[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Andreas Barth: How to (not) protect privacy

>From <http://blogs.turmzimmer.net/2010/03/02#privacy-how-not-1>:
On 02/03/10 at 08:31 -0000, Andreas Barth wrote:
> Protecting our privacy is important. For example, I wouldn't like if
> my mailing list subscriptions get known to anybody else (except the
> relevant listmasters of course as part of their job), for the simple
> reason that this is just my own decisions which lists I get mail
> from (and read, but that's not necessarily the same). This is an
> classical example of "personal information are handed out on a
> need-to-know-basis" (like to listmasters if necessary), and is also
> in line with european laws (I don't know the legal situation in
> other parts of the world enough).
> Now, publishing mailing list subscriptions hased sounds like an good
> idea to protect privacy. But if thinking twice, this just doesn't
> work. Most peoples subscription addresses could be known by other
> means or are even the addresses they use for sending mails (some
> systems even enforce this). So this is a huge privacy fail.
> Getting back to debian, and speaking the obvious out: The new
> interface to udd is just broken and wrong. Please remove all my
> adresses from being displayed, either in direct or hashed form, even
> in restricted mode. Thanks.

For context, Andreas is replying to http://www.lucas-nussbaum.net/blog/?p=453
I'm not sure why people start discussions on blogs, when we have mailing
lists for that.

So, here is the status.
To make progress towards a web interface for DDPO-by-mail, which was
asked in [1], and a way to generate the email automatically (instead of
manually[2]), I imported the list of PTS subscribers into UDD.
[1] http://lists.debian.org/debian-devel/2010/02/msg00302.html
[2] http://lists.debian.org/debian-devel/2010/02/msg00341.html

The list of (package, subscribers) is already available to DDs on
master.d.o (/org/packages.qa.debian.org/bin/get-summary-subscribers.pl),
so the fact that this information is also available to DDs in UDD is
nothing new.

However, data stored in UDD is also available to a wider public:
- people with an alioth SSH access can access UDD even if they are not
- data is exposed on the web at http://udd.debian.org/

When importing the PTS subscribers in UDD, I made a compromise between
privacy and usefulness, similar to the ones we already make elsewhere in
Debian (PTS, DDPO, BTS, even Sources/Packages files).

To protect us from potential email harvesters, the "public" version (the
one you see when connecting to UDD without using the passwords that only
DDs can now) of the data only contains hashes of the email addresses.
This mainly protects the email addresses of people subscribed on the PTS
who are not Debian maintainers or uploaders.

The CGI that is being discussed in Andreas' blog only exposes, for a
given email address, the list of packages where the mail is Maintainer:
or Uploader:, but is not subscribed on the PTS.

So, the worst thing that can happen using this CGI is that someone,
knowing the email address of a Debian contributor (easy), can get the
list of packages that this contributor maintains or co-maintains, but is
NOT subscribed to on the PTS.

Additionally, there is more information available if you have access to
UDD through alioth. Knowing the email address that a Debian contributor
uses to subscribe to the PTS, you can compute its hash, and then see the
list of packages that this email is subscribed to (or not subscribed to)
on the PTS.

That sounds like an acceptable compromise to me. Of course, it can be
revisited, but I'm not sure of what would be an acceptable compromise,
so I'm not going to propose anything here.
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |

Reply to: