This evening has had a sad surprise for me.
-
@fuchsiii if this was true, I'm sure there would be a truck load of lawyers trying to make some money out of it. Maybe there are, but I never heard of it. @malwareminigun @nik
The explanation is a bit too complex for a Mastodon thread.
Generally, I prefer the person who first put up a claim to prove it. It's also easier to prove something exists than the contrary.
So, @fuchsiii claims there were a law restricting the handling of information from people under 16 years. Show me the law.
Everything else will fall into place from there I think, we can clarify the misconception then.
-
The explanation is a bit too complex for a Mastodon thread.
Generally, I prefer the person who first put up a claim to prove it. It's also easier to prove something exists than the contrary.
So, @fuchsiii claims there were a law restricting the handling of information from people under 16 years. Show me the law.
Everything else will fall into place from there I think, we can clarify the misconception then.
@nik 13-16: parental approval required. If we are lenient and say processing an IP address is not sufficient to be PII, the storing of the mail address on account creation sure is. There is an exception for services primarily target children (which has higher policing requirements anyway). I would rly love to be proven otherwise, yes this is very problematic, but its what I read here. @kleisli @malwareminigun
-
@nik 13-16: parental approval required. If we are lenient and say processing an IP address is not sufficient to be PII, the storing of the mail address on account creation sure is. There is an exception for services primarily target children (which has higher policing requirements anyway). I would rly love to be proven otherwise, yes this is very problematic, but its what I read here. @kleisli @malwareminigun
@fuchsiii @kleisli @malwareminigun
The headline solves your misconception: It is explicitly about **consent** given by a minor.
Consent by the subject is one of six rules allowing data processing. The others include technical or legal requirement. GDPR allows a lot of things without explicit consent, and AFAIAC, I never was in a situation where any consent was even necessary at all.
You cannot collect consent for targeted ad campaigns from minors. But you can certainly handle IP addresses.
-
This evening has had a sad surprise for me.
Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:
(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)
@nik danke dir, Nik
-
@fuchsiii @kleisli @malwareminigun
The headline solves your misconception: It is explicitly about **consent** given by a minor.
Consent by the subject is one of six rules allowing data processing. The others include technical or legal requirement. GDPR allows a lot of things without explicit consent, and AFAIAC, I never was in a situation where any consent was even necessary at all.
You cannot collect consent for targeted ad campaigns from minors. But you can certainly handle IP addresses.
@nik In that case I'm out of ideas about what the reason could be, their Matomo tracker is according to the Terms of Site configured to anonymize. Maybe Czech law plays a role, as most openSUSE servers seems to be hosted in Prague https://en.opensuse.org/DigitalSovereignty/EU @kleisli @malwareminigun
-
@nik In that case I'm out of ideas about what the reason could be, their Matomo tracker is according to the Terms of Site configured to anonymize. Maybe Czech law plays a role, as most openSUSE servers seems to be hosted in Prague https://en.opensuse.org/DigitalSovereignty/EU @kleisli @malwareminigun
@fuchsiii @kleisli @malwareminigun I think the answer is simply that they didn't care enough to take on the extra work of learning how legal things involving minors work.
Also note that this restriction is in the **terms of use**, not the privacy policy.
-
@nik Lunacy does not begin to describe this lunacy which is mad and bad and dumb. Not sure which is worse to be honest. Any under age user that stops using the site as a result of the tripe warning is likely not going to be into Linux because that requires a f%^& you watch me do it anyway mentality and frankly is it so stupid it is a non rule and makes stupid people look clever in comparison.
@adingbatponder @nik ...or just maybe they should be using Artix instead, or any other distro which rejects age verification. Also, openSUSE rely on systemd, anyone concerned about their privacy should avoid systemd like the plague.
Mind you, we're heading towards an era in which programmers might have to maintain multiple identities, and if you're an underage programmer, you'll have to start out anonymously.
(Someone blocked me for "systemd hate". systemd's founder literally runs his own company geared towards Linux corporate compliance. Years ago, they added /etc/machine-id on top of /var/lib/dbus/machine-id - guess what, Devuan (sysvinit) don't support /etc/machine-id and the dbus version of it is randomized on each boot. Details like this can make a difference to privacy-conscious users.)
