I didn't want to be break this story over here but since no one else seems to be posting about it here I am sharing a screenshot from the other side with @scan's post.
-
@poohlaga hi Lauren, sorry to make your acquaintance on such an unpleasant matter. While I am glad to hear that you are using them only in "rare edge cases" it seems that their API is getting directly integrated into Open Collective's code base (https://github.com/opencollective/opencollective-frontend/pull/11988)
I think for the present moment there needs to be a very clear statement about *exactly* how you are using Persona and what data and what edge cases would end up triggering you to initiate sending *any data* to their API.
@liaizon Yes, I have a draft response on how we intend to use the platform connection, but I'd like the engineers to review it for accuracy, as the feature is still in development.
I will say it was fundamental for us that any personal data entered in Persona remain in Persona and any user information on the platform remain on the platform. We are not passing any user data from the platform to Persona. And if a user elects not to do our KYC with Persona, then we do our best to find another way. -
@liaizon @opencollective i don't understand any of this. is this one second away from them implementing a persona *killswitch*, and debating what "persona" actually *means*?
@malte which part don't you get? why they are shooting them selves in the foot?
-
@malte which part don't you get? why they are shooting them selves in the foot?
@liaizon what this "bridge" is, and who the hosts are that potentially need a kyc-persona. i'm lost when people start using abbreviations, and i'm doubly lost when they shroud those abbreviations in vague abstractions.
-
@poohlaga hi Lauren, sorry to make your acquaintance on such an unpleasant matter. While I am glad to hear that you are using them only in "rare edge cases" it seems that their API is getting directly integrated into Open Collective's code base (https://github.com/opencollective/opencollective-frontend/pull/11988)
I think for the present moment there needs to be a very clear statement about *exactly* how you are using Persona and what data and what edge cases would end up triggering you to initiate sending *any data* to their API.
@liaizon Regarding edge cases, the most common are when we are unable to verify the payee's identity or when they are in a jurisdiction flagged by US sanctions. Roughly .005% of expenses each month are flagged. Additionally, for each flagged expense, we communicate what is blocking us from moving the payment forward and offer alternatives so we can resolve the issue in a way the payee also feels comfortable with.
-
@liaizon @scan Hi, Lauren here. I'm the ED of OSC and happy to chat. In this expense, the payee was presented with options that would not require a KYC with Persona; they confirmed, so we will be able to pay them through this method. KYC's are a rare edge case for us and are not issued on all expenses.
I will publish a general statement on the OSC updates page - but yes. We started using Persona before the news broke. We are currently looking for non-US providers and are open to suggestions. -
@liaizon Yes, I have a draft response on how we intend to use the platform connection, but I'd like the engineers to review it for accuracy, as the feature is still in development.
I will say it was fundamental for us that any personal data entered in Persona remain in Persona and any user information on the platform remain on the platform. We are not passing any user data from the platform to Persona. And if a user elects not to do our KYC with Persona, then we do our best to find another way.@poohlaga the statement "We are not passing any user data from the platform to Persona" makes no sense in this context. You are integrating Persona's API into the platform. You are paying money to Persona to process the personal data of people on Open Collective. Why are you even considering using Persona at all? Using them is antithetical to every point that Open Source Collective lists in your "Values"
-
Because of Open Collective's belief in transparency, you can see directly how much @OpenSourceCollective is paying to use Persona and when those payments started:
https://opencollective.com/opensource/transactions?searchTerm=persona&kind=ALL
hey @Wtebbens have you seen this thread? seeing as you just set up a fiscal host on Open Collective and have been talking about the need to move away from Big Tech I would think chiming in, in this situation would be useful
-
Open Collective is adding KYC from Peter Thiel backed Persona. If you are not familiar with Persona: https://www.openrightsgroup.org/press-releases/roblox-reddit-and-discord-users-compelled-to-use-biometric-id-system-backed-by-palantir-co-founder-peter-thiel
Here is the github issue where its being worked on:
https://github.com/opencollective/opencollective/issues/8609@liaizon yikes! thanks for getting the word out about this!
-
@liaizon yikes! thanks for getting the word out about this!
@jdp23 your welcome, I wish I didn't have to be in the position to be posting about this at all. But open collective is super important as a funding source and the one that so much of the fediverse relies on. I think we really need to convince them to change course on this.
-
RE: https://social.wake.st/@liaizon/116206925371202010
I didn't want to be break this story over here but since no one else seems to be posting about it here I am sharing a screenshot from the other side with @scan's post.
