Privacy Policy

From Hive13 Wiki
Jump to navigation Jump to search

Last updated: May 14, 2020

Our philosophy

Hive13 is fundamentally a community of people who build things. We collect certain personal information to make the community possible. We don't collect personal data that is not useful for Hive13 or our members, we don't store personal data longer than we need to, and we tell you what we're doing with the personal data you give us. Note: Many technical aspects of how we handle personal information are almost always in flux.

Contact info for individuals

Names

If you routinely use a name that's different from your so-called "legal name", that's fine with us. Some of our automation needs to know both, such as systems that process payments. We will be as careful as we can not to confuse the two. Some individuals in the organization may need both names at once, such as our Treasurer and our CTO. They promise not to tell.

Email addresses

If you sign up for one of our mailing lists or ask to join one of our social media presences: Meetup, Slack, Trello, Facebook, Reddit, Twitter, Google or others they obviously have your information and share it with Hive13. They all have their own privacy policy which you should read. Even if you later unsubscribe, our log files may still reflect that we saw your email address at one time.

Email messages

We archive email messages that go to our mailing lists. Many of these archives are searchable by the public. If you unsubscribe, your messages will continue to be available, including to people who join later. In extreme cases, we can delete particular messages, but that's a manual and very labor-intensive process, so please don't ask unless it's truly important. (It also can't possibly delete any copies of your messages being held by people who were subscribers at the time you sent the message.)

Emergency contact info

Emergency contact info means (at least) a phone number for each member of someone who should be called in the event that the member has a medical emergency. Members are required to list a phone number; they may optionally provide the name & relationship of that person to the member. We store such information electronically. It is only accessible by Hive13 leadership.

Members

We will not distribute the names of our members to outside parties, nor, in general, will we do so en masse to our members. There are some exceptions, but these generally occur because of some action the member takes:

  • If you post to Hive13 members-only mailing lists, other members will know who you are.
  • If you've done some particularly noteworthy bit of volunteering, you may be publicly thanked in an update message to our members, unless you ask in advance not to be.
  • Some staff and volunteers need access to complete lists of members to do their jobs. Typically, this includes handling payments, subscriptions to mailing lists, elections, and so forth.
  • If you wish to tell anyone that you, yourself, are a member, that's up to you, of course. But we won't do it for you.

Students

We don't publish the names of students. However, if you sign up for a class through Meetup your Meetup ID will be public. If a student pays with a PayPal address that is different from their main address, what we generally give the instructor is that PayPal address, since that's what we typically have most readily at hand.

Instructors

If you'd like to teach at Hive13, we typically ask for biographical information and other similar information, so we can publicize a nice blurb on websites to attract students to your class. We will often also hand out your email address to students if they need to contact you.

Donors

We have contact information for donors, so we can thank and acknowledge them. Anyone who donates over $100 can be listed on our website; we ask for permission first.

Minors

Individuals under 18 are allowed on our mailing lists and Slack channel. However, you must be 18 to become a member.

Due to issues of COPPA compliance, we will not knowingly allow any data about individuals under age 13 on any of our websites, social media or mailing lists. (If such an individual signs themselves up to a mailing list but is otherwise not known to Hive13, we may well have no way to know unless they tell us, but we will not knowingly allow this.)

RFID card-swipe data

Hive13 members have an RFID access card. We record access card information indefinitely in your member record: The particular RFID card number tied to your member account. The last date your RFID card was used.
In addition, we record this data about your card use indefinitely: Each time the RFID card is used to enter the space. Each time you use the RFID card inside Hive13. Any of this data may appear in backups. Backup volumes are kept until the oldest are purged to free up space.

Video

Live video

"Live video" means video that is not stored at all. Hive13 doesn't use live video. We don't have anyone who can watch it. No one is available 24x7. Don’t count on cameras. You should have a safety buddy in the shop. A safety buddy who can see and hear things going wrong.

Stored video

"Stored video" means video that is stored for some length of time, such as by a surveillance camera. It also includes snapshots (photographs) taken by those cameras. Hive13 collects stored video to identify members who cause damage to equipment or to understand how some action led to an unsafe result. This video is kept until we run out of storage space. Stored video is only viewable by a small number of Hive13 Leadership. Selected camera freeze frames are posted to the web as ‘Spy’ cameras to allow the public to see what’s going on at Hive13.

