Closed M2Ys4U closed 5 years ago
You're absolutely right.
The core team discussed this, and we are fine just wholesale removing GA. We thought it was more useful than it actually is in practice.
PRs welcome, and if nobody gets to it, I'll do it next week.
Sorry about the wait here.
Hi folks,
I know that hacking on code, evolving the language, and providing Rustaceans with better documentation and community tools is infinitely more interesting than getting privacy notices like this published, but it has been over a year since I opened this issue. It has also been almost 3 months since the widely-discussed GDPR came into force.
I know that you removed Google Analytics from the site, and that was a great first start, but you are still not providing information about how crates.io processes personal data and I am strongly considering lodging a complaint about the members of the Core Team with the UK Information Commissioner's Office (ICO). However, before I do so, I should give you another opportunity to provide me (and crates.io's other users) with the information you are required by law to provide.
You can find guidance on your obligations under information rights legislation on the ICO’s website as well as information on their regulatory powers and the enforcement action they can take.
Thanks.
Hi there, thanks for getting back in touch.
Currently much of the Core team is busy with RustConf-related things, so we'd like to request a couple of weeks to discuss the 'official' next steps on this.
Informally:
Aidan
Just as an update - we discussed this and we are going to meet with lawyers to figure out our full obligations (your link to the ICO website is useful, but perhaps not designed for non-company 'groups' of people).
Reviewing the guidance, I (personally, from a non-lawyer stance) believe we only fall afoul of not informing users of personal information collection on registration.
We believe the list in my previous comment to be complete. As a note, you can also 'follow' crates, but I can't see any way that this would fall under 'personally identifiable information' without other details to associate it with.
We're still in conversation with lawyers and are hashing out the precise wording around this - we anticipate having something 'soon'.
(I am setting regular reminders to check in on where we're up to and will keep this issue updated)
Update: as our legal counsel has looked at this issue, the scope has expanded a bit to cover the policy pages for the internals and users forum as well. We are actively working with counsel on developing a single set of language that will cover all our web properties, and intend to roll out a revamped policy page together with the web site refresh that's part of Rust 2018 -- no later than December 6.
Hi folks,
Congratulations on the Rust 2018 release, and the new websites look great! :tada:
I can't help but notice that there's still no privacy notice on crates.io or rust-lang.org, though.
As such, it is with regret that I have now submitted a complaint to the ICO.
I will update this issue with the ICO case number when I receive a reply from them (presumably on Monday).
Thank you for the reminder -- we've re-surfaced this issue and are actively working on fixing it. We'll work to keep this thread updated and hope to get this issue resolved soon.
Hi @M2Ys4U
Just wanted to follow up on your mention of no privacy policy on rust-lang.org. Under the definition in the GDPR for 'personal data', we don't collect or process any and so I don't believe there is any necessity for privacy notices there.
(we do store IP addresses, but the relevant case I'm aware of indicates that IP addresses are only considered personal data if the user has otherwise identified themselves to the website (points 20 and 21), which is not possible on rust-lang.org)
We will continue work on crates.io.
Hi @aidanhs
As I read that judgment, paras 20 and 21 are outlining the position of a lower court.
If you read further into that judgment - at paragraph 49 and repeated again as a ruling on the question referred to it - the court states a different interpretation:
> Having regard to all the foregoing considerations, the answer to the first question is that Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
The case also appears to have revolved around the fact that the IP address(es) in question were dynamic. Many people - myself included - have static IP addresses which would more obviously identify us as individuals. In my case my IP address is also registered with RIPE under my name which is trivially available if one were to look up my IP address.
That judgment is also pre-GDPR (the reference to Directive 95/46/EC is to the Data Protection Directive which was repealed and replaced in May by the GDPR).
You point out the definition of personal data in the GDPR. That definition references "online identifiers" and as such should be read in the light of recital 30 of that Regulation:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them
(emphasis mine)
Of course, I am not a lawyer so I'll leave that final determination as to whether this situation constitutes processing of personal data to your legal counsel and to the supervisory authorities.
