
This was extracted (@ 2023-09-20 21:10) from a list of minutes
which have been approved by the Board.
Please Note
The Board typically approves the minutes of the previous meeting at the
beginning of every Board meeting; therefore, the list below does not
normally contain details from the minutes of the most recent Board meeting.
WARNING: these pages may omit some original contents of the minutes.
# General

No issue requiring board attention at this time.

- We published our first guide to help with ASF event photography: https://privacy.apache.org/guides/event-photography.html
A report was expected, but not received
# General

No issues requiring board attention at this time.

## First online meeting on 28 Jun 2023

One of the roles of the DPO is to educate. I am trying a new format in the form of an online meeting to respond to all questions committers might have around their projects, websites or just in general.

# Recommendations

## Add subscription information to every new subscriber of a mailing list

Tracked as: https://issues.apache.org/jira/browse/INFRA-23011?filter=-2 (open since 18/Mar/22)

Adding this kind of information will tell users how mailing lists work and we can act based on user consent.

## Access to ICLAs should be more restrictive

This task is currently work in progress.
No issues requiring board attention. A few emails were received on the VP's address, but most of them were spam.
No specific issue which requires board attention. Usual activities: requests for data erasure were responded to, Matomo IDs were added. There were no conversations that needed specific highlighting. The ASF Trademarks team has reported that a 3rd party has used our logo without permission after being added to the privacy policy. To avoid this kind of thing, VP Privacy will add a note to 3rd parties to contact ASF Trademarks when there is an idea to use our brands. Also, we will make sure to notify trademarks@ and operations@ three days before we add a provider to the privacy policy. This planned change to the process will be documented on the privacy website for future VPs and will probably be adjusted with the input of the privacy@ mailing list once it is published there for discussion.
A report was expected, but not received
There was almost no activity in the past month. One data removal request was fulfilled.
Privacy Policy: We have submitted a new attempt at getting the privacy policy for public websites ratified. Some projects said they would only apply this privacy policy if it is approved by the board. As there always might be a language barrier, here is the intent of what I am trying to achieve: to have a common, generic privacy policy all projects follow. This of course has some impact. For example, Google Analytics cannot be used anymore. Instead, the policy provides an alternative in the form of Matomo. Question: Updates to this policy may be necessary when new data processors are added or services are altered. I would like to send updates to the board so they can be vetoed in a lazy way. Is this process acceptable for you?

Operations: I have added Scarf and DinoSource ApS to the list of vendors. Scarf is a new service asked for by some projects to track their download statistics. The service supports the GDPR and the company was also cooperative when working with them. DinoSource is providing PonyMail and was known as Quenda before. The DPA was filed earlier, but without signature, and adding DinoSource was just a formality. We had some removal requests. Automated requests were rejected. One personal request was rejected as well since it implied mailing list removals. So far, no rejections received any follow-ups.

Next goals: The privacy office will work harder on committer privacy once the public privacy policy is ratified. Also, I'd like to find a system to help projects migrate to the new policy.
There is a proposed privacy resolution on the agenda. We were receiving many requests for data deletion from a tool called "Mine". I have decided to ignore those requests as they are unjustified in most cases and automatically sent. From a privacy perspective, I am also very happy to see the Infrastructure team supporting our efforts greatly by proactively working on better privacy for LDAP and taking over control of the Matomo (Web Analytics) instance. The latter will not only lead to more professionally cared-for services but also help to handle the additional load which we might have from applying the privacy policy to our websites. There is minor activity around a new DPA with Scarf and work on further policies.
A report was expected, but not received
Currently a draft of an upcoming resolution has been posted here for review: https://lists.apache.org/thread/zh3hpzqbk677ttotltjyqqmm3r824kp8 I have not submitted it yet, since I hope for more feedback first. A first draft for the committer policy exists here: https://privacy.apache.org/policies/privacy-policy-committer.html I am also trying to collect all open issues in a document now, as current issues are hard to track as it is. We keep getting requests from tools like "Mine" which basically search email inboxes and complain if you ever received an email from the ASF, like a subscription confirmation or similar. I will need to read up on whether this kind of "mass complaint" has to be handled or can be ignored. Apart from that, no unusual activities.
Data Privacy was out of office most of August and partially in September. All important messages (mailing list and private messages) were responded to. I have recognised more messages coming in from tools like "privacy hawk" or similar. I am in contact with them to see if we can reduce the often unjustified messages. I am also in touch with "Scarf" to complete work on usage of this tooling too. Next tasks will be to submit the privacy resolution (as discussed) for the next board meeting and complete other privacy policy related tasks (committer policy, members policy etc.).
A report was expected, but not received
A report was expected, but not received
Discuss https://whimsy.apache.org/board/agenda/2022-05-18/Data-Privacy with VP Data Privacy

