[Mailman-Users] [Mailman-cabal] GDPR

Grant Taylor gtaylor at tnetconsulting.net
Mon May 14 15:46:38 EDT 2018 

On 05/14/2018 06:33 AM, Andrew Hodgson wrote:
> - Archive purge requests. We have discussed the same items as on the 
> list to date.  I am looking at doing a simple grep for the relevant 
> person's details and changing that.  The main reason for doing this is 
> that if we just remove the author's messages they will be in a thread 
> of other messages and our users typically don't remove quoted material.

ACK

This seems like the lowest common denominator.

> Current advice from the GDPR people is we may have to delete the whole 
> thread.

What‽

What is their working definition of "thread"?

Consider this scenario:  a LONG running thread and the person exercising 
their right to be forgotten simply adds a "me to" or an insult at the 
very end.

Does that thread, which obviously had a lot of value to the thread 
participants need to be deleted?

Why can't just the individual's message(s) be delete?  Or better 
redacted to not reflect them?

> Still under discussion, this is also complex because threads and subjects 
> change, if we delete the whole thread there may be messages from the 
> same author in other threads that don't have correct atribution etc.

What does GDPR have to say, if anything, about subscribers having their 
own archives, which will not be redacted in any way?  —  Is the mailing 
list owner / administrator in any way, shape, or form, responsible for 
expunging those records too?

> - Audit logs for data access.  it is not clear who is accessing 
> subscription data for the list as there is just a single owner and 
> moderator account.  Unsure if current logging data in either MM2 or MM3 is 
> "good enough" for this.  MM3 may solve the issue about single accounts.

I guess I don't understand the problem and / or make invalid assumptions 
about MM.

I see six modes of access to the data:

1)  List subscribers
2)  List owners / administrators
3)  Host system administrators
4)  Administrators that are in the downstream SMTP / HTTP path and can 
track things.
5)  Backups.
6)  Ongoing Discovery.

I would expect that #1 requires authentication to MM for subscribers to 
see data, and I expect that this is logged in some (indirect) capacity.

I would expect that #2 would have access to the data as part of their 
role of owning / administering a mailing list.

I would also expect that #3 has the capability to access the data.  But 
I would also expect that #3 would not access the data in normal day to 
day operations.

Are you saying that GDPR is going to complicate things related to #3 and 
make it such that there is more of a union between #2 and #3?  I.e. 
exclude 3rd party site hosters from being able to be #3?

What say you / them about #4?

> - Relevant people seem to be happy that running a discussion list not 
> used for marketing purposes should exempt us from some of the marketing 
> type rules regarding data processing.

What is their working definition of "marketing"?

Does someone saying "Hay, I've got a hand knitted blanket for sale, 
contact me directly if you're interested." count as marketing?  What 
about a news list from a library saying "Bob is managing the sale of 
used computer equipment."?  They both refer to items for sale and how to 
contact someone off list.

To be really ornery, what if Bob is the person exercising his right to 
be forgotten.  —  Can you simply redact his name & contact info?  Can 
you replace it with someone else's?  —  Or do you need to delete the 
entire thread and send out a new message / thread?

IMHO:  History happened.  (Some) People will remember (some) details 
(for a while).  Removing evidence of them does not mean that history did 
not happen.

> - People seem happy with the system default logs as long as we can audit 
> access to the logs (which we are able to as there is little access to 
> the boxes themselves).

Please forgive me for questioning if all of your bases are covered.

Are #5 and #6 accounted for?  What about #4 downstream?  Or something 
like the NSA's PRISM program.

> - Likely that I will have to move the lists to a host the charities 
> control themselves and a separate host for each charity.  This will 
> increase costs so we may need to look at an alternative solution like 
> a hosted list service as I am not setting myself up as a list hosting 
> business.

I understand why you say this.  But to me this is an unacceptable 
solution.  It certainly will not scale.

I fell like there should be a GDPR counterpart of reasonable level of 
effort in good faith.  —  I.e. redacting things in existing files and 
stating that backups are expunged after X number of days.  —  I'm 
perfectly fine responding to someone saying "I've REDACTED you from live 
files, and old backups will automatically expunge…" in a short time 
frame after the ""amnesia request.  Yet knowing that I can't mark 
something as completely resolved until after the backups do expunge.

I'm not quite sure what to do in a situation of a litigation hold that 
suspends expunging of backups.

¯\_(ツ)_/¯

> Again all this up for interpretation.  The largest ones for me at the 
> moment is regarding auditing access to the Mailman admin access and the 
> archive purging requests.

I'm not trying to come across as argumentative.  I'm sorry if I am.  I'm 
simply bringing up things that I think are potential concerns that the 
powers that be probably need to consider, and have a pat response to.



-- 
Grant. . . .
unix || die

More information about the Mailman-Users mailing list