2018-09-30 14:44:08-0500
------------------------

Julius leads a discussion about Tor and the GDPR

notetaker: dkg

----------------

* You have to use state-of-the-art tech for privacy

* You can sue your competitor if they don't use it

(can we imagine a future where competitors sue each other for not
including Tor in their products?)

Whenever you process user personal data, you need explicit consent of
the owner of the data, and you can only use the data within the scope
of that consent.

Unclear exactly what "owner" means here.

How does GDPR affect Tor?

* an organization has to document where it processes personal data of
  humans.

  e.g., TPI uses a payroll service. They transmit employee
  information to the payroll service.

  The result is that we need to create a directory of all the places
  where they store data

* TPI is an American organization, but it processes data about
  Europeans, so GDPR is probably still relevant

* We don't see a high likelihood of risk -- no competitors looking to
  sue tor

* But we could be using this process out of best-practices anyway.

What are the steps TPI could take?

* make a directory

* write down specific guidelines (e.g. never transmit cleartext data,
  weekly backups, deleted at specific time, hardware shredded in some
  other way)

* enforce these guidelines among staff

what does TPI have?

* Donors
* revision control
* payroll
* HR
* Meeting logistics

What about non-TPI impacts on the Tor community?

* exoneraTor
* metrics
* relay operators
* consensus

You need processes for deleting data under right to be forgotten
(RTBF). do we even have a process for someone to ask for removal?

* policies about website operation?

* double-opt-in for newsletters?

* mailing lists?

* how are we constraining addresses gained in one channel from use in
  another channel?

* Companies need to name a specific privacy officer. What does this
  entail? What kinds of liability do they have to assume? Is this
  required of an American company?

* if an official privacy officer isn't necessary, is it still a
  position we want to have?

* Roger has been asked regularly for a privacy policy about Tor
  software itself.

what about ContactInfo, as published by the directory authorities?

"safe logging policy" keeps nothing, compared with EFF's logging policy which exposes data in the past 24 hours.

* Services that we run on torproject hosts

  - backups for services?

  - backups of end-user devices?

  - blog, including comments -- who hosts the blog? it's a friend
    hosting it on pantheon.

  - bridgedb -- internal logs for maintenance or debugging? we talked
    earlier in the meeting about how important it is to get good
    logs from bridgedb

  - build hosts

  - network scanner, bandwidth scanner (check)

  - consensus

  - CRM, donor.torproject.org

  - deb.torproject.org

  - fp -- submits browser attribute information

  - e-mails to gettor@torproject.org -- how is that inbox cleared?
    is there an @gmail address?

  - some non-technical staff forward their @torproject.org e-mails to
    gmail. this might be an issue for donors, hr, etc.

  - git

  - helpdesk

  - support database?

  - rt queue -- previous policy was to keep all helpdesk requests,
    people wanted to get rid of it, but that process stalled.

  - jabber server, contains registration information, but it uses LDAP
    for login. some recent attempts to use it failed. can we turn it
    off?

  - jenkins CI

  - jumphost

  - kvm hosts

  - mailservers for forwarding -- do they use TLSRPT, MTA-STS?

  - mailing lists

  - schleuder installations

  - metrics: this might be diametrically opposed to the kind of
    minimization we're talking about.

  - nagios

  - nameservers

  - onionbalance

  - onionperf

  - *OONI needs its own GDPR meeting* -- they might also use a lot of
    3rd party services like slack, etc.

  - people.torproject.org -- more websites

  - puppetmaster

  - sandstorm, which has lots of info about meetings, etc.

  - shell server

  - staff and contractor database -- note: how do we handle job
    applications? Julius says that some stuff there needs to be

    meeting information, and employee spreadsheets have been found in
    google docs.

need a data retention policy.

Clearly needed more time. Erin Wyatt will drive this discussion
forward within TPI.