[OpenID] Shade's questions - Privacy for Foundation members

Eran Hammer-Lahav eran at hueniverse.com
Sun Dec 14 17:07:37 UTC 2008


The foundation should not be handing out personal information for any other purposes than to obey its bylaws (for example, sending notifications as legally required will mean giving someone with an administrative capacity access to the mailing lists). Members should have an opt-in way to allow their name and city/country to be listed, with optionally their employer. But this should not imply I care much about privacy either way (since pretending such a thing exists online is a fantasy).

This is not the same for those wishing to contribute to an actual specification. There should be no anonymity or privacy in that process. Standards work requires IPR policies, which in turn require you sign some sort of a license. If you are employed (or otherwise do not control your IP), you must disclose it and that information must be made public to anyone asking for it. It is reasonable to hide your personal home address when publishing such documents online, but since these are legal documents, they must be provided unchanged to those who make an official request for them.

Personally, I will not allow you to contribute anonymously to any specification I am the editor of. This does not meet my requirement for worthwhile and legally sound participation.

I cannot imagine any reason for you to hide behind an alias. So to answer your original question about anonymity in the foundation, yes, I would tell such people their contribution isn't welcome.

EHL

> -----Original Message-----
> From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
> Sent: Sunday, December 14, 2008 1:57 AM
> To: Eran Hammer-Lahav
> Cc: general at openid.net
> Subject: RE: [OpenID] Shade's questions - Privacy for Foundation
> members
>
> >Beside the legal requirement of running a corporation (which is what
> >the OpenID foundation is),
>
> So, if I get hired on at Microsoft as a janitor ("sanitation
> engineer"), I join the elite group of Microsoft-employed stalkers who
> can acquire the personal information of other stalkers who work at
> Microsoft?
>
> Sharing with law enforcement *when a subpoena has been granted by the
> judge* is one thing. Giving away a user's personal information in
> response to a faxed-in request made on Law Enforcement letterhead
> (*cough* eBay), a claim to be that person's employer (*cough*
> Facebook - sorry), or during the simple course of handing out
> publicity materials (*cough* OIDF?!?), is quite another.
>
> Running a corporation does not require management to readily yield
> the personal information of their employees to any interested party.
> I'm not sure what other "legal requirement" could prevent a
> corporation from having ANY policy about its employees' privacy.
> (Since we are not "employed" by the OIDF in any traditional/monetary
> paying sense, this analogy does not quite work. But it seems the
> closest equivalent.)
>
> >How can you find common ground with someone who will not reveal
> >their identity and intentions?
>
> How can you know the identity of someone who does not tell you
> everything about themselves, reveal to you every handle they have
> ever used, and share their hopes and dreams for the future with you?
>
> I submit that it is sufficient to know *some* of who a person is;
> that, in lieu of certainty (proof) that the compartmentalized
> identity they have presented to you is their "primary" identity
> (possessing the lion's share of their identifying data), it would be
> adequate to, after interaction/evaluation, treat that "less than
> everything" "identity" as a person just as real as others about whom
> you know just as much (little).
>
> Okay, more simply put - unless you are in the habit of running
> background checks on everyone you interact with, just to find out
> whether they are keeping any secrets from you (i.e. not telling you
> everything; leaving out, ANYthing), you probably won't know the
> difference when you *do* encounter "partial" individuals.
>
> If dishonest as well as private, you almost *certainly* won't,
> because they'll give a real-sounding name that simply happens to not
> be theirs. And who can tell? Is someone going to step forward and say
> "I looked but there is NO ONE in the geographical area we can assume
> this person to live in, who has that name."? I may look around and
> see one blog giving this person's name, another 20 or so referring to
> it - but where did *they* get *their* information? Did *anyone* know,
> did anyone confirm this identity outside the (network) channels used
> to advertise it?
>
> Is the difference here between incidentally "not revealing" all of
> their identity/intentions (but not telling anyone), and
> *deliberately* (with privacy aforethought!) withholding the
> identity/intentions that aren't relevant to the situation? (In one's
> own judgement, of course - but note, this is the same rationale that
> goes into *incidentally* not revealing such things!) If so, the
> process seems to favor those who are secretive - only the innocent
> would single themselves out for such punishment. Hardly the
> environment designed to encourage/foster honesty!
>
> -Shade (an obvious pseudonym, not a real-sounding name)