Photography

We may take photographs for publicity purposes. We will always try to ask any members who might be in range of the camera for their permission and will not distribute any photograph containing images of a member who does not wish to be photographed. (If a member is sufficiently far in the background as to be unrecognizable, it may not be feasible to ask, but a concerned member may still ask for the photo not to be used or for their image to be obscured in some way.) Anything left in Hive13 might be captured by a photograph---either one of ours, for publicity, or by any member or visitor, for their own uses---at any time. Even if someone is taking a shot of something else, your item might appear in the background by accident. If you have something that must not be photographed (a secret skunkworks project or the equivalent), we recommend that you cover it instead.

Blog posts and other written media

We will not mention you by name in print or in other publicity unless we get your permission to do so. Similarly, we will not knowingly photograph or describe your projects unless you give us permission. (We ask that members extend this courtesy to each other as well--- please ask before mentioning other members' projects to third parties or publicizing them on the net. This is part of the member-to-member privacy policy.)

Data transiting our internal networks

We maintain both a wired and a wireless network infrastructure.

Wired connections

The wired infrastructure communicates with

  • Access and surveillance systems
  • Computers that handle payments
  • Certain pieces of fixed heavy machinery
  • Certain classroom computers
  • ...and similar permanently- or semi-permanently-installed Hive13 property

Data sets that contain personal information are restricted to Hive13 personnel who need such access to do their jobs.

If we ever discard such machine(s), we will either securely overwrite all stored data before the machine is discarded or we will physically destroy the storage medium. Certain personal data is held on our Internet-facing web server, which is physically secure but does not use an encrypted filesystem.

Note that certain Hive13 devices, used to take member applications, talk to our regular network, but they do so over encrypted channels, since they are designed to be used over the Internet as well. Similarly, when we interact with payment systems on the Internet (such as PayPal, Stripe, Square), we use encrypted connections to the extent that those services support it. Not all such services use crypto very well--for example, many send acknowledgments in the clear via email, and we can't do anything about that because we don't run those services.

Wireless connections

Member and visitor access to Hive13 resources, and to the outside world, are provided by our wireless network. In general, we do not monitor or store the actual contents of communications. We will collect automatic data to diagnose problems with the wireless network, but that data is aggregated and not inspected unless we need to diagnose problems.

However, we reserve the right to inspect the actual data transiting our networks in the event of problems. For example, if one particular machine is swamping the net, we reserve the right to monitor traffic to figure out which machine is misbehaving.

For debugging purposes, we monitor the assignment of DHCP leases to machine MAC addresses. This information is typically kept for a short amount of time (on the order of 1-2 weeks). However, if we are put in the position of having to answer requests from law enforcement (for example, because members are downloading copyrighted content or otherwise drawing attention to themselves), we may change this policy, and will announce the change. If we have to change this policy, we may require individual authentication by every computer connecting to our network, and we may keep such records for extended periods of time (possibly months). Please do not act in a way that might force us to begin this policy. See also Acceptable use of our public network.

All wireless communications are encrypted. Unless we are required to authenticate individual users (see above), all such crypto uses a common shared key (WPA2 Personal, AES mode). This does not necessarily protect your data against someone with malicious intent who knows our wireless key. Since we cannot police what people do with their computers, if you value your privacy, please ensure that your own communications are encrypted end-to-end. (This also applies to any data you send to the Internet, of course, which is out of our control.)

Hive13 Leadership and Tech Team

If you are a Hive13 tech leader, your use of certain high-security Hive13 data may be subject to monitoring and periodic audits. This particularly applies to any Hive13 (a) personal information or (b) financial data. We do this as a security precaution, to decrease the chances that malware could leak personal or financial data to outside parties and to detect misuse of the machines. This monitoring and auditing may include, but is not limited to, examination of data stored anywhere on the machine, and any of its network traffic. If you use such machines, you consent to such monitoring. If you do not wish to be monitored, the solution is simple---do your browsing on one of our non-high-security machines, or on your own machine, but not on a high-security machine.

Other stored data

This section is a grab-bag of other ways we store data, and what we do with it.

Things that do wind up on computers

Some data is handled by computers inside the physical Hive13 building and some is handled by our Internet-facing public server, which is in a secure facility far away. Member applications and Liability Waivers are on paper and may be copied into the membership records.

Member data created inside Hive13

If you create a document on a shared computer, we cannot guarantee whether (or if) the data will ever be deleted. If you don't want other students or other people in general to see the data, please delete it. Places with such shared computers include, but are not necessarily limited to:

  • CNC machinery (and fabrication documents)
  • Backups of such machines

Note that it is a violation of our member-to-member privacy policy for members to attempt to recover the contents of others' deleted files without their permission.


