Log of Board-meeting 2018-05-24-20:00 UTC

All timestamps are UTC+02:00

24.05.2018 [22:02:33] <Peter> Hello Etienne
24.05.2018 [22:02:41] <Etienne> Good evening Europe, good morning Australia!
24.05.2018 [22:03:34] <Etienne> @decay and @enyc: Should we know who you are?
24.05.2018 [22:04:36] <Etienne> Hello Peter, welcome.
24.05.2018 [22:06:52] <Etienne> Peter 2 and Peter 3 cannot join today, nor can bdmc, who asked me to chair the meeting and hold his proxy.
24.05.2018 [22:08:17] <Etienne> So, we are just waiting for the treasurer and Ross.
24.05.2018 [22:09:16] <Etienne> and maybe Megan from the GDPR working group.
24.05.2018 [22:10:47] <Etienne> Would someone like to write the minutes? If not, I will do it with the log file after the meeting.
24.05.2018 [22:12:06] <Etienne> Do we need a time keeper today?
24.05.2018 [22:12:22] <Etienne> Hi egal
24.05.2018 [22:13:10] <egal> Good day
24.05.2018 [22:13:50] <Etienne> Until now, we do not have a quorum, but we can start with some general information and discussion.
24.05.2018 [22:14:19] <Etienne> 1.4. Chair asks whether cacert-board-private or cacert-board maillist includes any GDPR items that need to be disclosed to Members.
24.05.2018 [22:15:47] <Etienne> There was some information from Hubert on how Stackoverflow did it: Here is the communication from Stackoverflow
24.05.2018 [22:15:47] <Etienne>  
24.05.2018 [22:15:47] <Etienne> If the HTML did not arrive, here are the most relevant URLs
24.05.2018 [22:15:47] <Etienne>   Privacy: https://stackoverflow.com/legal/privacy-policy
24.05.2018 [22:15:47] <Etienne>   Security: https://stackoverflow.com/legal/gdpr
24.05.2018 [22:15:47] <Etienne>   Cookies: https://stackoverflow.com/legal/cookie-policy
24.05.2018 [22:16:37] <Etienne> You can also have a look at this site: wiki.cacert.org/Privacy/DraftEU
24.05.2018 [22:17:18] <Etienne> There are two drafts, one in English, very (too) long, another in German, which I tried to adapt as much as possible for CAcert.
24.05.2018 [22:17:34] <Etienne> https://wiki.cacert.org/Privacy/DraftEU
24.05.2018 [22:18:38] <frederic> Hello
24.05.2018 [22:19:58] <Peter> The English draft has no line ending or paragraphs.
24.05.2018 [22:21:26] <Peter> AH! It has line endings but no HTML formatting.
24.05.2018 [22:24:20] <Etienne> Peter, now, it should be better.
24.05.2018 [22:24:40] <Etienne> I copied just 2 minutes before the meeting into the wiki
24.05.2018 [22:24:49] <Etienne> Hello Frédéric
24.05.2018 [22:25:11] <frederic> Phew, I'm here
24.05.2018 [22:26:09] <Etienne> Well, we started some minutes ago and had a look at some papers we should discuss today.
24.05.2018 [22:26:25] <Peter> it is formatted now. Readable. :-)
24.05.2018 [22:26:53] <Etienne> As bdmc is not here and he asked me to chair the meeting and we have now a quorum, I will open the meeting officially.
24.05.2018 [22:31:09] <Etienne> If I understood all the long e-mails from the working group about the General Data Protection Regulation correctly, we need a Data Protection Declaration and a Data Protection Officer by tomorrow.
24.05.2018 [22:31:37] <Etienne> As we have "customers" in the European Union.
24.05.2018 [22:33:16] <Etienne> For the Data Protection Declaration, there is a draft (in German) here: https://wiki.cacert.org/Privacy/DraftEU#German_adaptet (to know what it is about, you can also read the English version on the same page, not adapted for CAcert and 3x longer)
24.05.2018 [22:34:02] <Etienne> Hubert sent us these links from another organisation:   Privacy: https://stackoverflow.com/legal/privacy-policy
24.05.2018 [22:34:02] <Etienne>   Security: https://stackoverflow.com/legal/gdpr
24.05.2018 [22:35:29] <Etienne> Would you like to discuss them or should we vote for one of them as a draft and make it better with our Data Protection Officer during the next weeks?
24.05.2018 [22:36:44] <frederic> I miss the knowledge to discuss yet
24.05.2018 [22:37:28] <Etienne> Me too. When I read the mails from Megan, Lambert and Hubert, I understood maybe half of it.
24.05.2018 [22:39:23] <Etienne> In short: We have to tell our "customers" in well understandable language the data we collect, keep and why and that they can ask us to remove it and what happens then. If we do not do so, there will be a fine of up to 20 mio € = 31 Mio Au$.
