Hi all,

I'm wading in with my Fedora Council hat on. I don't have much to add, but
I want to acknowledge the work that Michael is doing as part of the
Community Ops Team[1] / Data Working Group. It extends from work that began
with me and Robert Wright in 2024[2] to organize a community analytics team
to help us better understand our contributor community and better measure
whether we are growing our community or not through investments like events
that we fund or campaigns that we run to onboard new contributors.

The work that Michael is doing is strategically important to Fedora. While
it is true that Michael has built a new way to access this data, anyone who
has a Fedora Account System account, is familiar with a Fedora Account
System account, has knowledge of data concepts, Python or R experience, and has
a lot of patience could also do the things he is already doing. I believe
there is also some historical context in this from ten-ish years ago when
GDPR first came into effect, about how the data we collect to make and
build an operating system in the public is essential. However, I am not a
lawyer and cannot give legal advice here. Mostly, I want to acknowledge
this as useful, helpful work, and if we can provide a sanctioned pathway
for Michael to move forward, it would take some anxiety and stress off his
and others' shoulders.

Thanks!

[1] — https://docs.fedoraproject.org/en-US/commops/
[2] — https://fedoraproject.org/wiki/Initiatives/Community_Ops_2024_Reboot


On Wed, Nov 12, 2025 at 12:48 PM Michael Winters via legal <
[email protected]> wrote:

> I plead completely ignorant to the international legalities and look
> forward to Red Hat's guidance, but as a former infosec professional I find
> negative comfort in security / privacy through security. It is a *false*
> sense of safety, making people perceive safety where there is none and
> avoid action where it is warranted. In other words, it is a dangerous lie
> that we tell ourselves.
>
> If the reality of the situation makes people uncomfortable then they
> should change that reality, rather than pretend that it is something else.
> Deleting Hatlas would be the equivalent of choosing anaesthesia without
> actually healing the wound. (And inviting others to create more unfelt
> wounds.) The wound would only fester, and the harm would spread.
>
> I apologize that this is deeply unsatisfying. Discomfort is motivating --
> that is why it exists, and it's motivating me to focus on solving the root
> of the issue. I hope that others are able to see that I'm asking the legal
> experts here to help with that diagnosis, and I ask for patience as we work
> through it.
>
> Michael Winters
>
>
> On November 12, 2025 9:57:56 AM CST, "Daniel P. Berrangé" <
> [email protected]> wrote:
>
>> On Wed, Nov 12, 2025 at 08:49:29AM -0600, Michael Winters wrote:
>>
>>>                         But since this data is currently "published" by
>>> Fedora, I believe that any entity is at minimum allowed to "read" this
>>> information, and that no obligations exist thereafter regarding what
>>> they've "learned". Meaning - any evil entity (especially one outside
>>> of GDPR jurisdiction) can currently ingest this data and do whatever
>>> they want with it within their own system, and would be under zero
>>> obligation to execute PDRs. Ironically, it's the re-publishing that
>>> Hatlas does which is most obviously protected by default copyright
>>> etc, to my understanding. It's easier to be evil than open, as it
>>> stands today.
>>>
>>
>> NB, wrt jurisdiction, the important criterion is the location of the
>> person whose data is being processed, not the location of the entity
>> doing the processing.
>>
>> IOW, if the data processor is in the US, but is handling PII related
>> to a person in the EU, the GDPR applies. How violations can be enforced
>> is more questionable, but the rules are none the less intended to apply.
>> IIUC the GDPR would even apply to any data about non-EU citizens for
>> periods when they are travelling in the EU.
>>
>>> I also want people to understand that if they see something in
>>> Hatlas they don't like, deleting it from Hatlas does nothing
>>> to protect it -- it has to get deleted "upstream". I'll make
>>> that more explicit in the FAQ.
>>>
>>
>> That is certainly true, but at the same time, I don't find that to be
>> a particularly compelling rationale to put forward to justify Hatlas
>> continuing to hold the data. It comes across badly as a message IMHO.
>>
>>
>> Even when all the source data is publicly available, there is a
>> material difference between that data being spread around 100's of
>> individual systems, vs a system which proactively collects & aggregates
>> the data from 100's systems into 1 place, and provides a data mining
>> frontend.
>>
>> In the former case one has privacy-through-obscurity. Not perfect &
>> vulnerable to malicious exploitation, but none the less a meaningful
>> level of privacy for many people, much of the time.
>>
>> In the latter case one potentially has a form of dragnet surveillance
>> in the extreme case. NB I'm not saying that's what Hatlas is, just
>> talking in general terms about data aggregation & mining systems that
>> process public data.
>>
>> People can quite reasonably be ok with the former situation, but be
>> unhappy with the latter situation.
>>
>>
>> There is data privacy precedent here with search engines. They can be
>> required to remove results that are personally related to individuals,
>> even if the article(s) indexed by the search engine were all public &
>> continue to remain public & could in theory be indexed by a different
>> search engine.
>>
>>
>> With regards,
>> Daniel
>>
>> --
> _______________________________________________
> legal mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>


-- 
*Justin* (*he/him*) || 📧 [email protected] || 🔗 jwheel.org
*Upcoming Absences:* 18 Nov–2 Dec (*Bereavement*)
TZ=America/Atlanta (UTC-4) 🕗
*Fedora is a registered Digital Public Good
<https://app.digitalpublicgoods.net/a/12003>*

While I may be sending this email outside my normal office hours, I have no
expectation to receive a reply outside yours.