Open Source Initiative (OSI) Privacy Fiasco in Detail: A "Deep Dive" Into the Complaint at the California Privacy Protection Agency
LAST month we published an introduction to this series and the following part explained the urgency/importance. The previous part gave a glimpse into the complaint which had been submitted to the CPPA, the California Privacy Protection Agency.
Today we take a "Deep Dive" - to borrow the words used by the OSI to describe its Microsoft-sponsored lobbying for GPL violations.
From the CPPA site: "Additionally, the CCPA imposes separate obligations on service providers and contractors (who contract with businesses to process personal information) and other recipients of personal information from businesses. The CCPA does not generally apply to nonprofit organizations or government agencies."
We'll deal with the status ("nonprofit organization") some other day.
"Note," the complainant told us, "since OSI is a Nonprofit benefits corporation and may not be considered under CPPA, and if so, I will file a complaint with California DOJ."
"If you have a consumer complaint related to something other than consumer privacy, please report your issue using the California Department of Justice's complaint system," it says.
The OSI is a California corporation, incorporated in 1999 by ESR and Ian Murdock. The OSI articles of incorporation:
ARTICLES OF INCORPORATION OF
OPEN SOURCE INITIATIVE
A California Nonprofit Public Benefit Corporation
One: The name of the corporation is Open Source Initiative.
Two: This corporation is a nonprofit public benefit corporation and is not organized for the private gain of any person. It is organized under the Nonprofit Public Benefit Corporation Law for public purposes. This corporation is also organized for educational purposes within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1954 or the corresponding provision of any future United States internal revenue law. The specific purposes of the corporation are to (1) educate the public about the advantages of open source software [software that users are free to modify and redistribute]; (2) encourage the software community to participate in open source software development; (3) identify how software users’ objectives are best served through open source software; (4) persuade organizations and software authors to distribute source software freely they otherwise would not distribute; (5) provide resources for sharing information about open source software and licenses; (6) assist attorneys to craft open source licenses; (7) manage a certification program to allow use of one or more certification marks in association with open source software; and (8) advocate for open source principles.
Here's the full thing in case they remove this page in the future for revisionism purposes:
CPPA continued: "Personal information is information that identifies, relates to, or could reasonably be linked to a particular consumer or household. For example, it could include a consumer’s name, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences about the consumer’s preferences and characteristics."
From the complaint:
L – Right to LIMIT the use and disclosure of sensitive personal information collected about them. 4 years and still showing as of yesterday!
O – Right to OPT-OUT of the sale of their personal information and the right to opt-out of the sharing of their personal information for cross-context behavioral advertising. Never had an option to opt-out of having my personal info showing for 4+ years or ever to my recollection.
C – Right to CORRECT inaccurate personal information that businesses have about them.
K – Right to KNOW what personal information businesses have collected about them and how they use and share it.
It's possible during voting they let me know. However, I didn't want it shared with the world for 4 years.
E – Right to EQUAL treatment. Businesses cannot discriminate against consumers for exercising their CCPA rights.
D – Right to DELETE personal information businesses have collected from them (subject to some exceptions).
Some time later this week we'll show the remainder of this complaint. There are many facets to it and it may be the first complaint of several. █