24.05.2018 [22:40:18] <Etienne> Every tick box has to be empty, that the "customer" has to tick it and to confirm by clicking OK and a 3rd time by clicking on the link of double opt in.
24.05.2018 [22:41:04] <Etienne> Peter, do you want a discussion this early morning?
24.05.2018 [22:42:49] <Peter> I am reading the Google translation of the German version.
24.05.2018 [22:43:15] <Peter> OK to read for a while. I do not know the requirements.
24.05.2018 [22:43:16] <GuKKDevel> dont we have this click box with our acceptance of the CCA?
24.05.2018 [22:43:17] <Etienne> OK, no problem. If it is not well translated, try deepl.com
24.05.2018 [22:44:46] <frederic> It has to, since there is a time limit
24.05.2018 [22:45:13] <Etienne> GuKKDevel: Yes, there is an empty tick box for the CCA.
24.05.2018 [22:45:44] <GuKKDevel> does the CCA fit in for our needs?
24.05.2018 [22:46:18] <Etienne> I don't know.
24.05.2018 [22:47:04] <Etienne> I mean, it fits for CAcert's needs, yes, but I do not know what a European court will think about it.
24.05.2018 [22:47:39] <egal> the "empty" box for CCA-agreement is not only there for joining CAcert (since ages) but is there whenever you want to create a certificate or enter an assurance ...
24.05.2018 [22:49:02] <egal> (whenever data is entered by user)
24.05.2018 [22:49:20] <Etienne> As we have strict rules and a privacy policy, we are in general ready for the GDPR, but maybe not for every small detail regulated in this regulation.
24.05.2018 [22:51:00] <frederic> Agreed for what I know from my company legal
24.05.2018 [22:52:00] <frederic> Especially with what we do with the data and the awareness of the members
24.05.2018 [22:52:49] <Etienne> That should also be in a huge list from the Data Protection Officer.
24.05.2018 [22:54:09] <frederic> Nonetheless, a lot of companies are late in complying with the rules. This lowers the immediate legal risk
24.05.2018 [22:54:54] <Etienne> egal: Who can make changes at the wiki on the bottom (frame)? and at the privacy policy on svn?
24.05.2018 [22:54:55] <egal> ... unless somebody has CAcert in the focus ... ;-(
24.05.2018 [22:55:07] <frederic> From France point of view
24.05.2018 [22:55:22] <egal> for wiki i should be able (as i've root access there)
24.05.2018 [22:55:31] <frederic> You are right
24.05.2018 [23:00:17] <Etienne> But then we always have 30 days to answer (and maybe make some changes in between). And they have to go the complicated way, asking an Australian court to execute it.
24.05.2018 [23:01:14] <egal> don't forget that the servers are at BIT and "rented" by secure-u ...
24.05.2018 [23:01:44] <GuKKDevel> privacy policy can only be changed by policy group, there by the policy officer, with nearly consens by the group
24.05.2018 [23:02:12] <GuKKDevel> consent
24.05.2018 [23:02:29] <egal> BIT is in netherlands, secure-u in germany ... if the way to australia is tooo long, BIT and/or secure-u may be forced to shutdown the servers ...
24.05.2018 [23:02:39] <egal> (very unlikely, i think)
24.05.2018 [23:02:51] <Etienne> GuKKDevel: I know, it is only, as PP is linked on the bottom of the main page, to put over the PP a link to the EU data protection declaration.
24.05.2018 [23:03:07] <Etienne> Not to change the PP.
24.05.2018 [23:04:01] <egal> bottom of the mail page (www.cacert.org) or wiki?
24.05.2018 [23:04:12] <egal> s/mail/main/
24.05.2018 [23:04:22] <Etienne> sorry: main page: www.cacert.org
24.05.2018 [23:04:32] <GuKKDevel> main page -> Datenschutzrichtlinien
24.05.2018 [23:04:50] <Etienne> Datenschutzrichtlinien -> Privacy Policy
24.05.2018 [23:04:59] <GuKKDevel> could be done by Software
24.05.2018 [23:05:10] <Etienne> We have to have both.
24.05.2018 [23:05:27] <Etienne> done until midnight?
24.05.2018 [23:05:45] <Etienne> (in two hours)
24.05.2018 [23:05:53] <GuKKDevel> egal?
24.05.2018 [23:07:38] <Etienne> Are there any more comments about the Data Protection Declaration or should we decide and vote?
24.05.2018 [23:08:41] <frederic> No more
24.05.2018 [23:08:49] <egal> add a link on the main page pointing to a specific wiki-location?
24.05.2018 [23:09:18] <egal> not possible within 2 hours ... as software can't change it on the live-system ...
