This evening has had a sad surprise for me.

Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:

https://lists.opensuse.org/archives/list/[email protected]/message/6PU6JU2IGKDANYNN3KIXDR2UQSVP6JI2/

(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)

@nik whoa that's AWFUL. that betrays so many core ideals of the movement.
@nik I’m guessing they don’t want the liability of COPA and similar Acts. 😟
@malwareminigun @nik Typical article 8 German GDPR problem. You need explicit parental permission to handle (note the “handle”, not just “save”) PII of ppl under 16 (and the IP address hitting Apache/NGINX counts as a PII, therefore every website is technically 16+ until someone wants to fight this in court).
@fuchsiii @malwareminigun This assessment is almost entirely wrong.

@nik

What exactly do you mean by “wrong”? Are you saying that that is not what the law actually means?

@fuchsiii @malwareminigun

@argv_minus_one @fuchsiii @malwareminigun Yep, that's exactly what I am saying.

@nik

Then I certainly hope you're correct, because yikes.

@fuchsiii @malwareminigun

@nik @argv_minus_one @fuchsiii @malwareminigun Do you have any source to back it up? I'm curious what the law says here.
@nik @argv_minus_one @fuchsiii @malwareminigun I boosted because this is important but if you want to engage with people you could try being a little less rude.

@fuchsiii

And the EU Commission recently had the audacity to claim that, and I quote, “In the EU, you have the space to speak your mind without having to shrink who you are.”

Apparently that flowery little speech doesn't apply to young, eager programmers. 🤦‍♂️

https://ec.social-network.europa.eu/@EUCommission/116437170867569557

@malwareminigun @nik

@fuchsiii if this was true, I'm sure there would be a truck load of lawyers trying to make some money out of it. Maybe there are, but I never heard of it. @malwareminigun @nik

@kleisli @malwareminigun

The explanation is a bit too complex for a Mastodon thread.

Generally, I prefer the person who first put up a claim to prove it. It's also easier to prove something exists than the contrary.

So, @fuchsiii claims there is a law restricting the handling of information from people under 16 years. Show me the law.

Everything else will fall into place from there I think, we can clarify the misconception then.

@nik 13-16: parental approval required. If we are lenient and say processing an IP address is not sufficient to be PII, the storing of the mail address on account creation sure is. There is an exception for services primarily targeting children (which has higher policing requirements anyway). I would rly love to be proven otherwise, yes this is very problematic, but it's what I read here. @kleisli @malwareminigun

@fuchsiii @kleisli @malwareminigun

The headline solves your misconception: It is explicitly about **consent** given by a minor.

Consent by the subject is one of six rules allowing data processing. The others include technical or legal requirement. GDPR allows a lot of things without explicit consent, and AFAIAC, I never was in a situation where any consent was even necessary at all.

You cannot collect consent for targeted ad campaigns from minors. But you can certainly handle IP addresses.

@nik In that case I'm out of ideas about what the reason could be, their Matomo tracker is according to the Terms of Site configured to anonymize. Maybe Czech law plays a role, as most openSUSE servers seem to be hosted in Prague https://en.opensuse.org/DigitalSovereignty/EU @kleisli @malwareminigun

@fuchsiii @kleisli @malwareminigun I think the answer is simply that they didn't care enough to take on the extra work of learning how legal things involving minors work.

Also note that this restriction is in the **terms of use**, not the privacy policy.

@fuchsiii

@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on its own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!

@fionasboots IP addresses according to GDPR are definitively PII, static or not. That your ISP can link it to your person is enough. But according to @nik what I quoted only counts for data collection that needs consent, which this use apparently does not. @malwareminigun
@fuchsiii @fionasboots @nik @malwareminigun But the ISP for a landline doesn't link the IP to a kid.
On the other hand, the mobile phone network operator...
@fionasboots let's wait for the answer from openSUSE legal team, I'm getting more confused by the hour about this. I still think they had some good reason to write this ToS, I just don't know anymore what it could be. (And right now I would let them being confused about the legal situation count as an answer) @malwareminigun @nik
@fionasboots I had the question about IP addresses at a mandatory work GDPR training certification test. (very boring) @malwareminigun @nik

@fuchsiii @malwareminigun @nik But IP addresses being PII makes no sense. For anything that is dynamically annotated and NAT'ed the address itself will be used by thousands of people. The IP:port combination is only "you" for a brief time. Overall you could have multiple IP:port combinations over a day and someone else could be on these at other times.

If your ISP has fixed IPv4 the home router is *still* going to do NAT so the IP address only identifies an ISP account, not even a home location (my ISP, like many others, don't show up my location as where I live but a city where the peering connection is).

IPv6 without NAT would require you to know the MAC addresses of kit that an individual owns.

In all cases you need data from the ISP to map an IP address to a household or a specific user. So it's only law enforcement or hackers that could get that.

@fionasboots This goes back to a 2016 Court of Justice of the European Union ruling on request of Germany (the defender in this case), Reference Number C‑582/14. Some writeup in English: https://www.hunton.com/privacy-and-cybersecurity-law-blog/cjeu-rules-dynamic-ip-addresses-personal-data (the original court documents are only in German and French) @malwareminigun @nik

@fuchsiii @malwareminigun @nik Well that just sucks big time ... so presumably you can't log IP addresses then ... I wonder how this works with govt requiring the collection of IP addresses and similar tracking? I think this is nonsense though ... but it seems to be legal nonsense ... a lot of that around these days!

@fionasboots @fuchsiii @malwareminigun

Of course you can log IP addresses if you need it. Just do and write it down in your privacy policy. No consent is required (unless you do unethical things with the logged addresses).

@nik @fionasboots @fuchsiii I think you all are missing the point. The question is not does the GDPR cover this. The question is will somebody sue you because they think that GDPR covers this.

@malwareminigun @fionasboots @fuchsiii

GDPR *does* cover it. There is no doubt in that.

Something being covered by GDPR does not imply that it requires consent.

Fun fact, by the way: Asking for consent for something that does not require consent is something you can be sued for under GDPR ;).

@nik @fionasboots @fuchsiii You are missing the point. The point is not what the law says. The point is will someone try to sue you for it. The fact that people believe the law says this is not allowed is enough.
@malwareminigun @nik It’s the opposite. Part of the reason tech companies are lobbying for age verification laws is to get themselves out from under COPPA
@nik This is what corporations do.
@nik Yeesh. Hopefully this is just a bone-headed, ill-informed mistake
@nik ... as in, young people are no longer allowed to just visit the website and download openSuSE? Wut?

@nik what the...

It's about this page, right? https://en.opensuse.org/Terms_of_site

This must be a mistake. Or they're totally lost...

@xela @nik

"Age requirements on web services are typically driven by data protection law — in the UK and EU, GDPR/UK GDPR requires special handling for data of minors. "

Just slopping along here.

@nik dafuq. I get the ban for account creation, but it's also far from an actually good idea. The person who picked up Canonical's Unity DE and maintained it was a minor. Such a restriction could prevent people from doing such things.
@nik I got my first job programming for AT&T at 14. This ban is ridiculous and outrageous.

@nik I wonder where this comes from, I recently noticed in Fedora too.

Not sure if it is new there, but in essence you need to confirm that you are at least 16 years old.