Single word - visibility. Anyone from the public can see it. So any Spammer’s bot can scrape the data and use it as a mailing list. When our personal data is with MetaBrainz or Transifex they are responsible to keep it private and out of public view. We trust those companies to protect our data based on their privacy policies.
Thank you @yvanzo for acknowledging this privacy issue. A privacy option like Transifex supplies would be great to see in the new system.
Yes, ok. That part I understand (I brought this up initially). It just sounded like there was a general concern of providing any of the personal data (which is username, e-mail and IP + browser name for login history) to that service. And in this regard Weblate uses much less data than most other services. E.g. Transifex integrates no less than 9 external tracking services into their pages, Weblate none.
The way I see it is some of us just needed clarity as to who those business partners were and what would happen to our personal details. For me that means not selling my email address for marketing use. And I don’t think Weblate is in that dodgy business, so I would happily agree to those Ts n Cs.
Yes, there are tracking bugs on the sites. Always are. This is why many of us walk into sites like that with AdBlocks and PiHoles in use (but not wanting to go OT).
Once my email address is hidden from the public I would be a happy bunny.
BTW - that was a very useful “accidental email” you triggered as it has helped flush out this issue early on.
No, as you do not seem to be a translator. Only translators who have not checked out this privacy setting in Transifex and whose translations are used in projects that do not omit email addresses are affected.
The GDPR aimed to get some clarity into this, but the whole legal agreements every site is throwing at you are often causing more confusion than it helps. IANAL, but this is my understanding from my experience how it is handled in companies I’m involved with: One of the requirements of the GDPR is that you have to inform your users what personal data you process, and if and to what extent you give this to others. Most businesses must rely on other service providers for some stuff. The exact list of those providers is usually not part of the terms themselves, because that would be impractical (as it can change). But I think it needs to be disclosed somewhere.
For a hosted Weblate instance this is Hosted Weblate, so it’s Hetzner Online GmbH and a company called Functional Software, Inc.
Hetzner is the hoster, providing the servers the application and database run on. As your username and e-mail get stored there, Hetzner is technically and legally processing your personal data. Also all network requests go to their servers and that naturally involves them seeing your IP.
Functional Software is offering a software called Sentry, which is used for error tracking. Whenever there is some kind of application error in Weblate it will be logged to Sentry, so the Weblate developers can inspect it. Such log messages and error messages potentially can contain e.g. usernames, so this company is also listed as a subcontractor.
There needs to be a data processing agreement between Weblate and the subcontractors, where they agree on handling data according to the law. I don’t know how Sentry handles that, but Hetzner has standard agreements for this purpose (where they basically say that they handle the data confidentially, restrict the access to such data also internally, keep it safe etc.).
Now things go of course deeper, because e.g. Hetzner might again have subcontractors. Hetzner discloses those at https://www.hetzner.com/AV/subcontractors.pdf. Note that that does not necessarily mean all these sub- and sub-subcontractors get your data. E.g. in case of the Hetzner list if the servers are in Germany none of the two subcontractors are involved. If servers are in Finland Hetzner Finland Oy is involved. It definitely also does not make it legal for Hetzner to search all the servers they provide to their customers for e-mail addresses and sell them to spammers or such. Btw, MusicBrainz servers are also hosted on Hetzner servers.
Overall I think Weblate got treated a bit harshly here, with claims that they will send spam and sell the data, which I’m really sure they won’t do. They are legally required to inform users that they process certain personal information and what data that is. In the end Weblate is one of the really open organizations, with all their software, including their website, being open source (Weblate · GitHub). Neither their software nor their website contains any tracker or analytics tools, which I think is pretty remarkable for a business and shows that they care about privacy issues. They earn money by providing support and hosting for Weblate. Scraping their paying customers’ databases for the personal data of the translators to sell to spammers for sure would not help them with their business model (and wouldn’t be legal anyway).
Sorry, you are still missing what I mean. Yes, I understand GDPR. And how companies need to process data to do their job. Not a problem there. Totally agree what you are saying… right up to you missing the point at the end.
When personal email addresses are placed into publicly accessible source code as plain text, then Spamming-Emails-R-Us company will go and illegally pick up the data.
I am not talking about Weblate or their partners sending spam. I trust them not to send spam. I trust them with my data. I am talking about putting my personal details in a place where dodgy people can pick it up without permission.
No, I’m not missing that point, because I had previously already answered to this specifically. And because I fully agree with you here in discussing this further unless there is some more information how Weblate will be able to address these concerns.
My answer was specifically meant to give some information to the statement “needed clarity as to who those business partners were and what would happen to our personal details”.
It was the tagging the scraping bit on the end of your reply that confused me. Sorry. Right with you up to that point. (This GDPR stuff is part of the day job, so I do get it. I am one of those weird people who read Ts n Cs. Your quality explanation will help other people.) Thank you for the detail.
Thanks a lot. Your expertise here gives me some confidence I did not get this completely wrong. I had to deal with this multiple times in my job, but for the most part I’m scratching my head how to comply with all of this. It’s the stuff that gives me nightmares.
I’m glad to give an update about these two above-mentioned points:
@outsidecontext and I thoroughly reviewed Weblate ToS and suggested some changes to the Weblate team which welcomed the initiative and made some clarifications of their own. Note that the ToS are generic to all Weblate instances. The section “Third-party sites” of our privacy policy has also been updated to link to it and to underline the next point.
By default the email address that will be used for publicly submitting your translations will be a custom no-reply based on your username (See this first commit for example). But you can still choose to make your own verified email address public through the settings of your MetaBrainz Weblate account. This was made possible thanks to the Weblate developer who implemented it after some demands including ours.
Our new translations platform is mostly set up and open for testing from https://translations.metabrainz.org/; please give it a try and report any issue or question that you might think about so we can look into it before the official announcement is made soon. We also made some documentation available at Internationalization - MusicBrainz Wiki whose main section is intended for translators to help with introducing to MetaBrainz projects and with coordinating translations between contributors.
Thank you all for the feedback so far, it was all about Weblate but mostly unrelated to the main topic (ToS & email disclosure) so I split it into separate topics. They can all be found under the new forum category “Internationalization” which should be used from now on instead of this topic for any other feedback about Weblate or any other topic about translation/localization/internationalization in general.
We keep making progress about setting up Weblate at https://translations.metabrainz.org/; some projects such as MusicBrainz (server and database), Picard, and Picard User Guide started using it already. Experienced translators are now welcome to join in. We will publish a blog post to welcome newcomers once ready for them.
About to dive into the Weblate account to update ENG(GB)(Aus)(Can) and am a little confused by the wording of one point on the privacy policy.
Can I confirm my email address is still private?
In the privacy policy I see this:
Name and e-mail address
These are used to identify you in the VCS commits.
Additionally, e-mail is used for notification of watched events.
Does that mean my email address will be available to other translators?
I’m happy to translate as Ivan Dobsky, but nothing RealWorld™
Yeah, I realise the WebAdmin can read the user database and extract my personal details. What I don’t want is my email address readable in any form to other translators. Nothing personal - I’m just an anti-social git.
Although, when I signed up it was set to “Use account e-mail address”. I wasn’t sure what that meant so I changed it to @users.noreply.translations.metabrainz.org for good measure.
Thanks. Sounds perfect… will now have a bit of a poke and see how I get on.
I see what you mean about the default being fully public - pretty well hidden that. Now fixed.
Now let’s see how sensible this translator is. English(GB)(Aus)(Can) is never a “100%” translate from English(US) as only a small number of words change spelling. Just need to check off a small handful of words like colour.