Re: [GNC-dev] GDPR and gnucash as a project

2018-05-23 Thread Wm via gnucash-devel

On 22/05/2018 18:14, Geert Janssens wrote:
> On Tuesday 22 May 2018 16:36:47 CEST, David T. wrote:
> > Geert,
> >
> > I am not fluent with the issues of the GDPR, but I have had a lifetime of
> > considering intellectual property issues (as a librarian). Personal
> > contributions of ideas, thoughts, or intellectual content are IMHO NOT
> > personal data, even when signed by an individual’s name*.
>
> > Those would fall
> > under intellectual property/copyright rules rather than personal data.
>
> > It is my understanding also that use of GPL addresses the question of IP
> > rights in code and documentation; if a user contributes to the GC project
> > in these areas, they do so with this release understood.
>
> I had given this some more thought as well. And I agree that our code and
> documentation licenses handle this.
> Because of these licenses I see a code/documentation contribution as happening
> under a contract. So the GDPR doesn't apply there as far as I'm concerned.
> Or put differently in my own simplified words: our code is regulated by
> copyright law. In order to be able to assert copyright (even in copyleft form)
> the author of the protected work must be known. So if someone contributes a
> patch that person must be identified together with the patch or copyright
> can't work. So "the right to be forgotten" doesn't apply due to the legal
> framework in which the personal data (user's name/email) is used.

that is how most of our software works, a person gives it freely

we have had a number of people offer paid contributions but so far as I
remember we have always refused them

> > It is also my
> > understanding that unless someone explicitly states otherwise, their
> > posting of information in a public place (such as a website, wiki, mailing
> > list, etc.) would constitute permission to release that information
> > generally.
>
> Sounds reasonable to me. Though we may be required to mention this more
> explicitly in various places.

Yes, we might need to tighten up the guidelines but we are a tiny
project compared to wikipedia, let's see what they do first.

> > * - I would be extremely surprised to find that a user’s name, in and of
> > itself, would constitute protected personal information.
>
> That does sound reasonable to me as well.

A name is not protected.

--
Wm

___
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel


Re: [GNC-dev] GDPR and gnucash as a project

2018-05-23 Thread Wm via gnucash-devel

On 22/05/2018 18:14, Geert Janssens wrote:
> On Tuesday 22 May 2018 16:36:47 CEST, David T. wrote:
> > Geert,
> >
> > I am not fluent with the issues of the GDPR, but I have had a lifetime of
> > considering intellectual property issues (as a librarian). Personal
> > contributions of ideas, thoughts, or intellectual content are IMHO NOT
> > personal data, even when signed by an individual’s name*.
>
> > Those would fall
> > under intellectual property/copyright rules rather than personal data.
>
> > It is my understanding also that use of GPL addresses the question of IP
> > rights in code and documentation; if a user contributes to the GC project
> > in these areas, they do so with this release understood.
>
> I had given this some more thought as well. And I agree that our code and
> documentation licenses handle this.
> Because of these licenses I see a code/documentation contribution as happening
> under a contract. So the GDPR doesn't apply there as far as I'm concerned.
> Or put differently in my own simplified words: our code is regulated by
> copyright law. In order to be able to assert copyright (even in copyleft form)
> the author of the protected work must be known. So if someone contributes a
> patch that person must be identified together with the patch or copyright
> can't work. So "the right to be forgotten" doesn't apply due to the legal
> framework in which the personal data (user's name/email) is used.

also that the work is given freely

Geert, I want you, one of our leaders to understand that this is
something you should put in front of us and hopefully forget.

We can't all code (I have said why) it doesn't mean we can't think or
don't work.

> > It is also my
> > understanding that unless someone explicitly states otherwise, their
> > posting of information in a public place (such as a website, wiki, mailing
> > list, etc.) would constitute permission to release that information
> > generally.
>
> Sounds reasonable to me. Though we may be required to mention this more
> explicitly in various places.

That may be part of it, I have seen someone say that a young person's
idea must be acknowledged by an older person and I'm not in favour of
that.  Original ideas, yes, please.  Good ideas, certainly.  All ideas, no.

Meanwhile, who the fuck is sitting on my messages?

Why are we so old fashioned that only a few people can acknowledge my
existence or anyone else's?

Is it Liz or one of the old men?

I have time

But in the middle of GDPR we must ask who the FUCK ARE YOU TO STOP MY
POST ?

And, of course, consider what the lists have been doing wrong and right
over time.

I think my view is at odds ...

P.S.  I think from now on if you *don't* post my message you have to
tell me why and that is going to be tricky.



--
Wm





Re: [GNC-dev] GDPR and gnucash as a project

2018-05-23 Thread Wm via gnucash-devel

On 22/05/2018 15:36, David T. via gnucash-devel wrote:
> * - I would be extremely surprised to find that a user’s name, in and of
> itself, would constitute protected personal information.

