public inbox for gentoo-project@lists.gentoo.org
* [gentoo-project] Date-of-birth in developer applications
@ 2018-06-20  8:16 Michał Górny
  2018-06-20  8:24 ` Kristian Fiskerstrand
                   ` (4 more replies)
  0 siblings, 5 replies; 27+ messages in thread
From: Michał Górny @ 2018-06-20  8:16 UTC (permalink / raw
  To: gentoo-project

Hello, everyone.

I'd like to revive the topic of requiring date-of-birth for developers. 
Currently, we 'require' this date in developer applications and store it
in our LDAP (it's not public).  However, I'm not aware of any good
justification for collecting this kind of personal information.

The Trustees are apparently 'researching' the topic since at least
Feb 2017 [1], and haven't reached anything yet [2].  In the meantime,
applicants are asked to provide their DoB with no clear explanation why
they need to do that or how it's going to be used (the last part of dev
quiz [3]).

So unless someone can provide *a really good reason* to request this
kind of information, I'd like to propose that we remove the question
from the developer quiz, and remove collected birthday dates from LDAP.

What do you think?

[1]:https://wiki.gentoo.org/wiki/Foundation:Meetings/2017/02#prometheanfire
[2]:https://wiki.gentoo.org/wiki/Foundation:Meetings/2018/06#alicef
[3]:https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt

-- 
Best regards,
Michał Górny


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:16 [gentoo-project] Date-of-birth in developer applications Michał Górny
@ 2018-06-20  8:24 ` Kristian Fiskerstrand
  2018-06-20  8:32   ` Michał Górny
  2018-06-20  8:33 ` Marek Szuba
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20  8:24 UTC (permalink / raw
  To: gentoo-project, Michał Górny


On 06/20/2018 10:16 AM, Michał Górny wrote:
> However, I'm not aware of any good
> justification for collecting this kind of personal information.

Immediately I can think of two good reasons for this information, (i) as
a disambiguifier for matching names, at least across Europe it is common
to refer to an individual "A born DD.MM.YYYY", (ii) verify legal age for
entering into agreements. One can argue that without further
verification of (ii) it has less value, but at least that would be a
misrepresentation so shifting the question a bit if it ever becomes an
issue with FLA/DCO etc.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:24 ` Kristian Fiskerstrand
@ 2018-06-20  8:32   ` Michał Górny
  2018-06-20  8:53     ` Kristian Fiskerstrand
                       ` (5 more replies)
  0 siblings, 6 replies; 27+ messages in thread
From: Michał Górny @ 2018-06-20  8:32 UTC (permalink / raw
  To: gentoo-project

On Wed, 20.06.2018 at 10:24 +0200, Kristian Fiskerstrand wrote:
> On 06/20/2018 10:16 AM, Michał Górny wrote:
> > However, I'm not aware of any good
> > justification for collecting this kind of personal information.
> 
> Immediately I can think of two good reasons for this information, (i) as
> a disambiguifier for matching names, at least across Europe it is common
> to refer to an individual "A born DD.MM.YYYY",

Please tell me, how many times did we have to disambiguate two
developers using the same name?  Even if we ever have to do that, do you
really think we'd use one's birthday all over the place?

>  (ii) verify legal age for
> entering into agreements. One can argue that without further
> verification of (ii) it has less value, but at least that would be a
> misrepresentation so shifting the question a bit if it ever becomes an
> issue with FLA/DCO etc.

a. 'Legal age' may differ per country, so birth date alone is not very
useful.

b. There is no reason to store the full birth date if all we need is
a boolean whether someone is of 'legal age'.

c. We don't even have any clue what to do if someone is *not* of 'legal
age'.

-- 
Best regards,
Michał Górny


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:16 [gentoo-project] Date-of-birth in developer applications Michał Górny
  2018-06-20  8:24 ` Kristian Fiskerstrand
@ 2018-06-20  8:33 ` Marek Szuba
  2018-06-20  8:47 ` Ulrich Mueller
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 27+ messages in thread
From: Marek Szuba @ 2018-06-20  8:33 UTC (permalink / raw
  To: gentoo-project


On 2018-06-20 09:16, Michał Górny wrote:

> So unless someone can provide *a really good reason* to request this
> kind of information, I'd like to propose that we remove the question
> from the developer quiz, and remove collected birthday dates from LDAP.

I agree with removing birthday dates from LDAP. As for the developer
quiz, the second point raised by Kristian is a good one so we might want
to either keep this (but add an explanation of why it is needed) or
simply replace it with a statement regarding being of legal age for
entering into agreements.

-- 
MS



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:16 [gentoo-project] Date-of-birth in developer applications Michał Górny
  2018-06-20  8:24 ` Kristian Fiskerstrand
  2018-06-20  8:33 ` Marek Szuba
@ 2018-06-20  8:47 ` Ulrich Mueller
  2018-06-20  9:12   ` Michał Górny
  2018-06-20 15:06 ` Matthew Thode
  2018-06-20 15:20 ` Matthew Thode
  4 siblings, 1 reply; 27+ messages in thread
From: Ulrich Mueller @ 2018-06-20  8:47 UTC (permalink / raw
  To: gentoo-project

>>>>> On Wed, 20 Jun 2018, Michał Górny wrote:

> I'd like to revive the topic of requiring date-of-birth for
> developers. Currently, we 'require' this date in developer
> applications and store it in our LDAP (it's not public). However,
> I'm not aware of any good justification for collecting this kind of
> personal information.

IANAL, but won't this be relevant once we require Signed-off-by lines
with our commits?

