TSC Voting: Show/Hide email in user profiles for StackStorm_Community Slack

[arm4b]

During one of the previous TSC meetings we stated that StackStorm community base will not be shared outside of the Open Source project. For example, it can be used to send an email newsletter about StackStorm release, User Survey, Community building or any StackStorm project news or updates.

However everyone StackStorm_Community Users Emails in Slack are currently visible to any Slack member. From one side there might be cases when visible user emails in Slack can stimulate making the connections between the users or allow easier community building/interaction. From the other side anyone can join StackStorm Slack and parse the community emails for potential improper use (irrelevant marketing, spam, 3rd party product campaigns, research, parsing and selling the user base by bad actor).

@StackStorm/tsc please vote:

• Option 1 - Show users email field publicly in Slack
• Option 2 - Hide users email field in Slack

According to the GOVERNANCE.md (https://github.com/StackStorm/st2/blob/master/GOVERNANCE.md#how-decisions-are-made), the voting period is one week, where decision needs a majority.

---

• [x] @dzimine
• [x] @m4dcoder
• [x] @blag
• [x] @Kami
• [ ] ~@bigmstone~
• [x] @armab
• [x] @nmaludy
• [x] @amanda11
• [x] @punkrokk
• [x] @mickmcgrath13

Update: Voting Results

• Option 1: 6 points out of 15 = 40%
• Option 2: 9 points out of 15 = 60%

Option 2 was collectively decided by the majority votes of TSC, which means we'll hide user's email in StackStorm Community Slack.

[nmaludy]

Do we vote by just responding here?

[arm4b]

Yep

[nmaludy]

I vote Option 1

[arm4b]

I vote Option 2.

[mickmcgrath13]

Option 1

[m4dcoder]

Option 2

[amanda11]

Option 2

[arm4b]

@dzimine @punkrokk Voting? This was originally started due to your initial claims. Feel free to describe your concerns here too.

[dzimine]

Option 1

[Kami]

Option 2.

[punkrokk]

I vote option 1. But as I communicated privately, we are not following the charter:

The process of voting on other Issues, Proposals and Changes is performed by creating an open Github Discussion. For decisions making history reasons and to stimulate brainstorming, it's recommended to write a detailed research/description that covers possible outcomes and pros/cons behind the change to give comprehensive context

We have not done this.

While I am voting, I am voting in protest of my belief that a more formal assessment of this and related topics is required as this particular topic is merely a symptom of a higher level set of needs that the project and its constituents all have.

For the record, my friction here is not around building email lists, it's about alignment of all parties.

[arm4b]

As team had difficulty to decide on this topic, - such cases are resolved via TSC voting. Here we go.

This is an Open Github Discussion with pros/cons described for the each option. This is according to the Governance.

We also had enough debates and arguments from the each vision in #tsc and so members had enough time to form their opinion. You're also free to describe your concerns about option1 or option2 here as well which you did in Slack.

[blag]

I vote option 2, but I do think JP points out an unaddressed issue.

[cognifloyd]

I'm not on the TSC - but are there any cases of known bad actors? ie Has anyone already abused the availability of emails in Slack?

The only time I've had my email used by someone outside the ST2 community, was a survey about ST2 usage. But they gathered emails from the contributors list on github (emails in git commits), not from Slack.

[punkrokk]

As team had difficulty to decide on this topic, - such cases are resolved via TSC voting. Here we go.

This is an Open Github Discussion with pros/cons described for the each option. This is according to the Governance.

We also had enough debates and arguments from the each vision in #tsc and so members had enough time to form their opinion. You're also free to describe your concerns about option1 or option2 here as well which you did in Slack.

@armab I do not recall debates or arguments from each vision relating to this atomic topic. This particular issue is an atomic symptom of a bigger issue. Can you please point me to where we discussed? I do not believe we have actually had the discussion I think you are referring to.

[arm4b]

@blag @punkrokk Sure, as I suggested in other conversation and still suggest to open a dedicated Github issue with the bigger picture and higher set of needs described in more detail for Community and TSC to chime in. This may become a highly valuable one for everyone and the project. We're deciding here about hiding/showing users email in Slack.

[arm4b]

@cognifloyd Welcome and thanks for the info about someone sending the "ST2 usage" survey! I didn't know, that's very interesting. Do you recall the details and can share more?

In Github settings there is at least an option to anonymize email via proxy github email alias. When users join StackStorm Slack there is no option to hide their email, it's on by default. Nobody gave their consent to make their email public and most users don't realize it's public.

Do we need to wait when someone will parse our Slack user base? As more businesses appearing around StackStorm as it joined the LF and showing signs of community recovery it could be just a matter of time when this happens. I've also heard arguments like "nobody complained yet". Just yesterday we got the following incoming message to one of the @stackstorm.com emails:

PagerDuty Contacts

Hi,
Would you be interested in acquiring the Contacts of PagerDuty users?
If you are interested please let me know your target criteria, so that I can filter the counts and revert with pricing options.

Nobody complained.

[m4dcoder]

To be honest, this really shouldn't be an issue. If we can protect community members by hiding their email addresses, let's do our part and do that. If someone wants to contact a member outside of slack via email, what's the problem with asking for the information directly from the member thru a direct message? Why do we need to expose everyone else email address in the public? The only reason why we are having this debate here is because there are ulterior motives at play here.

[punkrokk]

@armab @StackStorm/tsc I'm not sure how else to say that I don't think that this atomic issue has had a full discussion and should not be brought to a vote prior to the higher level discussion taking place. It's premature given the nature of it. It also feel like a solution with out a problem.

