[00:42:30] There are quite a lot of "interesting" situations going on right now where legal requirements are conflicting with internet services. Service providers are now increasingly responsible for the content on their sites, which has caused Craigslist and Backpage to shut down their sexual advertising services amid accusations of sex trafficking, the GDPR is coming very soon to the EU and requires radical changes in organisations' data-handling policies, upcoming copyright laws may be widely-drawn enough that they require Github to Content-ID everything that's uploaded. Are these laws good in concept? More importantly, are they good in execution? Are we as a society treating the symptoms rather than the disease? Are the consequences of these laws reaching way beyond where they should, and is this accidental overreach by non-tech-savvy legislators or a deliberate attempt to curtail the spread of free culture and bring the internet under control? Lots of angles in this one...
I don’t think the assumptations about the Right to be forgotten case were quite right. I’m not sure if it’s better or worse, but I thought the simpletons version (from a UK point of view) was:
The EU created the legislation.
The countries enacted it nationally.
Individuals complain / make claims to Google (and I assume Bing etc. but no-one mentions them)
If the individual disagrees, they take it to court and the judge decides.
Originally I thought it was solving a reasonable problem in the wrong place: If these things should not be findable, then take down the original version and it will disappear from the search engines naturally.
However, I thought the explanation of it being about the harm being greater than the public interest was useful.
The way search engines work makes this necessary, these two extreme scenarios demonstrate it:
Someone does something really bad (e.g. murder, mass fraud), makes the front-page of the NYT. That demonstrates public interest, but does not make that article (much) more findable for their name (after 10 years) than any other.
Someone does something slightly bad, never makes the front-page there’s little public interest, but that article comes up first for their name 10 years later because there’s little else about them.
Both articles are likely to come up first for that person, but the public interest is massively different.
One thing that was lost in the heated discussion of github is how git actually works. You can’t really change the email address of an existing commit in git. The git history is like a blockchain, each commit depends on the previous commit plus its own content, including the author’s email. If you were to change a commit in the middle, that would screw up all commits after it.
To change/delete someone’s email completely from the git history, you would either have to delete all history and start over, or make a program that goes through each commit and recreates everything but changes the email that should be removed.
But that also doesn’t remove it completely, because like a blockchain, everyone that has cloned the git repo also have the complete history.
GDPR is a regulation, which means that it’s up to each country in the EU to implement it as a law. But in this case, it’s strongly suggested by EU to implement it the way they have written the regulation. But in case of law suits, it will still first be up to the country to interpret the law and make a ruling. The ruling can then be appealed to the EU court if some party wants to. It’s the rulings and prejudices that actually defines the law in the end, so let’s hope everyone involved in this understands how git works internally… that’s not too much to ask, is it? right?
I think that the discussion about the GDPR, particularly Jeremy’s concerns about the Right to Erasure are missing a key point: the right to erasure is not absolute.
For example, I work at a university. If one of our students is half way through their degree and sends us an erasure request, we can reject the request (I am told by our data controller) on the grounds that they are still studying with us, and therefore we need to continue processing their data.
There are several exemptions listed in the GDPR. In the “remove my email address from the Git history” argument, I could imagine arguments being made on a couple of those points in the context of a FOSS project, and indeed in a mailing list.
With regards to the concerns over copyright infringement claims, if someone wants their address removed from the git history and then wants to claim use of their code infringes their copyright, the onus is on them to have other proof of copyright ownership. If someone is claiming “removed@gdpr” has infringed their copyright, then that’s an issue for the project maintainers, and something that their governance framework should already have provision for.
To conclude, from a FOSS point of view, I think this makes Contributor License Agreements all the more important. That document should make the necessary provisions to deal with copyright claims against contributed code (anonymized or not), and gain consent for data processing.
As a footnote to this, I think it was alluded to in the show but most of the stuff in the GDPR is stuff that we had to do anyway under existing data protection law (in the UK at least), but people didn’t take it seriously because there weren’t astronomically high penalties if you didn’t.
Firstly I’d like to agree with @sil that embedding data in a download is immoral if it is done secretly. I can see a case for embedding data into a download but this needs to be open. I may for example legitimately own a piece of CAD software which is paid for and the licence may allow me to run it on more than one machine but for example if this software phones home to establish It is only on a reflexively small number of computers as fair use. That’s OK, most people won’t care: I would, but I can see a legitimate case for this and I would be able to make a decision on the terms of use before I downloaded it. But it is my choice.
Embedding data without my knowledge is totally different however.
Also I am intrigued the picture of a keyboard with this episode, where did it come from? It does not fit any keyboard I’ve ever seen. The ‘Z’ and ‘Y’ are swapped.