Also, the information can be useful for statistical purposes. For
example, I had shown an age distribution of devs in a previous talk
of mine: https://dev.gentoo.org/~ulm/talks/intro_to_gentoo.tar.xz
(page 34 there).

Debian keeps dates of developers as well:
https://people.debian.org/~spaillard/developers-age-histogramm/

Ulrich


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:32   ` Michał Górny
@ 2018-06-20  8:53     ` Kristian Fiskerstrand
  2018-06-20  8:55     ` Dale
                       ` (4 subsequent siblings)
  5 siblings, 0 replies; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20  8:53 UTC (permalink / raw
  To: gentoo-project, Michał Górny


On 06/20/2018 10:32 AM, Michał Górny wrote:
> Please tell me, how many times did we have to disambiguate two
> developers using the same name?

It isn't necessarily limited to two developers of same name, but to
identify which one is the one that is the gentoo developer in broader
society.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:32   ` Michał Górny
  2018-06-20  8:53     ` Kristian Fiskerstrand
@ 2018-06-20  8:55     ` Dale
  2018-06-20  8:56     ` Kristian Fiskerstrand
                       ` (3 subsequent siblings)
  5 siblings, 0 replies; 27+ messages in thread
From: Dale @ 2018-06-20  8:55 UTC (permalink / raw
  To: gentoo-project

Michał Górny wrote:
> On Wed, 20.06.2018 at 10:24 +0200, Kristian Fiskerstrand wrote:
>> On 06/20/2018 10:16 AM, Michał Górny wrote:
>>> However, I'm not aware of any good
>>> justification for collecting this kind of personal information.
>> Immediately I can think of two good reasons for this information, (i) as
>> a disambiguifier for matching names, at least across Europe it is common
>> to refer to an individual "A born DD.MM.YYYY",
> Please tell me, how many times did we have to disambiguate two
> developers using the same name?  Even if we ever have to do that, do you
> really think we'd use one's birthday all over the place?
>
>>  (ii) verify legal age for
>> entering into agreements. One can argue that without further
>> verification of (ii) it has less value, but at least that would be a
>> misrepresentation so shifting the question a bit if it ever becomes an
>> issue with FLA/DCO etc.
> a. 'Legal age' may differ per country, so birth date alone is not very
> useful.
>
> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.
>
> c. We don't even have any clue what to do if someone is *not* of 'legal
> age'.
>


Suggestion.  If potential devs don't want to share their DOB with
everyone, why not do it this way.  The mentor asks for, and if needed
verifies the age, and then tells whoever is higher up that the person is
of age with nothing being recorded or shared except that the age
requirement has been met?  That one person would be the only one that
knows and that person has agreed to keep it confidential.  It could even
be destroyed if needed. 

Personally, I would not want to share my full DOB with everyone either. 
After all, that is one thing an identity thief needs.  Sharing the year
with one person is something I could agree to. Most of the time, the
year should be enough to know if a person is of whatever age requirement. 

This may not be a perfect solution but if not, maybe it will start a
path that leads to one.  Back to my hole!

Dale

:-)  :-) 



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:32   ` Michał Górny
  2018-06-20  8:53     ` Kristian Fiskerstrand
  2018-06-20  8:55     ` Dale
@ 2018-06-20  8:56     ` Kristian Fiskerstrand
  2018-06-20 11:09       ` Rich Freeman
  2018-06-20  9:04     ` Ulrich Mueller
                       ` (2 subsequent siblings)
  5 siblings, 1 reply; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20  8:56 UTC (permalink / raw
  To: gentoo-project, Michał Górny


On 06/20/2018 10:32 AM, Michał Górny wrote:

>>  (ii) verify legal age for
>> entering into agreements. One can argue that without further
>> verification of (ii) it has less value, but at least that would be a
>> misrepresentation so shifting the question a bit if it ever becomes an
>> issue with FLA/DCO etc.
> 
> a. 'Legal age' may differ per country, so birth date alone is not very
> useful.

It's useful but not complete

> 
> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.
> 

This might be sufficient, although would bring up interesting scenarios
if 'legal age' changes etc.

> c. We don't even have any clue what to do if someone is *not* of 'legal
> age'.
> 

They would likely require parental approval to be a gentoo dev to begin
with with some FLA co-signed by parent as they can't sign DCO themselves.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:32   ` Michał Górny
                       ` (2 preceding siblings ...)
  2018-06-20  8:56     ` Kristian Fiskerstrand
@ 2018-06-20  9:04     ` Ulrich Mueller
  2018-06-20  9:16       ` Michał Górny
  2018-06-20 10:52     ` Rich Freeman
  2018-06-20 20:47     ` Raymond Jennings
  5 siblings, 1 reply; 27+ messages in thread
From: Ulrich Mueller @ 2018-06-20  9:04 UTC (permalink / raw
  To: gentoo-project

>>>>> On Wed, 20 Jun 2018, Michał Górny wrote:

> On Wed, 20.06.2018 at 10:24 +0200, Kristian Fiskerstrand wrote:
>> Immediately I can think of two good reasons for this information,
>> (i) as a disambiguifier for matching names, at least across Europe
>> it is common to refer to an individual "A born DD.MM.YYYY",

> Please tell me, how many times did we have to disambiguate two
> developers using the same name? Even if we ever have to do that, do
> you really think we'd use one's birthday all over the place?

At least once. While we researched the copyright forms, we wondered
why there were two entries in LDAP with a different nick, but with the
same name and approximately the same location.