Privacy has received several "data removal requests" for mailing lists, but all of them were denied. In addition, we have asked for feedback on our upcoming new mailing policy: https://privacy.apache.org/policies/mailinglist-policy.html It was received positively and will be put into action very soon. The next policy to be done will be the contributors policy. The infra team has supported us in improving the wording on Bugzilla: https://issues.apache.org/jira/browse/INFRA-23326?filter=-2 This was necessary due to a removal request by a Bugzilla user (complaining about an email sent by Bugzilla). A similar issue can be found here: https://issues.apache.org/jira/browse/INFRA-23011?filter=-2 which warns users about the public nature of our mailing lists. Other than that, no other notable incidents happened.

@Christian: pursue a resolution for ratifying data privacy policy
A report was expected, but not received
Privacy has received several "data removal requests", but apart from that, no bigger issues. We have published our privacy policy for public services (for all visitors on websites): https://privacy.apache.org/policies/privacy-policy-public.html With the announcement we have received generally good feedback. At this point, already 22 projects have migrated to Matomo, the new ASF service we provide: https://analytics.apache.org/ VP Data Privacy is grateful for the help of some volunteers, specifically Martijn Visser, who was recently elected as committer, but also helps a lot with creating new accounts on Matomo. One interesting question was raised on the mailing list regarding the "enforcement" of those policies. If interested in the context: https://lists.apache.org/thread/vf4drk82so4k4tcw188h9370grzy8wz1 As was explained, the privacy office can only give recommendations to apply privacy practices, but cannot enforce them. As per GDPR, the board is responsible for ultimately enforcing the privacy policy. This is a duty which cannot be outsourced. If the privacy policy is not enforced for all projects, we cannot consider our organisation GDPR compliant. I ask the board to give a recommendation on how the privacy policies worked on in the privacy office (as part of the president's office) should be enforced (or if). At the moment the privacy list is not yet cleared of all open requests, but once the number of requests goes down, a proposal for the new "mailing list policy" and also "committer policies" will follow. Policy-wise, the end of summer might be a good time to think of the ASF as GDPR compliant. Implementation-wise, it will be difficult to convince all projects to support the new privacy policy or have the work done. An answer to the above question about enforcement of the GDPR will definitely help.
A report was expected, but not received
The ASF is on its way to removing Google Analytics. As a replacement for projects that need website analytics we have discussed using Matomo. The new Matomo instance is running (in beta) for some projects: https://matomo.privacy.apache.org/ Thanks to Martijn Visser and Benjamin Marwell for making this happen. A draft for the message about website policy changes can be found here: https://docs.google.com/document/d/1HQibaSbfoioGAW4ugvo8meA_oDJ6Lz6VNUeOXtvnd7Y/edit Some feedback has already been worked in. In a few days this message will be sent, unless there is further feedback. We have been granted a "premium" account for free for a tool called "Mine", which sends us user complaints. I am still undecided if this is a good thing to use or if it is necessary to use it. Usual discussions and daily operations aside, there is nothing more to report. Once the above mentioned email is out, I expect the privacy list will have to handle support questions.
We have installed Matomo (Google Analytics replacement) on a Privacy maintained VM. Two projects are currently trying out whether the software meets our requirements (Apache Flink and Apache Shiro). Once we learn more about the system, VP Privacy will send out a first email informing the projects about the upcoming changes to privacy (and asking for feedback). On another note, we have received many privacy complaints from users who used the Mine software (saymine.com). This software analyses emails and makes assumptions about unused "accounts". Because some users received emails from our email lists, Mine recommended contacting us. These emails mentioned there "is proof". I have looked into Mine and tried the "free account". All emails I found were "false positives" and it looked like people unsubscribed at some point. I contacted Mine so they don't recommend sending us further emails; the outcome is still open. Another request to sign a DPA with Warner Bros was rejected; the law firm contacting us was searching for "Apache Solutions Ltd". Apart from that only routine work was done.
Data Privacy is currently in the process of finishing the webpage privacy statement. We are currently working in feedback and trying to find a way to roll out the new policy. The board can expect more on this in the next two or three weeks. According to the Austrian and German DSB (data privacy agencies), Google Analytics is no longer allowed in the EU because it is not compliant with the GDPR: https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257_(D155.027) For this reason, I believe it is necessary to remove Google Analytics from our websites. There is a proposal to use Matomo, which is compliant. The current idea is to add ASF volunteers to a privacy committee, which is responsible for maintaining and supporting a VM running Matomo for the whole ASF. Apart from these next steps, there is only "business as usual". Some requests for data removal, none of them valid, were made. A higher level of spam was observed with moderation.
A report was expected, but not received
No items requiring board attention for now. Discussion around "user website tracking" à la Google Analytics started on the mailing list.
A report was expected, but not received
Due to relocation no progress policy-wise was made this month. The mailing list was moderated and responses to deletion requests were given. No other requests were made so far.
Due to holiday seasons and personal changes not much has changed since the last report and nothing which requires board attention. For the next report I expect movement in applying the new policies mentioned in the previous report.
Data removals: There was one serious request to remove data; however, it turned out the 18-year-old emails are not hosted by the ASF.

