This was extracted (@ 2022-07-20 15:10) from a list of minutes which have been approved by the Board.
Please note: the Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

Meeting times vary; the exact schedule is available to ASF Members and Officers. Search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).

Data Privacy

15 Jun 2022

 Discuss https://whimsy.apache.org/board/agenda/2022-05-18/Data-Privacy
 with VP Data Privacy

 Privacy has received several "data removal requests" for mailing lists,
 but all of them were denied. In addition, we have asked for feedback for our
 upcoming new mailing policy:
 https://privacy.apache.org/policies/mailinglist-policy.html
 It was received positively and will be put into action very soon.

 The next policy to be done will be the contributors policy.

 The infra team has supported us to improve the wording on Bugzilla:
 https://issues.apache.org/jira/browse/INFRA-23326?filter=-2
 This was necessary due to a request of removal by a Bugzilla user (complaining about an email sent by Bugzilla).

 A similar issue can be found here:
 https://issues.apache.org/jira/browse/INFRA-23011?filter=-2
 which warns users about the public nature of our mailing lists.

 Other than that, no other notable incidents happened.

 @Christian: pursue a resolution for ratifying data privacy policy

15 Jun 2022

A report was expected, but not received

18 May 2022

Privacy has received several "data removal requests", but apart from that, no
bigger issues.

We have published our privacy policy for public services (for all visitors on
websites): https://privacy.apache.org/policies/privacy-policy-public.html

With the announcement we have received generally good feedback. At this point,
already 22 projects have migrated to Matomo, the new ASF service we provide:
https://analytics.apache.org/

VP Data Privacy is grateful for the help of some volunteers, specifically
Martijn Visser, who was recently elected as committer, but also helps a lot
with creating new accounts on Matomo.

One interesting question was raised on the mailing list regarding the
"enforcement" of those policies. If interested in the context:
https://lists.apache.org/thread/vf4drk82so4k4tcw188h9370grzy8wz1

As it was explained, the privacy office can only give recommendations to apply
privacy practices, but cannot enforce it. As per GDPR, the board is
responsible for ultimately enforcing the privacy policy. This is a duty which
cannot be outsourced.

If the privacy policy is not enforced to all projects, we cannot consider our
organisation GDPR compliant. I ask the board to give a recommendation how the
privacy policies worked on in the privacy office (as part of the president
office) should be enforced (or if).

At the moment privacy list is not yet cleared of all open requests, but once
the number of requests goes down, a proposal for the new "mailing list policy"
and also "committer policies" will follow.

Policy-wise, end of summer might be a good time to think of the ASF as GDPR
compliant. Implementation-wise, it will be difficult to convince all projects
to support the new privacy policy or have the work done. An answer to the
above question about enforcement of the GDPR will definitely help.

20 Apr 2022

A report was expected, but not received

16 Mar 2022

The ASF is on its way to remove Google Analytics. As a replacement for
projects who need website analytics we have discussed using Matomo.

The new Matomo instance is running (in beta) for some projects:
https://matomo.privacy.apache.org/

Thanks to Martijn Visser and Benjamin Marwell for making this happen.

A draft for the message of website policy changes can be found here:
https://docs.google.com/document/d/1HQibaSbfoioGAW4ugvo8meA_oDJ6Lz6VNUeOXtvnd7Y/edit
Some feedback was already worked in. In a few days this message will be sent,
unless there is further feedback.

We have been granted a "premium" account for free for a tool called
"Mine", which sends us user complaints. I am still undecided if this is a good
thing to use or if it is necessary to use it.

Usual discussions and daily operations aside, there is nothing more to report.
Once the above mentioned email is out, I expect the privacy list will have to
handle support questions.

16 Feb 2022

We have installed Matomo (Google Analytics replacement) on a Privacy
maintained VM. Two projects are currently trying out if the software is
meeting our requirements (Apache Flink and Apache Shiro). Once we learn more
about the system, VP Privacy will send out a first email informing the
projects about the upcoming changes to privacy (and asking for feedback).