>> (ii) verify legal age for entering into agreements. One can argue
>> that without further verification of (ii) it has less value, but at
>> least that would be a misrepresentation so shifting the question a
>> bit if it ever becomes an issue with FLA/DCO etc.

> a. 'Legal age' may differ per country, so birth date alone is not
> very useful.

> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.

How would you determine when to flip that bit?

> c. We don't even have any clue what to do if someone is *not* of
> 'legal age'.

And closing our eyes would improve that situation?

Ulrich


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:47 ` Ulrich Mueller
@ 2018-06-20  9:12   ` Michał Górny
  2018-06-20  9:38     ` Ulrich Mueller
  0 siblings, 1 reply; 27+ messages in thread
From: Michał Górny @ 2018-06-20  9:12 UTC (permalink / raw
  To: gentoo-project

On Wed, 20.06.2018 at 10:47 +0200, Ulrich Mueller wrote:
> >>>>> On Wed, 20 Jun 2018, Michał Górny wrote:
> > I'd like to revive the topic of requiring date-of-birth for
> > developers. Currently, we 'require' this date in developer
> > applications and store it in our LDAP (it's not public). However,
> > I'm not aware of any good justification for collecting this kind of
> > personal information.
> 
> IANAL, but won't this be relevant once we require Signed-off-by lines
> with our commits?
> 
> Also, the information can be useful for statistical purposes. For
> example, I had shown an age distribution of devs in a previous talk
> of mine: https://dev.gentoo.org/~ulm/talks/intro_to_gentoo.tar.xz
> (page 34 there).
> 

I don't recall agreeing to my birth date being used for statistical
purposes.

-- 
Best regards,
Michał Górny


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  9:04     ` Ulrich Mueller
@ 2018-06-20  9:16       ` Michał Górny
  0 siblings, 0 replies; 27+ messages in thread
From: Michał Górny @ 2018-06-20  9:16 UTC (permalink / raw
  To: gentoo-project

On Wed, 20.06.2018 at 11:04 +0200, Ulrich Mueller wrote:
> >>>>> On Wed, 20 Jun 2018, Michał Górny wrote:
> > On Wed, 20.06.2018 at 10:24 +0200, Kristian Fiskerstrand wrote:
> > > Immediately I can think of two good reasons for this information,
> > > (i) as a disambiguifier for matching names, at least across Europe
> > > it is common to refer to an individual "A born DD.MM.YYYY",
> > Please tell me, how many times did we have to disambiguate two
> > developers using the same name? Even if we ever have to do that, do
> > you really think we'd use one's birthday all over the place?
> 
> At least once. While we researched the copyright forms, we wondered
> why there were two entries in LDAP with a different nick, but with the
> same name and approximately the same location.
> 
> > > (ii) verify legal age for entering into agreements. One can argue
> > > that without further verification of (ii) it has less value, but at
> > > least that would be a misrepresentation so shifting the question a
> > > bit if it ever becomes an issue with FLA/DCO etc.
> > a. 'Legal age' may differ per country, so birth date alone is not
> > very useful.
> > b. There is no reason to store the full birth date if all we need is
> > a boolean whether someone is of 'legal age'.
> 
> How would you determine when to flip that bit?

See below.

> 
> > c. We don't even have any clue what to do if someone is *not* of
> > 'legal age'.
> 
> And closing our eyes would improve that situation?
> 

How is that different from the status quo where we request the date
and ignore it?  I'm all for figuring out a good way to deal with it. 
However, I'm against collecting information 'just in case' because we
have no clue how to deal with it.

In other words, dealing with people who are not legal age is not solved
by collecting their birth dates.

-- 
Best regards,
Michał Górny


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  9:12   ` Michał Górny
@ 2018-06-20  9:38     ` Ulrich Mueller
  0 siblings, 0 replies; 27+ messages in thread
From: Ulrich Mueller @ 2018-06-20  9:38 UTC (permalink / raw
  To: gentoo-project

>>>>> On Wed, 20 Jun 2018, Michał Górny wrote:

> I don't recall agreeing to my birth date being used for statistical
> purposes.

Not _your_ date of birth, but anonymised data from 231 developers,
and with a large binning, at that:

   # Age distribution of Gentoo devs (as of 2012-10-10), 5 year bins
   15  1
   20 27
   25 80
   30 67
   35 23
   40 16
   45  7
   50  7
   55  3

So what can be concluded is that in 2012 you were older than 15 and
younger than 60. Do you consider that sensitive information? :)

Ulrich


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:32   ` Michał Górny
                       ` (3 preceding siblings ...)
  2018-06-20  9:04     ` Ulrich Mueller
@ 2018-06-20 10:52     ` Rich Freeman
  2018-06-20 11:12       ` Kristian Fiskerstrand
  2018-06-20 20:47     ` Raymond Jennings
  5 siblings, 1 reply; 27+ messages in thread
From: Rich Freeman @ 2018-06-20 10:52 UTC (permalink / raw
  To: gentoo-project

On Wed, Jun 20, 2018 at 4:32 AM Michał Górny <mgorny@gentoo.org> wrote:
>
> Please tell me, how many times did we have to disambiguate two
> developers using the same name?  Even if we ever have to do that, do you
> really think we'd use one's birthday all over the place?

Even if we've had two people from the same location with the same
name, WHY would we ever have to use their date of birth to identify
them?  We already have their nicks which is what we use internally,
and those are always unique.

And if we DID have to identify a specific individual legally, then why
aren't we collecting government ID numbers, which actually do the job
a LOT better than DOB?

