GDPR and CVE


GDPR and CVE

Kurt Seifried-2
So I had someone request their PII (email address) be removed from the CVE Terms of Use acceptance data I have for DWF, luckily there's no CVE associated with the address (I think it turned out to be an invalid request). 

But this does raise the question, under GDPR, even with positive affirmation (e.g. they filled out the form, then replied to an email) they would still be within their rights (as I understand GDPR) to then request at a later date that we remove their PII from the system. 

Which... let's be honest, we can't really do, because git, we can "remove" it but it still exists in previous branches/etc. And short of rolling git back in time to before that info existed, re-applying all the other changes and so on... and then having every fork go bonkers... 

So in short I think we need to ensure we have some legal/privacy language that makes it REALLY clear that once they submit their data and it gets into git (e.g. a CVE request) that we cannot remove it fully, and I'm not sure, but can we disclaim that we will remove it at all (I don't know enough about the internals of GDPR/how exactly it is interpreted). 


--
Kurt Seifried
[hidden email]
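The git point above is checkable. The following is an added example, not code from the thread or from the DWF/CVE tooling: it builds a throwaway repository with a constructed requester address, "redacts" the address in a later commit, and then searches every reachable revision for it, which is the check a maintainer would run before answering an erasure request. The file name, address and commit messages are constructed for the demo.

```python
"""Added example (not from the thread or the DWF/CVE tooling): show that a
commit which "removes" an email address leaves it recoverable from history,
and give the check a maintainer can run before answering an erasure request.
The repository, file name, requester address and commit messages are all
constructed for the demo."""
import os
import subprocess
import tempfile


def _git(repo, *args):
    """Run a git command inside `repo` and return its stdout."""
    return subprocess.run(
        ["git", "-C", repo, *args], check=True, capture_output=True, text=True
    ).stdout


def demo_repo_setup():
    """Create a repo, commit a constructed CVE-request record, then 'redact' it."""
    repo = tempfile.mkdtemp()
    subprocess.run(["git", "init", "-q", repo], check=True, capture_output=True)
    # Local identity so the demo does not depend on the user's global config.
    _git(repo, "config", "user.email", "demo@example.invalid")
    _git(repo, "config", "user.name", "demo")
    _git(repo, "config", "commit.gpgsign", "false")

    record = os.path.join(repo, "request.txt")
    with open(record, "w") as fh:
        fh.write("requester: reporter@example.invalid\n")   # constructed PII
    _git(repo, "add", "request.txt")
    _git(repo, "commit", "-q", "-m", "record CVE request (constructed)")

    # The naive takedown: overwrite the address and commit again.
    with open(record, "w") as fh:
        fh.write("requester: [redacted]\n")
    _git(repo, "commit", "-q", "-am", "redact requester address")
    return repo


def revisions_containing(repo, needle):
    """Return the commits, across all refs, whose tree still contains `needle`.

    A non-empty result means the string is still recoverable with plain
    `git show` / `git checkout`, regardless of what HEAD looks like.
    """
    revs = _git(repo, "rev-list", "--all").split()
    hits = subprocess.run(
        ["git", "-C", repo, "grep", "-l", "--fixed-strings", needle, *revs],
        capture_output=True, text=True,
    )
    # git grep exits 1 when nothing matches; that is an answer, not an error.
    return sorted({line.split(":", 1)[0] for line in hits.stdout.splitlines()})


def head_contains(repo, needle):
    """What a quick look at the checked-out tree would tell you."""
    with open(os.path.join(repo, "request.txt")) as fh:
        return needle in fh.read()


if __name__ == "__main__":
    r = demo_repo_setup()
    print("in HEAD:", head_contains(r, "reporter@example.invalid"))
    print("in history:", revisions_containing(r, "reporter@example.invalid"))
```

`head_contains` answers False after the redaction commit while `revisions_containing` still returns the first commit. History-rewriting tools (`git filter-branch`, `git filter-repo`, BFG) can purge the string from the repository you control, but they cannot recall clones, forks or mirrors that already fetched the commit, which is exactly the problem the thread describes; the reliable control is to keep the address out of the committed data in the first place, or to hold it in a store outside git history.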

RE: GDPR and CVE

Millar, Thomas

GDPR does not take effect until May, so we have some time to figure it out.

Does MITRE have counsel already looking into GDPR implications for its projects?

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: 8 March, 2018 16:20
To: cve-editorial-board-list <[hidden email]>
Subject: GDPR and CVE


RE: GDPR and CVE

Coffin, Chris

Not sure… but I will pass it along and see what is being done.

Chris C

From: [hidden email] [mailto:[hidden email]] On Behalf Of Millar, Thomas
Sent: Thursday, March 8, 2018 3:32 PM
To: Seifried, Kurt <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: RE: GDPR and CVE


Re: GDPR and CVE

Landfield, Kent

Add to the terms of use that if a submission is provided, all information is considered opted in. This would allow us to maintain the info long term. Assure lawyers approve. There are opt-in considerations.

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke! ありがとう धन्यवाद!

--

Kent Landfield

+1.817.637.8026

[hidden email]

 

From: <[hidden email]> on behalf of "Coffin, Chris" <[hidden email]>
Date: Thursday, March 8, 2018 at 3:40 PM
To: "Millar, Thomas" <[hidden email]>, "Seifried, Kurt" <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: GDPR and CVE


Re: GDPR and CVE

Kurt Seifried-2
In reply to this post by Coffin, Chris
So one good bit of news is that we're not collecting much (mostly email address, possibly name), it's all mostly positively affirmed (e.g. they submitted it to us), we don't have geographical data explicitly (it could be implied by language/CNA used/etc), and we certainly shouldn't ever have judicial data and financial data. Additionally we do minimal processing on the data (e.g. I email them the terms of use and a copy of the CVE once assigned and that's about it).

So one thing I would suggest is that all instances of email addresses use a positive affirmation email (e.g. email them, they have to reply/click a link to agree, and also can disagree and say "I didn't ask for this! remove me!") prior to it getting into git. 

I think we're ok, but I'm also not a lawyer.

On Thu, Mar 8, 2018 at 2:38 PM, Coffin, Chris <[hidden email]> wrote:





--
Kurt Seifried
[hidden email]
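The positive-affirmation flow Kurt suggests, a mail that must be answered before anything reaches git, can be implemented as a signed-token gate. The following is an added example, not code from the thread or from DWF: submissions wait in a holding area outside the repository, the confirmation mail carries an HMAC-signed "confirm" link and a "decline" link, and only a valid, unexpired, unused confirm token moves the record into the set that would be committed. The signing key, the one-week time-to-live, the in-memory stores and the addresses are constructed or assumed for the demo.

```python
"""Added example (not from the thread or DWF): a double opt-in gate in front
of the data that would be committed to git. Secret, TTL, stores and
addresses are constructed for the demo; a real deployment keeps the pending
queue and the key outside the repository."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)      # constructed per-process signing key
TOKEN_TTL = 7 * 24 * 3600             # assumed: mailed links die after a week

pending = {}    # email -> submission; held outside git, never committed
accepted = {}   # email -> submission; the only thing that goes into git
declined = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email, action, now=None, secret=SECRET):
    """Sign {email, action, exp, nonce}; the token is what the mailed link carries."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"email": email, "action": action, "exp": now + TOKEN_TTL,
         "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None, secret=SECRET):
    """Return the payload if the signature is valid and unexpired, else None."""
    try:
        p_part, s_part = token.split(".")
        payload, sig = _unb64(p_part), _unb64(s_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time compare
        return None
    data = json.loads(payload)
    now = time.time() if now is None else now
    if data["exp"] < now:
        return None
    return data


def submit(email, submission, now=None):
    """Stage a submission and return the two links the confirmation mail carries."""
    pending[email] = submission
    return {"confirm": make_token(email, "confirm", now),
            "decline": make_token(email, "decline", now)}


def act_on_token(token, now=None):
    """Handle a click: 'accepted', 'declined', or 'invalid' (bad, expired or reused)."""
    data = verify_token(token, now)
    if data is None or data["email"] not in pending:
        return "invalid"
    submission = pending.pop(data["email"])      # each token pair is single use
    if data["action"] == "confirm":
        accepted[data["email"]] = submission
        return "accepted"
    declined.add(data["email"])
    return "declined"
```

Because the only thing ever written to the repository is the `accepted` set, an address whose owner never clicks, or who clicks "decline", never enters git history, and a later erasure request against it only has to clear the holding area. The `nonce` keeps the two tokens of one pair distinct, and popping the entry from `pending` makes a replayed or stale link harmless.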

RE: GDPR and CVE

Levendis, Chris

Our lawyers are looking at the implications. I’ll report back once they get further along.

C

Chris Levendis
The MITRE Corporation
(W) 703-983-2801
(C) 703-298-8593
[hidden email]

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Thursday, March 8, 2018 4:47 PM
To: Coffin, Chris <[hidden email]>
Cc: Millar, Thomas <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: GDPR and CVE