There are some unusual circumstances where a person's name may be
protected in UK and EU law

I doubt they will be invoked here, move on

--
Wm






Re: [GNC-dev] GDPR and gnucash as a project

2018-05-23 Thread Wm via gnucash-devel

On 22/05/2018 15:36, David T. via gnucash-devel wrote:
> Geert,
>
> I am not fluent with the issues of the GDPR,

relatively few people are
but they have been thought about
they are not harmful to you or I

I am not accepting the offered changes in T+C unless it is a bank or
business I know, then I look at them and usually agree, I mean, I gave
them my business to start with and checked at the beginning.

A BBC News report says around 5% of people are agreeing to the new terms
for smaller companies.  This is backwards, the smaller companies are the
ones that need the contacts.  The big ones haven't said what they are
going to do if people don't agree.

That is why the European Court is a good thing, USA people, it cares
about you too.

> but I have had a lifetime of considering intellectual property issues
> (as a librarian).

Librarians are some of my favourite people

> Personal contributions of ideas, thoughts, or intellectual content are
> IMHO NOT personal data, even when signed by an individual’s name*. Those
> would fall under intellectual property/copyright rules rather than
> personal data. It is my understanding also that use of GPL addresses the
> question of IP rights in code and documentation; if a user contributes
> to the GC project in these areas, they do so with this release understood.

I don't think that is in doubt, it would be odd for someone to withdraw
a positive contribution.

More realistic is (I will use myself) I said a bad thing, possibly rude
(I do that for free) but it was not only wrong (I don't mind being
wrong) but I also said someone else was wrong ...

... keep going ...

... and someone noticed and complained to someone that the fucking idiot
Donald Trump doesn't believe can sign an agreement <-- yes it is
necessary to point out that the people of the USA voted an incompetent
as their leader and he is stopping them getting their rights.  Why would
anyone vote for him other than being a racist or a bedroom russian?
<-- hello do you know there are girls out there american incel voters?

> It is also my understanding that unless someone explicitly states
> otherwise, their posting of information in a public place (such as a
> website, wiki, mailing list, etc.) would constitute permission to
> release that information generally.

yes

> David T.
>
> * - I would be extremely surprised to find that a user’s name, in and of
> itself, would constitute protected personal information.

it isn't




Re: [GNC-dev] GDPR and gnucash as a project

2018-05-22 Thread Geert Janssens
On Tuesday 22 May 2018 16:35:24 CEST, John Ralls wrote:
> > On May 22, 2018, at 6:02 AM, Geert Janssens wrote:
> > 
> > Yesterday John raised some concerns about GDPR compliance of the gnucash
> > project itself.
> > 
> > This is a different question from the one Mike Evans asked in April this
> > year about GDPR compliance by people *using* gnucash.
> > 
> > This requires some thought as the GDPR has many aspects.
> > 
> > The essence of the GDPR (global data protection regulation) is to regulate
> > the processing of EU citizen's personal data.
> > 
> > The first question this raises is which personal data does the gnucash
> > project process ? So far I have come up with:
> > - e-mail addresses on the gnucash mailing lists
> > - user accounts in bugzilla
> > - user accounts in our wiki
> > - user accounts on Uservoice
> > The above are pretty clear. There are others that are less clear to me
> > whether they constitute personal data or not:
> > - the actual messages people send to mailing lists and which are stored in
> > a public archive
> > - the actual comments on bugs
> > - the actual page edits in wiki
> > And also what about things like our irc channel ? Does that fall under
> > processing personal data ? We don't really run the irc channel, we only
> > use it. But on the other hand we do publish irc logs. Does GDPR apply to
> > those ? I can't tell really.
> > And the same question could be asked about our code itself in a way. Does
> > a code contribution represent personal data ? Each commit logs an e-mail
> > address of a committer which can't easily be removed.
> > 
> > Once we have established what constitutes personal data we need to
> > formulate a "privacy policy" in which we explain how we process this data
> > and whether third parties are involved (think github, uservoice,
> > travis-ci, our social media presence,...).
> > 
> > An open source project is a bit in an odd situation because we do almost
> > everything in public so there's very little being kept private. We publish
> > archives of our mailing list conversations, irc logs, commits and so on.
> > We have to inform our users of this in a clear manner. The good thing is
> > we only do keep the absolute minimum amount of information to function: a
> > username (which can be an e-mail address) and a password is usually
> > sufficient. Unless the message content also falls under personal data.
> > 
> > We also require explicit consent to use the personal data. We're
> > reasonably good in this respect as for all services we offer we require
> > the user to opt-in. We will never use for example mail addresses gathered
> > from bugzilla user accounts to automatically enroll the same people in a
> > mailing list. We probably should more clearly indicate what people
> > subscribe to in each case while they are registering. So when registering
> > for a mailing list, it should be pretty clear that anything the person
> > contributes will end up on a public web page. The same goes for all other
> > services we offer and make use of.
> > 
> > Next a person should be allowed to make corrections to the personal data
> > we were provided with and "the right to be forgotten". For user accounts
> > in the various services we offer this is not really a problem. Most of
> > these do allow the user to change passwords, user names or e-mail
> > addresses. However if the message content is also part of private data it
> > becomes much harder. In that case the question becomes whether a user can
> > request a mail message to be removed from our mailing list archive. I have
> > no answer to this.
> > 
> > Next there is the requirement to protect children. I don't know for sure
> > if this applies to us. If it does our registration processes should ask a
> > minimum age and require consent of a parent or equivalent in order to
> > continue with the registration. This is mostly mentioned in the context
> > of social networks. But as we publish all communication in public it may
> > apply to us as well.
> > 
> > And finally in case of data breaches we should inform the affected people
> > of this. Again one I don't know exactly how to deal with.
> > 
> > This mail is meant as a kick-off to start thinking about this. Any
> > feedback is very welcome.
> 
> Some more considerations:
> 
> Uservoice data lives on Uservoice’s servers, not ours, and so GDPR
> compliance there is their problem.

