Ethics and Data Protection in Open Source, Community Based Projects

[Editor note: The following notes were made during the “Ethics and Data Protection in Open Source, Community Based Projects”, of OpenVillage Festival (19th October 2017). Quotes are not verbatim but summarize what was said. If you feel something is mis-represented, please tell us in a comment or with the “Flag → Something Else” feature and a mod will fix it. – @anu]

In 2018 a new law is going to enter in function in eu , regulate data

The issue is the 1st time focuses Europe accountability and responsibility.
Tiy would be clear to justify why this data is needed for your service.

A person that will be independent from the board, and with his/her team is responsible for your data.

Small organisations will have it harder to comply with the law, because it does not make sense for them to have an independent manager of privacy.

Eg. now that the WAP2 protocol has been exposed as vulnerable, as a small business, you would need to get a new router right away, not wait for an update from the seller. Otherwise, by a literal interpretation of the law, you would be liable if data is leaked through a hack. But this does not make sense, there will need to be precedents in court, that interpret the law considering the scale of the organisation and the scale of the vulnerability or breach.

The law applies to everyone that is active in the European region, even those based outside of it. The US does not have a data protection responsible.

It’s hard for the government to do open date, because it is always possible to make links by cross referencing with other data sets. Basically, they would need to anonymize it to the extent that it is not usable.

The telecom companies think about the data they collect as ‘their data’. According to the law, however, it is your data.

Telecom companies for example thinks about the traffic data as its own data on how they work, although by law they are personal data.

How to enforce?

About privacy, it seems like a fragile system, if only one goes down, then you are also at risk. Everyone needs to be watertight for it to be work.
This could be done by the new law you must identify why you are collecting your data.

Is there a way to broker in a market way the data?
Exchange consent to use your data in return for a payment (phone, $5, …).

  • More of a question of exploiting vulnerability than a matter of exchange.
    The example of phones for homeless people in USA is mainly a simple exchange just names in order to make sure everyone got only one phone.

In practical ( alberto), not having emails in spreadsheets for example, unless you tell people and enable a methodology for them to delete, as this is going to be pricy, [ encrypt or if you don’t do it if you don’t need it ]

How to check where data is going?
As a small person blogger, where do you go for help in safing up your data handling ?

1st, question, the companies should appoint someone to do so according to the new law.

As a blogger, then this should be done by the company that runs the blogs, ( wordpress or so ) unless you are self hosted, then you have to do it yourself. You would have to monitor your infrastructure and this is not easy, but I presume if taken to court, a judge would rule you have no responsibility, but if you are running a platform with 200 contributor
May be it is about what data you are collecting
You are responsible equally on personal data, whatever it is.
Then if you have no obligation in collecting actual names and emails then you have no sensitive data.

If a company is taken to court for not giving someone his data?, can they go for many people ?
Depends on the percentage, if the whole europe brought Fb to court , that’s something but if one person, then its one person.

Recenlty there was an experiment in us uni, over 90% of students express extreme importance of data security …and outside 100% gave all there data to get a free pizza at a stand just outside.

On the IOT, barcelona ?

The problem of IOT , like environmental sensors that are inside homes,

Rise of citizen science projects and DIY data connection
If they work with Europeans according to law they should abeid by the new law, if applicable.

Citizen science has an advantage, as they are communities not companies. As you will find lots of experts in between communities.

Even if the community has their own rules and ethics, but once they publish something then they become visible and must justify the process.

##Trust and credibility

  • For audience “How do you a trust an organization ( or not ) ?
  • What’s your criteria ?
  • Do i know the people , can I talk to them?
  • If a friend vouches for them, Where is the money come from or who owns them?

In data ethics , 1st
The commitment of doing no harm.
This can not be trusted

But if they are enforced ?

The issue of they are committed and must do this.
When you are running an activity making sure to be transparent that you commit to protect the data from risks that can be now or in the future, in a transparent process.

So GDRP is extremely paralyzing in one way, but there is a rational behind it, and transparency and being open is a part from a plausible plan.

FROM now till May, what is being done?
We are now already in a grey zone, the text was published last year.
Currently, lawyers are making some consultancies.
Brussels for example data and groups come together every 2 weeks to discuss , including data experts, lawyers and so, and possibly in every other place.

What about the open source software and platform, like discourse, but what happens in these situation?

Open Source in principle says it comes as it is, unfortunately it becomes the problem of who’s running it. Otherwise you will have to do it yourself.

How did this law came about to be ? ( John Coate as this didn’t pull up in the US )

Value chain map as a better alternative for SWOT.