[arch-dev-public] AUR ToS (aka making AUR user names public)
bisson at archlinux.org
Sun Mar 5 21:54:07 UTC 2017
[2017-03-05 14:35:05 +0100] Lukas Fleischer:
> My original questions was: Are we fine with sharing the list of AUR
> accounts names (only user names, no real names or email addresses) with
> a researcher that seems trustworthy and agrees to not share the data in
> any form other than the resulting anonymized statistics?
I am strongly against this because it seems to me it would put us in a
very weak legal position (though as always IANAL).
The simple argument is that when users sign up for an AUR account they
have no expectation that any data they submit (including their username)
might be shared with a third-party.
Now as you've noticed with other Internet services, sharing data with
third-parties is kind of a big deal. To the point that many services can
only be used after you've agreed to some kind of EULA where you consent
to your data being shared. For us it's even worse, there's no EULA, just
what users might expect us to do with their data. So please let's err on
the safe side here.
Surely there's tons of other username lists on the Internet this
researcher can use...
More information about the arch-dev-public