General activities: We have drafted the new website policy: https://privacy.apache.org/policies/privacy-policy-public.html There are also new draft versions of internal policies for mailing lists and websites: https://privacy.apache.org/policies/ Initial work on the catalog of services was done as well (with focus on public facing services). Several data protection agreements (DPAs) were collected. We are well on our way to having working privacy policies for our public webpages soon.

Next action items:
- complete and communicate new policies
- clarify with infra if self hosted plausible.io is a possible alternative to Google Analytics
- work on contributor and committer privacy policies
There is nothing new to report in this period.

Interesting items:
- We had one data removal request, but the requestor did not clarify their country of origin

Next action items:
- A discussion about member PI was "finished", but has not had any consequences yet.
- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website
There were no issues requiring board attention so far.

Changes: VP Privacy will maintain this directory for now: https://svn.apache.org/repos/private/foundation/dataprivacy/ It will contain recent requests, TODOs, DPAs and general discussions. "User requests" should be privacy-committee only. A basic website was created here which will contain FAQ and policies: https://privacy.apache.org/

Interesting items:
- one data removal request (Jira) was done without problems
- one data removal request was denied since the request did not look legit
- discussion about ICLA and how to store it took place, no conclusion so far

Next action items:
- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
Dirk has been recruited as a Special Adviser to the Dutch and EC with regard to architecture, privacy, anonymity and what not around the Corona response effort, including the public oriented app. So, he won't have any available time for the ASF over the next 3 to 5 weeks. Christian Grobmeier has volunteered the following report for the privacy effort: So far, we have one missing report and also one open privacy incident (basic request for deleting user data from the OOo forums). The incident has not been responded to so far. I have asked for feedback on how I should handle this request, but no response. I am not happy with performing any actions without approval. Does the board have any input/ideas/suggestions here?
Apologies for a late report - Corona related things took over. No substantial progress on the organisational side. A few RQ related things got processed in time, communicated timely to the requestor, etc. Currently no tickets open that require action or have deadlines. One ticket 'dead' where the requestor's email ceased to work (and it may have been a fluff/experimental/vigilante style request).
Operational: First genuine GDPR request (removal) handled; but actual governance & long term recording not yet sorted properly (e.g. making sure that the details of this request are automatically purged when they hit Delaware record law limits, etc.).

Strategic: Not made as much progress as I wanted - largely due to the chair (personally) being swamped & not enough delegation. The latter should become unstuck as we start creating deliverables.

Next: Define these deliverables/plan; find 3-6 volunteers for the operational part & write down SOPs; talk to infra to figure out what is practically possible around retention.
My personal take is that there are now enough people on the list (-and- the 12 `sample' cases discussed so far seem to all have headed for sufficient consensus) that it is fair to now draft what should be our GDPR stance from which we can derive a guideline and policy. And with that concept not coming as a surprise. We have about 6 more legal/complex points for experts so far (such as to what extent can you push things back for `self service' to the complainant). These may require legal attention at some point. Actual GDPR and similar requests: two in flight; neither contentious. Tracked in JIRA.
Progress: Work rekindled.
- Call for any interested members gone out to subscribe to privacy@; people moderated through.
- General approach mail gone out & slowly posting a list of around 20 example cases (most collected over the past 12 months).
- Speaking to pro-bono and specialist (but paid) legal folks to get the lay of the land (Delaware, but wanting to do this right in CA, EU and UK - despite conflicting rules).
- Dealing with one 'want to be forgotten' request; next step here is to get a private JIRA set up - or postpone & keep this in a president private SVN repo for now.

