[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: A note from GitHub about your repository

To: Kurt Seifried <kurt@seifried.org>, cve-editorial-board-list <cve-editorial-board-list@mitre.org>
Subject: RE: A note from GitHub about your repository
From: Lisa Olson <elolson@microsoft.com>
Date: Wed, 10 Oct 2018 17:52:51 +0000
Accept-language: en-US
Authentication-results: spf=fail (sender IP is 198.49.146.235) smtp.mailfrom=microsoft.com; imc.mitre.org; dkim=pass (signature was verified) header.d=microsoft.com;imc.mitre.org; dmarc=pass action=none header.from=microsoft.com;
Authentication-results-original: spf=none (sender IP is ) smtp.mailfrom=elolson@microsoft.com;
Delivery-date: Wed Oct 10 14:01:37 2018
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PF2Ps3sTIjpcZLefoqzertz1/CRpXGm2p8Um9Moqo3M=; b=QYiOEGAGWHBahYsTSUWynpZe/iQxW2is8shBkk9UGqalkKG2wUshDyKnrnYpTjEUhOm8U1IZYYeXAH8N5JceKM8r1OLfAEaJcHFL9BPneG8c7NVmi1/mZtBebp9QpwLFcgPugS8bJtjFuzP7p1IIdTzaGP38TRsh9CfEedXPj0c=
In-reply-to: <CABqVa3-YrMWNcYo2-MyRhh-US7KJDLode1C+1f-1US=OofWZ1A@mail.gmail.com>
Msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=elolson@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-10-10T17:52:48.6774221Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
References: <discussions/2f1b8ac0c56511e894cb05b41a397422/comments/5400971@github.com> <CABqVa3_n8gjtLYCQCnv=xw_bXGu842=8=oD+mWF+NFDN0J3g=A@mail.gmail.com> <CABqVa3-3Fiy+XJoTf+X14-Br6j0ebWAsqjpJqRQupe0MjwXObw@mail.gmail.com> <discussions/2f1b8ac0c56511e894cb05b41a397422/comments/5431634@github.com> <CABqVa3-YrMWNcYo2-MyRhh-US7KJDLode1C+1f-1US=OofWZ1A@mail.gmail.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
Thread-index: AQHUWZ59hQa/5COmd06dsH/z5HA+MaUKjqaAgA4lkcOAABe04A==
Thread-topic: A note from GitHub about your repository

Hi Kurt,

Is the information that this person wants to be removed in the https://github.com/CVEProject repository? Is there a specific CVE that contains his/her email address?

Is there are strong reason for not removing this personal information? If the vulnerability has been fixed and documented by the CVE, why would we need to maintain the personal information. Microsoft has taken the position that if someone wants their acknowledgement information removed, we will honor that request.

Is the repository that Morgan/GitHub will be required to remove the https://github.com/CVEProject repository?

Sorry if my questions show my ignorance, just trying to catch up.

Lisa

From: Kurt Seifried <kurt@seifried.org>
Sent: Wednesday, October 10, 2018 9:08 AM
To: Greg Ose (GitHub Staff) <support@github.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@mitre.org>; miskander@github.com; Robert Schultheis <rschultheis@github.com>
Subject: Re: A note from GitHub about your repository

On Wed, Oct 10, 2018 at 9:50 AM Morgan (GitHub Support) <support@github.com> wrote:

Hi Kurt,

Thanks for your reply, and apologies for the delay in coming back to you.

We appreciate that you may have properly obtained consent from the user to public their information publicly; but at this time, the user has withdrawn that consent, as they are permitted to under GDPR.

This isn't entirely true. You can't for example call your local tax authority and tell them you're withdrawing consent from being processed. For a variety of business process and technology and legal reasons it is possible for this "right to be forgotten" to not universally apply.

We feel that it's in everyone's best interests to have you and the user connect to figure out what's an appropriate solution. Since you

I already did, I thought it was at an end and then they made this complaint. I think an appropriate solution is "you consented, TWICE, to publishing your email address publicly, you could have chosen NOT to give consent and used an alternate email address specifically for this purpose, as such we are not removing your data".

already have the user's information, we'd recommend you reach out to them directly to discuss a resolution. Please be advised that, until you're able to work out an alternative with the user, we need you to remove the user's personal information, or we'll be required to remove the repository. We'll check back in a week to see if this has been resolved. If not, we will need to disable the repository. Please let us know if you have any other questions.

To the board: it looks like the CVE community will need to stop using GitHub until this is resolved as their current interpretation of GDPR essentially makes it impossible for the DWF to use the CVE data people submit (as they can revoke it, even after agreeing in a positive manner). I will be transitioning the DWF off of GitHub when I have time. I also suspect this means MITRE and others cannot use GitHub safely as well.

Cheers,
Morgan

Kurt Seifried
kurt@seifried.org

Follow-Ups:
- Re: A note from GitHub about your repository
  - From: Kurt Seifried <kurt@seifried.org>

References:
- Re: A note from GitHub about your repository
  - From: Kurt Seifried <kurt@seifried.org>
- Re: A note from GitHub about your repository
  - From: Kurt Seifried <kurt@seifried.org>
- Re: A note from GitHub about your repository
  - From: Kurt Seifried <kurt@seifried.org>

Prev by Date: Re: DoD and CVE
Next by Date: Re: A note from GitHub about your repository
Previous by thread: Re: A note from GitHub about your repository
Next by thread: Re: A note from GitHub about your repository
Index(es):
- Date
- Thread