Security data created inside Hive13

No surveillance of any kind (video or snapshots) transits the same logical network (wired or wireless) as any of our other data while it is being collected. It is also not stored on the same physical computer as any computer that normal members have access to. This means that even if a malicious member attempts to compromise the data network, or one of our general-use computers, it is unlikely that surveillance data can be recorded or retrieved.

If the data must be manipulated after it is collected, it is possible that some of it might traverse our data network, either inside Hive13 or to processing offsite. The data will always be encrypted both in transit and at rest if so.

Server logs for our public-facing server

We keep extensive logs on Hive13.org, our public-facing server. In particular, we keep web server logs indefinitely for debugging and for use in our security system. These logs, in general, identify IP addresses, but typically not which member is accessing the server.

Changes to this policy

We will announce substantive upcoming changes to this policy as far in advance of their implementation as is feasible. If you wish to ask a simple question about the policy, please send mail to leadership@hive13.org.

Please note that this is not a discussion list: if you have an issue you'd like to discuss related to our privacy policy, please start there, and if necessary, we can then schedule a face-to-face meeting with other members to figure out what to do. (We've found in the past that having such discussions over email is not an effective use of everyone's time compared to face-to-face discussions.)

Privacy Policy (members)

Rationale

In order to foster a safe and supportive member atmosphere, we ask all members to abide by these privacy policies. Please also see our Privacy Policy for how Hive13 itself protects members' personal data.

Personal responsibility

We expect our members to protect private and confidential information, especially that which affects the well-being of others, This can include pictures or names of our other members (some of whom go by names other than their so-called "legal" names), descriptions of their work, or the contents of their communications. The sections below expand on this philosophy.

We also expect you abide personally by the same provisions that Hive13 abides by in general. This means that the same sort of data that we take care to protect about our members should be protected by you as well. Use of Hive13 facilities are restricted to members in good standing and their guests. This includes email addresses ending in @hive13.org and G Suite Drive space. When your membership ends, your privilege to use these tools ends.

Note: All Hive13 data are managed by Hive13 and therefore subject to potential subpoena by law enforcement agencies. Do not use Hive13 facilities for intellectual property that you wish to protect and do not jeopardize Hive13 by storing or transmitting any material that violates the law.

Photography (still or video)

Not everyone shares the same attitude towards having their picture online. Please ask in advance before photographing people.

Additionally, some people may be working on projects that they don't wish to get publicized early. Please ask before photographing other members' work or before describing it in public. (If you have work that you absolutely don't want photographed while you're not around, consider covering it. Even with the best of intentions, it might otherwise wind up in the background of some unrelated shot.)

Surveillance

Do not set up any sort of surveillance or video system that might capture images of people in any area outside of your own personal space. If you set up any such system, we reserve the right to inspect it periodically to assure that this is the case. (If such a system were to record personal information outside of your own space, it would violate our own privacy policies, at least.) Any camera that even looks like it might be imaging space outside of your own studio area should be tagged with your name, contact information, and any explanatory information that would be useful in determining what it is that your camera is capturing. (The explanation is so that everyone who wonders about the camera doesn't have to individually track you down to ask about it.) Cameras with no identifying information may be covered or removed.

Data

Members may transmit data on a shared infrastructure (our wireless network) or leave it stored on various computers (such as classroom machines or CNC machinery). We expect that members will not deliberately eavesdrop on each others' communications. We similarly expect that members will not go to unusual lengths (such as forensic examination of unused disk areas on shared machines) to recover files deleted by other members. If a member leaves an undeleted file on a shared computer, you may look at it to figure out what it is or who to contact about it (especially if you think it might need to be saved, or if it might need to be deleted to free up space), but you do not necessarily have rights to copy it for your own use; please ask first.

Please do not swamp our local network. While the occasional large download is fine, routine or continuous high-rate usage can interfere with others' use. Similarly, anything that attracts the attention of law enforcement (such as downloading copyrighted works) is also not allowed. This is both a legal and a privacy issue---if we have problems with these sorts of things, we will be forced to deploy much more privacy-invasive technologies (such as individual authentication for every network connection, and much longer-lived logs of who does what) that degrade everyone's privacy and cost us time and effort. We'd rather not have to go there.

Members may not implement private wireless access points on Hive13 infrastructure.

Acceptable use of our public network

Why we have these policies

We need to make sure that we:

  • Are legally protected
  • Do not have to spend time policing members' behavior
  • Can offer a usable network for the convenience of our members

These guidelines are intended to keep our network functional and us out of legal trouble.

