[IAEP] IAEP Digest, Vol 98, Issue 52

[Tony Anderson]

The information collected at first boot is not relevant to any personal 
research. At deployments I am
familiar with, the first boot is done at installation time to check the 
install and perform configuration.
At this time, the laptop has not been assigned to a user. For 
deployments I work with, the gender is
to male and the age to grade 4 to save time.

Tony

On 05/17/2016 10:00 PM, iaep-request at lists.sugarlabs.org wrote:
> Send IAEP mailing list submissions to
> 	iaep at lists.sugarlabs.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.sugarlabs.org/listinfo/iaep
> or, via email, send a message with subject or body 'help' to
> 	iaep-request at lists.sugarlabs.org
>
> You can reach the person managing the list at
> 	iaep-owner at lists.sugarlabs.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of IAEP digest..."
>
>
> Today's Topics:
>
>     1. Re: Sugar network / School Network (Chris Leonard)
>     2. Re: Sugar network / School Network (Dave Crossland)
>     3. Fwd:  Sugar network / School Network (Sean DALY)
>     4. Re: Sugar network / School Network (Dave Crossland)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 17 May 2016 14:10:10 -0400
> From: Chris Leonard <cjlhomeaddress at gmail.com>
> To: Dave Crossland <dave at lab6.com>
> Cc: "sugar-sur at lists.sugarlabs.org" <sugar-sur at lists.sugarlabs.org>,
> 	"iaep at lists.sugarlabs.org" <iaep at lists.sugarlabs.org>, Samuel
> 	Greenfeld <samuel at greenfeld.org>, Laura Vargas <laura at somosazucar.org>
> Subject: Re: [IAEP] Sugar network / School Network
> Message-ID:
> 	<CAHdAatbGHo3jJ_5XB5xKfoXuJqFaeb-Qr2iypfxjirHLZZ+Vrg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Tue, May 17, 2016 at 12:52 PM, Dave Crossland <dave at lab6.com> wrote:
>> Hi
>>
>> Thanks for the lengthy explanation :) I think I understand your position
>> better now :)
>>
>> On 17 May 2016 at 12:14, Chris Leonard <cjlhomeaddress at gmail.com> wrote:
>>>
>>> any form of human subjects research
>>
>> Is https://activities.sugarlabs.org/en-US/statistics/ "human subjects
>> research"?
> In the legal sense, it is whatever a court of competent jurisdiction
> determines it to be.  In general, our basic web-stats do not appear to
> have the characteristics one typically associates with human subjects
> research, some characteristics, like aggregation, anonymization, etc.
> are in fact steps taken to deliberately place certain research
> activities outside of the scope of human subjects protections (like
> requirements for institutional review board approval, etc.).
>
> If you start drilling down to collecting IP numbers (say for
> geo-location) and other bits of data that *might* be mapped (alone or
> in combination with any other information sitting around) to the
> identifiable user level, you are getting into much deeper water.
>
> Even if you can figure out a way to accomplish your goals in
> compliance with the law, you should also ask yourself 'How would this
> look from the point of view of the fairly stringent privacy
> expectations held by the people that Sugar Labs aligns itself in the
> world of FOSS".  While generally not a matter of legal consequence, we
> do operate in an ecosystem where we are very dependent of people and
> organizations who take a dim view of anything that could be construed
> as "snooping", and that should probably be taken into account.
>
>>> One should never read the CFR and
>>> make a determination that it "does not apply to me" without consulting
>>> with a lawyer.  That way lies madness as well as potential fines and
>>> imprisonment.
>>
>> Has anyone involved with Sugar Labs consulted with any lawyers on any legal
>> topics?
>>
>> As a Sugar Labs Member, how do I consult with a lawyer?
> In general, the same way any one else would, a) get the yellow pages
> b) turn to the "L" section, then back to the "A" section because
> lawyers are listed as attorneys. . .  etc., etc.  You seem to be
> proposing a personal activity, not one undertaken collectively by the
> corporate Sugar Labs entity, so knock yourself out and be careful,
> lawyers are expensive, but in some cases not as expensive as not
> having one.
>
> Our fiscal sponsorship agreement with the SFC provides for some
> specific cases where the SFC might provide legal assistance, but I'm
> not really sure if this is one of them.  You could ask the SLOB to
> communicate on your behalf with the SFC to see if this is an area
> where they can provide any advice.
>
> cjl
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 17 May 2016 14:21:12 -0400
> From: Dave Crossland <dave at lab6.com>
> To: Samuel Greenfeld <samuel at greenfeld.org>
> Cc: sugar-sur at lists.sugarlabs.org, iaep <iaep at lists.sugarlabs.org>
> Subject: Re: [IAEP] Sugar network / School Network
> Message-ID:
> 	<CAEozd0zXpGfO0VWo+pcy9fKf0LL=5F2PWmKkuym7+cogjp-3ZQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Sam
>
> On 17 May 2016 at 13:55, Samuel Greenfeld <samuel at greenfeld.org> wrote:
>
>> I think there may be a difference between research studies and privacy law
>> related to collecting general user statistics.
>>
> I assert there is :)
>
>
>> This might be untested though, and for Sugar, both studies on how children
>> use it as well generic statistics straight from the application(s) may be
>> useful.
>>
> I'm sure they are.
>
>
>> I'm not interested in age/grade, or their specific IP addresses :)
>>> What information do you think is safe to collect?
>>>
>> At this point in time, I'm not going to speculate.  It's too easy to take
>> multiple identifiers (such as Name and Zip/Postal Code) and uniquely
>> identify someone the vast majority of the time.
>>
> Sure, I wouldn't want to collect either of those.
>
>
>> IP Addresses, Serial numbers, GUIDS/UUIDs, etc. all could be considered
>> uniquely or near-uniquely identifying of a person depending on the country.
>>
> Yep, if those can not be avoided in transmission (eg IPs) then they should
> not be retained.
>
>
>> Leah at OLPC might be able to tell you some things.  But at the same time
>> she likely would have to point out she isn't your lawyer and cannot provide
>> you or Sugar Labs legal advice.
>>
> I couldn't find her contact details from a quick search; please ping me how
> can I contact her offline :)
>
>
>> If you want to know the gritty details of how this all works, you really
>> need to speak to a compliance specialist (which the Conservancy might be
>> able to point Sugar Labs to), and not ask for legal advice in a public
>> forum :)
>>
> I am not worried nor very interested in the details; since so many of you
> appear to be worried, I think it is worth following your advice to speak
> with a lawyer.
>
>
>> I want to understand which activities are used, in which languages, and in
>>> which countries. None of the above is needed for that.
>>>
>> As long as you don't care about which machine(s) calls in how often and
>> carefully toss away (& don't log) anything which could identify a user, I
>> believe this is feasible.
>>
> Great!
>
>
>> What the criteria would be in order to get an application that calls home
>> in various distros would gave to be determined, although many distros have
>> things like Firefox which do this already.
>>
> Exactly :)
>
>
>> There would be some bias the results based on how well any particular
>> user/country has Internet access.
>>
> I think that's easy to design around: the usage data can be logged locally
> and then exported from an XO in an offline deployment to a USB drive/SD
> card and make its way over the sneakernet to Sugar Labs.
>
>
>> How this gets disclosed to users would have to be determined.
>>
> Since you have a clear idea about this, please draft something :)
>
>
>> Sugar already asks for user's grade and gender on first boot even if no
>> statistics engine is in place, so there may have to be some sort of privacy
>> policy or other explanation of what's going on
>>
> Where can I read more about that from the time it was introduced?
>