On 05/14/2018 06:33 AM, Andrew Hodgson wrote:
- Archive purge requests. We have discussed the same items as on the
list to date. I am looking at doing a simple grep for the relevant
person's details and changing that. The main reason for doing this is
that if we just remove the author's messages they will be in a thread
of other messages and our users typically don't remove quoted material.
ACK
This seems like the lowest common denominator.
Current advice from the GDPR people is we may have to delete the whole
thread.
What‽
What is their working definition of "thread"?
Consider this scenario: a LONG running thread and the person exercising
their right to be forgotten simply adds a "me too" or an insult at the
very end.
Does that thread, which obviously had a lot of value to the thread
participants need to be deleted?
Why can't just the individual's message(s) be deleted? Or better,
redacted to not reflect them?
Still under discussion, this is also complex because threads and subjects
change; if we delete the whole thread there may be messages from the
same author in other threads that don't have correct attribution etc.
What does GDPR have to say, if anything, about subscribers having their
own archives, which will not be redacted in any way? — Is the mailing
list owner / administrator in any way, shape, or form, responsible for
expunging those records too?
- Audit logs for data access. It is not clear who is accessing
subscription data for the list as there is just a single owner and
moderator account. Unsure if current logging data in either MM2 or MM3 is
"good enough" for this. MM3 may solve the issue about single accounts.
I guess I don't understand the problem and / or make invalid assumptions
about MM.
I see six modes of access to the data:
1) List subscribers
2) List owners / administrators
3) Host system administrators
4) Administrators that are in the downstream SMTP / HTTP path and can
track things.
5) Backups.
6) Ongoing Discovery.
I would expect that #1 requires authentication to MM for subscribers to
see data, and I expect that this is logged in some (indirect) capacity.
I would expect that #2 would have access to the data as part of their
role of owning / administering a mailing list.
I would also expect that #3 has the capability to access the data. But
I would also expect that #3 would not access the data in normal day to
day operations.
Are you saying that GDPR is going to complicate things related to #3 and
make it such that there is more of a union between #2 and #3? I.e.
exclude 3rd party site hosters from being able to be #3?
What say you / them about #4?
- Relevant people seem to be happy that running a discussion list not
used for marketing purposes should exempt us from some of the marketing
type rules regarding data processing.
What is their working definition of "marketing"?
Does someone saying "Hey, I've got a hand knitted blanket for sale,
contact me directly if you're interested." count as marketing? What
about a news list from a library saying "Bob is managing the sale of
used computer equipment."? They both refer to items for sale and how to
contact someone off list.
To be really ornery, what if Bob is the person exercising his right to
be forgotten. — Can you simply redact his name & contact info? Can
you replace it with someone else's? — Or do you need to delete the
entire thread and send out a new message / thread?
IMHO: History happened. (Some) People will remember (some) details
(for a while). Removing evidence of them does not mean that history did
not happen.
- People seem happy with the system default logs as long as we can audit
access to the logs (which we are able to as there is little access to
the boxes themselves).
Please forgive me for questioning if all of your bases are covered.
Are #5 and #6 accounted for? What about #4 downstream? Or something
like the NSA's PRISM program.
- Likely that I will have to move the lists to a host the charities
control themselves and a separate host for each charity. This will
increase costs so we may need to look at an alternative solution like
a hosted list service as I am not setting myself up as a list hosting
business.
I understand why you say this. But to me this is an unacceptable
solution. It certainly will not scale.
I feel like there should be a GDPR counterpart of reasonable level of
effort in good faith. — I.e. redacting things in existing files and
stating that backups are expunged after X number of days. — I'm
perfectly fine responding to someone saying "I've REDACTED you from live
files, and old backups will automatically expunge…" in a short time
frame after the "amnesia request". Yet knowing that I can't mark
something as completely resolved until after the backups do expunge.
I'm not quite sure what to do in a situation of a litigation hold that
suspends expunging of backups.
¯\_(ツ)_/¯
Again, all this is up for interpretation. The largest ones for me at the
moment are regarding auditing access to the Mailman admin access and the
archive purging requests.
I'm not trying to come across as argumentative. I'm sorry if I am. I'm
simply bringing up things that I think are potential concerns that the
powers that be probably need to consider, and have a pat response to.
--
Grant. . . .
unix || die
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe:
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
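The "grep for the person's details and change them" approach discussed above, as an added illustration that is not code from the thread or from Mailman: it redacts a subscriber's name and address from an mbox archive line by line, which also covers quoted copies inside other people's messages, and reports how many messages were touched. The mbox sample and the identifiers are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample archive: the second message quotes the first, so the
# subscriber's details survive inside someone else's message.
SAMPLE_MBOX = """From alice@example.org Mon May 14 06:33:00 2018
From: Alice Example <alice@example.org>
To: list@example.org
Subject: Blanket for sale

Hey, I've got a hand knitted blanket for sale, contact me at
alice@example.org if you're interested.

From bob@example.org Mon May 14 07:00:00 2018
From: Bob <bob@example.org>
To: list@example.org
Subject: Re: Blanket for sale

Alice Example <alice@example.org> wrote:
> Hey, I've got a hand knitted blanket for sale
Me too.

"""


def redact_mbox_text(mbox_text, identifiers, marker="[REDACTED]"):
    """Replace every identifier (name, address, ...) wherever it appears,
    headers and bodies alike. Returns (redacted_text, messages_touched)."""
    # Longest identifier first so "Alice Example" wins over a bare "Alice".
    alternatives = sorted(identifiers, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(i) for i in alternatives), re.IGNORECASE)
    out, touched, msg_index = [], set(), -1
    for line in mbox_text.splitlines(keepends=True):
        if line.startswith("From "):      # mbox message separator
            msg_index += 1
        new_line, hits = pattern.subn(marker, line)
        if hits:
            touched.add(msg_index)
        out.append(new_line)
    return "".join(out), len(touched)


def redact_mbox_file(path, identifiers, marker="[REDACTED]"):
    """Redact an archive on disk; writes a sibling file, then swaps it in."""
    src = Path(path)
    text, touched = redact_mbox_text(src.read_text(encoding="utf-8", errors="replace"),
                                     identifiers, marker)
    tmp = src.with_suffix(src.suffix + ".redacted")
    tmp.write_text(text, encoding="utf-8")
    tmp.replace(src)                      # atomic on POSIX
    return touched
```

Run it against a list's mbox (a "Subject:" or the envelope "From " line may also name the person; the same pass catches those), and remember that backups and subscribers' own copies are outside its reach.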