We ask that you abide by these policies in order to allow us to achieve these goals. If you do not abide by them, your use of the network, and/or of our entire space, may be revoked. You agreed to these policies by signing your membership agreement. We reserve the right to alter these policies at any time, and to ask you to change your network behavior if something about it is causing problems for us or any other members, even if it might seem to be strictly permitted---we're trying to make sure that everyone can communicate, and that we don't have to spend a lot of time dealing with it.

If you have any questions about how to be a good neighbor, or you'd like advice on how to put your particular device on the network, please ask the Hive13 CTO. We're here to help.

General considerations

Privacy

You are expected to honor our privacy policy, which includes not intercepting communications not intended for you, not disrupting others' communications, and so forth.

This also includes not trying to connect to machines for which you have no authorization. Such attempts, or use of scanning tools to discover such machines, is prohibited. If you'd like to know how the network works, please don't look like you're attacking it---just ask instead.

Availability

The network is run on a best-effort basis. This means that we will make every effort to keep it up at all times---Hive13 depends on it for its own operations as well, after all---but we cannot make any guarantees about its availability. If you have some business need for an absolutely-reliable network, you should arrange to pay someone for that service. We are not in that business.

Bandwidth

You are expected to use reasonable shared-bandwidth behavior. This means not continuously using large amounts of the shared bandwidth. We would like to do this on the honor system and not have to enforce limits. That means:

  • No unattended BitTorrent. (If you'd like to torrent down a Debian release and then turn it off, that's okay, but don't leave it serving after you're done.)
  • Don't be a Skype supernode. (Meaning, don't let Skype run in the background all the time.)
  • Nothing that could cause the RIAA or MPAA to serve us papers. (No violation of copyrights: don't torrent a movie.)
  • Nothing that could cause us to have to handle a DMCA takedown order. (Again, no violation of copyright: don't set up a warez site.)

If you know you're going to have to schlurp down something truly enormous, try to throttle it yourself, using client-side traffic shaping. ("rsync --bwlimit" is one approach; other protocol-agnostic shapers exist for Linux at least.) Please ask the Hive13 CTO for suggestions.

As a rule of thumb, expect that our total available bandwidth is equivalent to a low-to-medium-end cable-modem connection (because it is a cable-modem connection). But unlike your connection at home, this one is shared by dozens if not hundreds of people. Please do your high-volume downloading at home, and not here. Please use common sense.

Wireless network

All members and guests are welcome to use our wireless network, as long as you respect some simple guidelines. Ask another member or for the passphrase. No private wireless access points are allowed

Wired network

Our wired network nodes may be used like the wireless. Though it can encourage overuse of our bandwidth.

Fixed infrastructure

Some of our fixed infrastructure uses a wired network, but that network is not intended for use by members. These uses are typically large, immovable, computer-controlled equipment owned by Hive13, where running a wire is both feasible and perhaps necessary due to proximity to RF emitters like welders, and where any failures or problems are a matter internal to Hive13 staff and don't involve third parties.

If you have equipment of your own that you would like to put on our network, you are very strongly encouraged to use (for example) a USB-to-wifi dongle, or a PCI-to-wifi card. We can offer some advice on how to do that.

You may not at any time plug or unplug anything on our network without prior authorization from our CTO

If you own or lease hardware to Hive13 that has a hardwired drop, you may plug and unplug your hardware from that drop. Otherwise, you may not touch anything in the wired network without prior approval from the CTO. Absolutely no exceptions.

Servers

You may not run any servers here which rely on people being able to make unsolicited inbound connections. Not only do we not want the bandwidth, you also simply can't bind the port--- you are behind a NAT. You may run server-like software which works by first establishing an outbound connection somewhere, but that "server" must be intermittent, low-bandwidth, respectful of the rest of our network, and absolutely must not host any copyrighted content at all unless you personally hold that copyright or can demonstrate some Creative Commons, copyleft, or similar allowed use of the content. For example, if you have some device which might occasionally send an email elsewhere with its status, that's fine. Running a warez site, on the other hand, is absolutely prohibited, even if you could do so without inbound connections.

Doing things that expose us to legal liability (such as hosting copyrighted content, running a warez server, etc) will result in the immediate disconnection of your server, as will soaking all of our bandwidth for extended periods of time. Flagrant violation may result in termination of your access to our space (from us) and possible legal action (from others).

If you have any questions about what is appropriate, please ask the CTO. It would be a good idea to talk to the CTO first so we know what you're doing, because it saves us a lot of time if we don't have to hunt people down. We may also be able to suggest better alternatives, or even help you set it up.

Retrieved from "http://wiki.hive13.org/index.php?title=Privacy_Policy&oldid=20812"