On Sun, 05 Mar 2017 at 22:54:07, Gaetan Bisson wrote:
[2017-03-05 14:35:05 +0100] Lukas Fleischer:
My original question was: Are we fine with sharing the list of AUR accounts names (only user names, no real names or email addresses) with a researcher that seems trustworthy and agrees to not share the data in any form other than the resulting anonymized statistics?
I am strongly against this because it seems to me it would put us in a very weak legal position (though as always IANAL).
The simple argument is that when users sign up for an AUR account they have no expectation that any data they submit (including their username) might be shared with a third party.
Now as you've noticed with other Internet services, sharing data with third parties is kind of a big deal. To the point that many services can only be used after you've agreed to some kind of EULA where you consent to your data being shared. For us it's even worse, there's no EULA, just what users might expect us to do with their data. So please let's err on the safe side here. [...]
I gave this a second thought and I still do not see how publishing the list of user names would lead to a very weak legal position, especially if you consider our legal position relative to the current situation. If we *really* think that we need to keep user names secret, I think we should take down the whole AUR website because we already share this information everywhere without explicitly telling our users we do so. Or at least censor the user names on every single page they appear on which would be a lot of work.
Maybe we should do what Phil suggested in the email I just forwarded to the list (forgot to fix the In-Reply-To and References headers, sorry). Write ToS as soon as possible, make users accept them when logging in and send notifications to all users. Then delete all remaining accounts after a grace period. A nice side benefit of this is that we would make sure all passwords are migrated from MD5 to bcrypt, see [1, 2].
Opinions?
Regards,
Lukas
[1] https://lists.archlinux.org/pipermail/aur-dev/2017-February/004291.html
[2] https://git.archlinux.org/aurweb.git/commit/?id=29a4870