Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-11 Thread Dimitri Maziuk
On 05/11/2018 04:55 PM, Julian H. Stacey wrote:
...

I think the basic inconvenient truth is nobody's going to come after you
unless you have money to pay the settlement. I expect the impact on
"smaller lists run by Unpaid Volunteers" to be about on par with that of
the right to be forgotten. How many people here had to delete messages
and rebuild the archives because of it?

And besides, I've done that a few times cleaning up spam that got past
the filters -- it's not *that* hard.
-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu



--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-11 Thread Julian H. Stacey
Alain D D Williams wrote:
> On Sat, May 12, 2018 at 01:06:15AM +0900, Stephen J. Turnbull wrote:
> > I hate to disagree with everybody, but ...
> > 
> > We need to get an articulate European lawyer, or at least find someone
> > who has studied the subject.  

If you or employer have money & time for that, do share results of
- paying a lawyer to read those 88 EU pages, & answering questions
- paying a programmer for development time for patches to Mailman.
Maybe other major users of Mailman might afford to share costs.  I won't.

It's just EU law so far, but laws & interpretations vary by time &
geography, This list is global, 191 countries in
https://en.wikipedia.org/wiki/List_of_sovereign_states

Best action for least effort, IMO is first someone to agree to commit a big
default legal disclaimer in the Mailman source distribution, as a
separate locally served clickable link from top of
http://mailman.YOUR-DOMAIN/mailman/listinfo
That default Legal page would include a further clickable link to a
dummy page for site local extra legal waffle.

Once that's agreed it would be worth some of us working on content.
My suggestion, approx:

Generic Preamble: Why Mailman Rules Are Necessary & Mandatory To All Users
While Big [Anti-]Social Web providers, may get enough
advertising revenue to employ people to deal with various
legal pains ...

Many Mailman sites have smaller lists, run Free by Unpaid
volunteers with No free time for boring, annoying, risky
legal hassles wasting their time, (eg: logging & adjudicating
internal or external complainers, users & authorities,
disciplining posters, editing archives, etc).

Many Mailman sites & list admins would rather close down
their free service rather than have their time forcibly
wasted unpaid to provide & host free levels of "service" &
abuse control, that users might be accustomed to have
provided on larger commercial (often advert paid) [Anti-]Social
web sites, (as first targeted by regulators etc).

Some issues one might then cover in the generic, or leave to local site: eg:
Those from previous posters to this thread +
Liability
Copyright
Secrecy
Security
Posting means irrevocable publishing
No right to use lists if you waste unpaid admins time.
Incitement to this & that
Right to inform authorities
Non obligation of admins to have to waste time monitoring/
censoring etc.
Anti hate crime/ agitation laws V. free speech 
(eg As considered in Germany, reported in: Economist Jan
13-19th 2018 Page 21 "Freedom & its discontents")
site owner doesn't necessarily agree with views of archived posters etc 
Policy if members of a by default private archived list vote to
make their archive public ?  What if someone had
posted, archived, then left list, sees it public,
& now objects ? )
How to even technically & legally establish objector is same
person (or their rep. or inheritor or purchaser of copyright
of initial poster or litigant against poster, or recipient
of court order against poster ?
Local server operator & global Mailman org disclaim liability,
& no insurance to tempt lawyers to sue (another can of worms ;-)

Optionally & asynchronously while some are drafting a generic legal page:
A python programmer (or HTML editor, depending where) could
add a switch so new users had to agree before joining
list[s].  Whether switch should be per list or global, to be
decided by who does the work. Switch might be a null string,
updated to latest date when terms agreed. ?

Cheers,
Julian
-- 
Julian Stacey, Computer Consultant, Systems Engineer, BSD Linux Unix, Munich
 Brexit Referendum stole 3,700,000 votes, inc. 700,000 from British in EU.
 UK Govt. lied it's "democratic" in Article 50 letter to EU paragraph 3.
Petition for votes: http://berklix.eu/queen/


Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-11 Thread Alain D D Williams
On Sat, May 12, 2018 at 01:06:15AM +0900, Stephen J. Turnbull wrote:
> I hate to disagree with everybody, but ...
> 
> We need to get an articulate European lawyer, or at least find someone
> who has studied the subject.  I don't know the credentials of anyone
> who has posted on this list, so I would be careful.  There was a post
> a few months back listing a bunch of stuff that person claimed we
> needed to support for our users (ie, list owners) to be able to
> conform to GDPR.  (Sorry, on a plane right now, search is painful.)
> I have no idea if that person was clueful, but I suspect he was a
> privacy activist and so would be biased toward stringent
> interpretation.  Still that post is where I'd start.
> 
> On the FUD end of the spectrum, there are claims that the IPs in your
> webserver log are subject to redaction on request.  There are
> counterclaims that that is FUD. ;-)

[ first: IANAL ]

It is FUD.

Yes, you could argue that an IP address is a form of 'personal information'
(PI), in that it might identify someone. But you are allowed to keep such
information for the purposes of debugging server problems, tracking down
attempted break-ins, etc. So you can keep the logs for a reasonable time to
allow you to do that.

How long: the default log recycling times (eg a few weeks to a couple of months)
would be reasonable. Some have suggested 2 days - but it is easy to justify
that that is not long enough since many problems do not become known for some
time.

One confusion is that the GDPR does not prevent you keeping PI (eg as above),
but there are strictures on *processing* it, eg with the purpose of sending
spam.

*processing* it to trace a break-in would be allowed - you are not seeking to
identify or act on the individual -- unless s/he was the reprobate who attacked
your machine.


A huge number of organisations are now seeking reaffirmation that you want to
receive email from them; this is because they do not have adequate documentation
that you want to receive email. My view is that the mailman log files show when
a user requested to join a mail list (eg the subscribe file); if they asked to
be subscribed and someone else did it, then the email/signup-form should be
kept.


https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/



> I don't know the credentials of
> either claimant.  It is my understanding that you may need to remove
> posts from archives on request.  AFAIK neither Mailman 2 nor Mailman 3
> supports that in the sense of making it possible to do it without
> editing the archives by hand (and in Mailman 2's case, rebuilding the
> archives), which requires login access to the host.

There is a right to be forgotten

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

> There are also claims that if you don't profit from the data stored in
> your host's records, you're safe.  Some people have posted "all posts
> yours are automatically permanently ours" rules of usage -- but I
> don't think EU law necessarily allows that, because GDPR rights may
> very well be inalienable "creator's rights".  I have no way to
> evaluate these claims, but at the very least you have to worry about
> frivolous claims (insert Michael Cohen/Rudy Giuliani joke here).
> 
> Footnotes: 
> [1]  If someone reading this thinks they know GDPR well enough to (1)
> present basic concepts and risks (while liberally sprinkling IANALs and
> TINLAs around) and

IANAL

> (2) point people at real lawyer blogs,

But beware: there is a mini-industry of people who try to worry organisations
and seek to advise you (at a fee - of course).

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/contact.php
#include 


[Mailman-Users] [Mailman-cabal] GDPR

2018-05-11 Thread Stephen J. Turnbull
I hate to disagree with everybody, but ...

We need to get an articulate European lawyer, or at least find someone
who has studied the subject.  I don't know the credentials of anyone
who has posted on this list, so I would be careful.  There was a post
a few months back listing a bunch of stuff that person claimed we
needed to support for our users (ie, list owners) to be able to
conform to GDPR.  (Sorry, on a plane right now, search is painful.)
I have no idea if that person was clueful, but I suspect he was a
privacy activist and so would be biased toward stringent
interpretation.  Still that post is where I'd start.

On the FUD end of the spectrum, there are claims that the IPs in your
webserver log are subject to redaction on request.  There are
counterclaims that that is FUD. ;-)  I don't know the credentials of
either claimant.  It is my understanding that you may need to remove
posts from archives on request.  AFAIK neither Mailman 2 nor Mailman 3
supports that in the sense of making it possible to do it without
editing the archives by hand (and in Mailman 2's case, rebuilding the
archives), which requires login access to the host.

There are also claims that if you don't profit from the data stored in
your host's records, you're safe.  Some people have posted "all posts
yours are automatically permanently ours" rules of usage -- but I
don't think EU law necessarily allows that, because GDPR rights may
very well be inalienable "creator's rights".  I have no way to
evaluate these claims, but at the very least you have to worry about
frivolous claims (insert Michael Cohen/Rudy Giuliani joke here).

Footnotes: 
[1]  If someone reading this thinks they know GDPR well enough to (1)
present basic concepts and risks (while liberally sprinkling IANALs and
TINLAs around) and (2) point people at real lawyer blogs, *please*
speak up.  I'm not deprecating your knowledge, just I haven't seen
such here.  Pointing at the official lawyerly stuff isn't really
helpful, I'm sure we can all google for that.  What we need is a
curated list of sane sources.