As far as I'm aware, under most privacy laws and policies I've seen,
name+DOB is just as sensitive as a government ID number.  If
collecting the latter makes you recoil in horror, then you should be
just as concerned about DOB collection.

I don't see the need to collect either for legal identification
purposes, so why do it?

> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.

++

Just put on the dev application a certification that they are
legally allowed to sign agreements.  That depends on more than just
age anyway.

Could somebody lie?  Sure, just as they can lie today about their DOB.

This is just reasonable care.  I don't think there is any expectation
by anybody that we have a higher level of certainty that our
developers are able to sign things (DCOs or otherwise - which are also
just reasonable care, unless we intend to start doing in-depth reviews
of every commit).

If we did need a higher level of certainty, then just asking for DOB
won't cut it.  We'd need to verify IDs, take at least some level of
care that they aren't mentally incapacitated, and know the local age
of being able to sign such agreements.

I think we need to take a step back and consider the threat model
here.  What is the threat we need to protect against?  Is collecting
DOB an effective but least-intrusive way of mitigating that threat?

-- 
Rich



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:56     ` Kristian Fiskerstrand
@ 2018-06-20 11:09       ` Rich Freeman
  2018-06-20 11:14         ` Kristian Fiskerstrand
  0 siblings, 1 reply; 27+ messages in thread
From: Rich Freeman @ 2018-06-20 11:09 UTC (permalink / raw
  To: gentoo-project; +Cc: Michał Górny

On Wed, Jun 20, 2018 at 4:56 AM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>
> On 06/20/2018 10:32 AM, Michał Górny wrote:
>
> > c. We don't even have any clue what to do if someone is *not* of 'legal
> > age'.
>
> They would likely require parental approval to be a gentoo dev to begin
> with with some FLA co-signed by parent as they can't sign DCO themselves.

Since the DCO is still a new concept, I wanted to point out that the
FLA and the DCO are fairly orthogonal, and signing either doesn't
really eliminate the need for the other.

The DCO "certifies" that the underage kid wrote the code, or verified
that it is legal for us to redistribute.

An FLA signed by the parent would give Gentoo the rights to use code
written by the underage kid, but does nothing to ensure that any
particular commit actually was written by the kid or obtained from a
legal source.

If we are going to go down that road, then you'd really want the
parent to sign the DCO for every commit, and to ensure the parent
actually understands what the DCO means.

Now, you can argue whether or not DCOs on every commit are essential
for reasonable care, but if they are then they really need to be
signed on every commit by an adult.  If they aren't, well, then we
probably shouldn't be requiring them.

-- 
Rich



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 10:52     ` Rich Freeman
@ 2018-06-20 11:12       ` Kristian Fiskerstrand
  2018-06-20 11:41         ` Rich Freeman
  0 siblings, 1 reply; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20 11:12 UTC (permalink / raw
  To: gentoo-project, Rich Freeman


On 06/20/2018 12:52 PM, Rich Freeman wrote:
> On Wed, Jun 20, 2018 at 4:32 AM Michał Górny <mgorny@gentoo.org> wrote:
>>
>> Please tell me, how many times did we have to disambiguate two
>> developers using the same name?  Even if we ever have to do that, do you
>> really think we'd use one's birthday all over the place?
> 
> Even if we've had two people from the same location with the same
> name, WHY would we ever have to use their date of birth to identify
> them?  We already have their nicks which is what we use internally,
> and those are always unique.

One morbid example would be someone getting a stone in the back of their
head, at which point the nick will likely not help much... But the
underlying need is likely to arise more due to other circumstances for
needing to contact, say a retired dev needs to provide evidence in a
copyright case and we need to track them down to get said statement.

> 
> And if we DID have to identify a specific individual legally, then why
> aren't we collecting government ID numbers, which actually do the job
> a LOT better than DOB?

Storing those would require much higher security than a simple DOB

> 
> As far as I'm aware, under most privacy laws and policies I've seen,
> name+DOB is just as sensitive as a government ID number.  If
> collecting the latter makes you recoil in horror, then you should be
> just as concerned about DOB collection.

I'm not, but views of trustees might differ on that; we have reasons to
collect it, it is part of recruiting process known to developer, so the
legal matter wouldn't be on the collecting part but the storage part,
and here they differ quite a lot in practice (although it shouldn't as
even SSN is just a Primary Key in theory).


> Just put on the dev application a certification that they are
> legally allowed to sign agreements.  That depends on more than just
> age anyway.

The latter is an interesting point.

> 
> Could somebody lie?  Sure, just as they can lie today about their DOB.

I'm not too concerned about misrepresentation, there are other ways to
pursue that, but at least there is an element of CYA.

> 
> This is just reasonable care.  I don't think there is any expectation
> by anybody that we have a higher level of certainty that our
> developers are able to sign things (DCOs or otherwise - which are also
> just reasonable care, unless we intend to start doing in-depth reviews
> of every commit).
> 
> If we did need a higher level of certainty, then just asking for DOB
> won't cut it.  We'd need to verify IDs, take at least some level of
> care that they aren't mentally incapacitated, and know the local age
> of being able to sign such agreements.

