Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Grant Taylor via Mailman-Users

On 05/14/2018 06:33 AM, Andrew Hodgson wrote:
> - Archive purge requests. We have discussed the same items as on the
> list to date.  I am looking at doing a simple grep for the relevant
> person's details and changing that.  The main reason for doing this is
> that if we just remove the author's messages they will be in a thread
> of other messages and our users typically don't remove quoted material.


ACK

This seems like the lowest common denominator.

> Current advice from the GDPR people is we may have to delete the whole
> thread.


What‽

What is their working definition of "thread"?

Consider this scenario:  a LONG running thread and the person exercising 
their right to be forgotten simply adds a "me too" or an insult at the 
very end.


Does that thread, which obviously had a lot of value to the thread 
participants need to be deleted?


Why can't just the individual's message(s) be deleted?  Or better 
redacted to not reflect them?


> Still under discussion, this is also complex because threads and subjects
> change, if we delete the whole thread there may be messages from the
> same author in other threads that don't have correct attribution etc.


What does GDPR have to say, if anything, about subscribers having their 
own archives, which will not be redacted in any way?  —  Is the mailing 
list owner / administrator in any way, shape, or form, responsible for 
expunging those records too?


> - Audit logs for data access.  It is not clear who is accessing
> subscription data for the list as there is just a single owner and
> moderator account.  Unsure if current logging data in either MM2 or MM3 is
> "good enough" for this.  MM3 may solve the issue about single accounts.


I guess I don't understand the problem and / or make invalid assumptions 
about MM.


I see six modes of access to the data:

1)  List subscribers
2)  List owners / administrators
3)  Host system administrators
4)  Administrators that are in the downstream SMTP / HTTP path and can 
track things.

5)  Backups.
6)  Ongoing Discovery.

I would expect that #1 requires authentication to MM for subscribers to 
see data, and I expect that this is logged in some (indirect) capacity.


I would expect that #2 would have access to the data as part of their 
role of owning / administering a mailing list.


I would also expect that #3 has the capability to access the data.  But 
I would also expect that #3 would not access the data in normal day to 
day operations.


Are you saying that GDPR is going to complicate things related to #3 and 
make it such that there is more of a union between #2 and #3?  I.e. 
exclude 3rd party site hosters from being able to be #3?


What say you / them about #4?

> - Relevant people seem to be happy that running a discussion list not
> used for marketing purposes should exempt us from some of the marketing
> type rules regarding data processing.


What is their working definition of "marketing"?

Does someone saying "Hey, I've got a hand knitted blanket for sale, 
contact me directly if you're interested." count as marketing?  What 
about a news list from a library saying "Bob is managing the sale of 
used computer equipment."?  They both refer to items for sale and how to 
contact someone off list.


To be really ornery, what if Bob is the person exercising his right to 
be forgotten.  —  Can you simply redact his name & contact info?  Can 
you replace it with someone else's?  —  Or do you need to delete the 
entire thread and send out a new message / thread?


IMHO:  History happened.  (Some) People will remember (some) details 
(for a while).  Removing evidence of them does not mean that history did 
not happen.


> - People seem happy with the system default logs as long as we can audit
> access to the logs (which we are able to as there is little access to
> the boxes themselves).


Please forgive me for questioning if all of your bases are covered.

Are #5 and #6 accounted for?  What about #4 downstream?  Or something 
like the NSA's PRISM program.


> - Likely that I will have to move the lists to a host the charities
> control themselves and a separate host for each charity.  This will
> increase costs so we may need to look at an alternative solution like
> a hosted list service as I am not setting myself up as a list hosting
> business.


I understand why you say this.  But to me this is an unacceptable 
solution.  It certainly will not scale.


I feel like there should be a GDPR counterpart of reasonable level of 
effort in good faith.  —  I.e. redacting things in existing files and 
stating that backups are expunged after X number of days.  —  I'm 
perfectly fine responding to someone saying "I've REDACTED you from live 
files, and old backups will automatically expunge…" in a short time 
frame after the "amnesia" request.  Yet knowing that I can't mark 
something as completely resolved until after the backups do expunge.


I'm not quite sure what to do in a situation of a litigation hold that 
suspends expunging of 

[Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Andrew Hodgson
Guys,

Thanks for all the discussion around this topic.  I have been in further 
communication with the people working on GDPR with us.  Background: I run 
Mailman lists for a couple of charities as a voluntary contribution to the 
charities, the charities have money at their disposal and we want to reduce 
exposure both for me personally and the charities involved.

These are just rough notes:

- Archive purge requests. We have discussed the same items as on the list to 
date.  I am looking at doing a simple grep for the relevant person's details 
and changing that.  The main reason for doing this is that if we just remove 
the author's messages they will be in a thread of other messages and our users 
typically don't remove quoted material.  Current advice from the GDPR people is 
we may have to delete the whole thread.  Still under discussion, this is also 
complex because threads and subjects change, if we delete the whole thread 
there may be messages from the same author in other threads that don't have 
correct attribution etc.

- Audit logs for data access.  It is not clear who is accessing subscription 
data for the list as there is just a single owner and moderator account.  
Unsure if current logging data in either MM2 or MM3 is "good enough" for this.  
MM3 may solve the issue about single accounts.

- Relevant people seem to be happy that running a discussion list not used for 
marketing purposes should exempt us from some of the marketing type rules 
regarding data processing.

- People seem happy with the system default logs as long as we can audit access 
to the logs (which we are able to as there is little access to the boxes 
themselves).

- Likely that I will have to move the lists to a host the charities control 
themselves and a separate host for each charity.  This will increase costs so 
we may need to look at an alternative solution like a hosted list service as I 
am not setting myself up as a list hosting business.

Again all this up for interpretation.  The largest ones for me at the moment are 
regarding auditing access to the Mailman admin access and the archive purging 
requests.

Andrew.
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Ángel
Grant Taylor asked:
> What does GDPR have to say, if anything, about subscribers having
> their own archives, which will not be redacted in any way?
> 
IMHO they would mostly fall under §18 and GDPR wouldn't apply:

> This Regulation does not apply to the processing of personal data by a
> natural person in the course of a purely personal or household
> activity and thus with no connection to a professional or commercial
> activity. Personal or household activities could include
> correspondence and the holding of addresses, or social networking and
> online activity undertaken within the context of such activities.
> However, this Regulation applies to controllers or processors which
> provide the means for processing personal data for such personal or
> household activities.

Of course, if a company was using the mailing list to process personal
data, it should have been stated the whole time.

Being nitpicky. What about sysadmins subscribed to this list as part of
their professional activity ? (but otherwise interacting in the same way
as a hobbyist)



Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Bernd Petrovitsch
Hi all!

On Mon, 2018-05-14 at 12:33 +, Andrew Hodgson wrote:
[...]
> These are just rough notes:
> 
> - Archive purge requests. We have discussed the same items as on the
> list to date.  I am looking at doing a simple grep for the relevant
> person's details and changing that.  The main reason for doing this
> is that if we just remove the author's messages they will be in a
> thread of other messages and our users typically don't remove quoted
> material.  Current advice from the GDPR people is we may have to
> delete the whole thread.  Still under discussion, this is also 

While at it, why not delete the entire archive just to be sure? SCNR


Seriously, these folks don't know what they imply.

And to be honest: If person X fullquotes and the email ends in an
archive, whose fault is it?

Obviously the archive's (or more its owners), not?

For the author's rights side to it: I answer an email (and happen to
quote just the relevant parts of other emails) to a public mailinglist
with a public archive.
I don't think that the archive's admin or anyone else should have the
right (let alone the duty) to *edit* or *change* *my* email in there -
or even worse: *remove* it completely.

MfG,
Bernd

PS: The whole "right to be forgotten" idea is absurd per se - think
about private archives (and I don't think about 3-letter
organizations only).
Can't we define the public archive to be a *necessary* and
*important* part of a public mailinglist and be done with it?!
For almost everyone else, some "important reason" is good enough
too.
-- 
Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
 LUGA : http://www.luga.at


Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Dimitri Maziuk
On 05/14/2018 05:02 PM, Ángel wrote:

> Being nitpicky. What about sysadmins subscribed to this list as part of
> their professional activity ? (but otherwise interacting in the same way
> as a hobbyist)

How do hobbyists interact? Enquiring minds want to know.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Grant Taylor via Mailman-Users

On 05/14/2018 04:11 PM, Bernd Petrovitsch wrote:

> Seriously, these folks don't know what they imply.


Nope.  Politicians (almost) never fully understand what's going on.

> And to be honest: If person X fullquotes and the email ends in an archive,
> whose fault is it?
>
> Obviously the archive's (or more its owners), not?


I don't think so.

Who's at fault in this scenario:  The person who overheard what I said 
(the archive) or me for saying it in a non-secure manner (the sender)?


Is there any legal method that I can use to compel a person to forget 
what they overheard me say?


> For the author's rights side to it: I answer an email (and happen to
> quote just the relevant parts of other emails) to a public mailinglist
> with a public archive.
>
> I don't think that the archive's admin or anyone else should have the
> right (let alone the duty) to edit or change my email in there - or even
> worse: remove it completely.


I disagree.

I believe that the admins / owners of the archive have the right to 
remove something from the archive (or prevent it from going into the 
archive in the first place).


I don't believe that admins / owners have the general right to modify 
what was said.


I do believe that the admins / owners have the right to modify what was 
said in very specific cases, like REDACTING something.  As long as they 
do so in a manner that is clearly identifiable that something was REDACTED.


After all, it is their system, they administer / own it and can do 
whatever they want to with it.


They should go out of their way to not misrepresent what you said / did.

They could also claim that your message was modified before it got to them.

Enter rabbit hole.

> PS: The whole "right to be forgotten" idea is absurd per se - think about
> private archives (and I don't think about 3-letter organizations only).
> Can't we define the public archive to be a necessary and important part
> of a public mailinglist and be done with it?!  For almost everyone else,
> some "important reason" is good enough too.


I feel like the idea that you can compel someone to forget something is 
absurd.


I think you can compel businesses to no longer use your contact 
information.  —  Which is my naive understanding of part of what the 
spirit of GDPR is.


I can see a scenario where a company completely removes any and all 
traces of someone, then buys sales leads which contain said person, and 
ultimately contacts said person again.  —  Is the company in violation of 
GDPR?  They did (and can prove *) that they removed the person's contact 
information and thus forgot about them.


Or should the company have retained just enough information to know that 
they should not contact the person again?  I.e. a black list.


(* Don't talk to me about proving the negative.  Assume a 3rd party 
oversight of some sort.)




--
Grant. . . .
unix || die



Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Julian H. Stacey
Grant Taylor via Mailman-Users wrote:
... lots of good examples ... well done !

I too don't think any complainer should have the right to kill a
thread, just cos he/she wrote something they later wish to retract.
Killing a thread would be gross abuse of all other posters' rights,
& would invite worse abuse: anyone could write to a thread knowing
they could leverage it later to kill a whole thread.

My guess is GDPR (& later similar elsewhere) will probably have
been drafted by, & interpreted by mostly politicians & lawyers
clueless of our sort of mail lists, who will not have thought through
most nasty edge cases we could easily present. Most probably they
won't know more than nasty anonymous low grade abusive cases on
commercial [anti-]social web chat forums.

( As a crude test I'd expect most drafters to be top posters,
gratuitously breaking context, not our sort of list people.  (I only
know one lawyer professionally, & typically he top posts, & thinks
tech style bottom posters weird & they should conform to his Normal
standards, - never occurs to such `Normal' people that they are
un-educated, & are contravening Internet procedures techs evolved
for good reasons. )).

So no faith in GDPR or similar being anything other than drafted
by & interpreted by ignorant `Normal' people who will bring us
nothing but trouble, & who will seek to waste time of unpaid admins.

Hence my intent is to reduce the threat of time wasters as much as
pos.: to draft something that says all those who don't conform to
our norms are breaching the domain's terms of unpaid service, & they lose
all rights to waste our time.  It won't be water-tight, but if it
reduces time wasters, it's sufficient.

Most unpaid volunteer admins aren't about to pay their own money
to get lawyers to write water tight clauses to protect us from
wasters, so I see no better option.

Cheers,
Julian
-- 
Julian Stacey, Computer Consultant, Systems Engineer, BSD Linux Unix, Munich
 Brexit Referendum stole 3,700,000 votes, inc. 700,000 from British in EU.
 UK Govt. lied it's "democratic" in Article 50 letter to EU paragraph 3.
Petition for votes: http://berklix.eu/queen/


Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Grant Taylor via Mailman-Users

On 05/14/2018 04:02 PM, Ángel wrote:

> IMHO they would mostly fall under §18 and GDPR wouldn't apply:


Okay.

What happens if a subsequent data breach (malware / infection) causes 
said individual archives to become public information?  }:-)


> Of course, if a company was using the mailing list to process personal
> data, it should have been stated the whole time.


I half way suspect this happens much more commonly than you might think.

I've seen info@ or sales@ or the like positional addresses be front 
ends for mailing lists (of one form or another) that redistribute the 
email to multiple (usually) internal (usually) employees.  I have never 
seen these types of expansion contacts disclosed as such.


> Being nitpicky. What about sysadmins subscribed to this list as part
> of their professional activity ?


I know that this happens.  But I would argue that the SA should not 
subscribe themselves.  Instead there should be an additional monitoring 
email address specifically for that purpose.


I'd really like to see an intelligent Mailing List Manager have the 
ability to subscribe an address like this that is used as a feedback 
loop.  I.e. Did the MLM receive a copy of the message that it sent 
yesterday.  I'd assume that it would be something like 
<$list>-fbl@<$list_domain> to avoid recursive loops.


That would allow the MLM to self monitor and escalate if there's a problem.



--
Grant. . . .
unix || die



Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-14 Thread Ángel
On 2018-05-13 at 05:39 +0900, Stephen J. Turnbull wrote:
> It would be a much more annoying matter if they claimed the right to
> be deleted from third party posts that quoted and identified them,
> though.  If there is a "right to be forgotten" that impinges on
> mailing list archives, that seems plausible to me, though who knows
> what the High Court would rule.

I see a few points here.

First of all, and I think it hasn't been mentioned yet is the Right to
access, ie. of letting people know which data you have about them.

I would consider that listing all posts by email address X would fulfill
it, plus a search feature (*) in case they want to search by other
terms, like looking for posts with their name in it.

(*) It is my understanding that just providing the mbox and expecting
them to grep through it just as the sysadmin would have to do would be
sufficient (OTOH if you had an advanced system for completely tracking a
guy, and provide him just a crude interface that's probably not ok). 

Having to find out "anything and everything" where the user was
mentioned may imho require what the GDPR calls "a disproportionate
effort", and could even result in some liability for not finding some
instance.
Whereas providing the tools with which it can be done, takes that issue
back to the requestor, by providing the tools by which they can do it.


As such, wrt redacting archives my view is that they should provide all
the urls to the content they want removed (which they should have been
able to easily find per above).
They provide a list of urls for consideration, only those need to be
looked at. I would assume they are ok with other mentions to them if
they didn't provide them.
If I detected that there was a follow-up top-posting email containing
the original content I would probably also truncate it, but strictly as
a courtesy matter and with no guarantees that I would do that.
If they failed to find themselves, why would I need to dig through the
archives, not even knowing what I am looking for? There are too many
ways to refer to someone, the email address, different names and
abbreviations (and misspellings!), which would not even be unique, plus
all kind of references (just suppose that the people to which Julian
referred claimed that his email contains PII about them!).

Requests to remove on-topic inline replies would be quite a different
matter, as they involve removing or altering messages by other people,
which could significantly modify the meaning of what third users say by
changing the context of the rest of the thread (which isn't necessarily
well-defined in a machine readable way). Plus, changing that may
infringe some protected speech rights by the subsequent poster (ouch!).
Not to mention the multiple jurisdictions typically found in the user
base of many mailing lists.

I would expect reasonable requests not to be a problem, though (eg. just
removing an address from a mail signature).




As an actionable for the mailman project, I think it could facilitate
the implementation of §59:
> Modalities should be provided for facilitating the exercise of the
> data subject's rights under this Regulation, including mechanisms to
> request and, if applicable, obtain, free of charge, in particular,
> access to and rectification or erasure of personal data and the
> exercise of the right to object. The controller should also provide
> means for requests to be made electronically, especially where
> personal data are processed by electronic means. The controller should
> be obliged to respond to requests from the data subject without undue
> delay and at the latest within one month and to give reasons where the
> controller does not intend to comply with any such requests.
> 
The user could be browsing a mailing list archive (as noted above) that
provides a link to "report content to remove" (automatically verifying
the reporter provided email address), which can then be automatically
removed (if it's his own email message and configured that way by the
list admin) or goes into a queue for admin reviewing (where it can be
easily hidden) or replied.
NB: this process is more ample than mere "Right to be forgotten"
requests, as that would also work for copyright infringement, virus,
etc.


Best regards

Ángel

-- 
Just another non-lawyer looking for his way through the GDPR.
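
The two archive operations discussed in this thread (listing every post by or mentioning an address, and redacting with a visible marker) can be sketched as follows. This is an added example, not code from any participant or from Mailman; it assumes a plain-text mbox archive, and the function names and the `X-Archive-Redacted` header are hypothetical.

```python
import mailbox
import os
import re
import tempfile

MARK = "[REDACTED]"  # visible marker, so readers can tell text was removed
# Constructed sample archive (not real list traffic).
SAMPLE = """\
From bob@example.org Mon May 14 10:00:00 2018
From: Bob Example <bob@example.org>
Subject: Used computer sale
Message-ID: <1@example.org>

Contact me at bob@example.org about the sale.

From alice@example.org Mon May 14 11:00:00 2018
From: Alice <alice@example.org>
Subject: Re: Used computer sale
Message-ID: <2@example.org>

Bob Example <bob@example.org> wrote:
> Contact me at bob@example.org about the sale.

Is the monitor still available?

"""

def _pattern(address, names):
    terms = [address, *names]
    return re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)

def find_posts(path, address, names=()):
    """List (Message-ID, 'author' | 'mention') for every message that matches."""
    pat, hits = _pattern(address, names), []
    box = mailbox.mbox(path)
    for msg in box:
        if address.lower() in (msg["From"] or "").lower():
            hits.append((msg["Message-ID"], "author"))
        elif pat.search(msg.as_string()):  # plain text only; encoded parts need decoding
            hits.append((msg["Message-ID"], "mention"))
    box.close()
    return hits

def redact(src, dst, address, names=()):
    """Copy src to dst, replacing the person's details; return messages changed."""
    pat, changed = _pattern(address, names), 0
    inbox, out = mailbox.mbox(src), mailbox.mbox(dst)
    for msg in inbox:
        before = msg.get_from() + msg.as_string()
        msg.set_from(pat.sub(MARK, msg.get_from()))  # the mbox "From " separator line
        for hdr in ("From", "Sender", "Reply-To"):
            if msg[hdr]:
                msg.replace_header(hdr, pat.sub(MARK, msg[hdr]))
        if not msg.is_multipart():
            msg.set_payload(pat.sub(MARK, msg.get_payload()))  # also hits quoted text
        if msg.get_from() + msg.as_string() != before:
            msg["X-Archive-Redacted"] = "yes"  # hypothetical header name
            changed += 1
        out.add(msg)
    out.close()
    inbox.close()
    return changed

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "list.mbox"), os.path.join(tmp, "redacted.mbox")
        with open(src, "w") as fh:
            fh.write(SAMPLE)
        who = ("bob@example.org", ["Bob Example"])
        found = find_posts(src, *who)
        changed = redact(src, dst, *who)
        with open(dst) as fh:
            text = fh.read()
        return found, changed, find_posts(dst, *who), text
```

The envelope `From ` separator line and other posters' quoted text both carry the address, which is why removing only the author's own messages leaves traces behind.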
