Re: [DebConf18] Privacy and govermental funds

2018-05-13 Thread 陳昌倬
On Sun, May 13, 2018 at 12:11:52PM +0530, shirish शिरीष wrote:
> at bottom :-
> 
> On 12/05/2018, ChangZhuo Chen (陳昌倬)  wrote:
> I would suggest having an example web-page somewhere as and when possible
> before the official reconfirmation message goes out (whenever that happens) so
> we know how much information would be leaked.

Good idea.

> As far as e-mail address and mobile number masking is concerned, just the first
> four numbers themselves give a lot of info.
> 
> For instance see India's mobile telephone numbering system.
> 
> https://en.wikipedia.org/wiki/Mobile_telephone_numbering_in_India
> 
> Just the first four numbers themselves tell anybody both my operator and the
> region from where I belong. I dunno about other countries but probably each may
> have a different numbering system, how do we ensure that people who might be ok
> with partially masked numbers do not give more than intended?
>
> For email addresses, the same thing: how would those be partially masked?

I think in this case, we can just let the user mask this information.
For example, I can provide the following information to DebConf for
funding:

* phone: +88690016
* email: c***e...@debian.org

In this case, I can ensure the information I gave does not breach
privacy.


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B




Re: [DebConf18] Privacy and govermental funds

2018-05-13 Thread shirish शिरीष
at bottom :-

On 12/05/2018, ChangZhuo Chen (陳昌倬)  wrote:
> On Fri, May 11, 2018 at 12:30:39AM +0800, Yao Wei wrote:
>> However, we do care about the privacy of attendees, and would like to
>> take opt-in approach.  During the global team meeting this week we
>> discussed to ask attendees on the website if they are willing to give
>> such information to the government and the university for us to gather
>> more funds to cover the expense.
>
>
> The insurance for day trip [insurance] also requires the following
> private information:
>
> * Taiwanese: name, personal id, date of birth
> * Foreigner: passport name, passport number, date of birth.
>
> But this one is easy, we can just write a statement about insurance and
> people can opt-in to provide this information for day trip insurance.
>
>
> [insurance]
> https://salsa.debian.org/debconf-team/public/data/dc18/blob/master/insurance/insurance.md
>
>

I would suggest having an example web-page somewhere as and when possible
before the official reconfirmation message goes out (whenever that happens) so
we know how much information would be leaked.

As far as e-mail address and mobile number masking is concerned, just the first
four numbers themselves give a lot of info.

For instance see India's mobile telephone numbering system.

https://en.wikipedia.org/wiki/Mobile_telephone_numbering_in_India

Just the first four numbers themselves tell anybody both my operator and the
region from where I belong. I dunno about other countries but probably each may
have a different numbering system, how do we ensure that people who might be ok
with partially masked numbers do not give more than intended?

For email addresses, the same thing: how would those be partially masked?

Looking forward to answers.

> --
> ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
> http://czchen.info/
> Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B
>

-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8



Re: [DebConf18] Privacy and govermental funds

2018-05-12 Thread 陳昌倬
On Fri, May 11, 2018 at 12:30:39AM +0800, Yao Wei wrote:
> However, we do care about the privacy of attendees, and would like to
> take opt-in approach.  During the global team meeting this week we
> discussed to ask attendees on the website if they are willing to give
> such information to the government and the university for us to gather
> more funds to cover the expense.


The insurance for day trip [insurance] also requires the following
private information:

* Taiwanese: name, personal id, date of birth
* Foreigner: passport name, passport number, date of birth.

But this one is easy, we can just write a statement about insurance and
people can opt-in to provide this information for day trip insurance.


[insurance] 
https://salsa.debian.org/debconf-team/public/data/dc18/blob/master/insurance/insurance.md


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B




Re: [DebConf18] Privacy and govermental funds

2018-05-10 Thread Yao Wei
We aren't asking for their passport number. Also, email and phone number can be
masked partially.

Yao Wei
On Fri, May 11, 2018 at 07:11 shirish शिरीष  wrote:

