Open source project data is not open data

Open source project data is not open data

Open source works in the open, that means git log, email archives, etc. are open data, right? WRONG!

This talk walks through the legal and technical challenges for analyzing open source projects. Solutions and best practices will be shared. The audience is expected to have experience with open source projects and to have an interest in learning more about analyzing those projects. This can include maintainers, community managers, organizational open source program officers, academics, or data scientists with an interest in data from open source.

7dddc875546948b5b5094167c90dc10d?s=128

Bitergia

March 07, 2020
Tweet

Transcript

  1. 1.

    @GeorgLink @GeorgLink Open source project data is not open data

    Georg Link SCALE 18x 6pm, room 104 March 5-8, 2020, Pasadena, CA
  2. 3.

    @GeorgLink @GeorgLink About Georg Link Omaha, NE Ph.D. on Open

    Source Metrics Cofounder of CHAOSS Project Bitergia
  3. 5.

    @GeorgLink Thought Experiment: Contributor Imagine you are an open source

    contributor. You engage in an open source community to get work done (or other reasons). How would you react to the following scenarios? • The community creates contributor profiles that show how much everyone contributed. • The community regularly recognizes the most active contributors. • A dashboard shows how the level of contributions evolves over time to show how strong the community is.
  4. 6.

    @GeorgLink Thought Experiment: Company Now imagine you work at a

    company and developed a piece of software. Your company agrees to your proposal to open source the software but requires you to show the impact that this has for the company. How would you approach the following: • Ensure that a vibrant community forms around the software project. • Identify areas that need attention in the project. • Report progress to your manager.
  5. 7.

    @GeorgLink The role of Data In the thought experiments: What

    data did we talk about? Who were the data producers? Who were the data users?
  6. 8.

    @GeorgLink The role of Data In the thought experiments: What

    was the relationship between data, its producers, and its users?
  7. 9.

    @GeorgLink Community Data as Trace Data Created accidentally Contributions and

    their metadata Metadata typically has no license Contains personal identifiable information (PII) like names and emails
  8. 10.

    @GeorgLink Is community data open data? Open data is data

    that can be freely used, re-used and redistributed by anyone - subject only, at most, to the requirement to attribute and sharealike. -- https://opendatahandbook.org/
  9. 13.

    @GeorgLink A gist of GDPR Art 4. (1) ‘personal data’

    means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  10. 14.

    @GeorgLink A gist of GDPR Art 4. (2) ‘processing’ means

    any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  11. 15.

    @GeorgLink A gist of GDPR Art 4. (7) ‘controller’ means

    the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  12. 16.

    @GeorgLink A gist of GDPR Art 4. (11) ‘consent’ of

    the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  13. 17.

    @GeorgLink GDPR: Rights of the data subject (Chapter 3 excerpt)

    Section 1 -- Transparency and modalities Section 2 -- Information and access to personal data Section 3 -- Rectification and erasure • “Right to be forgotten” • Restriction of Processing • Notification obligation
  14. 18.

    @GeorgLink GDPR grey area: Open Source Was created for business

    and government organizations that collect data. Open source communities collect data for their own purpose, but not in the same sense that organizations do. Personal data is freely given to an open source project.
  15. 19.

    @GeorgLink Prior Informed Consent in Open Source GDPR is agnostic

    to the fact that data is already public! Two options for consent: • OPT-IN ◦ safe option • OPT-OUT ◦ requires demonstrating “legitimate interest”
  16. 20.

    @GeorgLink What we need to do Inform community members before

    processing data • How can we reach all community members and document that you informed them? Obtain consent • Provide means to OPT-IN or OPT-OUT
  17. 21.

    @GeorgLink CCPA: California Consumer Privacy Act 1798.140. (c) “business” means:

    ... • An open source project may not qualify as a business
  18. 22.

    @GeorgLink Inform community before processing data Demonstrate “legitimate interest” Provide

    OPT-IN or OPT-OUT Be transparent and communicative Recap: Legal Challenges
  19. 24.

    @GeorgLink Where is the data? Where is the community? Git

    GitHub GitLab BitBucket Jira Gerrit Confluence … Wiki Discourse Mailing List IRC Slack Meetup.com StackOverflow …
  20. 25.

    @GeorgLink @GeorgLink How to get the data Extract: • Get

    data from data sources Transform: • Unify data • Manage identities • Calculate metrics Load: • Visualize
  21. 27.

    @GeorgLink Transforming data Unify data • Date formats • Level

    of detail • Metadata about different contributions • Convert everything into the desired database structure Manage identities Calculate metrics
  22. 28.

    @GeorgLink Transforming data Unify data Manage identities • Who is

    who in the community • Who do contributors work for (now and before) • Different usernames and email • Assigning contributions to the correct person Calculate metrics
  23. 29.

    @GeorgLink Transforming data Unify data Manage identities Calculate metrics •

    Primary metrics - summarizing original data • Secondary metrics ◦ Calculation from different data fields ◦ Combining data from different data sources ◦ Value judgements on data - e.g., quality models
  24. 30.

    @GeorgLink Loading data Who is the data user? How should

    the data be presented? What visualizations are most meaningful? What story does the data tell?
  25. 51.

    @GeorgLink About CHAOSS Short for: Community Health Analytics Open Source

    Software Linux Foundation project Started in 2017 Focused on “creating analytics and metrics to help define community health” -- https://chaoss.community
  26. 53.

    @GeorgLink Defining Metrics in CHAOSS 5 Working Groups: • Common

    Metrics • Diversity and Inclusion • Evolution • Risk • Value https://chaoss.community/metrics
  27. 55.

    @GeorgLink Metric Best Practices Follow Goal-Question-Metric approach Use metrics to

    tell a story Evaluate the usefulness of metric strategy Minimize gaming of metrics Start small and “get off zero”