24.05.2018 [23:09:37] <egal> and: we need a bugrequest for it ... so somebody can write the code so i can review it ...
24.05.2018 [23:10:05] <egal> (and ... of course ... to be tested on test-server before deploy)
24.05.2018 [23:10:42] <Etienne> That is the reason, why I prefer a link on the top of the privacy policy in SVN. Who can do this?
24.05.2018 [23:11:36] <egal> aehm ... the privacy-policy, which is linked from www.cacert.org is a static page ... it's not loaded from svn ...
24.05.2018 [23:12:27] <Etienne> you are right, egal. Is it easier to put a link there?
24.05.2018 [23:12:29] <egal> changing this file needs a coding from "somebody else" and a review by me ...
24.05.2018 [23:12:59] <egal> (and probably a decision by policy group to change the policy-file ...)
24.05.2018 [23:13:26] <egal> adding a link in the footer line should be easier ... ;-)
24.05.2018 [23:13:52] <egal> but ... as i always say: i can't do it ... as i will have to review it ... ;-)
24.05.2018 [23:13:52] <Etienne> OK. Let's take decisions: continue or shut down? Vote a Data protection declaration? Details tomorrow.
24.05.2018 [23:14:24] <Etienne> frederic, what about the adapted German draft?
24.05.2018 [23:15:26] <frederic> What is expected from me?
24.05.2018 [23:16:04] <Etienne> We have to vote for one of these declarations today to be GDPR ready.
24.05.2018 [23:16:21] <frederic> I agree
24.05.2018 [23:16:35] <frederic> Vote yes
24.05.2018 [23:17:47] <Etienne> I move to vote for the EU/EEE Data Protection Declaration as proposed at https://wiki.cacert.org/Privacy/DraftEU#German_adaptet (adjusted with real names, addresses, etc.)
24.05.2018 [23:18:04] <Etienne> (frederic, if you agree: write: I second)
24.05.2018 [23:18:14] <Etienne> (followed by "aye")
24.05.2018 [23:22:15] <frederic> I second
24.05.2018 [23:22:19] <frederic> Aye
24.05.2018 [23:22:42] <Etienne> aye
24.05.2018 [23:23:11] <Etienne> Thank you, maybe Peter will come back from reading in a few minutes.
24.05.2018 [23:24:59] <Etienne> Until then could we ask software to add a pop up with a text like this "CAcert uses cookies, which are necessary for the functionality and the user behaviour on the website. By using this website, you agree to the use of cookies as described in detail in CAcert's privacy policy More information" with a link to the data protection declaration.
24.05.2018 [23:25:34] <Etienne> CAcert verwendet Cookies, die für die Funktionalität und das Nutzerverhalten auf der Webseite notwendig sind. Durch die Nutzung der Webseite stimmen Sie dem Einsatz von Cookies zu, wie sie in der Datenschutzerklärung der CAcert im Detail ausgeführt ist Mehr Infos
24.05.2018 [23:25:37] <Peter> Back
24.05.2018 [23:25:54] <Etienne> CAcert utilise des cookies, qui sont nécessaires à la fonctionnalité et au comportement de l'utilisateur sur le site Web. En utilisant ce site Web, vous acceptez l'utilisation de cookies comme décrit en détail dans la politique de confidentialité de CAcert.
24.05.2018 [23:26:30] <GuKKDevel> Etienne, what is the filename of the link to the EU data protection declaration?
24.05.2018 [23:26:39] <Etienne> Peter, we just voted for the data protection declaration ("german adaptet"). You can add your vote, if you want.
24.05.2018 [23:27:14] <Peter> Aye
24.05.2018 [23:28:06] <Etienne> GuKKDevel: EU-EEE-DataProtectionDeclaration
24.05.2018 [23:28:21] <Etienne> OK, DPD is carried.
24.05.2018 [23:29:45] <Etienne> Next: For the cookies: German Text is OK, others have to be reviewed. I will file a bug, if there are no objections - or should we vote?
24.05.2018 [23:30:56] <egal> i would prefer a motion to add a popup to the main page ...
24.05.2018 [23:31:37] -*- egal wrote the last statement as software team lead ... ;-)
24.05.2018 [23:32:55] <Etienne> I move to ask the software team to implement a pop up on all pages that use cookies to inform users about the use of cookies and the Data Protection Declaration.
24.05.2018 [23:34:09] <Etienne> (who seconds? vote is open)
24.05.2018 [23:34:57] <Peter> Does it have to be every page in a session or just the first page they visit in that session?
24.05.2018 [23:35:33] <frederic> I second
24.05.2018 [23:35:36] <frederic> Aye
24.05.2018 [23:35:37] <GuKKDevel> I created a bug (1440) to add the link to EU-EEE-DataProtectionDeclaration at the homepage
24.05.2018 [23:36:43] <Etienne> Yes, Peter, the first page in a session.