Finally: If anyone can provide I link to when the boys discussed the the right to be forgotten before I’d be interested. I have every episode saved on my PC and would like to listen to it again but I don’t have time to listen to all the shows to find it.
Thoughts on the right to be forgotten when making commits on open source. Does this work?
I choose to work on a particular project. So I register to play a role. @sil says I can be trusted and get accepted to place commits: I have not worked closely enough with Stuart to suggest he would but I am just giving this an example.
I get a unique id from github for this project and use this to sign any commits or suggested patches. At a later date no-longer want to be associated with the project. My Commits remain active but I have to give up right to any copy-write if I want to remain anonymous.
There probably needs to be a mechanism to deal with someone claiming I have broken somebody else’s copy-write but it would be a requirement on them to show they had prior property.
On the photo of the drug dealer’s hand, I think the linked article played rather fast and loose with the facts. It did admit at one small place in the middle though that there was not in fact a useable fingerprint in the photo to match with any on file. What happened was that they already had a suspect, and they used the other visible features of the hand to confirm that he was the right one. No fingerprints were involved, despite the umpteen times the article asserted they were. (I had already heard about it on the news segment of the Security Now podcast.)
I recently installed dropbox on a Windows computer, using an installer that I downloaded after having signed up on the website. The installer obviously embedded something or other that allowed the installed dropbox client to log in without me doing anything. Very convenient for sure, but it did give me pause and I certainly hadn’t expected it.
Still listening to this episode (my commute’s not long enough for the news segment, never mind all the other stuff ) but this news piece from the BBC today seems a little relevant to the whole question of the social responsibility of tech companies:
What’s particularly interesting is that Martin Lewis has a wide following and a history of being able to engage people in discussion about otherwise slightly esoteric subjects. So I could see this getting a lot of mainstream attention, in the UK at least.
(Didn’t one of the podcasts have a prediction about social media privacy issues in the last year or so? I forget if it was BV or the Ubuntu podcast though).
With thanks to @sil for providing a link to the show where The Right to be Forgotten was discussed previously, I don’t think my thoughts have changed significantly.
I’m sure I have stuff online I would rather forget, please don’t search for it and point it out to me.
From that show @bryanlunduke pointed out the Three commandments.
Be excellent to each other
Don’t be Bogus
and where it doesn’t conflict with with the first two rules
Party on Dude
Specifically, I still feel that we need to show some common sense here. My daughter would probably not be keen on me sharing her taste in taste in music as a young girl. Don’t ask I am not going to tell you - Nor am I going to admit my love for certain bands. I assume @jono would agree with me here: we both have a certain taste in music and we probably disagree on several things but we should be free to a agree and disagree here, The same applies to @Jeremy, @bryanlunduke as well as you Stuart.
My thoughts on being forgotten are probably you don’t want to know what I was playing with 10 years ago but if I were crook. I should not
Eventually, maybe in the short term, maybe in the slightly longer term depending on how some of the recent cases go, I think these companies are going to end up being more heavily regulated. But the law moves much more slowly than sharing cat pictures, so it’s unfettered “innovation” and expansion until then (maybe some gaming of the system afterwards - cough - VW - cough) and legislation will always be a bit behind the curve.
I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my signoff) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
Fascinating! This is the point I was trying to get across: that yes this may involve some changes, but it’s not some impassable barrier; it’s just that we’ll have to change how we deal with things a little in some cases.
I’m no expert on this matter, but have been somewhat involved in going through the GDPR compliance process. It would seem to me like people are often mischaracterising the right to be forgotten. It doesn’t give you a carte blanche provision to just pull your data from everywhere.
There are actually fairly reasonable considerations on when you can reject a request - just check the link that @marxjohnson provided. You could cite that either there is no basis for erasure and that the data is still required for the purpose it was given for, that it is necessary as part of a contract (e.g. you can’t take a loan and ask the bank to forget its existence), that there is some other legal base for keeping the data around or that data use fits into one of the other exceptions listed in article 17.
Also, note that there are two roles in GDPR - processors and controllers. If you define, that each participant of a mailing list is an individual controller, you are only required to notify other participants to delete an email address. Not reach out into their machines and delete it for them. And this only if it’s reasonable “taking account of available technology and the cost of implementation”. From what I’ve talked to lawyers, in chained deletion cases, it might also be sufficient to point the user to all the other controllers and tell them to reach out to each one themselves with a separate “right to erasure” request.
So maybe it’s not quite as bad as people make it out to be.
Please respect our code of conduct which is simple: don't be a dick.