On Fri, Apr 13, 2018 at 01:07:21PM +0200, Daniel Stone wrote:
> We've been looking into GDPR compliance for fd.o, which has been ... fun.
Yeah. I've been involved with looking at it for Debian. Fun isn't the word I'd use; I've ended up with a lot of questions and no real answers at this stage.
> The biggest stumbling block for us is probably Bugzilla and Mailman. Deleting messages and profiles from those just isn't practical for us, especially at any kind of scale. We could write a script to censor those, but once it has been posted to either, then it's all over the public internet anyway.
> We don't control distribution once messages hit Mailman - it's forwarded raw to a potentially unlimited distribution list - and deleting messages from Mailman is also a manual nightmare. Rebuilding the archives is out since it breaks URLs. Hand-editing it all sucks beyond belief. And then people have quoted it in replies anyway ...
> Does anyone know if there's some kind of GDPR 'out' for, 'by posting here you agree that everything is going to be made public, so as there's nothing we can do about its distribution, it's not useful or practical for us to undo that'? And are there any kind of credible Bugzilla/Mailman deletion tools?
For posting and distributing I think the "You posted to a list, therefore it's going to be sent out to anyone on the list" is reasonable - it's a point in time thing, it's the way lists work and there's no retention.
For archives if you rely on "you posted it, therefore we'll archive it and display it" you're using consent as the basis. GDPR says consent must be as easy to remove as grant, so you have to act on any deletion request. Which means it's much better to have an alternative basis for processing.
In a commercial environment I'd argue a bug tracking system is potentially part of a contractual obligation to fix bugs (or at least take some sort of notice of them), but I'm not sure that can apply to a Free software project in the general case. However there's potentially a public interest case to be made (we make the world a better place through Free software and it's in the interest of the public to see what is going on / historical information about why things are the way they are / interesting and informative technical discussions - Debian's Social Contract argues strongly that this applies) or just generally legitimate interests of the organisation; it's in the interest of fd.o to provide a bug tracking system that is public so that others with the same bug can come along and provide extra information to help solve it, or interested people can try to come up with fixes, or patterns across bugs that don't look related can be seen. Having to close access, or delete old bugs, removes those advantages.
Even assuming those are valid reasons (and no one I've spoken to has been able to tell me they definitely are or definitely aren't) you'll still need the ability to delete things, it's just that that deletion won't be an automatic thing the way it would be if consent was the only justification for public archives / bug tracking systems.
J.