24.05.2018 [23:38:00] <Etienne> (we still have two points)
24.05.2018 [23:38:31] <Etienne> (while waiting for the last vote, I will carry on)
24.05.2018 [23:39:51] <Peter> Aye
24.05.2018 [23:40:20] <Etienne> our keyserver is connected to one from egal and one from secure-U = CAcert Germany. Both will shut down their key server today until some legal points about keyservers are clearer than today. Should we do the same (suspend the service) or continue with some risks and no more updates?
24.05.2018 [23:40:38] <Etienne> Thank you for voting, the motion has been accepted.
24.05.2018 [23:41:04] <egal> secure-u keyserver was shut down two or three days ago, my own keyserver was stopped around 1 hour ago ...
24.05.2018 [23:41:31] <egal> currently the CAcert-webserver is stopped, too ... (as i planned to go to bed)
24.05.2018 [23:41:50] <egal> i can start the CAcert-keyserver immediately if needed
24.05.2018 [23:41:56] <egal> s/webserver/keyserver/
24.05.2018 [23:42:33] <Etienne> OK, so I move to suspend the keyserver service until new decisions for GDPR reasons.
24.05.2018 [23:43:04] <Etienne> (please vote)
24.05.2018 [23:43:32] <Peter> Aye
24.05.2018 [23:43:37] <Etienne> aye
24.05.2018 [23:43:47] <Etienne> (and aye for the pop up)
24.05.2018 [23:43:49] <frederic> Aye
24.05.2018 [23:44:10] <Etienne> and as bdmc's proxy aye for the declaration, the pop up and the keyserver
24.05.2018 [23:44:14] <Etienne> Thank you.
24.05.2018 [23:44:17] <Etienne> Last point:
24.05.2018 [23:44:45] <Etienne> We need a Data Protection Officer (DPO), that is not member of the board and living in the EU.
24.05.2018 [23:45:49] <Etienne> I asked Hubert from the working group. He is not available. I asked Lambert, but he has a CoI. Furthermore I asked Megan (the third member of the working group) and the community. No answer from both (Megan and community).
24.05.2018 [23:47:01] <Etienne> We have to appoint someone.
24.05.2018 [23:48:02] <Etienne> If we appoint someone present here, he can accept or not. If we appoint someone not here, he is appointed for the moment. If he does not accept, we have some more time to appoint someone else.
24.05.2018 [23:48:23] <Etienne> Or are there some candidates from CAcert France, frederic?
24.05.2018 [23:49:59] <frederic> Not yet. I have some ideas to attract some non-technical people who will be perfect for that type of tasks. But not within months
24.05.2018 [23:50:56] <frederic> Nonetheless, we can appoint a French fellow
24.05.2018 [23:52:28] <Etienne> So, propose him.
24.05.2018 [23:52:46] <Etienne> (or we appoint Megan until Brexit in some months)
24.05.2018 [23:53:55] <frederic> let's do Megan first, it won't be a surprise
24.05.2018 [23:55:08] <Etienne> Lambert could do it for a short time, but this conflicts with his role as Arb - and as we need Arb, I would support frederic's proposition.
24.05.2018 [23:55:46] <Etienne> frederic, you can move to appoint Megan R., if you want.
24.05.2018 [23:56:17] <frederic> I second
24.05.2018 [23:58:32] <frederic> aye
24.05.2018 [23:58:59] <Etienne> First, we have to move: I move to appoint Megan R as Data Protection Officer.
24.05.2018 [23:59:03] <Etienne> aye
24.05.2018 [23:59:17] <frederic> Aye
24.05.2018 [23:59:37] <Peter> aye
24.05.2018 [23:59:39] <Etienne> bdmc: aye
25.05.2018 [00:00:18] <Etienne> Peter ?
25.05.2018 [00:00:49] <Etienne> Any other GDPR business?
25.05.2018 [00:01:11] <Etienne> 3. GDPR Question Time
25.05.2018 [00:01:19] <Etienne> Any questions about GDPR?
25.05.2018 [00:01:35] <frederic> no
25.05.2018 [00:03:27] <Etienne> 4. Closing
25.05.2018 [00:03:30] <Etienne> Next Committee Meeting will be on June, 7th (June, 8th in Murwillumbah NSW)
25.05.2018 [00:03:55] <Etienne> Thank you very much for joining this meeting.
25.05.2018 [00:04:26] <Peter> Bye
25.05.2018 [00:04:30] <frederic> thank you for organizing and your minutes
25.05.2018 [00:04:39] <frederic> Bye
25.05.2018 [00:04:43] <Etienne> The meeting is closed. Good bye.