On another note we have received many privacy complaints from users who used
the Mine software (saymine.com). This software analyses emails and makes
assumptions about unused "accounts". Because some users received emails from our
email lists, Mine recommended to contact us. These emails mentioned there "is
proof". I have looked into Mine and tried the "free account". All emails I
found were "false positives" and it looked like people unsubscribed at some
point. I contacted Mine so they don't recommend sending us further emails;
outcome is still open.

Another request to sign a DPA with Warner Bros was rejected; the law firm
contacting us was searching for "Apache Solutions Ltd".

Apart from that only routine work was done.

19 Jan 2022

Data Privacy is currently in the process of finishing the webpage privacy
statement. We are currently working in feedback and trying to find a way to roll
out the new policy. The board can expect more on this in the next two, three
weeks.

According to the Austrian and German DSB (data privacy agencies), Google
Analytics is no longer allowed in the EU because it is not compliant with the
GDPR:
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257_(D155.027)

For this reason, I believe it is necessary to remove Google Analytics from our
websites. There is a proposal to use Matomo, which is compliant. The current
idea is to add ASF volunteers to a privacy committee, which is responsible for
maintaining and supporting a VM running Matomo for the whole ASF.

Apart from these next steps, there is only "business as usual". Some requests
for data removal, all of them not valid, were made. A higher level of spam was
observed with moderation.

15 Dec 2021

A report was expected, but not received

17 Nov 2021

No items requiring board attention for now.

Discussion around "user website tracking" à la Google Analytics started at the
mailing list.

20 Oct 2021

A report was expected, but not received

15 Sep 2021

Due to relocation no progress policy-wise was made this month.

The mailing list was moderated and responses to deletion requests were given.

No other requests were made so far.

18 Aug 2021

Due to holiday seasons and personal changes not much has changed since the
last report and nothing which requires board attention.

For the next report I expect movement in applying the new policies mentioned
in the previous report.

21 Jul 2021

Data removals:

There was one serious request to remove data; however, it turned out the 18
year old emails are not hosted by the ASF.

General activities:

We have drafted the new website policy:
https://privacy.apache.org/policies/privacy-policy-public.html

There are also new draft versions of internal policies for mailing lists and
websites: https://privacy.apache.org/policies/

Initial work on the catalog of services was done as well
(with focus on public facing services).

Several data protection agreements (DPAs) were collected. We are well on our
way to have working privacy policies for our public webpages soon.

Next action items:

 - complete and communicate new policies
 - clarify with infra if self hosted plausible.io is a possible alternative to
   Google Analytics
 - work on contributor and committer privacy policies

16 Jun 2021

There is nothing new to report in this period.

Interesting items:

 - We had one data removal request, but the requestor did not clarify their
   country of origin

Next action items:

 - A discussion about member PI was "finished", but has not had any
   consequences yet.
 - collect more DPAs
 - discourage Google Analytics
 - Update privacy terms on the main website

19 May 2021

There were no issues requiring board attention so far.

Changes:

VP Privacy will maintain this directory for now:
https://svn.apache.org/repos/private/foundation/dataprivacy/
It will contain recent requests, TODOs, DPAs and general discussions.
"User requests" should be privacy-committee only.

A basic website was created here which will contain FAQ and policies:
https://privacy.apache.org/

Interesting items:

- one data removal request (Jira) was done without problems
- one data removal request was denied since the request did not look legit
- discussion about ICLA and how to store it took place, no conclusion so far

Next action items:

- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website

21 Apr 2021

A report was expected, but not received

17 Mar 2021

A report was expected, but not received

17 Feb 2021

A report was expected, but not received

20 Jan 2021

A report was expected, but not received

16 Dec 2020

A report was expected, but not received

18 Nov 2020

A report was expected, but not received

21 Oct 2020

A report was expected, but not received

16 Sep 2020

A report was expected, but not received

19 Aug 2020

A report was expected, but not received

15 Jul 2020

A report was expected, but not received

17 Jun 2020

A report was expected, but not received

20 May 2020

Dirk has been recruited as a Special Adviser to the Dutch and EC with regard
to architecture, privacy, anonymity and what not around the Corona response
effort. Including the public oriented app. So, he won't have any available
time for the ASF over the next 3 to 5 weeks.

