[openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)

Kuvaja, Erno kuvaja at hp.com
Thu Feb 19 12:12:30 UTC 2015


> -----Original Message-----
> From: Clark Boylan [mailto:cboylan at sapwetik.org]
> Sent: Tuesday, February 17, 2015 6:06 PM
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] The root-cause for IRC private channels (was
> Re: [all][tc] Lets keep our community open, lets fight for it)
> 
> On Tue, Feb 17, 2015, at 09:32 AM, Stefano Maffulli wrote:
> > Changing the subject since Flavio's call for openness was broader than
> > just private IRC channels.
> >
> > On Tue, 2015-02-17 at 10:37 +0000, Daniel P. Berrange wrote:
> > > If cases of bad community behaviour, such as use of passwd protected
> > > IRC channels, are always primarily dealt with via further private
> > > communications, then we are denying the voters the information they
> > > need to hold people to account. I can understand the desire to avoid
> > > publically shaming people right away, because the accusations may be
> > > false, or may be arising from a simple mis-understanding, but at
> > > some point genuine issues like this need to be public. Without this
> > > we make it difficult for contributors to make an informed decision
> > > at future elections.
> >
> > You got my intention right: I wanted to understand better what lead
> > some people to create a private channel, what were their needs. For
> > that objective, having an accusatory tone won't go anywhere and
> > instead I needed to provide them a safe place to discuss and then I
> > would report back in the open.
> >
> > So far, I've only received comments in private from only one person,
> > concerned about public logging of channels without notification. I
> > wished the people hanging out on at least one of such private channels
> > would provide more insights on their choice but so far they have not.
> >
> > Regarding the "why" at least one person told me they prefer not to use
> > official openstack IRC channels because there is no notification if a
> > channel is being publicly logged. Together with freenode not
> > obfuscating host names, and eavesdrop logs available to any spammer,
> > one person at least is concerned that private information may leak.
> > There may also be legal implications in Europe, under the Data
> > Protection Directive, since IP addresses and hostnames can be
> > considered sensitive data. Not to mention the casual dropping of
> > emails or phone numbers in public+logged channels.
> >
> > I think these points are worth discussing. One easy fix this person
> > suggests is to make it default that all channels are logged and write
> > a warning on wiki/IRC page. Another is to make the channel bot
> > announce whether the channel is logged. Cleaning up the hostname
> > details on join/parts from eavesdrop and put the logs behind a login
> > (to hide them from spam harvesters).
> >
> > Thoughts?
> >
> It is worth noting that just about everything else is logged too. Git repos track
> changes individuals have made, this mailing list post will be publicly available,
> and so on. At the very least I think the assumption should be that any
> openstack IRC channel is logged and since assumptions are bad we should be
> explicit about this. I don't think this means we require all channels actually be
> logged, just advertise than many are and any can be (because really any
> individual with freenode access can set up public logging).
> 
> I don't think we should need to explicitly cleanup our logs. Mostly because
> any individual can set up public logs that are not sanitized.
> Instead IRC users should use tools like cloaks or Tor to get the level of
> obfuscation and security that they desire. Freenode has docs for both, see
> https://freenode.net/faq.shtml#cloaks and
> https://freenode.net/irc_servers.shtml#tor
> 
> Hope this helps,
> Clark

Hi Clark,

Sorry to say, but the above is totally irrelevant regarding the current legislation.
The legal system does not care individual assumptions like "everybody should know we are breaking law here". What comes to individuals setting up such services, the responsibility of those records are on that individual and that individual could potentially get off the hook quite easy by claiming not knowing. What comes to OpenStack Foundation doing such activity, one could argue how far that "but we did not know"-attitude carries in court.

[1] The Directive is based on the 1980 OECD "Recommendations of the Council Concerning guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data."

These recommendations are founded on seven principles, since enshrined in EU Directive 94/46/EC:

    Notice: subjects whose data is being collected should be given notice of such collection.
    Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
    Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
    Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
    Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
    Access: subjects should granted access to their personal data and allowed to correct any inaccuracies.
    Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.



Currently only principle we are fulfilling is the "Access" and even that is breaking the principles "Security" and "Disclosure".

[2][Page 14] "Under EU law, data protection has been acknowledged as a fundamental right."

This does not contain any expectation one taking active measures to achieve such protection.

The [2]Handbook is good read for those interested of the data protection legislation in EU.

And before anyone takes a grasp of the EU part of this:
[3] The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU citizens would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.

[1] http://searchsecurity.techtarget.co.uk/definition/EU-Data-Protection-Directive
[2] http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf
[3] http://en.wikipedia.org/wiki/Data_Protection_Directive

Hopefully this insight helps you understand the responsibility of record keeping the current unanonymized logs sets. 

Best,
Erno
> 
> __________________________________________________________
> ________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-
> request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list