This evening has had a sad surprise for me.
-
@fuchsiii @kleisli @malwareminigun
The headline solves your misconception: It is explicitly about **consent** given by a minor.
Consent by the subject is one of six rules allowing data processing. The others include technical or legal requirement. GDPR allows a lot of things without explicit consent, and AFAIAC, I never was in a situation where any consent was even necessary at all.
You cannot collect consent for targeted ad campaigns from minors. But you can certainly handle IP addresses.
@nik In that case I'm out of ideas about what the reason could be, their Matomo tracker is according to the Terms of Site configured to anonymize. Maybe Czech law plays a role, as most openSUSE servers seems to be hosted in Prague https://en.opensuse.org/DigitalSovereignty/EU @kleisli @malwareminigun
-
@nik In that case I'm out of ideas about what the reason could be, their Matomo tracker is according to the Terms of Site configured to anonymize. Maybe Czech law plays a role, as most openSUSE servers seems to be hosted in Prague https://en.opensuse.org/DigitalSovereignty/EU @kleisli @malwareminigun
@fuchsiii @kleisli @malwareminigun I think the answer is simply that they didn't care enough to take on the extra work of learning how legal things involving minors work.
Also note that this restriction is in the **terms of use**, not the privacy policy.
-
@nik Lunacy does not begin to describe this lunacy which is mad and bad and dumb. Not sure which is worse to be honest. Any under age user that stops using the site as a result of the tripe warning is likely not going to be into Linux because that requires a f%^& you watch me do it anyway mentality and frankly is it so stupid it is a non rule and makes stupid people look clever in comparison.
@adingbatponder @nik ...or just maybe they should be using Artix instead, or any other distro which rejects age verification. Also, openSUSE rely on systemd, anyone concerned about their privacy should avoid systemd like the plague.
Mind you, we're heading towards an era in which programmers might have to maintain multiple identities, and if you're an underage programmer, you'll have to start out anonymously.
(Someone blocked me for "systemd hate". systemd's founder literally runs his own company geared towards Linux corporate compliance. Years ago, they added /etc/machine-id on top of /var/lib/dbus/machine-id - guess what, Devuan (sysvinit) don't support /etc/machine-id and the dbus version of it is randomized on each boot. Details like this can make a difference to privacy-conscious users.)
-
@adingbatponder @nik ...or just maybe they should be using Artix instead, or any other distro which rejects age verification. Also, openSUSE rely on systemd, anyone concerned about their privacy should avoid systemd like the plague.
Mind you, we're heading towards an era in which programmers might have to maintain multiple identities, and if you're an underage programmer, you'll have to start out anonymously.
(Someone blocked me for "systemd hate". systemd's founder literally runs his own company geared towards Linux corporate compliance. Years ago, they added /etc/machine-id on top of /var/lib/dbus/machine-id - guess what, Devuan (sysvinit) don't support /etc/machine-id and the dbus version of it is randomized on each boot. Details like this can make a difference to privacy-conscious users.)
Please keep your unfounded systemd hate out of this.
-
@malwareminigun @nik Typical article 8 German GDPR problem. You need explicit parental permission to handle (note the “handle”, not just “save”) PII of ppl under 16 (and the IP address hitting Apache/NGINX counts as a PII, therefore every website is technically 16+ until someone wants to fight this in court).
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
-
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
@fionasboots IP addresses according to GDPR a definitively PII, static or not. That your ISP can link it to your person is enough. But according to @nik what I quoted only counts for data collection that needs consent, which this use apparently does not. @malwareminigun
-
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
@fionasboots lets wait for the answer from openSUSE legal team, I'm getting more confused by the hour about this. I still think they had some good reason to write this ToS, I just don't know anymore what it could be. (And right now I would let them being confused about the legal situation count as an answer) @malwareminigun @nik
-
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
@fionasboots I had the question about IP addressees at a mandatory work GDPR training certification test. (very boring) @malwareminigun @nik
-
@argv_minus_one @nik @fuchsiii @malwareminigun GDPR Article 6(1)(b): Processing shall be lawful […] if […] processing is necessary […] in order to take steps at the request of the data subject […].
GDPR Article 8(1)(1): Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least [13 to] 16 years old.
Age restrictions do not apply under 6(1)(b).
