Why does Weblate want to send me spam?

Today, I received a couple of e-mails about a few of MetaBrainz’ projects moving to Weblate, hosted on MetaBrainz.org. When I followed the link, I was presented with a Terms and Conditions with the following articles:

5.1 Within the meaning of Article 7 of the GDPR the User hereby gives consent to the collecting, storage and processing of the Personal Data provided by the User to the administrator, who is the Provider, through the use of the Service; the User gives consent to the processing and use of the User’s Personal Data by the Provider, the Provider’s employees and/or the Provider’s authorised business partners. This consent is given as long as User does not remove their account from the Service.
5.2 The purpose of the processing of Personal Data as determined by the Provider is the use of Personal Data for sending commercial communications to the subject of the data (the User) through electronic means under Act No. 480/2004 Coll., on certain services of the information society, as amended, and further for business needs of the Provider’s contractual partners and for statistical purposes of the Provider.

I don’t think MetaBrainz wants to send me spam, and the Terms and Conditions have likely just been copied over from Weblate, but in that case this should be cleared up. I’d also like to be sure that my personal information doesn’t end up with Weblate’s business partners anyway through some code in the software package that MetaBrainz uses.

P.S. I was presented with the T&C’s “translated” to Dutch, probably by a drunk Google Translate. Please just disable that translation, it’s completely useless.

It’s not spam. You have been registered on my personal Weblate server hosted at translate.uploadedlobster.com. Besides some of my own projects, we had also been test-running the translation of picard-docs there.

Now we are moving this over to the new Weblate instance for MetaBrainz, and in preparation I already set the projects on my server to read only and also set up a notice about translations being moved. I was not aware this would go out by e-mail, but that’s where the e-mail you got was coming from.

If you are concerned about receiving such notifications from my Weblate instance, then you can configure your notification preferences in your user profile there.

1 Like

The way I read that, outsidecontext is the administrator\provider and their business partners would be MetaBrainz.

Not quite. So translate.uploadedlobster.com is a self-hosted instance managed by me and running on a Hetzner cloud server (so your data is on Hetzner infrastructure). MetaBrainz is not involved at all.

The MetaBrainz Weblate instance is managed by Weblate, hosted somewhere. So I think MetaBrainz is who provides this service, and Weblate and the providers hosting the service and data storage are the business partners.

No, the e-mails about the projects on metabrainz.org are not spam, that’s not what I’m worried about.

My concern is the parts of the T&C that say “the User gives consent to the processing and use of the User’s Personal Data by the Provider, the Provider’s employees and/or the Provider’s authorised business partners” and “the use of Personal Data for sending commercial communications to the subject of the data (the User)”. This implies that there are “business partners” who can send me “commercial communications” (aka spam) based on my personal data.

If you have no intention of allowing that, please remove those two articles from the Terms and Conditions or amend them.

1 Like

Those are the terms and conditions of Weblate, see Terms and Privacy. I don’t think these can be changed by MetaBrainz unless they would self-host the software instead of using the service hosted by Weblate.

I don’t think this could be removed. The GDPR requires companies to inform the user what data they process.

The section “Personal Data processed by Weblate” gives detail what data is involved (name, e-mail address, hashed password, IP, and browser name and eventually billing information). Name and e-mail are required for Weblate to function, hashed password has no relevance to the MB setup because it uses SSO via MusicBrainz.org, IP and browser Weblate uses to warn about yet unknown new logins as a security measure (e.g. I received a notification just today about my login on my second laptop). Billing information only is of concern if you actually become a Weblate customer yourself.

The part about business partners is about other companies that are involved with processing this data. This most importantly involves the hoster providing the servers on which the application runs and where data is being stored. AFAIK Weblate also uses Hetzner (like MB does). The GDPR requires all of these companies to have a data processing agreement with Weblate.

If you ask Weblate about it I think they should also provide you a list of what other companies gain access to this data.

Weblate will send you e-mails, e.g. you had just received some from my instance. Not all communication is spam, I think that’s a bit of an unfair misinterpretation from your side. Again I think the section "Purpose and legal basis of processing Personal Data" clarifies this. E.g. it says “with your express consent or instruction to carry out our business activities or send you newsletters”. So if you subscribe to a newsletter you might receive newsletters. If you enable certain e-mail notifications about events in Weblate you might receive e-mails about this.

I mean you could ask Weblate to rephrase this, but I doubt they would like to completely remove this section. Informing the user that the e-mail might be used for communication and then sending them such e-mails is ok. Not telling them and sending e-mails potentially puts you into legal trouble, no matter how well-meant the intention of those e-mails. Changing Weblate to not be able to send e-mails makes it much less useful.

1 Like

The one part of that agreement that everyone really should read and understand to avoid surprises is actually:

6.5 The User agrees to use of own name and e-mail as authorship in the VCS commits. The User understands that this grant is non revocable due to nature of the VCS.

If you do translations your name and e-mail (as set in your Weblate user profile) will be recorded in the commit history of the projects and potentially also in the translation files themselves. That’s not revocable, so choose details here you are happy to use for this purpose.

E.g. commits might end up like this:

Hang on - so that means private email addresses will be publicly available? Why?

Is Picard translation moving into this system? Or will that stay on Transifex?

Yes, we will move the translations to Weblate. That’s why we do set this up.