Indeed

> 
> I think we need to take a step back and consider the threat model
> here.  What is the threat we need to protect against?  Is collecting
> DOB an effective but least-intrusive way of mitigating that threat?
> 

This is always a good question, discussions are always helpful to
determine that.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 11:09       ` Rich Freeman
@ 2018-06-20 11:14         ` Kristian Fiskerstrand
  2018-06-20 11:23           ` Rich Freeman
  0 siblings, 1 reply; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20 11:14 UTC (permalink / raw
  To: gentoo-project, Rich Freeman; +Cc: Michał Górny


On 06/20/2018 01:09 PM, Rich Freeman wrote:
> On Wed, Jun 20, 2018 at 4:56 AM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>> On 06/20/2018 10:32 AM, Michał Górny wrote:
>>
>>> c. We don't even have any clue what to do if someone is *not* of 'legal
>>> age'.
>> They would likely require parental approval to be a gentoo dev to begin
>> with with some FLA co-signed by parent as they can't sign DCO themselves.
> Since the DCO is still a new concept, I wanted to point out that the
> FLA and the DCO are fairly orthogonal, and signing either doesn't
> really eliminate the need for the other.

Right, I wasn't precise enough.. the DCO alone isn't sufficient, and an
agreement that is co-signed by parent where it grants a power of
attorney of sorts for the kid to assert the DCO... But the details on
that would have to be ironed out :)

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 11:14         ` Kristian Fiskerstrand
@ 2018-06-20 11:23           ` Rich Freeman
  2018-06-20 11:26             ` Kristian Fiskerstrand
  0 siblings, 1 reply; 27+ messages in thread
From: Rich Freeman @ 2018-06-20 11:23 UTC (permalink / raw
  To: Kristian Fiskerstrand; +Cc: gentoo-project, Michał Górny

On Wed, Jun 20, 2018 at 7:14 AM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>
> Right, I wasn't precise enough.. the DCO alone isn't sufficient, and an
> agreement that is co-signed by parent where it grants a power of
> attorney of sorts for the kid to assert the DCO... But the details on
> that would have to be ironed out :)
>

A power of attorney assigning authority to somebody who isn't of legal
age?  While I haven't done a comprehensive analysis, I'd be utterly
shocked if that is legally allowed in any country sophisticated enough
to have a concept of a power of attorney.

-- 
Rich



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 11:23           ` Rich Freeman
@ 2018-06-20 11:26             ` Kristian Fiskerstrand
  0 siblings, 0 replies; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20 11:26 UTC (permalink / raw
  To: gentoo-project, Rich Freeman; +Cc: Michał Górny


On 06/20/2018 01:23 PM, Rich Freeman wrote:
> On Wed, Jun 20, 2018 at 7:14 AM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>>
>> Right, I wasn't precise enough.. the DCO alone isn't sufficient, and an
>> agreement that is co-signed by parent where it grants a power of
>> attorney of sorts for the kid to assert the DCO... But the details on
>> that would have to be ironed out :)
>>
> 
> A power of attorney assigning authority to somebody who isn't of legal
> age?  While I haven't done a comprehensive analysis, I'd be utterly
> shocked if that is legally allowed in any country sophisticated enough
> to have a concept of a power of attorney.
> 

The initial agreement would be the legally binding part, the sign-off-by
can be seen as only asserting the points of the first DCO contribution,
this is also why you see other projects requiring developers to send in
the first DCO in OpenPGP signed format before further commits are having
regular signed off by.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 11:12       ` Kristian Fiskerstrand
@ 2018-06-20 11:41         ` Rich Freeman
  2018-06-20 13:06           ` Ulrich Mueller
  0 siblings, 1 reply; 27+ messages in thread
From: Rich Freeman @ 2018-06-20 11:41 UTC
  To: Kristian Fiskerstrand; +Cc: gentoo-project

On Wed, Jun 20, 2018 at 7:12 AM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>
> On 06/20/2018 12:52 PM, Rich Freeman wrote:
> > On Wed, Jun 20, 2018 at 4:32 AM Michał Górny <mgorny@gentoo.org> wrote:
> >>
> >> Please tell me, how many times did we have to disambiguate two
> >> developers using the same name?  Even if we ever have to do that, do you
> >> really think we'd use one's birthday all over the place?
> >
> > Even if we've had two people from the same location with the same
> > name, WHY would we ever have to use their date of birth to identify
> > them?  We already have their nicks which is what we use internally,
> > and those are always unique.
>
> One morbid example would be someone getting a stone in the back of their
> head, at which point the nick will likely not help much... But the
> underlying need is likely to arise more due to other circumstances for
> needing to contact, say a retired dev needs to provide evidence in a
> copyright case and we need to track them down to get said statement.

The "underlying need" is what I'm getting at.  Do we REALLY need to
track developers post-retirement?  If we do, is DOB really the best
way to do this?

And what are we going to do when some retired developer asks us to
forget about them?  I don't think legally we need to go retract
published info, but that DOB seems very much the sort of thing that
would be risky to hold on to if somebody explicitly told us they don't
want us to retain it.  We'd probably need justification to do so.

> >
> > As far as I'm aware, under most privacy laws and policies I've seen,
> > name+DOB is just as sensitive as a government ID number.  If
> > collecting the latter makes you recoil in horror, then you should be
> > just as concerned about DOB collection.
>
> I'm not, but views of trustees might differ on that; we have reasons to
> collect it, it is part of recruiting process known to developer, so the
> legal matter wouldn't be on the collecting part but the storage part,
> and here they differ quite a lot in practice (although it shouldn't as
> even SSN is just a Primary Key in theory).

WP has what appears to be a decent article, and it lists DOB as
explicitly personally-identifying:
https://en.wikipedia.org/wiki/Personally_identifiable_information

The US law explicitly lists DOB (cited there):
Information which can be used to distinguish or trace an individual's
identity, such as their name, social security number, biometric
records, etc. alone, or when combined with other personal or
identifying information which is linked or linkable to a specific
individual, such as date and place of birth, mother’s maiden name,
etc.

