established within the EU, but whenever the controller uses equipment situated 
within the EU in order to process data. (art. 4) Controllers from outside the 
EU, processing data in the EU, will have to follow data protection regulation. 
In principle, any online business trading with EU citizens would process some 
personal data and would be using equipment in the EU to process the data (i.e. 
the customer's computer). As a consequence, the website operator would have to 
comply with the European data protection rules. The directive was written 
before the breakthrough of the Internet, and to date there is little 
jurisprudence on this subject.

[1] 
http://searchsecurity.techtarget.co.uk/definition/EU-Data-Protection-Directive
[2] http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf
[3] http://en.wikipedia.org/wiki/Data_Protection_Directive

Hopefully this insight helps you understand the responsibility involved in
keeping the current unanonymized log sets.

Best,
Erno
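One concrete form of the mitigation Stefano's quoted message floats (stripping the ident@host details from join/part lines before logs are published, and catching the emails and addresses people casually drop in channel) is a sanitizer run over the log text before it is made public. The code below is an added example written for this page; it is not code from the thread, from OpenStack infra, or from the eavesdrop bot. The log line shape ("timestamp  *** nick (ident@host) has joined #chan", "<nick> message") and the sample lines are constructed for the example and are an assumption, not eavesdrop's real format; it redacts only patterns it can recognise, so it lowers exposure rather than guaranteeing anonymity.

```python
import re
from dataclasses import dataclass

# Constructed sample log in an assumed, generic IRC-log shape (not copied from
# any real eavesdrop log). Addresses are documentation ranges.
SAMPLE_LOG = """\
2015-02-17T18:06:01  *** alice (~alice@203.0.113.7) has joined #example
2015-02-17T18:07:15  *** bob (bob@host-42.example.net) has quit (Quit: bye)
2015-02-17T18:08:00  <alice> mail me at alice@example.org if the patch breaks
2015-02-17T18:09:30  <bob> my test vm is at 198.51.100.23, ssh works
2015-02-17T18:10:02  <bob> the gate is green again
"""

# "*** nick (ident@host) has joined/left/quit ..." -> keep nick and event,
# drop the parenthesised hostmask entirely.
HOSTMASK_RE = re.compile(
    r"^(?P<prefix>\S+\s+\*\*\*\s+\S+)\s+\([^)]*@[^)]*\)"
    r"(?P<rest>\s+has\s+(?:joined|left|quit|parted).*)$"
)
# Email-like tokens and dotted IPv4 literals anywhere in the line (including
# chat text, where people paste them by accident).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Redactions:
    """Counts of what was removed, so an operator can audit the pass."""
    hostmasks: int = 0
    emails: int = 0
    ips: int = 0


def sanitize_line(line: str, stats: Redactions) -> str:
    # Hostmasks first: once the "(ident@host)" part is gone, the email and
    # IP passes only see what was typed into the channel itself.
    m = HOSTMASK_RE.match(line)
    if m:
        stats.hostmasks += 1
        line = m.group("prefix") + m.group("rest")
    line, n = EMAIL_RE.subn("[email redacted]", line)
    stats.emails += n
    line, n = IPV4_RE.subn("[ip redacted]", line)
    stats.ips += n
    return line


def sanitize_log(text: str) -> tuple[str, Redactions]:
    """Sanitize a whole log; returns the cleaned text and redaction counts."""
    stats = Redactions()
    cleaned = [sanitize_line(l, stats) for l in text.splitlines()]
    return "\n".join(cleaned) + "\n", stats


if __name__ == "__main__":
    cleaned, stats = sanitize_log(SAMPLE_LOG)
    print(cleaned, end="")
    print(f"redacted: {stats}")
```

Run as a filter in the publishing step (before logs reach a web root or any index a harvester can crawl), and keep the counts: a sudden rise in email or IP redactions on a channel is itself a signal that something sensitive is being pasted there. Note that the ordering matters; if the hostmask pass ran last, the email regex would have half-redacted "~alice@203.0.113.7" and left a misleading "[email redacted]" token in a join line.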

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
