[gdpr-discuss] Undeleteable data

Fri Apr 13 14:03:51 BST 2018

On Fri, Apr 13, 2018 at 01:07:21PM +0200, Daniel Stone wrote:
> We've been looking into GDPR compliance for fd.o, which has been ... fun.

Yeah. I've been involved with looking at it for Debian. Fun isn't the
word I'd use; I've ended up with a lot of questions and no real answers
at this stage.

> The biggest stumbling block for us is probably Bugzilla and Mailman.
> Deleting messages and profiles from those just isn't practical for us,
> especially at any kind of scale. We could write a script to censor
> those, but once it has been posted to either, then it's all over the
> public internet anyway.
> 
> We don't control distribution once messages hit Mailman - it's
> forwarded raw to a potentially unlimited distribution list - and
> deleting messages from Mailman is also a manual nightmare. Rebuilding
> the archives is out since it breaks URLs. Hand-editing it all sucks
> beyond belief. And then people have quoted it in replies anyway ...
> 
> Does anyone know if there's some kind of GDPR 'out' for, 'by posting
> here you agree that everything is going to be made public, so as
> there's nothing we can do about its distribution, it's not useful or
> practical for us to undo that'? And are there any kind of credible
> Bugzilla/Mailman deletion tools?

For posting and distributing I think the "You posted to a list,
therefore it's going to be sent out to anyone on the list" is reasonable
- it's a point in time thing, it's the way lists work and there's no
retention.

For archives if you rely on "you posted it, therefore we'll archive it
and display it" you're using consent as the basis. GDPR says consent
must be as easy to remove as grant, so you have to act on any deletion
request. Which means it's much better to have an alternative basis for
processing.

In a commercial environment I'd argue a bug tracking system is
potentially part of a contractual obligation to fix bugs (or at least
take some sort of notice of them), but I'm not sure that can apply to a
Free software project in the general case. However there's potentially a
public interest case to be made (we make the world a better place
through Free software and it's in the interest of the public to see what
is going on / historical information about why things are the way they
are / interesting and informative technical discussions - Debian's
Social Contract argues strongly that this applies) or just generally
legitimate interests of the organisation; it's in the interest of fd.o
to provide a bug tracking system that is public so that others with the
same bug can come along and provide extra information to help solve it,
or interested people can try to come up with fixes, or patterns across
bugs that don't look related can be seen. Having to close access, or
delete old bugs, removes those advantages.

Even assuming those are valid reasons (and no one I've spoken to has
been able to tell me they definitely are or definitely aren't) you'll
still need the ability to delete things, it's just that that deletion
won't be an automatic thing the way it would be if consent was the only
justification for public archives / bug tracking systems.

J.

-- 
  Beware of programmers carrying   |  .''`.  Debian GNU/Linux Developer
           screwdrivers.           | : :' :  Happy to accept PGP signed
                                   | `. `'   or encrypted mail - RSA
                                   |   `-    key on the keyservers.