Open Letter: Call for a collaborative data protection FAQ

We call the international data protection and computer engineering community to found a collaborative data protection knowledge database (GDPR FAQ).

A programmer working alone from home
A programmer working alone from home.
Language Versions English French German Italian
Online :gb: open :fr: open :de: open :it: open
PDF :gb: open :fr: open :de: open :it: open
Brussels, the 6 June 2018

Dear Data Protection and IT Professionals,

The EU’s new law General Data Protection Regulation (GDPR for short) applies from 25 May 2018 onwards. It consists of 99 articles and 173 recitals that fill together 88 pages in the official publication. Different than a technical standardisation document, many of those articles must first be interpreted under consideration of case law from past judgements and published opinions of data protection authorities. As a result, even compliance questions for relatively simple applications such as a mailing list cannot be answered without profound study of many legal documents. Complex concepts such as privacy by design and pseudonymisation are the source for many questions yet to be answered.

At the same time, the tech industry has worked for many years on solutions to setup fairly easy personal data processing applications. Thanks to e.g. Google Sheets, Doodle, Mailchimp, or Wordpress, even non-experts can nowadays become data controllers with only few clicks or swipes. The development of peer-to-peer protocols for distributed databases, e.g. Bitcoin, Dat, or IPFS, has the potential to further lower the initial hurdle to become a data controller—up to the point of unconsciousness of the controller.

To allow for a rapid adoption of data protection obligations, and in turn an overall increase of data hygiene, training for data controllers and processors is needed and must be accessible not only for those who can afford to dedicate resources, but at best to all data controllers and processors. For this reason, we call for the foundation of a collaborative Internet knowledge database under a free creative commons license to ensure its broad and continuous availability.

So far, freely accessible practical advice is often, if not mostly, offered by stakeholders that may have conflicting business interests. Online service providers, law firms and training institutes may gear advice towards their own services. Restrictive licenses may prevent good advice from being freely shared. Erroneous or out-dated advice may not be updated. Especially, the latter is important as GDPR compliance is a moving target. New judgements or advances in state-of-the-art privacy engineering1 require continuous updates.

As data protection is an interdisciplinary field, the knowledge database should be co-authored jointly by legal experts and computer engineers and must accommodate the needs of both communities. The platform Stack Exchange provides communities with a software solution for collaborative freqently asked questions (FAQ). The platform is well-known to most computer engineers for offering stackoverflow.com and started more recently law.stackexchange.com2. The collaboration is organised as follows:

  • Questions, answers and meta-data are published in the Internet under a free license (cc by-sa) and are available for download in machine-readable form.
  • Anybody can ask or answer a question.
  • The best answers are voted to the top.
  • Users earn reputation points for every vote they receive.
  • Users unlock privileges as they earn reputation, like the ability to comment or vote.
  • Moderators are elected among users, and top users have access to special tools to help moderate.

To provide for an overall high quality of answers, references to primary sources shall be used where opinions are inevitable. This rule is also employed by Wikipedia and can be enforced by both moderators and top users.

The signatories support the foundation of such a collaborative data protection knowledge database in form of frequently asked questions.

Authors and Initial Signatories:

  • Robert Riemann, Brussels
  • Xavier Lavayssière, Paris
  • Franz Ritschel, Köln

Contact:

If you want to receive updates or if you have questions, please send your request to gdpr-faq@riemann.cc. If you want to become a signatory, send a mail to gdpr-faq-sign@riemann.cc. Requests in French language are answered at gdpr-faq@lesbricodeurs.fr and for signing at gdpr-faq-signer@lesbricodeurs.fr.

