Re: A note from GitHub about your repository


Re: A note from GitHub about your repository

Kurt Seifried-2


On Mon, Oct 1, 2018 at 4:31 AM Morgan (GitHub Staff) <[hidden email]> wrote:

> Hello,
>
> My name is Morgan, and I work on GitHub’s User Policy team. We received word that one of your repositories contains sensitive or personal information that you may not have intended to make public, namely: private email addresses:
>
> https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/lpu%40protonmail.ch
>
> Lines 6, 12, 15, 26, 27, 28, and the file name itself.
>
> We wanted to give you a heads-up in case the information was published accidentally. If you need any help removing sensitive information that was committed by mistake, just let me know! We also have a handy guide here:
>
> https://help.github.com/articles/remove-sensitive-data
>
> Please note that we may suspend repositories deemed to violate our Terms of Service, including those hosting sensitive or personal data. Please let us know if you have any questions and we'd be happy to help.

Nope, it was published intentionally. In order to request a CVE Identifier, the person submitting the data has to be licensed so the CVE project and others can use it; thus you need to agree to the CVE Terms of Use (https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use.md). I must publish these publicly so I have proof that it was accepted properly. Additionally, the email addresses submitted to the form at https://iwantacve.org/ are made public in a Google spreadsheet; this is made OBVIOUSLY clear in the initial form. Additionally it is made clear that CVE is a PUBLIC database and information entered into it (like the description of the vulnerability, 

Furthermore, CVE has a policy that when requesting a CVE you MUST use a working email address so that

1) we can contact you to get acceptance of the Terms of Use
2) CVE users can contact the original requestor for clarification/details/etc.

CC'ing the CVE board as I've brought this issue up (how do we handle GDPR-related issues) as this provides a good example. Also CC'ing Robert/Marko as they had asked in a previous email how GitHub can help the DWF (a major part would be ensuring trolls don't get people booted off of GitHub). Thanks!

> Thanks,
>
> Morgan
> GitHub



--
Kurt Seifried
[hidden email]

Re: A note from GitHub about your repository

Kurt Seifried-2
Also to be clear if you look at the artifact it explicitly states that replying with "I accept" means it gets posted publicly (I even provide the URL):

Luka Pusic <[hidden email]>

Thu, Apr 6, 2017, 2:03 PM
to me
I accept



-------- Original Message --------
Subject: DWF/CVE - Acceptance of MITRE Terms of Use for CVE for [hidden email]
Local Time: 6 April 2017 10:01 PM
UTC Time: 6 April 2017 20:01

This is a confirmation email sent from CVE request form at https://iwantacve.org/ asking you to accept the MITRE CVE Terms of Use (assuming you filled out the CVE form and want one, we can't use the data until you accept the MITRE CVE Terms of Use). 

Simply quote the email and reply with "I accept" at the top if you agree to the MITRE CVE Terms of Use and we will add it to the DWF MITRE CVE Terms of Use acceptance data at https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/tree/master/Terms-Of-Use

If you did not submit a CVE request to the DWF you can safely ignore this message; however, we may resend it at some point in the future. If you don't want any future emails, simply reply with "unsubscribe" or "DON'T SEND ME THIS EMAIL EVER AGAIN" and I'll add your email address to the block list so we don't spam you with these. Please note that this will prevent you from being able to accept the MITRE CVE Terms of Use via the DWF automatically in future (you'll have to manually ask). But again, if you have no idea what a CVE is then you can ignore this / ask to be added to the block list with no problems.

MITRE CVE Terms of Use

LICENSE

Submissions: For all materials you submit to the Common Vulnerabilities and Exposures (CVE®), you hereby grant to The MITRE Corporation (MITRE) and all CVE Numbering Authorities (CNAs) a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute such materials and derivative works. Unless required by applicable law or agreed to in writing, you provide such materials on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.

CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.

--
Kurt Seifried
[hidden email]

Re: A note from GitHub about your repository

Kurt Seifried-2


On Wed, Oct 10, 2018 at 9:50 AM Morgan (GitHub Support) <[hidden email]> wrote:

> Hi Kurt,
>
> Thanks for your reply, and apologies for the delay in coming back to you.
>
> We appreciate that you may have properly obtained consent from the user to publish their information publicly; but at this time, the user has withdrawn that consent, as they are permitted to under GDPR.

This isn't entirely true. You can't, for example, call your local tax authority and tell them you're withdrawing consent from being processed. For a variety of business process, technology and legal reasons it is possible for this "right to be forgotten" to not universally apply.

> We feel that it's in everyone's best interests to have you and the user connect to figure out what's an appropriate solution. Since you

I already did; I thought it was at an end and then they made this complaint. I think an appropriate solution is "you consented, TWICE, to publishing your email address publicly, you could have chosen NOT to give consent and used an alternate email address specifically for this purpose, as such we are not removing your data".

> already have the user's information, we'd recommend you reach out to them directly to discuss a resolution. Please be advised that, until you're able to work out an alternative with the user, we need you to remove the user's personal information, or we'll be required to remove the repository. We'll check back in a week to see if this has been resolved. If not, we will need to disable the repository. Please let us know if you have any other questions.

To the board: it looks like the CVE community will need to stop using GitHub until this is resolved, as their current interpretation of GDPR essentially makes it impossible for the DWF to use the CVE data people submit (as they can revoke it, even after agreeing in a positive manner). I will be transitioning the DWF off of GitHub when I have time. I also suspect this means MITRE and others cannot use GitHub safely as well.

> Cheers,
> Morgan



--
Kurt Seifried
[hidden email]

Re: A note from GitHub about your repository

Kurt Seifried-2
The artifact in question is their agreement with the CVE terms of use:

https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/lpu%40protonmail.ch

They were explicitly notified in the email, that they then had to reply to with "I accept" typed in. By removing the artifact I'd also have to revoke the CVE and REJECT it. I would also note that their email data is in a variety of other places like the cvelist git repo (in a branch), and in MITRE's backend database. 

As I said before GDPR has a variety of aspects, one of which is often referred to as "the right to be forgotten", but this is not absolute (my favourite example being the tax avoidance strategy =). If we acquiesce to this demand then the DWF cannot exist in GitHub.

What happens if I withdraw my consent for [hidden email]?

This is a major problem that we need to actually solve in some way. Part of it will be finding providers that are "Safe". 

On Wed, Oct 10, 2018 at 11:52 AM Lisa Olson <[hidden email]> wrote:

> Hi Kurt,
>
> Is the information that this person wants to be removed in the https://github.com/CVEProject repository? Is there a specific CVE that contains his/her email address?
>
> Is there a strong reason for not removing this personal information? If the vulnerability has been fixed and documented by the CVE, why would we need to maintain the personal information? Microsoft has taken the position that if someone wants their acknowledgement information removed, we will honor that request.
>
> Is the repository that Morgan/GitHub will be required to remove the https://github.com/CVEProject repository?
>
> Sorry if my questions show my ignorance, just trying to catch up.
>
> Lisa

--
Kurt Seifried
[hidden email]

Re: A note from GitHub about your repository

Mark J Cox
> The artifact in question is their agreement with the CVE terms of use:
>
> https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/lpu%40protonmail.ch

My interpretation of their request differs from yours -- if they are invoking
GDPR to have that entry removed then remove that entry[*], there doesn't
seem to be any reason why their acceptance of terms email needs to be
public as long as DWF have a copy.  Them asking for removal of their
personal data from the public doesn't mean they've revoked their
acceptance of those terms or you should alter any CVE they've filed.
This wouldn't in my mind trigger any of the clauses for why you'd be able
to reject the "right to forget".

> What happens if I withdraw my consent for
> [hidden email]?

Well, that wouldn't be defined as personal information under GDPR (and
you're not an EU citizen).

> This is a major problem that we need to actually solve in some way. Part of
> it will be finding providers that are "Safe".

Dealing with GDPR requests will be the same no matter where you store DWF.
Some providers might just not have figured out their process for handling
them yet.

Mark

[* "remove" has some interesting side effects in Git, depending on if
Github want you to rewrite history so it never happened (bleh!) or just
commit a removal (so it's actually still in the history)]
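Mark's footnote distinguishes committing a removal from rewriting history, and the difference matters for a removal request. As an added example that is not part of the thread and not any project's own tooling, the POSIX shell script below builds a throwaway repository containing a constructed placeholder address, commits its removal with plain `git rm`, and shows that the address is still reachable from history; it then performs the kind of history rewrite that GitHub's remove-sensitive-data guide (linked earlier in the thread) covers, here with `git filter-branch` followed by dropping the backup refs, expiring reflogs and pruning, after which the address is gone. The placeholder address, the file path and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): show why "git rm" + commit keeps the
# data in history, and what a history rewrite plus cleanup changes.
# Everything runs in a throwaway repository created with mktemp.
# The address below is a constructed placeholder, not a real submitter's.
set -e

SENSITIVE='requester@example.invalid'            # constructed placeholder
FILE='Terms-Of-Use/requester@example.invalid'    # path modelled on the thread's layout

# Build a repo with one commit adding the acceptance record and a second
# commit removing it with plain "git rm". Prints the repository path.
make_repo() {
    repo=$(mktemp -d)
    git -c init.defaultBranch=main init -q "$repo"
    (
        cd "$repo"
        git config user.name  "example"
        git config user.email "example@example.invalid"
        mkdir -p "$(dirname "$FILE")"
        printf 'I accept\nFrom: %s\n' "$SENSITIVE" > "$FILE"
        git add "$FILE"
        git commit -q -m "Record terms-of-use acceptance"
        git rm -q "$FILE"
        git commit -q -m "Remove acceptance record on request"
    )
    echo "$repo"
}

# Count reachable commits whose tree still contains the address. A non-zero
# result means "git show <commit>:<path>" would still reveal it.
occurrences_in_history() {
    (
        cd "$1"
        n=0
        for c in $(git rev-list --all); do
            if git grep -q -F "$SENSITIVE" "$c" 2>/dev/null; then
                n=$((n + 1))
            fi
        done
        echo "$n"
    )
}

# Rewrite every ref so the file never existed, then remove what would keep the
# old objects alive locally: filter-branch's refs/original/ backups, reflog
# entries and unreachable loose objects.
rewrite_history() {
    (
        cd "$1"
        FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --index-filter \
            "git rm -q --cached --ignore-unmatch '$FILE'" -- --all >/dev/null 2>&1
        git for-each-ref --format='%(refname)' refs/original/ |
            while read -r ref; do git update-ref -d "$ref"; done
        git reflog expire --expire=now --all
        git gc -q --prune=now
    )
}

repo=$(make_repo)
echo "commits still containing the address after 'git rm' + commit: $(occurrences_in_history "$repo")"
rewrite_history "$repo"
echo "commits still containing the address after rewrite + cleanup:   $(occurrences_in_history "$repo")"
rm -rf "$repo"
```

The first count is 1 and the second is 0. Note what the rewrite does not do: every existing clone, fork or pull-request ref elsewhere still carries the old objects, which is the practical reason a committed removal alone does not satisfy a removal request and why the two options Mark names are not interchangeable.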

Re: A note from GitHub about your repository

Kurt Seifried-2


On Thu, Oct 11, 2018 at 1:28 AM Mark J Cox <[hidden email]> wrote:

> > The artifact in question is their agreement with the CVE terms of use:
> >
> > https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/lpu%40protonmail.ch
>
> My interpretation of their request differs from yours -- if they are invoking
> GDPR to have that entry removed then remove that entry[*], there doesn't
> seem to be any reason why their acceptance of terms email needs to be
> public as long as DWF have a copy.  Them asking for removal of their
> personal data from the public doesn't mean they've revoked their
> acceptance of those terms or you should alter any CVE they've filed.
> This wouldn't in my mind trigger any of the clauses for why you'd be able
> to reject the "right to forget".

My workflow doesn't support long-term private data, in that I do not host private secret infrastructure. Also, their email is placed in the CVE assignment that I send to MITRE. It was decided a long time ago that CVE requestors should stand behind their CVE entries, as it were; for classic vendor CNAs that means [hidden email] or whatever, but for DWF these requests are directly coming in from random third parties, and I feel it is important to make it clear that by requesting this CVE you are also expected to stand behind it, otherwise people contact me with questions about a CVE and I cannot do anything. This is why having the original requestor email in the request and the terms of use is so important.

> > What happens if I withdraw my consent for
> > [hidden email]?
>
> Well, that wouldn't be defined as personal information under GDPR (and
> you're not an EU citizen).

So how do we know this protonmail email address is PII? How do we know that person is in Europe?

> > This is a major problem that we need to actually solve in some way. Part of
> > it will be finding providers that are "Safe".
>
> Dealing with GDPR requests will be the same no matter where you store DWF.
> Some providers might just not have figured out their process for handling
> them yet.

The problem is GitHub appears to have an overly broad interpretation of GDPR which puts our data and project at risk.

> Mark
>
> [* "remove" has some interesting side effects in Git, depending on if
> Github want you to rewrite history so it never happened (bleh!) or just
> commit a removal (so it's actually still in the history)]


--
Kurt Seifried
[hidden email]