quickemu-project / quickemu

Quickly create and run optimised Windows, macOS and Linux virtual machines
MIT License

[community] justify and declare use of Savannah #1476

Open tomchiverton opened 1 month ago

tomchiverton commented 1 month ago

The community may not be aware, but this project has been connected to data aggregator savannahhq.com

This aggregates and merges the community activity across multiple platforms; processing data in novel ways that are not expected and not strictly required, such as linking diverse identities across different platforms, copying participated thread/issue data out of GitHub etc.

The use of this tool should be declared so participants are aware of this data processing, and can opt out or delete their data if required. It's not clear this is even possible, even by registering at Savannah, IANAL, but this may be illegal in the EU.

lj3954 commented 1 month ago

I'll wait for @flexiondotorg to provide a response for this. I have no knowledge as to what is being referred to here.

tomchiverton commented 1 month ago

Alan Popey demonstrated this at Ogg Camp, UK, over the last weekend. Per https://www.savannahhq.com/privacy-policy/ "importing certain personally identifiable information about your community members from 3rd party services, including but not limited to names, email address, and public communications."

It seems this can happen without the community being aware of it.

Now you are and can make an informed choice.

If you do decide to stick with it, I suggest making its continued use explicitly stated somewhere so that current and future contributors are informed. Either way, maybe the project needs something like an explicit privacy policy or something, stating the community preference for being ingested into 3rd party tools.

mhall119 commented 1 month ago

Savannah doesn't get any information out of GitHub that I can't get simply by looking at GitHub

philclifford commented 1 month ago

https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement#sharing-of-personal-data

"Other Users and the Public: Depending on your account settings, we may share Personal Data with other users of the Services and the public. You control what information is made public. To adjust your settings, visit User Settings in your profile. Please be aware that any information you share in a collaborative context may become publicly accessible."

tomchiverton commented 1 month ago

True.

But its copy of the data won't be removed if it's removed.

Merged identities also persist.

Savannah has no privacy policy worthy of name, no data impact statement, and no right of removal process I can find.

I'm unable to tell from their website where they are even copying the data to.

mhall119 commented 1 month ago

I'm unable to tell from their website where they are even copying the data to.

It's stored in a Postgres database in AWS

tomchiverton commented 1 month ago

Any particular continent? Holding derived data (such as linking identities across platforms) of EU persons in the US, for instance, might be problematic. Even doing this in the EU without notice to the community might be seen as, at best, poor form.

At least we know now. And if Quick EMU is going to keep doing it, it's now more explicit than it was.

theophilusx commented 4 weeks ago

Savannah is just one example of the many data broker companies that are doing this sort of data collection. There is no point in specifically calling them out as for every one you know about, there are another 10 you don't. Bottom line, you put stuff in a public forum, it will be collected and processed and combined with data from other sources to generate data of value to the brokers. No legislation, privacy laws, data retention rules are going to have any impact here. You put it out there, it's out there.

This is NOT a quickemu issue. All repositories in github, gitlab, sourcehut or any public repository as well as all social media platforms are data sources for companies like savannah.