It goes on to cite the EU:
Article 2a: 'personal data' shall mean any information relating to an
identified or identifiable natural person ('data subject'); an
identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number or
to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity;

You brought up the scenario of tracking somebody down in the real
world.  It seems to me that if we actually collect enough info to be
able to do this, then by definition we fall directly in the crosshairs
of both.

I'd start with the underlying issue: do we need to identify specific
individuals and retain this identity?  What exactly do we need
(starting from zero), and what is the least amount of info we need to
collect to get there?

My understanding is that these are the basic principles of most modern
privacy law, and if we stick to those we'll probably be fairly safe as
these laws change (assuming we sufficiently protect the info we do
need to collect).

The principles cited in that article actually raise other thorny
issues as well, such as name+location if the name is unique enough.  I
couldn't begin to tell you whether half of Oslo are named
Fiskerstrand, or if you're the only one in the phone book.

-- 
Rich



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 11:41         ` Rich Freeman
@ 2018-06-20 13:06           ` Ulrich Mueller
  2018-06-20 13:10             ` Kristian Fiskerstrand
  2018-06-20 13:50             ` Rich Freeman
  0 siblings, 2 replies; 27+ messages in thread
From: Ulrich Mueller @ 2018-06-20 13:06 UTC
  To: gentoo-project; +Cc: Kristian Fiskerstrand


>>>>> On Wed, 20 Jun 2018, Rich Freeman wrote:

> The "underlying need" is what I'm getting at.  Do we REALLY need to
> track developers post-retirement?  If we do, is DOB really the best
> way to do this?

I would presume that we do, if we need to clarify copyright or
licensing of any files in our repositories. I could provide several
examples where I had to contact retired devs because of license
issues.

But indeed, knowing their date of birth wouldn't have helped there.

> And what are we going to do when some retired developer asks us to
> forget about them?  I don't think legally we need to go retract
> published info, but that DOB seems very much the sort of thing that
> would be risky to hold on to if somebody explicitly told us they don't
> want us to retain it.  We'd probably need justification to do so.

The only justification I can think of is that we may need to know if
a developer was of legal age when committing any code. But that seems
very theoretical, since we don't even verify anybody's identity.

Ulrich


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 13:06           ` Ulrich Mueller
@ 2018-06-20 13:10             ` Kristian Fiskerstrand
  2018-06-20 13:50             ` Rich Freeman
  1 sibling, 0 replies; 27+ messages in thread
From: Kristian Fiskerstrand @ 2018-06-20 13:10 UTC
  To: gentoo-project, Ulrich Mueller



On 06/20/2018 03:06 PM, Ulrich Mueller wrote:
> The only justification I can think of is that we may need to know if
> a developer was of legal age when committing any code. But that seems
> very theoretical, since we don't even verify anybody's identity.

And I agree with rich0 we're in a better position if asking them
outright about that anyways.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 13:06           ` Ulrich Mueller
  2018-06-20 13:10             ` Kristian Fiskerstrand
@ 2018-06-20 13:50             ` Rich Freeman
  2018-06-20 14:19               ` Ulrich Mueller
  1 sibling, 1 reply; 27+ messages in thread
From: Rich Freeman @ 2018-06-20 13:50 UTC
  To: gentoo-project

On Wed, Jun 20, 2018 at 9:06 AM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Wed, 20 Jun 2018, Rich Freeman wrote:
>
> > The "underlying need" is what I'm getting at.  Do we REALLY need to
> > track developers post-retirement?  If we do, is DOB really the best
> > way to do this?
>
> I would presume that we do, if we need to clarify copyright or
> licensing of any files in our repositories. I could provide several
> examples where I had to contact retired devs because of license
> issues.
>
> But indeed, knowing their date of birth wouldn't have helped there.

Past developers may not be reachable, cooperative, or even alive.

If we need information or assurances from them, we should obtain it
BEFORE we accept commits, not try to chase it down years later.

I'd be interested in any cases where we felt this was necessary.  I
know that a lot of work was done recently to try to figure out the
license history of the tree, but honestly I'm not convinced it was
necessary, and legally digging into messy situations can sometimes
even be harmful.  In general I think forward-looking solutions tend to
be best unless there is a clear legal duty to look backwards.


>
> > And what are we going to do when some retired developer asks us to
> > forget about them?  I don't think legally we need to go retract
> > published info, but that DOB seems very much the sort of thing that
> > would be risky to hold on to if somebody explicitly told us they don't
> > want us to retain it.  We'd probably need justification to do so.
>
> The only justification I can think of is that we may need to know if
> a developer was of legal age when committing any code. But that seems
> very theoretical, since we don't even verify anybody's identity.
>

Even if we did verify somebody's identity, we could document that this
was done, and not retain any personally-identifying info.

Ultimately it comes down to what constitutes reasonable care, and that
largely depends on why we're doing things in the first place.

I could elaborate a lot more, but IMO in a copyright case, Gentoo's
liability is going to come down a lot more to what Gentoo is doing
than what the developer from 10 years ago did.  Did Gentoo exercise
reasonable care and this is innocent infringement (which is NOT
without substantial liability, it just avoids the completely insane
statutory provisions in US law  cf. 17 USC 504(b) and (c)2)?

