[Mailman-Users] GDPR

Grant Taylor gtaylor at tnetconsulting.net
Tue May 22 23:08:17 EDT 2018


On 05/22/2018 07:46 PM, Stephen J. Turnbull wrote:
> Many posts will include their names in CCs, especially on lists that 
> munge Reply-To.

Don't forget the munged reply.  }:-)

> Some of these may be hidden (eg, Reply-To is normally not displayed; 
> I don't know offhand if it's in the mbox files).

Yes, Reply-To: is a standard header and included in mbox files.

> However, I think that what that clause means is not "all data items 
> that mention you," but rather "what personally identifying information 
> (PII) is stored," ie, name, email, postal address (.sig!), phone number 
> (.sig!), blog and other website URLs, etc.  The right to be forgotten 
> would imply at least redacting *all* instances of such PII.

Agreed.

> If the archives are private, this is seriously problematic if it provides 
> access to nonsubscribers who "are afraid" they were mentioned.  Do you 
> really want a stalker trawling through your private lists just because 
> somebody "might" have called him out by name?

Yep.  There are all sorts of implications here.

> What "disproportionate" means will have to be decided by courts or 
> further legislation (I'm not familiar with how this works in the EU). 
> I suspect that a sed script redacting name, nickname, email addresses, 
> SNS aliases, phone, postal address, and geographical address (perhaps 
> even as minimal as city) will be the bare minimum expected for mailing 
> list archives to the extent that they are covered by GDPR.

The technical implications of that in and of itself astound.

What if part of the data is wrapped across lines?  What if it's quoted 
printable encoded with =20 breaking sed scripts trying to deal with line 
breaks?  What if it's base 64 encoded?  What if it's hosted on an 
Exchange server (or something else that uses a massive SIS-type DB)?

... trying to think about ways to do this ...
...
... failing ...
...
... giving up

Nope.  I want to NOT go there.

> This could easily be thousands of posts in a long-running mailing list. 
> Really, you'd want it done in bulk, using sed on an mbox or SQL on a 
> database, rather than URL by URL in the HTML.

Wasn't it the owner of Lavabit that gave the master decryption key to 
the courts in tiny font printed on hundreds of pages of paper?  —  He 
complied with the court order, but did not make it easy.

> Consider the example provided later in the thread of a private email 
> forwarded to the list by a subscriber.  Through no action of their 
> own, the private mail's author's PII was distributed over dozens (and 
> in really extreme cases it could be 100s) of posts in a long thread.

Or if it's Gmail (or the likes) where the messages being replied to are 
hidden and perpetually added to in each reply.  *HEAVYsigh*

> Anyway, as pointed out above, I'm pretty sure GDPR envisions *all* 
> instances of PII being redacted.

It's my (mis)understanding that it's the right for $individual to be 
forgotten, which means anything and /everything/ that identifies them. 
Emphasis on "everything".

> Because if it turns out later that that PII was found in your archives, 
> you will definitely be considered guilty of negligence or worse.  You 
> really cannot expect either users who want their PII redacted or courts 
> to be at all sympathetic to the mailing list managers on this point.

I mostly agree.

I think there is some small room for good faith effort.  I.e. we found 
and removed 10,000 instances of $plaintiff's PII.  We're sorry for 9 
that we missed.  We've removed them and contracted with 
$external3rdparty to see if we missed anything.

> The proverb, "the law is an ass", applies.  But that doesn't mean people 
> of ill-will can't abuse it, and people in a panic (eg, stalking victims) 
> may not care about your problems when they are literally at risk of 
> being murdered if found out.

I would hope there is some small room....

> GDPR is not reasonable for mailing list operators who maintain archives, 
> period.  The problem is not the intent of lawmakers, who mostly are 
> horrified by the abuses that hackers have made of private information 
> leaked from various databases, and want to address those problems as 
> well as stalkers of various types.

I agree that it's black hat hackers that do a lot of the exfiltration. 
But I think it's more the B2B selling of information that causes more 
concern (to me) than what hackers do with it.

I think we've seen enough breaches here in the US (I'm not up on the 
rest of the world) where little if anything makes the news about what is 
done with the leaked information, or the outcome thereof.

I've heard more about businesses using contact info for marketing.

I follow someone on Twitter who was complaining about Yubico and Linode 
because they used his information from business consumer / contractual 
information for pure marketing purposes.  —  IMHO that's a breach of 
intended use of the information.  —  That being said, it's within the 
CAN-SPAM Act in that there is an established business relationship.

> The problem is that people who would use such querying and redaction 
> facilities are likely to be in an "unreasonable" state of mind, as 
> described above.

I would hope that the cogs of the legal machine and its process would 
help slow some of that down.  I also hope that there would be protection 
for people who feel they are in immediate danger while said cogs, 
mechanisms, and processes work.

> Unless we somehow have a blanket exemption, or "click-wrap" "I waive my 
> GDPR rights with respect to posts to this list" Subscriber Agreements are 
> deemed valid, I half-expect GDPR will kill volunteer-maintained mailing 
> lists in Europe, and likely get Europeans banned from lists elsewhere.

I can't reasonably say that you're wrong.

> I don't agree with the scams currently being promoted that ban 
> subscriptions or even commercial transactions simply because the IP 
> address is allocated to Europe.

Agreed.

I think multiple court cases here in the US have shown that an IP 
address is not PII.  It's a contributing piece of information, but it is 
not PII in and of itself.  (At least that's my understanding.)

> What does "verify" mean here?  The problematic address may have been 
> deleted or pwned, and not available to the person wanting redaction.

Technical complications.  :-D



-- 
Grant. . . .
unix || die
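The encoding problems raised in this reply (an address wrapped across lines, quoted-printable soft breaks and =20, base64 bodies) are exactly what a sed pass over the raw mbox cannot see. The script below is an added example, not code from Mailman or from anyone in this thread: it parses one message with the standard library, decodes every header and text part, replaces the address, and re-encodes each part with the transfer encoding it originally had. The message, the address jane.doe@example.org and the placeholder redacted@example.invalid are all constructed for the demonstration; the placeholder is deliberately a syntactically valid address so it can be written back into Reply-To:/CC: headers.

```python
"""Redact one e-mail address from a MIME message, including the encoded parts a
sed script misses.  Added example; not Mailman code.  The message, the address
jane.doe@example.org and the placeholder redacted@example.invalid are made up."""
import base64
import email
from email import policy
from email.message import EmailMessage

TARGET = "jane.doe@example.org"          # the PII to forget (constructed)
# A valid addr-spec, so it survives being stored back into address headers.
REPLACEMENT = "redacted@example.invalid"

# Constructed sample: the same address appears three times, in three encodings.
# Only the Reply-To: header is a literal match on the raw bytes.
SAMPLE_RAW = (
    b"From: Someone <someone@example.com>\n"
    b"To: list@example.net\n"
    b"Reply-To: jane.doe@example.org\n"
    b"Subject: Fwd: a private note\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="sep"\n'
    b"\n"
    b"--sep\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n"
    # A quoted-printable soft line break ("=" at end of line) splits the
    # address over two lines, and "=20" stands in for a trailing space.
    b"Forwarding Jane's note. Her address is jane.=\n"
    b"doe@example.org and she asked me to pass it=20\n"
    b"on to the list.\n"
    b"\n"
    b"--sep\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.encodebytes(b"Thanks, reach me at jane.doe@example.org any time.\n")
    + b"--sep--\n"
)


def sed_style_count(raw: bytes, target: str) -> int:
    """What grep/sed would see: literal matches in the undecoded mbox bytes."""
    return raw.count(target.encode())


def decoded_count(raw: bytes, target: str) -> int:
    """Matches visible once headers and every text part have been decoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = 0
    for part in msg.walk():
        hits += sum(str(v).count(target) for v in part.values())
        if part.get_content_maintype() == "text":
            hits += part.get_content().count(target)  # undoes QP/base64 + charset
    return hits


def transfer_encodings(raw: bytes) -> list:
    """Content-Transfer-Encoding of each text part, to confirm they were kept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(p.get("Content-Transfer-Encoding", "7bit")).lower()
            for p in msg.walk() if p.get_content_maintype() == "text"]


def redact_message(raw: bytes, target: str, replacement: str) -> bytes:
    """Decode, replace, re-encode: every header and text part, same encodings."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    for part in list(msg.walk()):
        # Headers of this part (From, CC, Reply-To, Subject, ...), including
        # those of any message/rfc822 attachment that walk() descends into.
        for name in set(part.keys()):
            values = [str(v) for v in part.get_all(name, [])]
            if any(target in v for v in values):
                del part[name]
                for v in values:
                    part[name] = v.replace(target, replacement)
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments are left alone
        text = part.get_content()
        if target not in text:
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).lower() or None
        part.set_content(
            text.replace(target, replacement),
            subtype=part.get_content_subtype(),
            charset=part.get_content_charset() or "utf-8",
            cte=cte,                      # re-encode exactly as it was stored
            disposition=part.get_content_disposition(),
            filename=part.get_filename(),
        )
    return msg.as_bytes()


if __name__ == "__main__":
    print("raw-byte matches (what sed sees):", sed_style_count(SAMPLE_RAW, TARGET))
    print("decoded matches:", decoded_count(SAMPLE_RAW, TARGET))
    out = redact_message(SAMPLE_RAW, TARGET, REPLACEMENT)
    print("decoded matches after redaction:", decoded_count(out, TARGET))
    print("encodings kept:", transfer_encodings(out))
```

On the sample, the raw-byte count is 1 while the decoded count is 3, which is the gap a sed script leaves. Over a real archive the same function would be applied to each message from `mailbox.mbox(...)` and written to a fresh file; the pipermail HTML rendering is a separate copy of the same text and needs its own pass, and the Exchange/SIS case from the reply is out of reach for this approach entirely.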

