Hi Moritz,
On 13 April 2018 at 13:17, Moritz Bartl <moritz@techcultivation.org> wrote:
> On 13.04.2018 13:07, Daniel Stone wrote:
>> The biggest stumbling block for us is probably Bugzilla and Mailman. Deleting messages and profiles from those just isn't practical for us, especially at any kind of scale. We could write a script to censor those, but once it has been posted to either, then it's all over the public internet anyway.
> In many countries it has already been the case that if someone requests personal data to be deleted, you have to make that happen. This does not mean you have to delete the data from all the _other_ places it already went out to, so the only thing we're talking about in the Mailman case is the archives: Posts themselves and potentially quotes, yes, as long as it is personally identifiable data. My understanding there is that it would be enough in most cases to remove the sender information, and the quoted name above quotes, not the quoted statements themselves.
> In almost all larger projects that I've been involved in, we had such cases already: People mistakenly posting sensitive information to a list, or asking for removal later because they didn't understand their mail would be publicly archived. Few, yes, but still. Which meant exactly what you mentioned: the manual hacky way of censoring the archived post.
True. We have done it a couple of times, but those were quite extreme: copyright violation (posting proprietary code), and extreme content that would have been legally actionable for us.
> I don't see how the GDPR changes that. You cannot argue your way out of it, the obligation exists that you do need to remove such personal content on request, but: How often will it happen, really? There is no obligation to fully and cleanly automate it.
OK, it's good to have your opinion that we cannot route around this. That is a very real change for us though, because of the claimed universal jurisdiction regardless of the location of the servers/processors (fd.o is not hosted in the EU, nor is it part of a European legal entity).
I don't care about being obligated to have the process automated, but quite the reverse: it's _extremely_ consuming. For Mailman archives, this means hand-editing mboxes, HTML mails, and all of author/date/thread indices. Even in advance of the GDPR, we get more requests for this than we can practically service given our limited admin time. Given a deluge of requests, we would be forced to either not comply and face any legal consequences, or just stop offering these services.
Cheers, Daniel