[Mailman-Users] [Mailman-cabal] GDPR

Grant Taylor gtaylor at tnetconsulting.net
Thu May 17 13:53:30 EDT 2018

On 05/17/2018 02:56 AM, Bernd Petrovitsch wrote:
> FWIW and IMHO, I think we are in violent agreement here.


> In the old-school life: the sender (because s/he said it on her/his free 
> will) - I hope;-).  But the person who overheard it may tell the story 
> to a third person.  And it's just/only hear-say - even if it's actually 
> 100% correct (which is almost never ever the case). And there starts 
> actually the real "forgetting" or "doubts" ...

I agree that fan-out can be a problem.  IMHO the root cause is the 
person that said it, the sender.

> But in an "everything is written" world, that is massively different: 
> In the old-school world, a "written proof" had a quite large value 
> because it wasn't trivial to have such a thing.  Nowadays - with almost 
> every communication over the Internet - it's the normal, that there is a 
> "written proof" aka recorded/logged/whatever.

That's an interesting point, but I'm not seeing who's at fault, the 
person who overheard what I said (the archive) or me for saying it in a 
non-secure manner (the sender)?

> I'm not diving into differences of "how some judge may value some so- 
> called proof" in some given (somewhat Western) country, but most people - 
> even in Spring 2018 - don't realize, what's really going on and try to 
> get back the world from the 1960s (or so;-) - well, "thinking before 
> talking" was always a hard job;-)


> A court order may "force" you to not tell it to anyone but it can't make 
> you forget it (or write it down and hide it somewhere safe).

Where force = order under some form of penalty, sure.

> So in general: No. And that's exactly the problem with the "right to 
> be forgotten".


Good ideas usually start to have problems when they are taken too far.

> Of course.  But only for (somewhat obvious) very good (including legal) 
> reason like really hard law issues like - at least in .at and .de - 
> Nazi stuff and/or (everywhere I hope) certain forms of pr0n.

Even with those issues, the court can only order you, under some 
penalty, to not do something.  They still can't cause you to unsee or 
forget something.

At least I'm not aware of any such technology yet.  (My ignorance of 
such technology does not preclude it from existing.)

> But for some claims of "please remove my email address?"?  If that email 
> address can be found (via Google) on hundreds of sites, the removal of one 
> instance doesn't change anything.  Ooops, and a chicken-egg problem ....

I think it does.

IMHO the issue is that multiple people doing the same wrong thing does 
not make the thing in question correct.

Case in point, is it wrong to ask someone specific to stop spamming me 
when considering that multiple other people could be spamming me?

Or, more along the lines of your example, saluting in a Nazi-esque manner? 
(I'm not saying I agree with anything therein, I'm just using it as 
an example.)

> That question should be answered by some copyright/authors right lawyer.


I would be interested in what their take is.

I suspect it's going to come down to misrepresentation.  Either trying 
to falsely claim credit for someone else's work, or trying to attribute 
something to someone who didn't say it.

Short of significant persuasion to the contrary, I'm going to continue 
to believe that admins / owners of systems have the right to modify what 
was said in very specific cases when it comes to what enters / passes 
through / is stored on their systems.  IMHO this MUST be done in a 
manner that makes it clear that this was done.

> Yes, and everyone writes that in the mailinglists charta (including 
> that all mails go into a public archive, are never edited, censored, 
> deleted, etc.).  Just from that point of view, everyone sending mails 
> to the mailinglist has implicitly agreed to the rules including the 
> publication in a Google-indexed archive.

I have some issues with that.

  - Corporate policy, regional laws, technical capabilities, etc. can 
  - Agreeing to an E.U.L.A. does not mean that you actually understand it.
    (I'm hearing that this is starting to be challenged in courts.)
  - Index ability is independent of publicity.

> BTW: I cannot do everything I want with it because I cannot choose to 
> plain simply ignore modification requests from a court.

Hence regional laws above.