@liaizon @scan
> you can see directly how much @OpenSourceCollective is paying to use PersonaI am more interested in the reverse flow. As I just can not imagine someone within the FLOSS environment did not due dilligence about "third party contribution". The first page of nojs DDG search is full of "persona" warnings so it flashes.
-
@liaizon Regarding edge cases, the most common are when we are unable to verify the payee's identity or when they are in a jurisdiction flagged by US sanctions. Roughly .005% of expenses each month are flagged. Additionally, for each flagged expense, we communicate what is blocking us from moving the payment forward and offer alternatives so we can resolve the issue in a way the payee also feels comfortable with.
-
@poohlaga the statement "We are not passing any user data from the platform to Persona" makes no sense in this context. You are integrating Persona's API into the platform. You are paying money to Persona to process the personal data of people on Open Collective. Why are you even considering using Persona at all? Using them is antithetical to every point that Open Source Collective lists in your "Values"
@liaizon Not antithetical at all. If someone chooses to not do the KYC with Persona, we respect their privacy and will offer other solutions. And no, we are not passing any user data to Persona. The integration is only intended for us (fiscal host admins) to copy/paste the persona inquiry ID into a reference field in the OC platform to make it easier for us to link into Persona later to check on the verification status. That's it. The ID# and the status is all we bring from Persona to OC.
-
@liaizon Not antithetical at all. If someone chooses to not do the KYC with Persona, we respect their privacy and will offer other solutions. And no, we are not passing any user data to Persona. The integration is only intended for us (fiscal host admins) to copy/paste the persona inquiry ID into a reference field in the OC platform to make it easier for us to link into Persona later to check on the verification status. That's it. The ID# and the status is all we bring from Persona to OC.
@liaizon and again, it's the user's choice, and they can always opt out.
-
@liaizon and again, it's the user's choice, and they can always opt out.
@poohlaga demanding users verify themselves by 'other means' is not "opting out", its asking them to choose if they want to be shot with a shotgun or a pistol, either way their still shot- where is the option to _not_ "verify my identity"
-
@nullagent @liaizon @scan
> build services in a heartbeatI believe that when I see it
@sef @nullagent @liaizon @scan big FOSS developers have no problem actively maintaining and contributing to mass survailence and fascism, its been shown time and time again at this point
like yknow i feel like we all got the gist of how these things will go.. we all say 'hey what the fuck why are you doing "identity verification" let alone with fucking surveillance state company
they give some speil about """safety""" and [insert scapegoat here].. and basically ends up with 'fuck you were doing it anyway' ..
this is how it goes every fucking time
-
@liaizon It's always nice to hear from users, and on behalf of the project, thanks for your kind words! I agree that this is an unfortunate decision - made independently by both Open Collective and Open Source Collective, it seems - that has the potential to harm lots of FOSS maintainers. I hope you can understand that it is, well, a delicate matter to raise complaints against the very organization that holds >80% of our funds, but I shall do my best to address this with sensitivity and expediency.
-
@opsocket @liaizon
We're indeed adding a persona integration on the platform to help Open Source Collective manage their KYC program. It is not something we're forcing on anyone, just a bridge we're creating for fiscal hosts relying on this service.For the rest, I'll let Open Source Collective comment.
They're aware of this thread and are preparing a reply as we speak.
oh boy i sure cant wait for the next round of 'we heard your concerns and we totally understand.. and listening to feedback .. anyway here is some spiel about ""safety"" and [insert scapegoat here] .. so fuck you were doing it anyway.'
-
RE: https://social.wake.st/@liaizon/116206925371202010
I didn't want to be break this story over here but since no one else seems to be posting about it here I am sharing a screenshot from the other side with @scan's post.
@liaizon @scan hey, uh, @OpenSourceCollective, what the fuck?
-
@wcbdata @liaizon @scan Thanks, we agree. We recognize that identity verification raises legitimate privacy concerns, especially in the open source ecosystem.
If you know of identity verification providers that operate outside the US, and align with strong privacy standards, we would love suggestions.
Handling funds responsibly while respecting the privacy of contributors and maintainers is a balance we take very seriously.
-
S snue@radikal.social shared this topic
-
@liaizon @jowek @ukrudt @tak @ruben @magnus
Yes haven't checked out the state of petition-software lately.
One low effort/complexity way of doing it would be to write a letter in ukrudt's hedgedoc and just ask projects to sign it if they agree - sign it by way of writing their name in the bottom: https://hedgedoc.ukrudt.net/ - we can then create a public read-only link and share that.