List of Recipients:

  1. The GDPR mandates in Art. 25 on data protection by design and by default controllers of data processing to take into account among others the state of the art when defining means for data processing and during the data processing itself. ↩︎

  2. law.stackexchange.com covers already questions on GDPR and data protection. However, we feel that data protection deserves its own platform that encompasses also other disciplines such as computer engineering or ethics. ↩︎

Lettera aperta: appello per uno spazio collaborativo di FAQ sulla protezione dei dati

Chiediamo alla comunità internazionale di esperti in materia di privacy e IT di stabilire una base di conoscenze collaborative su Internet per la protezione dei dati (GDPR FAQ).

A programmer working alone from home
Un programmatore che lavora da solo da casa.
Versione in lingua Inglese Francese Tedesco Italiano
on-line :gb: aperto :fr: aperto :de: aperto :it: aperto
PDF :gb: aperto :fr: aperto :de: aperto :it: aperto
Bruxelles, 6 giugno 2018

Cari professionisti della protezione dei dati e dell’IT,

Il nuovo Regolamento Generale sulla Protezione dei Dati (in breve RGPD) si applica a decorrere dal 25 maggio 2018. È costituito da 99 articoli e 173 considerando che occupano 88 pagine nella pubblicazione ufficiale. A differenza di un documento di normalizzazione tecnica, molti di questi articoli devono essere prima interpretati alla luce della giurisprudenza già consolidata e dei pareri precedentemente emanati dalle autorità di protezione dei dati. Di conseguenza, persino questioni di conformità per applicazioni relativamente semplici come una mailing list non possono essere risolti senza uno studio approfondito di diversi documenti giuridici. Concetti complessi come la privacy by design e la pseudonimizzazione sono fonte di molte domande a cui si deve ancora rispondere.

Allo stesso tempo, da molti anni nel settore dell’alta tecnologia si lavora a soluzioni agili che permettano la raccolta e il trattamento dei dati personali. Grazie a Google Sheets, Doodle, Mailchimp, o Wordpress, anche i non esperti, oggigiorno, possono diventare responsabili del trattamento di dati personali in pochi clic o passaggi. Lo sviluppo di protocolli peer-to-peer per database modulabili, come Bitcoin, Dat o IPFS, è in grado di ridurre ulteriormente le difficoltà iniziali per diventare responsabile del trattamento di dati, fino ad uno stadio di inconsapevolezza del responsabile.

Per consentire una rapida adozione degli obblighi di protezione dei dati e, di conseguenza, un aumento generale della qualità dei dati, è necessaria una formazione per i responsabili del trattamento dei dati e gli incaricati del trattamento e deve essere accessibile non solo a coloro che possono permettersi di dedicarvi le risorse. Per questo motivo, chiediamo la creazione di una banca dati di conoscenze collaborativa su internet sotto la licenza Creative Commons per garantire la sua ampia e continua disponibilità.

Finora, i consigli pratici liberamente accessibili sono spesso, se non per lo più, offerti da parti interessate che possono avere interessi commerciali in conflitto. Fornitori di servizi online, studi legali e istituti di formazione possono orientare la consulenza verso i propri servizi. Le licenze restrittive possono impedire che un buon consiglio venga condiviso liberamente. I consigli errati o datati potrebbero non essere aggiornati. Quest’ultimo punto è particolarmente importante in quanto la conformità al RGPD è un obiettivo mobile. Nuove sentenze o avanzamenti tecnici in materia di protezione della vita privata1 richiedono aggiornamenti continui.

Poiché la protezione dei dati è un settore interdisciplinare, la banca dati di conoscenza dovrebbe essere redatta congiuntamente da giuristi e ingegneri informatici e soddisfare le esigenze di entrambe le comunità. La piattaforma Stack Exchange fornisce alle comunità una soluzione software per domande frequenti (FAQ) collaborative. La piattaforma è ben nota alla maggior parte degli ingegneri informatici via stackoverflow.com e ha avviato più recentemente law.stackexchange.com2. La collaborazione è organizzata come segue:

  • Le domande, le risposte e i loro metadati sono pubblicati su internet sotto una licenza gratuita (cc by-sa) e sono scaricabili e leggibili da dispositivo elettronico.
  • Chiunque può chiedere o rispondere a una domanda.
  • Le risposte migliori vengono votate.
  • Gli utenti guadagnano in reputazione per ogni voto che ricevono.
  • Gli utenti sbloccano dei vantaggi attraverso la reputazione guadagnata, così come la possibilità di commentare o votare.
  • I moderatori sono eletti tra gli utenti e i principali utenti hanno accesso a strumenti speciali per aiutare a moderare.