-
@argv_minus_one @nik @fuchsiii @malwareminigun GDPR Article 6(1)(b): Processing shall be lawful […] if […] processing is necessary […] in order to take steps at the request of the data subject […].
GDPR Article 8(1)(1): Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least [13 to] 16 years old.
Age restrictions do not apply under 6(1)(b).
@argv_minus_one @nik @fuchsiii @malwareminigun GDPR Recital 38 is not directly relevant, but is common-sense advice (and worth reading).
You should also be aware that bases other than 6(1)(a) ("consent") are very narrow, and 6(1)(a) is the hardest basis to obtain: the loopholes that most companies use don't actually exist, and those companies are breaking the law.
If you're not doing bad stuff, though – where "hoarding people's secrets" counts as bad stuff – GDPR nearly always says it's fine.
-
@argv_minus_one @fuchsiii @malwareminigun Yep, that's exactly what I am saying.
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
-
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
Blocked for unwarranted tone-policing.
-
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
@not3ottersinacoat @nik @argv_minus_one @malwareminigun The best explanation of someone who knows a bit more about GDPR stuff than I do: https://fosstodon.org/@wizzwizz4/116550568863635746
-
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
@not3ottersinacoat @nik @argv_minus_one @malwareminigun (for the record)
-
@nik I’m guessing they don’t want the liability of COPA and similar Acts.
@malwareminigun @nik It’s the opposite. Part of the reason tech companies are lobbying for age verification laws is to get themselves out from under COPPA
-
This evening has had a sad surprise for me.
Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:
(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)
I am surprised about the interest in this issue. Thanks!
Please consider two things:
* Communicate to the openSUSE project directly that, and why, you oppose. You could respond on the mailing list I linked.
* If you can, become a sponsor of @Teckids on Liberapay or through some other means, so we can handle such cases and help other projects with our experience in a more coordinated and less stressful way: https://liberapay.com/Teckids/Thanks!
-
-
This evening has had a sad surprise for me.
Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:
(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)
@nik SuSE is driving towards slop addiction anyway. Better for kids to experiment with Gentoo or NetBSD, or maybe projects that maintain a good track record without having a strong no-slop policy like FreeBSD, Slackware, OpenBSD, Debian, etc. (Although if they get into Slackware, keep them away from IRC, or at least Libera. ##slackware on Libera.chat today is like #freebsd on Freenode was a decade ago, in some respects, and maybe worse in others.)
Having been a young hacker in the early 80s, I can lend you some comfort. People can and will become lifelong free software advocates and contributors without a community, and this includes community driven by a corporate project.
Also, look at it this way: If OpenSuSE wants to drive themselves to extinction, what better way than erasing their mindshare amongst the young?
All that aside, I'm not at all against people telling them how foolish this move is.
-
@nik SuSE is driving towards slop addiction anyway. Better for kids to experiment with Gentoo or NetBSD, or maybe projects that maintain a good track record without having a strong no-slop policy like FreeBSD, Slackware, OpenBSD, Debian, etc. (Although if they get into Slackware, keep them away from IRC, or at least Libera. ##slackware on Libera.chat today is like #freebsd on Freenode was a decade ago, in some respects, and maybe worse in others.)
Having been a young hacker in the early 80s, I can lend you some comfort. People can and will become lifelong free software advocates and contributors without a community, and this includes community driven by a corporate project.
Also, look at it this way: If OpenSuSE wants to drive themselves to extinction, what better way than erasing their mindshare amongst the young?
All that aside, I'm not at all against people telling them how foolish this move is.
-
@richlv @nik My primary reason for believing this isn't something that was published, but that's okay, as there are other sources:
SUSE Refines, Releases Open-Source LLM to Fuel Community Collaboration
Today, SUSE has released a new fine-tuned version of the language model, Cavil-Qwen3-4B, as open source on openSUSE’s Hugging Face in order to make legal com...
openSUSE News (news.opensuse.org)
There are a number of pieces out there talking about SUSE chasing "AI" as well, and remember that OpenSuSE is quite heavy driven by SUSE the same way Fedora is driven by Red Hat. It's not complete in either case but it's substantial. (Canonical doesn't drive Debian quite so much, but it's developers are still influential activists inside of Debian.)
