[Mailman-Users] [Mailman-cabal] GDPR

Alain D D Williams addw at phcomp.co.uk
Fri May 11 13:53:51 EDT 2018

On Sat, May 12, 2018 at 01:06:15AM +0900, Stephen J. Turnbull wrote:
> I hate to disagree with everybody, but ...
> We need to get an articulare European lawyer, or at least find someone
> who has studied the subject.  I don't know the credentials of anyone
> who has posted on this list, so I would be careful.  There was a post
> a few months back listing a bunch of stuff that person claimed we
> needed to support for our users (ie, list owners) to be able to
> conform to GDPR.  (Sorry, on a plane right now, search is painful.)
> I have no idea if that person was clueful, but I suspect he was a
> privacy activist and so would be biased toward stringent
> interpretation.  Still that post is where I'd start.
> On the FUD end of the spectrum, there are claims that the IPs in your
> webserver log are subject to redaction on request.  There are
> counterclaims that that is FUD. ;-)

[ first: IANAL ]

It is FUD.

Yes, you could argue that an IP address is a form of 'personal information'
(PI), in that it might identify someone. But you are allowed to keep such
information for the purposes of debugging server problems, tracking down
attempted break ins, etc. So you can keep the logs for a reasonable time to
allow you to do that.

How long: the default log recycling times (eg a few weeks to a couple of months)
would be reasonable. Some have suggested 2 days - but it is easy to justify
that that is not long enough since many problems do not become known for some

One confusion is that the GDPR does not prevent you keeping PI (eg as above),
but there are strictures on *processing* it, eg with the purpose of sending

*processing* it to trace a break in would be allowed - you are not seeking to
identify or act on the individual -- unless s/he was the reprobate who attacked
your machine.

A huge number of organisations are now seeking reaffirmation that you want to
receive email from them, this is because they do not have adequate documentation
that you want to receive email. My view is that the mailman log files show when
a user requested to join a mail list (eg the subscribe file); if they asked to
be subscribed and someone else did it, then the email/signup-form should be


> I don't know the credentials of
> either claimant.  It is my understanding that you may need to remove
> posts from archives on request.  AFAIK neither Mailman 2 nor Mailman 3
> supports that in the sense of making it possible to do it without
> editing the archives by hand (and in Mailman 2's case, rebuilding the
> archives), which requires login access to the host.

There is a right to be forgotten


> There are also claims that if you don't profit from the data stored in
> your host's records, you're safe.  Some people have posted "all posts
> yours are automatically permanently ours" rules of usage -- but I
> don't think EU law necessarily allows that, because GDPR rights may
> very well be inalienable "creator's rights".  I have no way to
> evaluate these claims, but at the very least you have to worry about
> frivolous claims (insert Michael Cohen/Rudy Guiliani joke here).
> Footnotes: 
> [1]  If someone reading this thinks they know GDPR well enough to (1)
> present basic concepts and risks (while liberally sprinkling IANALs and
> TINLAs around) and


> (2) point people at real lawyer blogs,

But beware: there is a mini-industry of people who try to worry organisations
and seek to advise you (at a fee - of course).

Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

More information about the Mailman-Users mailing list