> Everyone can claim a lot of things - the hard question is how to prove 
> it;-)


> Any serious business won't send me any "newsletters" if I request that 
> without any legal backing (if only that I continue to buy from it in 
> the future and don't tell anyone that they ignore such simple things - 
> and because it's "just the right thing to do"(TM)).

Sadly, I've seen legitimate businesses fail and do exactly that.  Use 
contact details specifically for the contracted service inappropriately 
for marketing reasons.

> Yup, but there are other companies or folks using selling addresses and 
> other personal data (if only for "scientific purposes"[0]).

I feel like those companies should be required to collect the data from 
somewhere other than what was used explicitly for contracted business.

Much like how HIPAA affords us the restriction to say that the 
information can only be used for healthcare treatment, and the express 
process associated therein (billing, insurance, etc.).

This does not extend to marketing or sales as that's not expressly 
healthcare / treatment.

> Selling and buying "sales leads" (which are actually contact addresses 
> at best) or personal data (as covered by the spirit of the GDPR) as 
> such should be forbidden that would solve more problems and is easier 
> to enforce).

I'm going to disagree with you.

I've been around all sorts of people that won't give you their password 
if you ask them.  But if you offer to give them an ice cream cone to buy 
their password, they will happily trade with you.

The point being, I think there is a valid business model to legitimately 
collect information under pretense that it will be provided (read: sold) 
to marketers.

As long as that's clearly indicated up front, and I'm compensated (for 
my eventual hassle), I might consider doing so.  Especially if I have an 
easy way to tell the people that contact me in the future to bugger off. 
  Who knows, I might actually find something useful in the noise.

> ATM the companies are free to do (almost - also depending on the local 
> jurisdiction) anything with personal data and the effort to handle 
> misuse of it is shifted to the private person.  It should be the other 
> way around ....


I should be able to earmark that my contact information can ONLY be used 
for official business transactions and NOT for anything outside said 
explicit business transaction.

IMHO this should be something like a bit in the database that indicates 
if the info is available for other uses (read: marketing).  Perhaps it 
should be express contractual uses, general business uses, business 
partner uses, and general.

> No.


> Yeah, that's an interesting issue (which happen to apply to the next club 
> with normal member management): A member leaves (for whatever reason) 
> and - to minimize the data - expects that all data about him/her is 
> (really) deleted.

IMHO, expecting that it is deleted is asking too much in this day and 
age.  Expecting to not be contacted again might be too much.

I think that depends on the terms of the separation.  I.e. non-renewing 
a magazine subscription would likely be okay to offer renewal discounts 
in 3 / 6 / 9 / 12 / 18 months.  Conversely, asking a former member who 
has been forcibly excommunicated (read: voted out by other members) for 
a donation during the next fund raiser is probably a bad idea.

> But if the same person comes back two years later, doesn't the club (or 
> company) have the right to know that that person was already a member 
> (and in which years)?  And if a member is expelled, the club surely wants 
> to remember that.

I think that the company has the right to know that information.

Note:  Knowing that does not translate to using said information for 
anything outside of the express business relationship.

I seem to keep coming back to the express business relationship.

> Of course, that completely invalidates any "request on forgetting" per se 
> (and reduces it to "act like you don't know it").

I think the spirit of requesting to be forgotten really translates to 
requesting to not be contacted in the future.  At least for most (but 
not all) situations.

> A completely other approach (and solution;-) to "mailinglist archive 
> and the GDPR": Is an automatically generated mailinglist archive in HTML 
> actually subject to the GDPR?  It's not that it is really structured and/or 
> organized like e.g. some SQL database.

I think that any data collection / aggregation is likely going to be 
subject to GDPR, for better or worse, in some way.

I also feel like the structure of the data, or lack thereof, is 
somewhat immaterial.  Especially in this day and age where people are 
touting storing data in unstructured manner.  Plus, extracting email 
addresses (and associated names) from a mail archive, HTML or not, is 
relatively easy.  ;-)

Grant. . . .
unix || die
