savannah-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-users] Savannah mailing-lists and GDPR

From: Uwe Scholz
Subject: Re: [Savannah-users] Savannah mailing-lists and GDPR
Date: Sun, 22 Apr 2018 22:53:05 +0200 
Am Sun, 22 Apr 2018 13:41:10 -0600 schrieb Assaf Gordon:
> Hello,
> 
> On 22/04/18 12:55 PM, Uwe Scholz wrote:
> > Am Sun, 22 Apr 2018 05:26:11 -0600 schrieb Assaf Gordon:  
> >> On 21/04/18 04:03 PM, Uwe Scholz wrote:  
> > I can also see all email-addresses in plain text of
> > every single email.[...] This leads me to the next question:
> > Regarding the GDPR, there should be the "Right to be forgotten".
> > 
> > That means, if a user requests his personal data to be removed from
> > the Savannah servers, (and this affects also his email address!),
> > this should be possible somehow.  
> 
> I doubt this will happen on gnu mailing lists - almost every posted 
> message has been saved and is publicly available with a stable URL
> for decades (and that is a point of pride).

I know, it definitely is! From a "right to be forgotten" perspective,
the point that the email address is permanently, publicly available
might still be a big problem.(*) I am not sure what is more important
from a law perspective: an unchanged archive or a masked email-address
in the archive.

(*) I was really supprised that the mail address is not masked in
the downloadable archive, as this is the case in the web front-end.

> > Remark: I think the ability to be forgotten should be implemented
> > here, otherwise Savannah might run in danger to become the aim of a
> > greedy lawyer.  
> 
> Not sure I understand what you means, but remember that it is a
> public mailing list - an email sent to it is store not only on gnu's
> archive, but also sent to *every* other subscriber's email - and
> stored on their account/computer. They is no "forgetting" it. Many of
> these lists are also mirrored on other servers (e.g. gmane).

With "greedy" I meant a lawyer being greedy for money, who can't wait
the 25th of May, sending an email to a Savannah mailing-list and after
that trying to have his data (email address) deleted from the servers
again. If this doesn't happen in a certain amount of time it could
result in high fines for Savannah. This is of course just a speculation
of mine, but we all know lawyers and advocates... I have had a contact
to one of them some time ago, and it was not the best acquaintance, I
can tell you ;)

And of cause I know and understand the concept of a public mailing
list and I don't talk about the local, private copy of a list member. I
am just talking about the public available archive here (or any other
permanently stored data).

> This is not the same situation as "google" or "facebook" where they 
> keep/manage the data themselves and (ostensibly) have the only copy 
> which can be deleted.

I am not sure if this is the true, because instead of a Facebook or
Google account, the GDPR treats the email address of a person to be
individual-related data which is especially in the need of protection.
Therefore it could be a problem to make this address publicly available
without a proof that the sender who writes an email really, really
understands what he is doing.

Google, Facebook and all the others solve this with new terms and
conditions one has to sign before continuing using their services.

For example there are rumors that WhatsApp will be allowed in the
future only for people beginning with the age of 16 because for younger
children the GDPR requires special care from their parents which is to
complicated to be implemented for WhatsApp. - Yes, GDPR is very
complex...

> > Currently it should be a good idea to let the users know that their
> > mail addresses are public available in the archives when they send
> > a mail to a mailing-list. 
> 
> These are *public mailing lists*.
> If there are users who do not understand what that means - there is a 
> bigger problem here...

We should focus on the public available archive (with plain text
email addresses) which might be the problem here, not the lists
themselves.

> Lastly,
> If you (or others) do want to pursue GDPR or any other internet 
> regulations - please contact the FSF directly ( 
> https://www.fsf.org/about/staff-and-board/ ).

Thank you very much. I will reach out to them when I find the time.

> Implementing such policies require access that savannah admins do not 
> have (see https://savannah.gnu.org/maintenance/NotSavannahAdmins/ ).

Great, thank you for both links!

> regards,
>   - assaf
> 
> 
> 
> 
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]