Probably correct. As we don't use the personal data we collect from say 
bugzilla accounts to populate uservoice accounts, we are not passing 
information to a third party here. We do use the service but not likely to be 
responsible for the personal data they collect.
> 
> We have copied from Gnome’s BZ a bunch of names and email addresses for
> reporters, commenters, and developers on GnuCash bugs without those
> people’s permission. The GDPR permits collecting information without
> permission for “business 

Re: [GNC-dev] GDPR and gnucash as a project

2018-05-22 Thread Geert Janssens
On Tuesday 22 May 2018 16:36:47 CEST, David T. wrote:
> Geert,
> 
> I am not fluent with the issues of the GDPR, but I have had a lifetime of
> considering intellectual property issues (as a librarian). Personal
> contributions of ideas, thoughts, or intellectual content are IMHO NOT
> personal data, even when signed by an individual’s name*.

> Those would fall
> under intellectual property/copyright rules rather than personal data.

> It is my understanding also that use of GPL addresses the question of IP
> rights in code and documentation; if a user contributes to the GC project
> in these areas, they do so with this release understood.

I had given this some more thought as well. And I agree that our code and 
documentation licenses handle this.
Because of these licenses I see a code/documentation contribution as happening 
under a contract. So the GDPR doesn't apply there as far as I'm concerned.
Or put differently in my own simplified words: our code is regulated by 
copyright law. In order to be able to assert copyright (even in copyleft form) 
the author of the protected work must be known. So if someone contributes a 
patch that person must be identified together with the patch or copyright 
can't work. So "the right to be forgotten" doesn't apply due to the legal 
framework in which the personal data (user's name/email) is used.

> It is also my
> understanding that unless someone explicitly states otherwise, their
> posting of information in a public place (such as a website, wiki, mailing
> list, etc.) would constitute permission to release that information
> generally.

Sounds reasonable to me. Though we may be required to mention this more 
explicitly in various places.

> 
> David T.
> 
> * - I would be extremely surprised to find that a user’s name, in and of
> itself, would constitute protected personal information.

That does sound reasonable to me as well.

Geert




Re: [GNC-dev] GDPR and gnucash as a project

2018-05-22 Thread David T. via gnucash-devel
Geert,

I am not fluent with the issues of the GDPR, but I have had a lifetime of 
considering intellectual property issues (as a librarian). Personal 
contributions of ideas, thoughts, or intellectual content are IMHO NOT personal 
data, even when signed by an individual’s name*. Those would fall under 
intellectual property/copyright rules rather than personal data. It is my 
understanding also that use of GPL addresses the question of IP rights in code 
and documentation; if a user contributes to the GC project in these areas, they 
do so with this release understood. It is also my understanding that unless 
someone explicitly states otherwise, their posting of information in a public 
place (such as a website, wiki, mailing list, etc.) would constitute permission 
to release that information generally.

David T.

* - I would be extremely surprised to find that a user’s name, in and of 
itself, would constitute protected personal information. 


Re: [GNC-dev] GDPR and gnucash as a project

2018-05-22 Thread Adrien Monteleone
Pseudonymization can be used in most if not all cases of removal requests to 
maintain data but render it ’not personal’.

There are also exceptions for data deemed necessary for and that is still being 
used for its original intended purpose which should drastically reduce even 
those cases.

Regards,
Adrien


