Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-12 Thread Philip Hands
Yao Wei  writes:

> Hi,
>
> I published the announcement too hastily. Should we do one of the
> following:
>
> * not sending any personal data to the list
> * have an opt-in list instead of opt-out

I'd have thought that most of the people that are OK with the data being
handed over will also actually respond to say so (but maybe I'm over
optimistic).

To make sure that really happens, I'd have thought that one just needs
to explain that each "Yes" you get is likely to be worth however many
tens of thousands of TWD to Debconf, so people should not say "No"
simply out of habit.  Making it clear that it's only initials, or
whatever, also seems likely to help.

Obviously this change of strategy would need to be announced before the
previously mentioned deadline expires.

One could perhaps do neither opt-in nor opt-out, but instead say that
you actually want an answer one way or the other ... and will try asking
again, possibly via other channels, in order to get that answer simply
because getting the answer to that question is quite important to Debconf
finances.

BTW I'm happy to help chasing people on that if it helps, although I'll
be flying home to Germany on the 15th so it might be that my
availability is not great at the time that you need the most effort.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY




Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-11 Thread Paulo Henrique de Lima Santana
Hi,

- Original message -
> From: "Yao Wei" 
> To: "phil" 
> Cc: data-protect...@debian.org, "debconf-team" 
> Sent: Saturday, August 11, 2018 21:32:58
> Subject: Re: [DebConf18] About Personal Data Sent to Government Agencies and 
> University for Funding

> Hi,
> 
> I published the announcement too hastily. Should we do one of the
> following:
> 
> * not sending any personal data to the list
> * have an opt-in list instead of opt-out
> 
> The difficulty I mentioned is to reach the minimum we need to report.
> 
> Also the data we are providing only has the initials of the name plus the
> country.  But combining the list of Debian developers and other facts
> that's already on the Internet it can still be used to identify an entity.
> 
> If they can accept only the aggregated data of nationality I would be happy
> to provide that instead.

I suggest you start doing a list with the speakers, because their names are 
already public.
https://debconf18.debconf.org/talks/

After that, you will know how many names you need.
You can ask people from the global team if they agree to give their names.

Best regards,

-- 
Paulo Henrique de Lima Santana (phls)
Curitiba - Brazil
Member of the Curitiba Livre Community
Site: http://www.phls.com.br
GNU/Linux user: 228719  GPG ID: 0443C450

Support the campaign for gender equality #HeForShe (#ElesPorElas)  
http://www.heforshe.org/pt



Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-11 Thread Yao Wei
Hi,

I published the announcement too hastily. Should we do one of the
following:

* not sending any personal data to the list
* have an opt-in list instead of opt-out

The difficulty I mentioned is to reach the minimum we need to report.

Also the data we are providing only has the initials of the name plus the
country.  But combining the list of Debian developers and other facts
that's already on the Internet it can still be used to identify an entity.

If they can accept only the aggregated data of nationality I would be happy
to provide that instead.

Yao Wei

On Sun, Aug 12, 2018 at 07:26 Philip Hands  wrote:

> Yao Wei  writes:
>
> > Hi,
> >
> > I am thinking that this should be an opt-in rather than opt-out for
> > GDPR compliance.  However it is difficult to accomplish in my
> > opinion...  So opt-out can be really a compromise here.
>
> I don't think I've ever come across an opt-out list that didn't contain
> people that (if properly informed) would prefer not to be on that list.
>
> Is it really a compromise to ignore that fact?
>
> Personally, now that I'm aware of this, I will opt-out myself and my
> family from an opt-out list, simply because I think opt-out lists are
> fundamentally unethical.
>
> On the other hand, if I'm given the chance to opt-in, along with a
> full-disclosure description of exactly how opting-in will help DebConf
> fund itself, I will almost certainly opt in (for myself at least).
>
> If there is some option to fuzz the data a bit, I might[1] be able to
> persuade Gunde (my wife) that all four of us should opt in.
>
> Even if I don't get upset enough about "Debian" and "opt-in" being in
> the same sentence to blog about it, I'm pretty sure others will, and the
> resulting news reports will not be good for Debian's reputation.
>
> Is that aspect of our reputation worth more than 70k EUR?  If so, we
> should definitely prefer telling them "No!", and paying the money out of
> Debian funds.
>
> However I suspect that there is a way of proving that the attendees were
> sufficiently international without handing over an improperly authorised
> list.  I'd suggest that we should find out how that might be achieved.
>
> Cheers, Phil.
>
> [1] No guarantees about persuading Gunde though:
>
> She has initiated legal action in the past when someone used her
> data without proper permission.
>
> The saga of how/if one could discover if the UK's NHS had uploaded
> our kids data to "The Spine" is quite a long story -- Gunde tends
> not to give up on these things.
>
> I doubt she's unique among our attendees in this attitude.
> --
> |)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
> |-|  http://www.hands.com/    http://ftp.uk.debian.org/
> |(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY
>


Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-11 Thread Philip Hands
Yao Wei  writes:

> Hi,
>
> I am thinking that this should be an opt-in rather than opt-out for
> GDPR compliance.  However it is difficult to accomplish in my
> opinion...  So opt-out can be really a compromise here.