Christian Grobmeier has volunteered the following report for the privacy
effort:

So far, we have one missing report and also one open privacy incident (basic
request for deleting user data from the OOo forums). The incident has not
been responded to so far.

I have asked for feedback on how I'd handle this request, but no response. I am
not happy with performing any actions without approval.

Does the board have any input/ideas/suggestions here?

15 Apr 2020

Apologies for a late report - Corona related things took over.

No substantial process on the organisational side.

Few RQ related things got processed in time, communicated timely to
requestor, etc. Currently no tickets open that require action or have
deadlines. One ticket 'dead' where the requestor's email ceased to work (and it
may have been a fluff/experimental/vigilante style request).

18 Mar 2020

Operational: First genuine GDPR request (removal) handled; but actual
governance & long term recording not yet sorted properly (e.g. making sure
that the details of this request are automatically purged when they hit
Delaware record law limits, etc).

Strategic: Not made as much progress as I wanted - largely due to the chair
(personally) being swamped & not enough delegation.  The latter should become
unstuck as we start creating deliverables.

Next: Define these deliverables/plan; find 3-6 volunteers for the operational
part & write down SOPs; talk to infra to figure out what is practically
possible around retention.

19 Feb 2020

My personal take is that there are now enough people on the list (-and- the 12
`sample' cases discussed so far seem to all have headed for sufficient
consensus) that it is fair to now draft what should be our GDPR stance from
which we can derive a guideline and policy. And with that concept not coming
as a surprise.

We have about 6 more legal/complex points for experts so far (such as to what
extent can you push things back for `self service' to the complainant). These
may require legal attention at some point.

Actual GDPR and similar requests: two in flight; neither contentious. Tracked
in JIRA.

15 Jan 2020

Progress: Work rekindled.

- Call for any interested members gone out to subscribe to privacy@; people
 moderated through.

- General approach mail gone out & slowly posting a list of around 20 example
 cases (most collected over the past 12 months).

- Speaking to pro-bono and specialist (but paid) legal folks to get the lay of
 the land (Delaware, but wanting to do this right in CA, EU and UK - despite
 conflicting rules).

- Dealing with one 'want to be forgotten' request; next step here is to get a
 private JIRA set up - or postpone & keep this in a president private SVN
 repo for now.

Problems: None yet

Plan: Go through a set of examples to derive what we value as a community and
then work top down again. Establish a private JIRA or similar. Establish a
private channel to operations. Figure out if some of our existing (iCLA filing
services) can be subverted to also handle the mechanical aspect of things and
what they need (beyond a runbook).

18 Dec 2019 [John Kinsella / Shane]

Having been unable to devote enough time to the role John Kinsella has
indicated privately that he wishes to stand down. Given the need for action to
unblock operational risks a proposal to move the VP role to the President has
been added to the agenda as item 7B. Dirk-Willem van Gulik has agreed to
volunteer. (danny@)

20 Nov 2019

A report was expected, but not received

16 Oct 2019 [John Kinsella / Shane]

(Apologies for delay in getting this report in. Setting reminder to go off a
 little earlier next month)

October was quieter than intended - got initial wiki page and call for
volunteers out. Intention is doing a "soft launch" to members@, then after a
week or two of hopefully wise Member feedback, opening volunteer call to wider
committers@.

Outside, engaging with privacy/legal contacts with hope of getting them to
contribute in some manner, as well.

As requested in last month's (good) feedback, will list goals for the coming
months for the next quarter or so as momentum is established.

October Goals
* Grow privacy-discuss subscribers
* Gather feedback on initial topics/priorities for Data Privacy to address
* Build out wiki with assistance from others - I can write this, but intent is
  to get community to contribute.