I feel that forcing the issue at this moment ignores the spirit of the charter as well as the recommendation of the charter have a discussion. The only way I can see myself agreeing to even asking this question is with a better discussion of all my prior points.

Regarding SPAM to stackstorm emails (like the Pagerduty email from above), that was sent to info AT stackstorm, which any good marketer/spammer has on their list. Also, the stackstorm domain has been around for years. This is no evidence that the pagerduty sender has a list of the community users.

Regarding:

In Github settings there is at least an option to anonymize email via proxy github email alias. When users join StackStorm Slack there is no option to hide their email, it's on by default. Nobody gave their consent to make their email public and most users don't realize it's public.

What was the privacy policy on user privacy before ST2 was donated to LF?

@m4dcoder I do not think there are hidden motives here. What I'm trying to identify is how are all parties can aligned in order for all parties and the project to succeed. Here is some reading that better communicates some of my and others thinking:

• https://www.fordfoundation.org/work/learning/research-reports/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/ (recent research, getting talked about alot)
• https://techcrunch.com/2018/06/23/open-source-sustainability/
• https://arxiv.org/abs/1912.12371
• https://aaronstannard.com/sustainable-open-source-software/ (interesting use case around OSS sustainability)
• https://dev.to/erikras/open-source-sustainability-3pjf

This issue is a very small part of, again, a much larger discussion. We should solve the bigger sustainability problem before we get in arguments about whether or not emails are visible in a community you sign up for. I don't want to spam the community? Who does? I potentially wish to find ways to monetize ST2 and in the process help to be a steward as well as have myself and my employees contribute to and help curate the project and community.

[cognifloyd]

@cognifloyd Welcome and thanks for the info about someone sending the "ST2 usage" survey! I didn't know, that's very interesting. Do you recall the details and can share more?

@armab If you or anyone else wants to see the email chain about ST2 usage, email me and I'll forward the chain of emails. My email is publicly available just about everywhere, feel free to ask. (my username @gmail.com) I'm not going to post the chain of emails here.

[m4dcoder]

What was the privacy policy on user privacy before ST2 was donated to LF?

Good point. Well, StackStorm is under new management now. So let's look forward. Maybe the question should be what's the user privacy policy that we have to follow under LF?

[m4dcoder]

@punkrokk Let's take your concern about OSS sustainability and TSC process in a separate discussion/issue. We are mixing the two here. Let's keep the discussion here on handling user emails in community Slack.

[punkrokk]

I am in favor of that, but I wish to table this until we have the bigger discussion. I think the separate discussion is needed for clarity on this issue.

[blag]

I don't think @armab is trying to say that people are scraping emails from our Slack community and sending them emails. I think his point is that somebody has scraped emails from PagerDuty communities and is now marketing those emails to other people. We don't want people to be able to scrape the emails of people in our Slack community and market them to other people.

@punkrokk I don't think anybody is expecting you to spam the community. I think the fear is that the mechanism that you would like for yourself (and other bonafide StackStorm contributors) can be misused by others to spam the community.

So to be clear here, there are two issues that we need to solve:

1. Prevent malicious third parties from scraping emails from the Slack community.
2. Allow bonafide contributors to reach out to community members who opt in to receiving offers of support.

Hiding emails solves issue 1. We still need to figure out how to solve issue 2.

We do already collect email addresses from people who visit https://stackstorm.com/#community:

The current checkbox is what lets users opt-in to receiving official, non-marketing, first-party updates about StackStorm itself. I don't think that implies consent for marketing or pre-sales solicitations.

I think we need to tweak that page to also include an opt-in checkbox for sharing the submitted email address with parties offering commercial support for StackStorm. Some people/companies need full support. Other just need nudges in the right direction and can handle the rest themselves. Others just need to hear that StackStorm is awesome and better than competitors before they choose StackStorm. Still others need a bit more help troubleshooting, fixing bugs, and submitting pull requests.

Usually there is a risk/reward balance that needs to be managed, but I don't think that's the case here. I think new community members should be able to consent to sharing their information in exchange for a helping hand, but I don't think that people should be forced into sharing their information - not even their email address. For existing users, or users who no longer wish to have their email shared, we can create ChatOps aliases to control their email address privacy settings.

But regarding my vote on this particular issue: we cannot consent to waive other people's privacy.

If enough TSC members are onboard then I'll create a separate issue to handle the new signup page and the ChatOps aliases.

Edit: Added blurb about existing checkbox.

[arm4b]

@punkrokk Yes, would be great to see another open Github Discussion about the bigger picture, sustainability and economy vision you have in mind.

[arm4b]

Alright, thanks everyone.

• Option 1: 6 points out of 15 = 40%
• Option 2: 9 points out of 15 = 60%

based on TSC Members vote points.

Option 2 was collectively decided by the majority votes of TSC, which means we'll hide user's email in StackStorm Community Slack.

[punkrokk]

Should I interpret the status:DECIDED tag as the TSC declines to table this vote until a larger discussion can be had? I have made the request in numerous comments above, but it has not been responded to.

[arm4b]

100% of the TSC members voted, the collective decision was made by the team. I'm hoping we're not trying to sabotage the TSC vote results.

There is more clarification from the LF comes in about data confidentiality, privacy and GDPR with specific requirements about how emails may be used and shared. It's one of the areas during their review of concern. I also couldn't find any LF or CNCF community example with email profiles being public by default in Slack so far.