Dear Fellows,

Many of you expressed frustration that an organization like FSFE was distributing your email addresses to other members. Not all of you were warned about that when you joined the mailing list.

Anyhow, it turns out that there was a rather serious missed opportunity to review that policy in 2018. FSFE president Matthias Kirschner wrote an email to the GA mailing list on 15.03.2018 with the subject "[GA] Report about privacy problem with financial data". Kirschner goes on:

"The archives of [email protected], and thereby all the information including full names, amount, credit card and bank details, were public from 18 December 2017 until 13 March 2018."

It is incredulous that such data is managed on a mailing list, especially when the list runs on the same public server as Internet-accessible public lists. All financial organizations that I've ever worked for keep such data on servers in isolated subnets, with mail allowed in through an intermediate box in the DMZ. There is never direct access from the Internet to the box where sensitive data is stored.

Privacy regulations in many countries require customers/members/donors to be informed about such hiccups. I don't believe FSFE sent any notice to Fellows like you at that time. Kirschner raised the possibility of informing possible victims and told the GA that council members had explicitly decided not to do so. They argued that the logs didn't show any conclusive evidence that the leak was exploited. Would you have wanted to be warned anyway, just in case?

The email encouraged list admins to check list settings. But as FSFE confirmed[1] last week, the names of list subscribers were still available to all other subscribers to download freely more than a year after that previous incident.

"as explained ..., this list was available to all list-subscribers as it is common practice. However, we now changed the settings and list-subscribers are only visible for list-admins from now on."

Will FSFE tell us how many times the data was downloaded during the last 18 months? Or will they use that money you donated, with your potentially compromised credit card numbers, to hire an army of lawyers to savage the representative you voted for?

It appears that FSFE missed the opportunity to revise privacy settings in March 2018. Regrettable?

Repeating that quote from Kirschner, a summary of his plotting with Chris Lamb, former Debian Project Leader:

"One general wish -- which I agreed with -- from Debian was to better share information about people"

Is it correct to blame the people who download things that Kirschner shares?

The same email included malicious assertions about the former Fellowship representative, myself, a coordinated attempt to cause me harm in a way that has compromised the privacy of numerous individuals. As that email has been circulated around various communities, a number of people have been shocked at the way Kirschner and Lamb were conspiring against the privacy of their own members. Some of the defamatory claims were even implausible, this was obvious to people familiar with the details.

I want to thank all those people who quietly tipped me off about Kirschner and Lamb.

I would encourage all of you to embrace the opportunity to vote in the first autonomous Fellowship elections.

Faithfully,

Your undead zombie Fellowship Representative who just didn't die correctly when backstabbed

1. https://lists.fsfe.org/pipermail/discussion/2019-May/012696.html

_______________________________________________
Discussion mailing list
[email protected]
https://lists.fsfellowship.eu/mailman/listinfo/discussion
