userdatamanifesto / www

The userdatamanifesto.org website

Needs feedback #4

Closed hugoroy closed 9 years ago

hugoroy commented 10 years ago

Hi Frank. Remember these are just proposals, if they're something you don't like, please patch them ;-)

karlitschek commented 10 years ago

Thanks a lot for the improvements. In general this is great. What I don't like is that the new document is a complete change to the old version. This is basically a new manifesto. I also find it difficult that it mainly talks a lot about how things should be. The main point of the manifesto is to define right and don't talk about implementation details.

Regarding the concrete implementation. I don't think encryption is mandatory. There are scenarios where it is not needed. For example if you host it yourself at home.

What do you think?

Frank

hugoroy commented 10 years ago

Hi Frank,

Thanks for having a look at last! :^)

↪ 2014-04-14 Mon 11:57, Frank Karlitschek notifications@github.com:

> What I don't like is that the new document is a complete change to the old version. This is basically a new manifesto.

New words, yes, but I have tried to stay true to the original intent of the manifesto. I'm sure I did not succeed in that, and that some parts were probably not intended in the original manifesto. It's worth discussing what to do with them, like cutting them out if they're not in scope.

> I also find it difficult that it mainly talks a lot about how things should be. The main point of the manifesto is to define right and don't talk about implementation details.

A declaration of rights, a manifesto, is always about how things should be.

I wrote these modifications in a way that rights are always emphasised, and that implementation and details are left out as details only. The manifesto is in 2 parts: the rights are enumerated first, then comes some details.

So the main point is still about the rights, but it's important to give more context I believe. I took a lot of inspiration from the Free Software Rights definition. Sometimes you need to explicit some things about implementation: e.g. free software requires the to be able to get access to source code.

> Regarding the concrete implementation. I don't think encryption is mandatory. There are scenarios where it is not needed. For example if you host it yourself at home.

I think it is absolutely mandatory, even if you self-host because sometimes you access your home server from other places or you could access it from a wifi, etc. Lots of other cases (like for instance making sure only THAT person is able to decrypt the file, and no one else… etc).

hugoroy commented 9 years ago

Hi Frank,

So, I’ve been trying for months now to improve the manifesto.

I need to know what you have in mind exactly. Are you willing to change it at some point or do you think it’s a static doc that won’t change? Otherwise I’m just going to put this somewhere else.

I could do a side by side comparison to show to you how the new version relates to yours if that helps you.

Thanks

karlitschek commented 9 years ago

Hi @hugoroy The problem seems to be that you insist on restructuring and changing the text completely. Which I don't like as discussed above. It seems to be difficult to reach a compromise here. This is why we are stuck. Any ideas?

hugoroy commented 9 years ago

I insist that the current manifesto is not good enough, yes. For instance, the first point is very problematic as already pointed out.

Also, some points are very vague, like "7. Use it optimally. Everybody should be able to access and use their own data at all times with any device they choose and in the most convenient and easiest way for them."

If you leave out some of it, you end up with less points, and some of them can actually be merged (like free software, open standards + right to move out of the platform aka "choose the storage location") etc. In the end, it’s true that from 10 points, now it’s only 3. I think that it makes it better.

This is my proposal, but you can also edit it and comment it.

Do not hesitate to modify it so we can discuss what to modify what to leave etc. But just speaking around the text like this does not help me get this forward.

hugoroy commented 9 years ago

Hi Frank, I have published a blog post to state my reasons again: https://hroy.eu/posts/why-new-user-data-manifesto/

jancborchardt commented 9 years ago

Similar to Frank I have problems with »encryption« seemingly being mandatory:

On the contrary, cryptography should be enabled by default and be put under the users’ control with Free Software that is easy to use.

There is not a lot of easy-to-use free software crypto around yet. It’s getting better but I would say it’s an additional optional point.

hugoroy commented 9 years ago

Crypto is about implementation. The point itself is:

Data explicitly and willingly uploaded by a user should always be under the ultimate control of the user. Users should be able to decide whom to grant (direct) access to their data and under which permissions such access should occur.

Cryptography (e.g. a PKI) is necessary to enable this control.

Of course I am aware that encryption is still not easy. But the point still stands, no? It’s unclear to me what the problem is: please suggest a modification to the text itself :-) I am against deleting all references to encryption just because it’s not easy yet. However I agree about making it subtle and acknowledging that this is a technical implementation "detail."

karlitschek commented 9 years ago

@hugoroy are you in Berlin the next few days by any chance? :-)

hugoroy commented 9 years ago

Yes!

raucao commented 9 years ago

I find basically all of @hugoroy's explanations and changes reasonable, and I also think that some of the parts touched sorely need to be rewritten.

@karlitschek I don't understand the reason for preserving an existing "structure", when the goal should be to have the best possible user data manifesto, which makes the most sense, and is clear, correct and concise. Could you explain why it is important for reaching the goal? Or if I misread intent, maybe clarify the goals? Thanks!

DDevine commented 9 years ago

I like Hugo's proposed changes.

I particularly like the part about collection of metadata/social graph data. I think this is a huge problem that the original manifesto doesn't address. I found that when I analysed the Twitter T&C/Privacy Policy last year that they had made it fairly clear that they can/are selling such data to their partners. (http://contentmusings.ddevnet.net/posts/tc-privacy-twitter/)

Mandatory encryption doesn't sit well with me, but if I understand what Hugo has said here he is more concerned about the idea of access control rather than the implementation specifics such as cryptography. From this perspective I totally agree. As for directly mentioning cryptography I don't think it is necessary at all - everybody knows it exists and is a solution. Which leads me to my next point.

Further on in Hugo's post he says "the right to use cryptography should never be denied". I'd like to see that directly worked into his version of the manifesto. (Though I've not looked through the diffs - so if it has been, great!)

raucao commented 9 years ago

> Further on in Hugo's post he says "the right to use cryptography should never be denied". I'd like to see that directly worked into his version of the manifesto. (Though I've not looked through the diffs - so if it has been, great!)

Good point. Encrypting data is something users can choose to do (or not), but the terms of a service/platform or the way it works must not prohibit it.