Per fornire un’alta qualità globale delle risposte, i riferimenti alle fonti principali dovrebbero essere utilizzati laddove vi siano dei punti soggetti ad opinioni divergenti. Questa regola è anche utilizzata da Wikipedia e può essere applicata dagli moderatori e dagli utenti principali.

I firmatari supportano la creazione di tale banca dati collaborativa di conoscenze sulla protezione dei dati collaborativo sotto forma di domande frequenti.

Autori e firmatari iniziali:

  • Robert Riemann, Brüssel
  • Xavier Lavayssière, Paris
  • Franz Ritschel, Köln

Contatto:

Se si desidera ricevere aggiornamenti o se si hanno domande, si prega di inviare la richiesta a gdpr-faq@riemann.cc. Se si desidera diventare firmatario, si prega di inviare una mail a gdpr-faq-sign@riemann.cc. Le richieste in lingua francese sono da indirizzare a gdpr-faq@lesbricodeurs.fr e per la firma a gdpr-faq-signer@lesbricodeurs.fr.

Elenco dei destinatari:

  1. Il RGPD richiede all’art. 25, dedicato alla protezione dei dati fin dalla progettazione e protezione per impostazione predefinita, che i titolari del trattamento dei dati debbano tener conto, tra le altre cose, dello stato dell’arte al momento di determinare i mezzi del trattamento e all’atto del trattamento stesso. ↩︎

  2. law.stackexchange.com include già domande sul RGPD e la protezione dei dati. Tuttavia, riteniamo che la protezione dei dati personali meriti una sua propria piattaforma che comprenda anche altre discipline come l’ingegneria informatica o l’etica. ↩︎

Offener Brief: Aufruf zur Gründung einer kollaborativen FAQ für Datenschutz

Wir rufen die internationale Gemeinschaft der Datenschutz- und IT-Experten zur Gründung einer kollaborativen Internet-Wissensdatenbank zum Thema Datenschutz auf (GDPR FAQ/DSGVO FAQ).

A programmer working alone from home
A programmer working alone from home.
Sprachversionen Englisch Französisch Deutsch Italienisch
Online :gb: öffnen :fr: öffnen :de: öffnen :it: öffnen
PDF :gb: öffnen :fr: öffnen :de: öffnen :it: öffnen
Brüssel, den 6. Juni 2018

Sehr geehrte Datenschutz- und IT-Expert_innen,

Die neue EU-Datenschutz-Grundverordnung (DSGVO) gilt ab dem 25. Mai 2018. Sie besteht aus 99 Artikeln und 173 Erwägungsgründen und umfasst 88 Seiten in der amtlichen Fassung. Anders als technische Normen ist die DSGVO ein Gesetz und wird von der Rechtsprechung und den Rechtsanwender, allen voran den Datenschutzbehörden, durch Urteile bzw. Stellungnahmen ausgelegt. Dadurch können auch Fragen zu simplen Anwendungen wie Mailinglisten nicht ohne gründliches Studium vieler Rechtsdokumente beantwortet werden. Komplexe Konzepte wie Privacy by Design oder Pseudonymisierung sind erst recht Quelle vieler Fragen, die es zu beantworten gilt.

