I plead completely ignorant to the international legalities and look forward to 
RedHat's guidance, but as a former infosec professional I find negative comfort 
in security / privacy through obscurity. It is a *false* sense of safety, making 
people perceive safety where there is none and avoid action where it is 
warranted. In other words, it is a dangerous lie that we tell ourselves.

If the reality of the situation makes people uncomfortable then they should 
change that reality, rather than pretend that it is something else. Deleting 
Hatlas would be the equivalent of choosing anaesthesia without actually healing 
the wound. (And inviting others to create more unfelt wounds.) The wound would 
only fester, and the harm would spread.

I apologize that this is deeply unsatisfying. Discomfort is motivating -- that 
is why it exists, and it's motivating me to focus on solving the root of the 
issue. I hope that others are able to see that I'm asking the legal experts 
here to help with that diagnosis, and I ask for patience as we work through it.

Michael Winters


On November 12, 2025 9:57:56 AM CST, "Daniel P. Berrangé" <[email protected]> 
wrote:
>On Wed, Nov 12, 2025 at 08:49:29AM -0600, Michael Winters wrote:
>> But since this data is currently "published" by
>> Fedora, I believe that any entity is at minimum allowed to "read" this
>> information, and that no obligations exist thereafter regarding what
>> they've "learned". Meaning - any evil entity (especially one outside
>> of GDPR jurisdiction) can currently ingest this data and do whatever
>> they want with it within their own system, and would be under zero
>> obligation to execute PDRs. Ironically, it's the re-publishing that
>> Hatlas does which is most obviously protected by default copyright
>> etc, to my understanding. It's easier to be evil than open, as it
>> stands today.
>
>NB, wrt jurisdiction, the important criteria is the location of the
>person whose data is being processed, not the location of the entity
>doing the processing.
>
>IOW, if the data processor is in the US, but are handling PII related
>to a person in the EU, the GDPR applies. How violations can be enforced
>is more questionable, but the rules are none the less intended to apply.
>IIUC the GDPR would even apply to any data about non-EU citizens for
>periods when they are travelling in the EU.
>
>> I also want people to understand that if they see something in
>> Hatlas they don't like, deleting it from Hatlas does nothing
>> to protect it -- it has to get deleted "upstream". I'll make
>> that more explicit in the FAQ.
>
>That is certainly true, but at the same time, I don't find that to be
>a particularly compelling rationale to put forward to justify Hatlas
>continue to hold the data. It comes across badly as a message IMHO.
>
>
>Even when all the source data is publicly available, there is a
>material difference between that data being spread around 100's of
>individual systems, vs a system which proactively collects & aggregates
>the data from 100's systems into 1 place, and provides a data mining
>frontend.
>
>In the former case one has privacy-through-obscurity. Not perfect &
>vulnerable to malicious exploitation, but none the less a meaningful
>level of privacy for many people, much of the time.
>
>In the latter case one potentially has a form of dragnet surveillance
>in the extreme case. NB I'm not saying that's what Hatlas is, just
>talking in general terms about data aggregation & mining systems that
>process public data.
>
>People can quite reasonably be ok with the former situation, but be
>unhappy with the latter situation.
>
>
>There is data privacy precedent here with search engines. They can be
>required to remove results that are personally related to individuals,
>even if the article(s) indexed by the search engine were all public &
>continue to remain public & could in theory be indexed by a different
>search engine.
>
>
>With regards,
>Daniel
>-- 
>|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
>|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
>|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
-- 
_______________________________________________
legal mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]