public inbox for gentoo-project@lists.gentoo.org
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-project <gentoo-project@lists.gentoo.org>
Subject: Re: [gentoo-project] Date-of-birth in developer applications
Date: Wed, 20 Jun 2018 06:52:29 -0400
Message-ID: <CAGfcS_m0MZsqPTEH87mnP4f8ACgyUoOU5_C5modaUd5UwHbbWA@mail.gmail.com>
In-Reply-To: <1529483543.2506.23.camel@gentoo.org>

On Wed, Jun 20, 2018 at 4:32 AM Michał Górny <mgorny@gentoo.org> wrote:
>
> Please tell me, how many times did we have to disambiguate two
> developers using the same name?  Even if we ever have to do that, do you
> really think we'd use one's birthday all over the place?

Even if we've had two people from the same location with the same
name, WHY would we ever have to use their date of birth to identify
them?  We already have their nicks which is what we use internally,
and those are always unique.

And if we DID have to identify a specific individual legally, then why
aren't we collecting government ID numbers, which actually do the job
a LOT better than DOB?

As far as I'm aware, under most privacy laws and policies I've seen,
name+DOB is just as sensitive as a government ID number.  If
collecting the latter makes you recoil in horror, then you should be
just as concerned about DOB collection.

I don't see the need to collect either for legal identification
purposes, so why do it?

> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.

++

Just put on the dev application a certification that they are
legally allowed to sign agreements.  That depends on more than just
age anyway.

Could somebody lie?  Sure, just as they can lie today about their DOB.

This is just reasonable care.  I don't think there is any expectation
by anybody that we have a higher level of certainty that our
developers are able to sign things (DCOs or otherwise - which are also
just reasonable care, unless we intend to start doing in-depth reviews
of every commit).

If we did need a higher level of certainty, then just asking for DOB
won't cut it.  We'd need to verify IDs, take at least some level of
care that they aren't mentally incapacitated, and know the local age
of being able to sign such agreements.

I think we need to take a step back and consider the threat model
here.  What is the threat we need to protect against?  Is collecting
DOB an effective but least-intrusive way of mitigating that threat?

-- 
Rich