Gleichzeitig arbeiten Technologiefirmen schon seit Jahren an Lösungen, um die Verarbeitung von persönlichen Daten relativ einfach zu gestalten. Dank Google Sheets, Doodle, Mailchimp oder Wordpress können heutzutage auch Nicht-Experten mit wenigen Klicks zu Verantwortlichen im Sinne der DSGVO zu werden. Peer-to-Peer-Protokolle für verteilte Datenbanken, z.B. Bitcoin, Dat oder IPFS könnten die Zugangsbarrieren weiter abbauen—bis hin zur Unmerklichkeit der Verarbeitung seitens der Verantwortliche.

Um aber Datenschutzverpflichtungen schnell und wirksam übernehmen zu können und um damit insgesamt einen Beitrag zu einer höheren Datensicherheit zu leisten, sind wohl oder übel Schulungen für Verantwortliche und Auftragsverarbeiter nötig. Diese dürfen nicht nur wenigen Profis zugänglich sein, sondern sollten allen Verantwortlichen und Auftragsverarbeitern offen stehen. Aus diesem Grund rufen wir zur Gründung einer englisch-sprachigen, kollaborativen Internet-Wissensdatenbank auf, die unter freier Lizenz betrieben werden soll um eine hohe Reichweite zu ermöglichen.

Bislang wurden frei zugängliche praktische Ratschläge oft, wenn nicht sogar überwiegend, von Diensteanbietern angeboten, die eigene, eventuell entgegengesetzte, Geschäftsinteressen verfolgen. So geben etwa viele Online-Diensteanbieter, Anwaltskanzleien oder Ausbildungsinstitute Ratschläge um auch eigene Diensteistungen zu bewerben. Restriktive Lizenzen der Ratschläge verhindern, dass guter Rat kostenlos weitergegeben werden kann. Fehlerhafte und veraltete Ratschläge können zumeist nicht verbessert werden. Letzteres ist besonders wichtig, da die Einhaltung der DSGVO ein bewegliches Ziel ist, denn durch neue Urteile oder Fortschritte in der modernen Privatsphäre entwickelt sich der Datenschutz ständig weiter1. Ratschläge müssen deshalb kontinuierlich angepasst werden können.

Da Datenschutz ein interdisziplinäres Feld ist, sollte die Wissensdatenbank gemeinsam von Rechts- und IT-Experten angelegt werden und muss daher die Bedüfnisse beider Gruppen beachten. Die Plattform Stack Exchange bietet für die Beantwortung häufig gestellter Fragen (FAQ) eine passende Softwarelösung. Die Plattform ist den meisten IT-Experten bereits von der Seite stackoverflow.com vertraut und bietet mit law.stackexchange.com2 seit kurzem auch ein englisch-sprachiges Angebot für Rechts-Experten. Die Zusammenarbeit ist stets wie folgt organisiert:

  • Fragen, Antworten und Metadaten werden im Internet unter einer freien Lizenz (cc by-sa) veröffentlicht und stehen in maschinenlesbarer Form zum Download bereit.
  • Jede Person kann eine Frage stellen oder beantworten.
  • Die besten Antworten werden an die Spitze gewählt.
  • Nutzer_innen erhalten für jede abgegebene Stimme Reputationspunkte.
  • Benutzer entsperren Privilegien, wenn sie sich Reputation verdienen, und können dann zum Beispiel Inhalte kommentieren oder bewerten.
  • Moderatoren werden unter Benutzern ausgewählt, und Top-Benutzer bekommen die Möglichkeit bei der Moderation zu helfen.

Um eine insgesamt hohe Qualität der Antworten zu gewährleisten, soll auf Primärquellen verwiesen werden, wenn Meinungen unvermeidbar sind. Diese Regel wird unter anderem von Wikipedia angewendet und kann sowohl von Moderatoren als auch von Top-Benutzern durchgesetzt werden.

Die Unterzeichner unterstützen die Gründung einer solchen kollaborativen Wissensdatenbank zum Thema Datenschutz in Form von häufig gestellten Fragen (FAQ).

