Hi everyone,
I want to make you aware of a potential privacy problem in Mailman's Hyperkitty. Under the upcoming EU General Data Protection Regulation (GDPR), which will be in force as of 2018-05-25, it is illegal to transmit data to third parties without a right to do so. Without going into the details, the inclusion of third party services into one's website is usually deemed such a transmission, and unless one has explicit consent of the user (e.g., by an optional (!), unticked tick box) this is normally illegal (if one targets EU users).
The GDPR does not affect private and family use (Art. 2(2)(c) GDPR), but the exact reach of that clause is yet to be determined; it certainly does not exclude company use of Mailman.
I've found it's possible to disable the social login providers quite easily (we had this discussion here on the mailing list recently), but I don't see an option to disable Gravatar. If there is one, please enlighten me, but anyway I want to propose this as a feature request against Hyperkitty. A GDPR-compliant implementation of Gravatar in Mailman would look like this:
- In order to not transmit website visitors' data (IP address, browser info, etc.) to Gravatar, Hyperkitty has to request the avatar image itself and not leave that to the user's browser to do. In other words, the HTTP GET request needs to come from the server running Hyperkitty, and the user's browser then just requests the avatar from the Hyperkitty server. Most likely the easiest way to do this is to pre-download the avatar when an email is archived.
- In order to not transmit the subscribers' data (email address, allows Gravatar to track the subscriber) to Gravatar illegally, the retrieval of the avatar image from Gravatar has to be disabled by default. Instead, an option needs to be added to the subscriber's control panel which he has to actively enable in order to have his Gravatar downloaded and thus used (privacy-by-default rule).
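The two rules above, sketched as a small server-side avatar cache. This is an added illustration, not Hyperkitty's own code: `Subscriber`, `AvatarCache` and the injected `fetch` callable are hypothetical stand-ins, and the only Gravatar fact relied on is that avatars are addressed by the MD5 of the trimmed, lower-cased email address.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed stand-in for a subscriber record. The opt-in flag defaults to
# False, so nothing is ever sent to Gravatar unless the user switches it on.
@dataclass
class Subscriber:
    email: str
    gravatar_opt_in: bool = False

# Placeholder image served when there is no consent (or the fetch failed).
LOCAL_DEFAULT_AVATAR = b"<local default image bytes>"

def gravatar_url(email: str, size: int = 80) -> str:
    """Gravatar addresses avatars by the MD5 of the trimmed, lower-cased email."""
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    # d=404 asks Gravatar for HTTP 404 instead of a generated image if none exists.
    return f"https://www.gravatar.com/avatar/{digest}?s={size}&d=404"

@dataclass
class AvatarCache:
    """Server-side store: the archiver is the only party that contacts Gravatar."""
    # Hypothetical fetcher: URL in, image bytes (or None) out. Injected so the
    # example runs offline and so a test can count outbound Gravatar requests.
    fetch: Callable[[str], Optional[bytes]]
    _store: Dict[str, bytes] = field(default_factory=dict)

    def on_message_archived(self, sender: Subscriber) -> bool:
        """Hook for archiving time. Returns True only if Gravatar was contacted."""
        key = sender.email.strip().lower()
        if not sender.gravatar_opt_in:
            # Privacy by default: no opt-in means no outbound request, and a
            # previously cached copy is dropped if consent was withdrawn.
            self._store.pop(key, None)
            return False
        if key in self._store:
            return False  # already pre-downloaded, no repeat request
        image = self.fetch(gravatar_url(key))
        if image is not None:
            self._store[key] = image
        return True

    def avatar_for(self, email: str) -> bytes:
        """What the visitor's browser receives: always from this server."""
        return self._store.get(email.strip().lower(), LOCAL_DEFAULT_AVATAR)
```

In a real deployment the fetcher would be the archiver's HTTP client and `avatar_for` would sit behind a view on the Hyperkitty host, so the page never embeds a gravatar.com URL.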
I'm not saying Gravatar tracks people and sells the information gathered, though I have doubts on how Automattic makes money with the service. I'm just outlining the legal duties under the upcoming GDPR for service owners, which are independent of how Automattic processes the data in this specific case.
Please don't dismiss this as some side feature not needed. The fines that can be imposed on service owners due to violation of the GDPR are very high (up to 20,000,000 € [that's 20 million euros, really]).
Marvin
--
Blog: https://www.guelkerdev.de
PGP/GPG ID: F1D8799FBCC8BC4F