I'm actually pressed to think of how the testimony of the committing
dev could actually help us in a defensive copyright case as the burden
of proof is on our side when it comes to proving ownership, and if the
plaintiff can prove ownership I don't see how the testimony of a dev
would overturn that.  It might help more in an offensive one, but in
that case we can pick code for our lawsuit where the committing dev is
readily available, assuming we ever resorted to an offensive action.

-- 
Rich



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 13:50             ` Rich Freeman
@ 2018-06-20 14:19               ` Ulrich Mueller
  2018-06-20 15:00                 ` R0b0t1
  0 siblings, 1 reply; 27+ messages in thread
From: Ulrich Mueller @ 2018-06-20 14:19 UTC
  To: gentoo-project


>>>>> On Wed, 20 Jun 2018, Rich Freeman wrote:

> Past developers may not be reachable, cooperative, or even alive.

> If we need information or assurances from them, we should obtain it
> BEFORE we accept commits, not try to chase it down years later.

Right, but we can do so only for the future, but not fix any past
mistakes.

> I'd be interested in any cases where we felt this was necessary.
> I know that a lot of work was done recently to try to figure out the
> license history of the tree, but honestly I'm not convinced it was
> necessary, and legally digging into messy situations can sometimes
> even be harmful.  In general I think forward-looking solutions tend
> to be best unless there is a clear legal duty to look backwards.

The tree may be the least of our problems, because all files have a
license notice there.

For other things like documentation, I had contacted some retired
devs. For example, parts of the devmanual were under CC-BY-SA-1.0 and
needed explicit relicensing by its author.

Another example, a few days ago I stumbled upon this:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/dtd/
(It's in https://gitweb.gentoo.org/data/dtd.git/tree/ nowadays,
without its history.)

Assuming that these files are copyrightable (and I would say so, for
a file with 300+ lines and 10 kB size), they should really have a
license header. So, should we try to contact all authors, or continue
to ignore the issue? (Or even, rewrite everything from scratch?)

Ulrich


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20 14:19               ` Ulrich Mueller
@ 2018-06-20 15:00                 ` R0b0t1
  0 siblings, 0 replies; 27+ messages in thread
From: R0b0t1 @ 2018-06-20 15:00 UTC
  To: gentoo-project

On Wed, Jun 20, 2018 at 9:19 AM, Ulrich Mueller <ulm@gentoo.org> wrote:
> Assuming that these files are copyrightable (and I would say so, for
> a file with 300+ lines and 10 kB size), they should really have a
> license header. So, should we try to contact all authors, or continue
> to ignore the issue? (Or even, rewrite everything from scratch?)
>
> Ulrich

Ignoring the problem may work best. It accounts for those developers
or contributors who don't want to sign a license agreement. It removes
any work that needs to be done to fix something. Gentoo probably has
some standing to enforce copyright of all code contributed to its
infrastructure assuming the original license holder does not come back
and wish to enforce their rights against Gentoo.

In most countries the law does not exist to cheat people. The human
element of these transactions taking place now will be considered,
probably in a very positive light considering the work was volunteer.


If someone wants to steal the code they will and there will be no way
to tell. Stop worrying about it. There is no point in trying to work
around bad law. Work to change the law instead of wasting time.

Cheers,
     R0b0t1



* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:16 [gentoo-project] Date-of-birth in developer applications Michał Górny
                   ` (2 preceding siblings ...)
  2018-06-20  8:47 ` Ulrich Mueller
@ 2018-06-20 15:06 ` Matthew Thode
  2018-06-20 15:20 ` Matthew Thode
  4 siblings, 0 replies; 27+ messages in thread
From: Matthew Thode @ 2018-06-20 15:06 UTC
  To: gentoo-project; +Cc: dilfridge, comrel


On 18-06-20 10:16:01, Michał Górny wrote:
> Hello, everyone.
> 
> I'd like to revive the topic of requiring date-of-birth for developers. 
> Currently, we 'require' this date in developer applications and store it
> in our LDAP (it's not public).  However, I'm not aware of any good
> justification for collecting this kind of personal information.
> 
> The Trustees are apparently 'researching' the topic since at least
> Feb 2017 [1], and haven't reached anything yet [2].  In the meantime,
> applicants are asked to provide their DoB with no clear explanation why
> they need to do that or how it's going to be used (the last part of dev
> quiz [3]).
> 
> So unless someone can provide *a really good reason* to request this
> kind of information, I'd like to propose that we remove the question
> from the developer quiz, and remove collected birthday dates from LDAP.
> 
> What do you think?
> 
> [1]:https://wiki.gentoo.org/wiki/Foundation:Meetings/2017/02#prometheanfire
> [2]:https://wiki.gentoo.org/wiki/Foundation:Meetings/2018/06#alicef
> [3]:https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt
> 
> -- 
> Best regards,
> Michał Górny

I don't appreciate the whole 'researching' thing.  This keeps happening.
I'm cc'ing dilfridge as I'd prefer this type of behavior to stop.  I'll
respond to this request for info in a separate email so as to not
distract from it.