Autoren und Erstunterzeichner:

  • Robert Riemann, Brüssel
  • Xavier Lavayssière, Paris
  • Franz Ritschel, Köln

Kontakt:

Wenn Sie Updates erhalten möchten oder Fragen haben, senden Sie bitte Ihre Anfrage an gdpr-faq@riemann.cc. Wenn Sie Unterzeichner werden möchten, senden Sie eine E-Mail an gdpr-faq-sign@riemann.cc. Anfragen in Französischer Sprache werden von gdpr-faq@lesbricodeurs.fr beantwortet and von gdpr-faq-signer@lesbricodeurs.fr um Unterzeicher zu werden.

Liste der Empfänger:

  1. Die DSGVO verlangt von Verantwortlichen in Art. 25 über Datenschutz durch Technikgestaltung und durch datenschutzfreundliche Voreinstellungen den gegenwertigen Stand der Technik zu berücksichtigen, wenn Datenverarbeitung geplant wird oder bereits statt findet. ↩︎

  2. law.stackexchange.com listet bereits Fragen zur DSGVO und zu Datenschutz. Jedoch finden wir, dass Datenschutz eine eigene Plattform verdient um andere Fachbereiche wie Informatik und Ethik besser einzubeziehen. ↩︎

First Gem: jekyll-onebox

I published my first Ruby gem. The Liquid tag jekyll-onebox allows to display HTML previews (embeds) for links to popular websites.

Initially, I wanted to blog about my travels. In the end, I refactored old code on my computer to publish eventually my first Ruby gem in the official repo at RubyGems. Welcome now jekyll-onebox on Github and RubyGems! :tada: :clap:

So if you use Jekyll for blogging, you can install this plugin and add HTML previews for links to popular websites very easily.

{% onebox https://github.com/rriemann/jekyll-onebox/blob/master/README.md %}

The previews are rendered using the gem onebox that powers link previews for Discourse forums.

Have fun with it and let me know if you encounter problems!

Security Issues due to bad Mail Practices: The LyonMUN case

So many associations use GMail for their general communication with members. Often, this comprises the sending of newsletters. Recently, the organisers of the UN politics simulation MUN LyonMUN leaked this way by accident a large number of participants mail addresses (mine as well). I decided to raise awareness of the security risks by a little experiment and also to test the reaction of the organisers.

Incident

On Friday 0:251, I received a mail from the organisers of this year’s [Model United Nations] (MUN) conference in Lyon called LyonMUN. The mail has been sent from lyonmun2017@gmail.com to 222 people, that either participated in earlier editions in the conference or already signed up for this year’s edition. Purpose of the mailing: promote the upcoming edition and urge people to pay the conference fees.

The problems in here are:

  • The sender mail address is difficult to verify (I come back to this later).
  • All 222 people have now the mail addresses of all others. That means, many personal mail addresses have been assumably accidentally leaked by the organisers.

Due to the way mail works, you cannot undo a mail once it has been sent. The only possible measures are to inform the data subjects in a transparent manner on the incident and potential security implications and to take precautions to prevent future incidents.

I made a bad experience when I made during the last year’s edition LyonMUN 2016 in the role of a participant the remark that one aspect of their conference may intimidate the participants: They offered to allow sending anonymously roses to individual participants with a message read out loud by the organisers in front of the assembly without prior consent of the receiver. I thought this may open doors to potential bullying. The then president of LyonMUN Mélanie Villar and now secretary general just made a IMHO snide remark and that’s all what happened. I was certainly a bit disappointed and expected a debate taking into account that promoting debating is one of the purposes of MUN associations and events.

For that reason, I though of a more creative approach to initiate a discourse. It is not like security in the internet is not a topic for LyonMUN. On their website, the press team posted not even 2 weeks ago an article concerning cyber defence. Unfortunately, LyonMUN has apparently not adopted adequate measures on their own. Let’s see what happened!

  1. Maybe the sender was tired after working past midnight and less attentive of what s/he is doing. ↩︎

Pagination