I don't think I've ever come across an opt-out list that didn't contain
people that (if properly informed) would prefer not to be on that list.

Is it really a compromise to ignore that fact?

Personally, now that I'm aware of this, I will opt-out myself and my
family from an opt-out list, simply because I think opt-out lists are
fundamentally unethical.

On the other hand, if I'm given the chance to opt-in, along with a
full-disclosure description of exactly how opting-in will help DebConf
fund itself, I will almost certainly opt in (for myself at least).

If there is some option to fuzz the data a bit, I might[1] be able to
persuade Gunde (my wife) that all four of us should opt in.

Even if I don't get upset enough about "Debian" and "opt-in" being in
the same sentence to blog about it, I'm pretty sure others will, and the
resulting news reports will not be good for Debian's reputation.

Is that aspect of our reputation worth more than 70k EUR?  If so, we
should definitely prefer telling them "No!", and paying the money out of
Debian funds.

However I suspect that there is a way of proving that the attendees were
sufficiently international without handing over an improperly authorised
list.  I'd suggest that we should find out how that might be achieved.

Cheers, Phil.

[1] No guarantees about persuading Gunde though:

She has initiated legal action in the past when someone used her
data without proper permission.

The saga of how/if one could discover if the UK's NHS had uploaded
our kids data to "The Spine" is quite a long story -- Gunde tends
not to give up on these things.

I doubt she's unique among our attendees in this attitude.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY




Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Yao Wei
Hi Holger,

On Sat, Aug 11, 2018 at 00:51 Holger Levsen  wrote:

> i'm a bit puzzled, you ask the data-protection list for advice and then go
> against their advice. (they suggest to make this opt-in).


Jonathan (from Data Protection team) made an email template that we can go
with opt-out.  Also opt-in could impact the funding if we have too few
people on the list, even if we match the requirements.

> then suddenly the government fundings went up from 50k USD to 80k USD,
> how come? (your 1st mail in this thread here vs what you just wrote on
> -announce.)

My first email on this thread is incorrect. The breakdown is below:

MEET TAIWAN: 504,040 TWD
NCHC: 550,000 TWD
NCTU: 1,500,000 TWD (this is unlisted in budget, but NCTU MIRC claimed such
venue fee to NCTU CS dept, and CS dept is seeking from other fundings like
MOST (Minister of Science and Technology) and MOE (Minister of Education)
etc.)

> also you didn't reply to my question how many names they need.


I thought I already replied to that, but my email got filtered by spam
filter on the list.  That is put in the announcement. Copying from that:

> We need at least 100 attendees, and in which we need at least 30 attendees
> not from Taiwan.  Note that even if we meet such requirement, it will also
> affect fundings if we have much less people than we should report.

> also you didn't explain this (that not everybody needs to give their
> names) and thus the people on -announce are not aware that them opting
> out is a serious option which will not impact the funding.
>
> last but not least, you make it sound dramatic, while according to what
> i have heard, dc18 will make 60k USD profit, so we could very well cover
> this from dc18 funds and not violate the rights of the people we love.


I am thinking about covering everything from SPI as well.  But not really
sure what we will lose other than money.  We can gain reputations on our
data policy if doing so.

> not impressed. (perceived) urgency often gives bad advice. Debian needs
> people more than money.


Sorry for my hasty action.  We have to give the funds the report within 1
month of the end of the event, and I am being pressured to hand over the list.

Best regards,
Yao Wei


Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Holger Levsen
On Fri, Aug 10, 2018 at 04:51:08PM +, Holger Levsen wrote:
> also you didn't explain this (that not everybody needs to give their
> names) and thus the people on -announce are not aware that them opting
> out is a serious option which will not impact the funding.

I was wrong, you explained this. I was just so annoyed by this opt-out
stuff already that I stopped reading.