> On 11/05/2018, shirish शिरीष  wrote:
> > Reply in-line :-
> >
> > On 10/05/2018, Yao Wei  wrote:
> >> Hi,
> >>
> >
> > Hi,
> >
> >> (I would like to give a recap of previous email, since that information
> >> is not complete.)
> >>
> > >> Some of our funds (MEET TAIWAN, NCTU and probably NCHC) require us to
> > >> give them a list of attendees.
> >>
> >> According to the information from MEET TAIWAN, this includes their
> >> nationality, phone number, email address, company and occupations to
> >> give them the proof that our conference meets their funding requirements
> >> (at least 30 foreign people in a conference) and is close to the number
> >> of expected attendees during application.
> >>
> >> NCTU also needs that list to apply funds to cover their own venue cost.
> >>
> >> However, we do care about the privacy of attendees, and would like to
> >> take opt-in approach.  During the global team meeting this week we
> >> discussed to ask attendees on the website if they are willing to give
> >> such information to the government and the university for us to gather
> >> more funds to cover the expense.
> >>
> > >> If we agree on this, we have to implement this opt-in page in our
> > >> registration system (or confirmation page), and also tell attendees what
> > >> data we are gathering, and to whom we are giving it.
> >>
> >
> > As a potential attendee, I do see minefields here as there isn't
> > clarity on few topics -
> >
> > a. How are attendees to know if the data shared would be limited to -
> >
> > 1. One government organization - in this case meet taiwan
> > 2. The University - in this case NCTU
> >
> > and is/would be there any privacy agreements between these parties and
> > debconf  to make sure that the information shared isn't spread (at the very
> > least). This would make at least some of the attendees sleep better at night
> > if they need/want to share the info.
> >
> > b. Some of the information asked is and would be pretty invasive for
> > e.g. asking people's mobile numbers, passport number, e-mail address etc.
> > till we don't have any clear idea many people would be hesitant as this data
> > could be easily put to nefarious uses e.g. 'identity theft' .
> >
>
> See my question asked on a similar topic at
>
> https://travel.stackexchange.com/questions/69473/what-damage-can-person-s-do-if-they-have-your-passport-number-and-visa-control-n
>
> > c. There is also no clarity about how much funds can be expected per person
> > from 'Meet Taiwan' in exchange of this info. and how that works with
> > the budget.
> >
> > d. On the University side, I can understand at least the part of the
> > name and the passport number as I would have to part with that info. if I were
> > staying either at a hotel/hostel or even a guest house for that matter but
> > that's my opinion.
> >
> > e. There were some other governmental organizations which are/were also
> > interested to share some of our expenses, do they have similar requirements?
> >
> >> This is partially influenced by GDPR requirements because we have many
> >> people coming from EU and Taiwan is not protected by the privacy shield.
> >>
> >> Best regards,
> >> Yao Wei
> >>
> >
> > Looking forward for some clarity.
> >
>
> --
>   Regards,
>   Shirish Agarwal  शिरीष अग्रवाल
>   My quotes in this email licensed under CC 3.0
> http://creativecommons.org/licenses/by-nc/3.0/
> http://flossexperiences.wordpress.com
> EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8
>
>


Re: [DebConf18] Privacy and govermental funds

2018-05-10 Thread shirish शिरीष
On 11/05/2018, shirish शिरीष  wrote:
> Reply in-line :-
>
> On 10/05/2018, Yao Wei  wrote:
>> Hi,
>>
>
> Hi,
>
>> (I would like to give a recap of previous email, since that information
>> is not complete.)
>>
>> Some of our funds (MEET TAIWAN, NCTU and probably NCHC) require us to
>> give them a list of attendees.
>>
>> According to the information from MEET TAIWAN, this includes their
>> nationality, phone number, email address, company and occupations to
>> give them the proof that our conference meets their funding requirements
>> (at least 30 foreign people in a conference) and is close to the number
>> of expected attendees during application.
>>
>> NCTU also needs that list to apply funds to cover their own venue cost.
>>
>> However, we do care about the privacy of attendees, and would like to
>> take opt-in approach.  During the global team meeting this week we
>> discussed to ask attendees on the website if they are willing to give
>> such information to the government and the university for us to gather
>> more funds to cover the expense.
>>
>> If we agree on this, we have to implement this opt-in page in our
>> registration system (or confirmation page), and also tell attendees what
>> data we are gathering, and to whom we are giving it.
>>
>
> As a potential attendee, I do see minefields here as there isn't
> clarity on few topics -
>
> a. How are attendees to know if the data shared would be limited to -
>
> 1. One government organization - in this case meet taiwan
> 2. The University - in this case NCTU
>
> and is/would be there any privacy agreements between these parties and
> debconf  to make sure that the information shared isn't spread (at the very
> least). This would make at least some of the attendees sleep better at night
> if they need/want to share the info.
>
> b. Some of the information asked is and would be pretty invasive for
> e.g. asking people's mobile numbers, passport number, e-mail address etc.
> till we don't have any clear idea many people would be hesitant as this data
> could be easily put to nefarious uses e.g. 'identity theft' .
>

See my question asked on a similar topic at
https://travel.stackexchange.com/questions/69473/what-damage-can-person-s-do-if-they-have-your-passport-number-and-visa-control-n

> c. There is also no clarity about how much funds can be expected per person
> from 'Meet Taiwan' in exchange of this info. and how that works with
> the budget.
>
> d. On the University side, I can understand at least the part of the
> name and the passport number as I would have to part with that info. if I were
> staying either at a hotel/hostel or even a guest house for that matter but
> that's my opinion.
>
> e. There were some other governmental organizations which are/were also
> interested to share some of our expenses, do they have similar requirements?
>
>> This is partially influenced by GDPR requirements because we have many
>> people coming from EU and Taiwan is not protected by the privacy shield.
>>
>> Best regards,
>> Yao Wei
>>
>
> Looking forward for some clarity.
>

-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8