@aturon also mentioned that you were working on a set of language that would cover all of Rust's web properties, including the internals and users forums which are hosted on rust-lang.org (albeit on subdomains) which is why I mentioned rust-lang.org in my comment.
> The case also appears to have revolved around the fact that the IP address(es) in question were dynamic. Many people - myself included - have static IP addresses which would more obviously identify us as individuals. In my case my IP address is also registered with RIPE under my name which is trivially available if one were to look up my IP address.
Thanks for pointing that out. I think in this case we will likely pursue something similar to https://support.google.com/analytics/answer/2763052?hl=en, which appears to be accepted best practice in the analytics world as it throws away the ability to uniquely identify a user.
(for crates.io I expect we will retain full collection of IP addresses (documented in privacy policy) under recital 49)
> (emphasis mine)
Minor comment: the language in your extract is oriented around the 'traces' being used in combination with other information received by the servers, which is not the case. However, recital 26 does apply, requiring consideration of "all means reasonably likely to be used [...] to identify the natural person directly".
> including the internals and users forums which are hosted on rust-lang.org (albeit on subdomains) which is why I mentioned rust-lang.org in my comment
Ah, understood.
Hi folks,
Happy Data Protection Day!
Has there been any progress on adding a privacy notice yet?
@M2Ys4U It's been on the meeting agenda every week since December 12 (our meetings are open to attend every Thursday, and you can find agendas at https://github.com/rust-lang/crates-io-cargo-teams). After the 12th, we performed an audit of any PII we store, which was completed in early January. Shortly after the audit we discovered that our logs are being retained for longer than intended, and we're looking into what the original reason for that was. The person who is taking the lead on writing the final policy has also been away for the past week or so.
If you're interested in following the progress, I highly recommend attending our team meetings as an observer. Here are the results of the audit if you're interested.
PII you explicitly give us:
PII you implicitly give us:
All GitHub related data is stored indefinitely. It can be updated in our database by modifying it in GitHub, logging out of crates.io, and logging back in. It can be removed by emailing support (unless the account has published crates, which needs further discussion).
Stuff we log:
Logs are stored for 1 year.
We also intend to log additional information when a crate is uploaded, such as the username and crate name.
We also store the crates themselves and their metadata in the crates.io product (which may include personal data in the authors field or any file included). As far as I see, there is no process to retroactively edit crates (intentionally).
When will this be resolved?
Let me remind you, this isn't me saying "oh it would be nice to have a privacy policy", this is me saying you are breaking the law by not providing information to data subjects when you collect their personal data.
We are currently working with lawyers to resolve this.
As alternative registries are now supported, I think this issue should be addressed with a Cargo disclosure as well. Specifically what information leaves a computer, such as package name or other Cargo.toml keys, when running commands such as `cargo build`.
Just to give an update on this -- We're in the process of finalizing the privacy policy, and we hope to publish it soon.
So, this issue is now more than two years old! :cake: Let's hope it can be closed before it turns three.
The case officer from the Information Commissioner's Office has been in touch with me to say that they have attempted to contact you as well. It's a shame that I had to get the regulator involved :(
It's also almost been two months since you said you hoped the privacy policy was going to be published "soon".
When can we expect it to actually be published?
There is a PR open on the website repo now that covers all Rust project websites: https://github.com/rust-lang/www.rust-lang.org/pull/919
When it is merged, we will add a link from crates.io to this document.
Crates.io does not currently display a privacy notice, and I am concerned that crates.io may be operating in violation of data protection legislation in the EU (and elsewhere).
A privacy notice should be added so that people know what data is collected about them when they use the crates.io website (I see that Google Analytics is used, for example, (see #460) with no notification to users that their personal data is being processed.) and/or use cargo to fetch crates listed by the service.