-- 
cheers,
Holger




Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Holger Levsen
hi Yao Wei,

i'm a bit puzzled, you ask the data-protection list for advice and then go
against their advice. (they suggest to make this opt-in).

then suddenly the government fundings went up from 50k USD to 80k USD,
how come? (your 1st mail in this thread here vs what you just wrote on
-announce.)

also you didn't reply to my question how many names they need.

also you didn't explain this (that not everybody needs to give their
names) and thus the people on -announce are not aware that them opting
out is a serious option which will not impact the funding.

last but not least, you make it sound dramatic, while according to what
i have heard, dc18 will make 60k USD profit, so we could very well cover
this from dc18 funds and not violate the rights of the people we love.

not impressed. (perceived) urgency often gives bad advice. Debian needs
people more than money.


-- 
cheers,
Holger

---
holger@(debian|reproducible-builds).org




Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Tollef Fog Heen
]] ChangZhuo Chen "(陳昌倬)" 

(trimmed Cc)

> On Fri, Aug 10, 2018 at 12:27:39PM +0800, Yao Wei wrote:
> > We are requested by National Chiao Tung University (NCTU) and National
> > Centre of High-performance Computing (NCHC) for the list of attendees
> > along with their nationality for applying for funding.  NCTU also applies
> > for government funds MEET TAIWAN [1] for which they require such information
> > for checking if our event matches their qualification for funding
> > (they require more than a certain number of foreign people attending
> > the event as one of the requirements).
> 
> Is this requirement the same as eCode for VISA [0], which is:
> 
> * Come from 3+ nations/regions
> * >100 attendees
> * >50 foreigner/China, or >30% foreigner/China.
> 
> In this case, I think group photo can easily prove that we meet the
> requirement. Since NCTU & NCHC also need to comply with Personal
> Information Protection Act [1] when receiving such data, maybe group
> photo is also better for them.

FWIW, in the context of the GDPR, the group photo is not necessarily
much (if at all) better.  One can argue that it's opt-in, but on the
other hand, it's just as much personal information as a list of names.

Like Matthew and Noodles, I agree it would have been preferable if we
could have given this information to attendees up front, but as that's a
bit late, let's work with the cards we have been dealt.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Yao Wei
Hi,

I am thinking that this should be an opt-in rather than opt-out for
GDPR compliance.  However it is difficult to accomplish in my
opinion...  So opt-out can be really a compromise here.

We can tell the attendees we are giving such info to these agencies.
I will ask MEET TAIWAN next week if having initials and nationality
per person is sufficient for their requirements.

Such as:
"Y. W.", "Taiwan"
"C. C.", "Taiwan"
etc.

Also along with the (partial) list of attendees, we can give
statistics of nationality to them to further tell them we have that
many people. (Though, I asked MEET TAIWAN and they don't accept us
giving statistics *instead of* list of attendees.)

Yao Wei
Sending the email again because the mailing list considered my email spam.



Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread 陳昌倬
On Fri, Aug 10, 2018 at 12:27:39PM +0800, Yao Wei wrote:
> We are requested by National Chiao Tung University (NCTU) and National
> Centre of High-performance Computing (NCHC) for the list of attendees
> along with their nationality for applying for funding.  NCTU also applies
> for government funds MEET TAIWAN [1] for which they require such information
> for checking if our event matches their qualification for funding
> (they require more than a certain number of foreign people attending
> the event as one of the requirements).

Is this requirement the same as eCode for VISA [0], which is:

* Come from 3+ nations/regions
* >100 attendees
* >50 foreigner/China, or >30% foreigner/China.

In this case, I think group photo can easily prove that we meet the
requirement. Since NCTU & NCHC also need to comply with Personal
Information Protection Act [1] when receiving such data, maybe group
photo is also better for them.


[0] https://www.meettaiwan.com/zh_TW/menu/M775/%E5%BD%88%E6%80%A7%E5%85%A5%E5%A2%83%E6%A9%9F%E5%88%B6.html?function=9ABFE646EAF7B357D0636733C6861689
[1] https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B




Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Matthew Vernon
Hi,

On 10/08/18 09:28, Jonathan McDowell wrote:

> Legitimate interest should be a suitable basis for processing such
> information; it sounds like a reasonable chunk of the funding for
> DebConf was conditional on these government funds, so in order to run
> the conference it's required to hand the details over. However this is
> something that should have been made apparent to attendees up front, so
> they could make an informed decision about whether to attend or not.
> DebConf team, please note this for future DebConfs.

I think we should be telling people in advance how we will use their
personal data. Even if this is legally OK, I think some Debconf
attenders will be (not unreasonably) unhappy about their data being used
like this without their consent.