Problems: None yet

Plan: Go through a set of examples to derive what we value as a community and then work top down again. Establish a private JIRA or similar. Establish a private channel to operations. Figure out if some of our existing (iCLA filing services) can be subverted to also handle the mechanical aspect of things and what they need (beyond a runbook).
Having been unable to devote enough time to the role John Kinsella has indicated privately that he wishes to stand down. Given the need for action to unblock operational risks a proposal to move the VP role to the President has been added to the agenda as item 7B. Dirk-Willem van Gulik has agreed to volunteer. (danny@)
A report was expected, but not received
(Apologies for delay in getting this report in. Setting reminder to go off a little earlier next month)

October was quieter than intended - got initial wiki page and call for volunteers out. Intention is doing a "soft launch" to members@, then after a week or two of hopefully wise Member feedback, opening volunteer call to wider committers@. Outside, engaging with privacy/legal contacts with hope of getting them to contribute in some manner, as well. As requested in last month's (good) feedback, will list goals for the coming months for the next quarter or so as momentum is established.

October Goals
* Grow privacy-discuss subscribers
* Gather feedback on initial topics/priorities for Data Privacy to address
* Build out wiki with assistance from others - I can write this, but intent is to get community to contribute.

Stats for September 2019:
* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues
* Next report will start to report on subscription/discussion stats.
After too long a period of silence (emailed last report April 2019[1] - just noticed it doesn't seem to have made it to whimsy), renewing push to get Data Privacy up and running. Structure for data-privacy has been set up - mailing lists[2][3], jira group[4], and wiki[5] created. Since last board report, have talked with others with previous experience/thoughts on ASF data privacy topics. Short-term goal is to start outlining topics to address and areas of help needed on the wiki, then send call for volunteers to members@a.o. Goal right now is to start to get volunteers involved, come up with list of priorities, and start being more useful to requests from projects. I've been reviewing report formats from others, will be adding a bit more structure to this in coming months, along with several calendar reminders. Also planning a chat room for more interactive and regularly scheduled discussions to continue to drive movement.

Stats for August, 2019:
* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues

1: https://lists.apache.org/thread.html/6ac38660931f60d3634aaab569967c5261004c78ff070a56a1be3655@%3Coperations.apache.org%3E
2: privacy@apache.org - 1 person has already organically found and subscribed.
3: privacy-discuss@apache.org
4: https://issues.apache.org/jira/projects/PRIVACY/issues
5: https://cwiki.apache.org/confluence/display/PRIVACY/Home
There has been no report from the VP.

Activity: I have kicked off a call for volunteers on board@ and reached out to the incumbent VP today 21-Aug.

Next steps: Engage volunteers and agree definition of done, define next steps/mechanism to clarify the role, report back to the board.

danny@
A report was expected, but not received
A report was expected, but not received
Working on setting up structure for data-privacy. Modified personnel-duties/vp-data-privacy.txt, will update further once mailing lists are set up. Stalled on setting up mailing lists as I was going to start conversation on legal ML first, but just going to create lists and run with it. Working on syncing up with others who have worked on data-privacy matters over the last year and talked to counsel. Once that's accomplished, will start work to review data privacy policy and engage with projects looking for assistance.

Stats for April, 2019:
* 2 open Jira tickets
* 0 closed issues
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
The RFC period is underway for our draft privacy policy. Several members and VP infrastructure have weighed in. I will continue to collect feedback through the CY, and publish the draft in Jan 2019 with whatever feedback and comments received by then. Keep them coming.
This month we will send an RFC to the board and legal on our updates to the ASF data privacy policy that VPs Infrastructure and Privacy worked on. The draft is currently in GDocs and we should move it to a draft ASF page on the web site.
Nothing much to report this month other than still working on the Privacy Draft. For those interested, contact myself or VP, Infra to see a draft.
VP, Infra, VP, Data Privacy & Legal, and our counsel had a telecon on 7/19 and discussed ASF strategy with respect to the EU's General Data Protection Regulation (GDPR). We have decided to continue with our updates to the infrastructure team's mail archival policy and our policy and procedures for how we deal with removal requests. The policy updates are currently under review by Legal and Data Privacy, and we expect to publish them in the next month. We have received a few GDPR requests, with only one current request being actively worked, and a few queued as far as I can tell (less than 5).