[squeak-dev] Ideas for web hosting for squeak.org?
Ben Coman
btc at openinworld.com
Sun Oct 15 13:06:09 UTC 2017
On Sun, Oct 15, 2017 at 4:48 PM, Bruce O'Neel <bruce.oneel at pckswarms.ch>
wrote:
> Hi,
>
> Thanks to Stephan's pointer to the eugdpr.org website. I've spent some
> time with this and have some comments below.
>
> First, the GDPR will apply if we let EU residents go to the Squeak
> websites. Given the popularity of Squeak in the EU that means GDPR
> regardless of where we physically host it.
>
> Second I think we're going to run into a computer geek view of the world
> not agreeing with the EU view of the world. I.e., you sent an email to a
> public mailing list with your full contact info that is archived forever.
> What words in that last sentence did you not understand?
>
>
> The things I think we have to comply with are:
>
> 1. Consent. The users have to know what they are giving us. Cookie
> notifications on the main webpage and some sort of page that describes what
> we log for access like IP addresses, etc. We also have to make clear how
> long info is stored. So if the webserver keeps the last 30 days of IP
> address logs then that has to be clear. We also have an age problem. We
> will need parental consent if there are users under 16. For the wiki,
> mailing lists etc we need to be clear what additional info is gathered.
> This is probably the easy one.
>
> 2. Breach notification, Right to Access, and Right to be forgotten are
> going to be harder.
>
> The places where we collect more personal info than just IP address are
> for the Wiki, the Mailing lists, and the bug tracker. In all three cases
> we would need to have enough info that:
>
> 1. For breach notification we can actually notify folks. We would need
> to collect email addresses in all cases for that to work.
>
Increasing the amount of personal data held by collecting additional email
addresses solely to advise of a breach seems counterproductive to the GDPR's
spirit of data minimisation.
I can't imagine that normal traffic to public mail lists could be construed
to pose "high risk to the rights and freedoms of natural persons". So 34.1
[1] might not apply, and a public mail list announcement may suffice
rather than a personalised notice.
[1] https://gdpr-info.eu/art-34-gdpr/
> 2. For right to access we would have to be able to show ALL the info
> we've kept on a particular user. All posts to the email lists, all swiki
> entries, etc.
>
This information is already publicly available. Don't subjects implicitly
already have "access"?
> 3. And for right to be forgotten we would have to allow users to delete
> ALL the data we've captured. All swiki entries, all archived email, etc.
> This is probably the hardest.
>
Balancing this is the "right to freedom of expression and information,
including processing for journalistic purposes" [2] and "archiving purposes
in the public interest" [3].
[2] https://gdpr-info.eu/art-85-gdpr/
[3] https://gdpr-info.eu/art-89-gdpr/
cheers -ben (ianal)
> For number 2, the right to access, would all be easiest if the wiki, email
> and bug trackers had a unified account, but, it probably would be ok if one
> had three accounts. Nonetheless you have to be able to see all your
> entries in all three.
>
> Number 3 is the trickiest especially with the mailing list archive.
> People's postings and signatures get copied into other threads and others'
> emails. It might be hard to keep the archives in that case. Getting this
> one right starts sounding like an AI research problem.
>
>
> Someone asked about the DPO (Data Protection Officer). The way I read
> http://www.eugdpr.org/gdpr-faqs.html is no, we do not need this.
> There are other issues but I think these are the most important.
>
> NB: I am not an expert, though I do spend some time professionally on
> this, and, will be spending more time in the future. This advice is worth
> every centime you've paid for it as well.
>
> cheers
>
> bruce
>
>
>
>
> 13 October 2017 20:18 Peter Crowther <peter at ozzard.org> wrote:
>
> I'd also favour EU, but then *somebody* will have to ensure that we comply
> with GDPR for any personal information that we store - and I don't know who
> that would be. Hence my question.
>
> I wouldn't recommend UK at the moment due to the regulatory turbulence of
> Brexit.
> - Peter
>
> On 13 October 2017 at 15:37, Tobias Pape <Das.Linux at gmx.de> wrote:
>
>>
>> > On 06.10.2017, at 10:35, Peter Crowther <Peter at ozzard.org> wrote:
>> >
>> > What personal information is stored, if any?
>> >
>>
>> What?
>>
>> > What regulatory environment do we wish to be in?
>>
>> Dunno. I'm just trying to keep things running.
>>
>> I'd favour EU, but that's actually none of my business…
>>
>>
>> >
>> > Cheers,
>> >
>> > - Peter
>> >
>> > On 4 October 2017 at 19:29, tim Rowledge <tim at rowledge.org> wrote:
>> > We have been informed that our sponsored servers are virtually certain
>> to go away at the end of the year. Rackspace has been providing space via
>> the Software Conservancy Foundation but are withdrawing and we cannot
>> afford their normal fees.
>> >
>> > So, tell us where we can get space and support to run squeak.org, the
>> swiki, etc.
>> >
>> > tim
>> > --
>> > tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
>> > All computers run at the same speed...with the power off.
>> >
>> >
>> >
>> >
>> >
>>
>>
>>