But translations haven’t been anonymous on Transifex either, nor have they been on Launchpad (which was used in the beginning): picard/de.po at master · metabrainz/picard · GitHub

It’s also about properly attributing the contributors and about licensing. Translations are copyrightable, and the authors place them under the project’s license.

4 Likes

I did not realise my email address was visible. I don’t mind my username appearing, but less keen at my email address. This change would mean I will have to stop translating. Sorry, it had been fun to help out, but really didn’t realise how public my personal details were.

Transifex has this, which seems to show it does not publish my email address:

Also the GitHub link you supply to Launchpad shows people optionally deleting email addresses.

I don’t mind MetaBrainz having my email address internally, but don’t want it on a public facing document that a spammer can scrape. This is how I understood Transifex worked with those above privacy options. And I can see that Picard just displays a link to my (private) Transifex page.

4 Likes

Oh my god, I didn’t know there was this checked by default in Transifex user settings!

Are they crazy defaulting such a privacy breach to yes?!

I unchecked it right away but am wondering where my email has already appeared for years.
I logged in with GitHub, thinking I would avoid most hassle by not creating real account.
But Transifex… displays my email address by default!? Wow! :exploding_head: Boom!

I should not have gone there, I already found Transifex completely not convenient to manage translations, without knowing they would even do this to me…

Update:
I have made a search and it seems my email was not published to those *.po files, hopefully!
Thanks @IvanDobsky for showing me this Transifex setting, anyway, to prevent my email being visible somewhere, starting from now!

3 Likes

I guess having an option to use a pseudonymous fake e-mail, maybe generated from the user name, would make sense. We could ask the Weblate team if they would consider that.

2 Likes

I am a little bit surprised that Weblate don’t realise this will be a classic data collection target for spammers. Scraping sites like this would be gold. Look at how Transifex do it - they link to a profile which puts the user in control of their personal data. Until the privacy issue is fixed, I will step away from the translation.

I’m quite surprised by this, because the address is [edit by @yvanzo: not public yet]. I’d expect it to be hosted by MetaBrainz.

Obviously, if my personal data is being collected, this part can’t be removed. My problem is the collection of personal data in the first place.

No, but it explicitly says “commercial communication”.

That is actually quite important to point out. It’s also a big no from me.

Thank you for pointing that out! I had to untick that box myself.

2 Likes

Ok, that puzzles me a bit. The amount of personal data is very minimal, and nobody is even requesting to expose your real name or something. You also don’t seem to have a problem with Transifex having such data, or with MusicBrainz.org, but you have an issue with having this data on this Weblate instance? Why is this?

1 Like

@mfmeulenbelt (and the few other translators having received such e-mail): Sorry about these e-mails that have been unintentionally sent while we were testing setting up a new instance of Weblate. Please ignore it for now. We will ask for testers later on but it is premature at this point and will just make things messy.

This new instance will be dedicated to MetaBrainz projects and will be hosted by the Weblate organization itself, as was last discussed six months ago.

However, this incident raised legitimate questions about the upcoming service:

  1. Weblate ToS, as @outsidecontext wrote, are not worse than Transifex ToS. We will ask Weblate if some clarification can be made to the ToS about the respective roles of MeB and Weblate orgs.

  2. Showing translator’s email address in translation files.

    • In Transifex, as @IvanDobsky demonstrated, showing your email address is optional.
      I have not seen anything similar in Weblate so far, still investigating the issue at the moment.
    • Projects have not been following the same policy so far. For example, email addresses are systematically omitted in MusicBrainz Server translation files, not in MusicBrainz Picard files.
      Once we know what would be technically feasible using Weblate, we should probably discuss the policy to be used for all MetaBrainz projects as these will be using the same Weblate instance.

More issues are likely to come up as we are currently configuring and experimenting with the new instance. Thanks for your patience and for reporting issues again. Stay tuned!

7 Likes

Single word - visibility. Anyone from the public can see it. So any Spammer’s bot can scrape the data and use it as a mailing list. When our personal data is with MetaBrainz or Transifex they are responsible to keep it private and out of public view. We trust those companies to protect our data based on their privacy policies.

Thank you @yvanzo for acknowledging this privacy issue. A privacy option like Transifex supplies would be great to see in the new system.

2 Likes

Yes, ok. That part I understand (I brought this up initially). It just sounded like there was a general concern of providing any of the personal data (which is username, e-mail and IP + browser name for login history) to that service. And in this regard Weblate uses much less data than most other services. E.g. Transifex integrates no less than 9 external tracking services into their pages, Weblate none.

For the anonymizing of e-mail addresses I have found an open issue for Weblate on GitHub: private email address · Issue #4988 · WeblateOrg/weblate · GitHub. So this is definitely something they are considering, maybe they can be convinced to handle this soon.

5 Likes

The way I see it is some of us just needed clarity as to who those business partners were and what would happen to our personal details. For me that means not selling my email address for marketing use. And I don’t think Weblate is in that dodgy business, so I would happily agree to those Ts n Cs.

Yes, there are tracking bugs on the sites. Always are. This is why many of us walk into sites like that with AdBlocks and PiHoles in use (but not wanting to go OT).

Once my email address is hidden from the public I would be a happy bunny.

BTW - that was a very useful “accidental email” you triggered as it has helped flush out this issue early on. :slightly_smiling_face:

3 Likes

Does it mean that my email address is publicly available? I do not want that.