-
@adingbatponder @nik ...or just maybe they should be using Artix instead, or any other distro which rejects age verification. Also, openSUSE rely on systemd, anyone concerned about their privacy should avoid systemd like the plague.
Mind you, we're heading towards an era in which programmers might have to maintain multiple identities, and if you're an underage programmer, you'll have to start out anonymously.
(Someone blocked me for "systemd hate". systemd's founder literally runs his own company geared towards Linux corporate compliance. Years ago, they added /etc/machine-id on top of /var/lib/dbus/machine-id - guess what, Devuan (sysvinit) don't support /etc/machine-id and the dbus version of it is randomized on each boot. Details like this can make a difference to privacy-conscious users.)
Please keep your unfounded systemd hate out of this.
-
@malwareminigun @nik Typical article 8 German GDPR problem. You need explicit parental permission to handle (note the “handle”, not just “save”) PII of ppl under 16 (and the IP address hitting Apache/NGINX counts as a PII, therefore every website is technically 16+ until someone wants to fight this in court).
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
-
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
@fionasboots IP addresses according to GDPR a definitively PII, static or not. That your ISP can link it to your person is enough. But according to @nik what I quoted only counts for data collection that needs consent, which this use apparently does not. @malwareminigun
-
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
@fionasboots lets wait for the answer from openSUSE legal team, I'm getting more confused by the hour about this. I still think they had some good reason to write this ToS, I just don't know anymore what it could be. (And right now I would let them being confused about the legal situation count as an answer) @malwareminigun @nik
-
@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on it's own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!
@fionasboots I had the question about IP addressees at a mandatory work GDPR training certification test. (very boring) @malwareminigun @nik
-
@argv_minus_one @nik @fuchsiii @malwareminigun GDPR Article 6(1)(b): Processing shall be lawful […] if […] processing is necessary […] in order to take steps at the request of the data subject […].
GDPR Article 8(1)(1): Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least [13 to] 16 years old.
Age restrictions do not apply under 6(1)(b).
-
@argv_minus_one @nik @fuchsiii @malwareminigun GDPR Article 6(1)(b): Processing shall be lawful […] if […] processing is necessary […] in order to take steps at the request of the data subject […].
GDPR Article 8(1)(1): Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least [13 to] 16 years old.
Age restrictions do not apply under 6(1)(b).
@argv_minus_one @nik @fuchsiii @malwareminigun GDPR Recital 38 is not directly relevant, but is common-sense advice (and worth reading).
You should also be aware that bases other than 6(1)(a) ("consent") are very narrow, and 6(1)(a) is the hardest basis to obtain: the loopholes that most companies use don't actually exist, and those companies are breaking the law.
If you're not doing bad stuff, though – where "hoarding people's secrets" counts as bad stuff – GDPR nearly always says it's fine.
-
@argv_minus_one @fuchsiii @malwareminigun Yep, that's exactly what I am saying.
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
-
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
Blocked for unwarranted tone-policing.
-
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
@not3ottersinacoat @nik @argv_minus_one @malwareminigun The best explanation of someone who knows a bit more about GDPR stuff than I do: https://fosstodon.org/@wizzwizz4/116550568863635746
-
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.
@not3ottersinacoat @nik @argv_minus_one @malwareminigun (for the record)
-
@nik I’m guessing they don’t want the liability of COPA and similar Acts.
@malwareminigun @nik It’s the opposite. Part of the reason tech companies are lobbying for age verification laws is to get themselves out from under COPPA
-
This evening has had a sad surprise for me.
Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:
(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)
I am surprised about the interest in this issue. Thanks!
Please consider two things:
* Communicate to the openSUSE project directly that, and why, you oppose. You could respond on the mailing list I linked.
* If you can, become a sponsor of @Teckids on Liberapay or through some other means, so we can handle such cases and help other projects with our experience in a more coordinated and less stressful way: https://liberapay.com/Teckids/Thanks!