-- 
Matthew Thode (prometheanfire)


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:16 [gentoo-project] Date-of-birth in developer applications Michał Górny
                   ` (3 preceding siblings ...)
  2018-06-20 15:06 ` Matthew Thode
@ 2018-06-20 15:20 ` Matthew Thode
  4 siblings, 0 replies; 27+ messages in thread
From: Matthew Thode @ 2018-06-20 15:20 UTC
  To: gentoo-project


On 18-06-20 10:16:01, Michał Górny wrote:
> Hello, everyone.
> 
> I'd like to revive the topic of requiring date-of-birth for developers. 
> Currently, we 'require' this date in developer applications and store it
> in our LDAP (it's not public).  However, I'm not aware of any good
> justification for collecting this kind of personal information.
> 
> The Trustees are apparently 'researching' the topic since at least
> Feb 2017 [1], and haven't reached anything yet [2].  In the meantime,
> applicants are asked to provide their DoB with no clear explanation why
> they need to do that or how it's going to be used (the last part of dev
> quiz [3]).
> 
> So unless someone can provide *a really good reason* to request this
> kind of information, I'd like to propose that we remove the question
> from the developer quiz, and remove collected birthday dates from LDAP.
> 
> What do you think?
> 
> [1]:https://wiki.gentoo.org/wiki/Foundation:Meetings/2017/02#prometheanfire
> [2]:https://wiki.gentoo.org/wiki/Foundation:Meetings/2018/06#alicef
> [3]:https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt
> 

This is my interpretation / remembrance of events.

So, what originally brought this up was that the copyright assignment
currently done is essentially a legal agreement.  In order for it to be
legal we would like to verify that both parties are ABLE to enter into a
legal agreement.  We discussed assertation of that ability and I think
we were happy with that.  At that point the proposal of the FLA came up
and has since stalled us in rendering a final decision.  The reason for
the stall is that we'd prefer to use the FLA as guidance for
verification requirements.

So, at this point we still record the date of birth.  I don't think that
is needed.  Just the verification is needed (and even that is
questionable in the strict sense).  I think changing this to record the
result of the verification and preferably the method (ID checked,
assertation, etc) would be sufficient.  It'd also lessen our storage of
personal data (which is good from a 'less PII is better' and GDPR
perspective).

-- 
Matthew Thode (prometheanfire)


* Re: [gentoo-project] Date-of-birth in developer applications
  2018-06-20  8:32   ` Michał Górny
                       ` (4 preceding siblings ...)
  2018-06-20 10:52     ` Rich Freeman
@ 2018-06-20 20:47     ` Raymond Jennings
  5 siblings, 0 replies; 27+ messages in thread
From: Raymond Jennings @ 2018-06-20 20:47 UTC
  To: gentoo-project

On Wed, Jun 20, 2018 at 1:32 AM Michał Górny <mgorny@gentoo.org> wrote:
>
> On Wed, 20.06.2018 at 10:24 +0200, Kristian
> Fiskerstrand wrote:
> > On 06/20/2018 10:16 AM, Michał Górny wrote:
> > > However, I'm not aware of any good
> > > justification for collecting this kind of personal information.
> >
> > Immediately I can think of two good reasons for this information, (i) as
> > a disambiguifier for matching names, at least across Europe it is common
> > to refer to an individual "A born DD.MM.YYYY",
>
> Please tell me, how many times did we have to disambiguate two
> developers using the same name?  Even if we ever have to do that, do you
> really think we'd use one's birthday all over the place?
>
> >  (ii) verify legal age for
> > entering into agreements. One can argue that without further
> > verification of (ii) it has less value, but at least that would be a
> > misrepresentation so shifting the question a bit if it ever becomes an
> > issue with FLA/DCO etc.
>
> a. 'Legal age' may differ per country, so birth date alone is not very
> useful.
>
> b. There is no reason to store the full birth date if all we need is
> a boolean whether someone is of 'legal age'.
>
> c. We don't even have any clue what to do if someone is *not* of 'legal
> age'.

As a logical issue, I will point out that point a, legal age differing
per country, directly contradicts point b, using a simple boolean.

The fact that there are multiple countries with possible disparate
concepts of "legal age" preempts the usefulness of a simple boolean,
and in my observation actually *increases* the viability of using DOB
as legal age.

Quite simply, if we WERE to use a single boolean the first question
we'd have on our hands when answering "is this developer of legal age"
is first to ask "of what country?"
>
> --
> Best regards,
> Michał Górny



end of thread, other threads:[~2018-06-20 20:48 UTC | newest]

Thread overview: 27+ messages
2018-06-20  8:16 [gentoo-project] Date-of-birth in developer applications Michał Górny
2018-06-20  8:24 ` Kristian Fiskerstrand
2018-06-20  8:32   ` Michał Górny
2018-06-20  8:53     ` Kristian Fiskerstrand
2018-06-20  8:55     ` Dale
2018-06-20  8:56     ` Kristian Fiskerstrand
2018-06-20 11:09       ` Rich Freeman
2018-06-20 11:14         ` Kristian Fiskerstrand
2018-06-20 11:23           ` Rich Freeman
2018-06-20 11:26             ` Kristian Fiskerstrand
2018-06-20  9:04     ` Ulrich Mueller
2018-06-20  9:16       ` Michał Górny
2018-06-20 10:52     ` Rich Freeman
2018-06-20 11:12       ` Kristian Fiskerstrand
2018-06-20 11:41         ` Rich Freeman
2018-06-20 13:06           ` Ulrich Mueller
2018-06-20 13:10             ` Kristian Fiskerstrand
2018-06-20 13:50             ` Rich Freeman
2018-06-20 14:19               ` Ulrich Mueller
2018-06-20 15:00                 ` R0b0t1
2018-06-20 20:47     ` Raymond Jennings
2018-06-20  8:33 ` Marek Szuba
2018-06-20  8:47 ` Ulrich Mueller
2018-06-20  9:12   ` Michał Górny
2018-06-20  9:38     ` Ulrich Mueller
2018-06-20 15:06 ` Matthew Thode
2018-06-20 15:20 ` Matthew Thode