Stats for September 2019:
* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues
* Next report will start to report on subscription/discussion stats.

18 Sep 2019 [John Kinsella / Ted]

After too long a period of silence (emailed last report April 2019[1] - just
noticed it doesn’t seem to have made it to whimsy), renewing push to get Data
Privacy up and running.

Structure for data-privacy has been set up - mailing lists[2][3], jira
group[4], and wiki[5] created.

Since last board report, have talked with others with previous
experience/thoughts on ASF data privacy topics. Short-term goal is to start
outlining topics to address and areas of help needed on the wiki, then send
call for volunteers to members@a.o.

Goal right now is to start to get volunteers involved, come up with list of
priorities, and start being more useful to requests from projects.

I've been reviewing report formats from others, will be adding a bit more
structure to this in coming months, along with several calendar reminders.
Also planning a chat room for more interactive and regularly scheduled
discussions to continue to drive movement.

Stats for August, 2019:
 * 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
 * 0 closed issues

1: https://lists.apache.org/thread.html/6ac38660931f60d3634aaab569967c5261004c78ff070a56a1be3655@%3Coperations.apache.org%3E
2: privacy@apache.org - 1 person has already organically found and subscribed.
3: privacy-discuss@apache.org
4: https://issues.apache.org/jira/projects/PRIVACY/issues
5: https://cwiki.apache.org/confluence/display/PRIVACY/Home

21 Aug 2019 [John Kinsella / Joan]

There has been no report from the VP.

Activity: I have kicked off call for volunteers on board@ and reached out to
incumbent VP today 21-Aug

Next steps: Engage volunteers and agree definition of done, define next
steps/mechanism to clarify the role, report back to the board.

danny@

17 Jul 2019

A report was expected, but not received

19 Jun 2019

A report was expected, but not received

15 May 2019 [John Kinsella / Roman]

Working on setting up structure for data-privacy. Modified
personnel-duties/vp-data-privacy.txt, will update further once mailing lists
are set up. Stalled on setting up mailing lists as I was going to start
conversation on legal ML first, but just going to create lists and run with
it.

Working on syncing up with others who have worked on data-privacy matters over
the last year and talked to counsel. Once that's accomplished, will start work
to review data privacy policy and engage with projects looking for assistance.

Stats for April, 2019:
 * 2 open Jira tickets
 * 0 closed issues

17 Apr 2019

A report was expected, but not received

20 Mar 2019

A report was expected, but not received

20 Feb 2019

A report was expected, but not received

16 Jan 2019

A report was expected, but not received

19 Dec 2018

A report was expected, but not received

21 Nov 2018 [Chris Mattmann / Shane]

The RFC period is underway for our draft privacy policy. Several members and
VP infrastructure have weighed in. I will continue to collect feedback through
the CY, and publish the draft in Jan 2019 with whatever feedback and comments
received by then. Keep them coming.

17 Oct 2018 [Chris Mattmann / Rich]

This month we will send an RFC to the board and legal on our updates to the
ASF data privacy policy that VPs Infrastructure and Privacy worked on. The
draft is currently in GDocs and we should move it to a draft ASF page on the
web site.

19 Sep 2018 [Chris Mattmann / Isabel]

Nothing much to report this month other than still working on the Privacy
Draft. For those interested, contact myself or VP, Infra to see a draft.

15 Aug 2018 [Chris Mattmann / Phil]

VP, Infra, VP, Data Privacy & Legal, and our counsel had a telecon on 7/19 and
discussed ASF strategy with respect to the EU's General Data Protection
Regulation (GDPR).

We have decided to continue with our updates to the infrastructure
team's mail archival policy and our policy and procedures for how we deal
with removal requests. The policy updates are currently under review by
Legal, and Data Privacy and we expect to publish them in the next month.

We have received a few GDPR requests, with only one current request being
actively worked, and few queued as far as I can tell (less than 5).