Am Sun, 22 Apr 2018 13:41:10 -0600 schrieb Assaf Gordon: > Hello, > > On 22/04/18 12:55 PM, Uwe Scholz wrote: > > Am Sun, 22 Apr 2018 05:26:11 -0600 schrieb Assaf Gordon: > >> On 21/04/18 04:03 PM, Uwe Scholz wrote: > > I can also see all email-addresses in plain text of > > every single email.[...] This leads me to the next question: > > Regarding the GDPR, there should be the "Right to be forgotten". > > > > That means, if a user requests his personal data to be removed from > > the Savannah servers, (and this affects also his email address!), > > this should be possible somehow. > > I doubt this will happen on gnu mailing lists - almost every posted > message has been saved and is publicly available with a stable URL > for decades (and that is a point of pride).
I know, it definitely is! From a "right to be forgotten" perspective, the point that the email address is permanently, publicly available might still be a big problem.(*) I am not sure what is more important from a law perspective: an unchanged archive or a masked email-address in the archive. (*) I was really supprised that the mail address is not masked in the downloadable archive, as this is the case in the web front-end. > > Remark: I think the ability to be forgotten should be implemented > > here, otherwise Savannah might run in danger to become the aim of a > > greedy lawyer. > > Not sure I understand what you means, but remember that it is a > public mailing list - an email sent to it is store not only on gnu's > archive, but also sent to *every* other subscriber's email - and > stored on their account/computer. They is no "forgetting" it. Many of > these lists are also mirrored on other servers (e.g. gmane). With "greedy" I meant a lawyer being greedy for money, who can't wait the 25th of May, sending an email to a Savannah mailing-list and after that trying to have his data (email address) deleted from the servers again. If this doesn't happen in a certain amount of time it could result in high fines for Savannah. This is of course just a speculation of mine, but we all know lawyers and advocates... I have had a contact to one of them some time ago, and it was not the best acquaintance, I can tell you ;) And of cause I know and understand the concept of a public mailing list and I don't talk about the local, private copy of a list member. I am just talking about the public available archive here (or any other permanently stored data). > This is not the same situation as "google" or "facebook" where they > keep/manage the data themselves and (ostensibly) have the only copy > which can be deleted. I am not sure if this is the true, because instead of a Facebook or Google account, the GDPR treats the email address of a person to be individual-related data which is especially in the need of protection. Therefore it could be a problem to make this address publicly available without a proof that the sender who writes an email really, really understands what he is doing. Google, Facebook and all the others solve this with new terms and conditions one has to sign before continuing using their services. For example there are rumors that WhatsApp will be allowed in the future only for people beginning with the age of 16 because for younger children the GDPR requires special care from their parents which is to complicated to be implemented for WhatsApp. - Yes, GDPR is very complex... > > Currently it should be a good idea to let the users know that their > > mail addresses are public available in the archives when they send > > a mail to a mailing-list. > > These are *public mailing lists*. > If there are users who do not understand what that means - there is a > bigger problem here... We should focus on the public available archive (with plain text email addresses) which might be the problem here, not the lists themselves. > Lastly, > If you (or others) do want to pursue GDPR or any other internet > regulations - please contact the FSF directly ( > https://www.fsf.org/about/staff-and-board/ ). Thank you very much. I will reach out to them when I find the time. > Implementing such policies require access that savannah admins do not > have (see https://savannah.gnu.org/maintenance/NotSavannahAdmins/ ). Great, thank you for both links! > regards, > - assaf > > > > >