> I would suggest that the best approach in the current circumstance is
> probably to email attendees saying something like:
> 
> | It has come to our attention that National Chiao Tung University, our
> | hosts for DebConf18, have an expectation that some of their costs will
> | be covered by funding from the Taiwanese government. As part of this
> | they need to prove that there were a certain percentage of foreign
> | attendees. To do so requires passing attendee name + nationality details
> | to the university and thus the government. As we did not make attendees
> | aware of this before they registered for the conference we are
> | contacting you now to give you an opportunity to request that we
> | withhold your information from the details we pass over. If you wish
> | to do so please contact us by .

I sort-of feel that this should be an opt-in rather than an opt-out, but
I see that is going to be more difficult.

> I don't know whether you also want to add that there will be a financial
> penalty if we don't provide this information; personally I can't think
> of a way to word it that doesn't sound a bit like coercion.

Your proposed text does mention the costs, although without explicitly
saying "if we refuse to provide these data, NCTU will expect us to cover
this funding shortfall". Does our contract with them let them do this?

> For those who don't want their details passed over it should be possible
> to provide aggregate data; a total number of foreign attendees who
> declined to have their data provided won't reveal anything. A breakdown
> per country might well leak such information however.

Yes; I would twitch if any of the relevant numbers were below, say, 5.

Regards,

Matthew



Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-10 Thread Jonathan McDowell
On Fri, Aug 10, 2018 at 07:30:39AM +0200, Tollef Fog Heen wrote:
> ]] Yao Wei 
> 
> > We are requested by National Chiao Tung University (NCTU) and National
> > Centre of High-performance Computing (NCHC) for the list of attendees
> > along with their nationality for applying for funding.  NCTU also applies
> > for government funds MEET TAIWAN [1] for which they require such information
> > for checking if our event matches their qualification for funding
> > (they require more than a certain number of foreign people attending
> > the event as one of the requirements).
> 
> Is there a requirement that the list of names is complete (includes all
> attendees)? What is the number of non-Taiwan nationals required?  Can I
> read more about what the purpose of this is somewhere?  (It was not
> obvious to me where it is on the MEET TAIWAN site.)
> 
> If the answer to those is «no» and some not-unreasonable number, we
> might be able to get consent from enough people.  If not, we'll have to
> figure out if we have another legal basis for processing.

Legitimate interest should be a suitable basis for processing such
information; it sounds like a reasonable chunk of the funding for
DebConf was conditional on these government funds, so in order to run
the conference it's required to hand the details over. However this is
something that should have been made apparent to attendees up front, so
they could make an informed decision about whether to attend or not.
DebConf team, please note this for future DebConfs.

I would suggest that the best approach in the current circumstance is
probably to email attendees saying something like:

| It has come to our attention that National Chiao Tung University, our
| hosts for DebConf18, have an expectation that some of their costs will
| be covered by funding from the Taiwanese government. As part of this
| they need to prove that there were a certain percentage of foreign
| attendees. To do so requires passing attendee name + nationality details
| to the university and thus the government. As we did not make attendees
| aware of this before they registered for the conference we are
| contacting you now to give you an opportunity to request that we
| withhold your information from the details we pass over. If you wish
| to do so please contact us by .

I don't know whether you also want to add that there will be a financial
penalty if we don't provide this information; personally I can't think
of a way to word it that doesn't sound a bit like coercion.

For those who don't want their details passed over it should be possible
to provide aggregate data; a total number of foreign attendees who
declined to have their data provided won't reveal anything. A breakdown
per country might well leak such information however.

J.

-- 
I wish life had a scroll-back buffer.



Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

2018-08-09 Thread Tollef Fog Heen
]] Yao Wei 

> We are requested by National Chiao Tung University (NCTU) and National
> Centre of High-performance Computing (NCHC) for the list of attendees
> along with their nationality for applying for funding.  NCTU also applies
> for government funds MEET TAIWAN [1] for which they require such information
> for checking if our event matches their qualification for funding
> (they require more than a certain number of foreign people attending
> the event as one of the requirements).

Is there a requirement that the list of names is complete (includes all
attendees)? What is the number of non-Taiwan nationals required?  Can I
read more about what the purpose of this is somewhere?  (It was not
obvious to me where it is on the MEET TAIWAN site.)

If the answer to those is «no» and some not-unreasonable number, we
might be able to get consent from enough people.  If not, we'll have to
figure out if we have another legal basis for processing.

> Meanwhile, I am also requesting the website team to export the data [2].

I suggest we wait a little bit before doing this.

Thanks,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are