[Mailman-Users] [Mailman-cabal] GDPR

Grant Taylor gtaylor at tnetconsulting.net
Sat May 12 19:18:09 EDT 2018

On 05/12/2018 03:35 PM, Bernd Petrovitsch wrote:
> Well, it's the very nature of an archive that everything stays there 
> (similar to a backup).

Yes.  But I believe that GDPR has implications on expunging things from 
archives / backups too.  Not doing so is not within the spirit of 
forgetting someone.

> The other aspect of a mailing list archive is that one can find it and 
> may want to ask the original author something about the issue there.

Yes.  IMHO that's one of the wonderful things about public email archives.

> On the other hand deleting the mail address (on the mail server side by 
> the author) also kills that communication line.

I would rather have a GDPRed (read: anonymized) copy of a message than 
no message at all.

Consider if you will, someone publishing a How To for something quite 
rare, including all the necessary steps and minutia.  Then they 
subsequently leverage GDPR to be forgotten.  Would you want their how to 
to be removed (possibly taking the only / best source of said 
information with it) or simply anonymized so that it no longer reflects 
the sender?

I personally would STRONGLY prefer the latter.  The former causes 
destruction / loss of usable information that is not related to the sender.

> One other thing: And if someone (as a current or former mailing list 
> member) has the right to get the email address, name and signature removed 
> in one mail, does the mailing list admin has the right to delete *all* 
> the instances or only the actively requested/mentioned ones?  And what 
> about other mail addresses of the same person?

My understanding of (the pertinent part of) the spirit of is that the 
person has the right to be forgotten.  Thus, I would think that any and 
all references to the person would need to be modified so that the 
person is forgotten.

So I do believe that means that the mailing list admin would have the 
obligation to modify all instances of the requester in the archive.

Now, this brings up a question:  Is the mailing list administrator also 
responsible for my private archive of messages that I received while 
subscribed to a mailing list they administer?

> Does anyone know how the "blockckain is the solution to everything" 
> faction handles these issues?  It's not that they can ignore that either 
> - if only to discuss the question how personal the wallet address (or 
> whatever it is called) is.

First, IMHO blockchain is NOT the solution to everything.  It is a 
technique that happens to be a buzzword.

Further, blockchain is specifically designed to detect modification. 
What is done when something is detected is likely implementation dependent.

Remember that blockchain is a LOT more than just crypto currency. 
Crypto currency happens to be a heavy user of blockchain because it is 
possible to detect modifications.

Blockchain can be used for a LOT of other things.  I've heard references 
to using it for system logs as a way to prove that logs have not been 
modified after the fact.  Or at least detect if they have been modified.

My understanding is that blockchain is meant to make the historical 
portion of what it's used for be immutable.  (Or detectable.)

> Or can we kill the whole problem by using a blockchain for a mailinglist 
> archive archive?

I think using blockchain for mailing list archives would be the wrong 
way to go.

1)  We have no motivation (problem that needs to be fixed) to migrate 
away from what's been used for decades.
2)  Moving to blockchain would be seen as an attempt to avoid GDPR.
3)  The attempt would quite likely fail in and of itself.
4)  The bad motivation would be known (see #1) and as such, invalidate 
any attempt to migrate to blockchain for mailing list archives.
5)  We would still need to have a way to delete things.
6)  We would likely get into trouble with GDPR for going out of our way 
to snub our faces at GDPR.

I think most uses of blockchain are bogus and I'm ready for the buzz 
word to go away.

I mentioned it because GDPR and blockchain are sort of antipodes when it 
comes to the right to be forgotten.

Grant. . . .
unix || die

More information about the Mailman-Users mailing list