Log of Board-meeting 2018-05-24-20:00 UTC Timestamp all UTC +02:00 {{{ 24.05.2018 [22:02:33] Hello Etienne 24.05.2018 [22:02:41] Good evenig Europe, Good morning Australia! 24.05.2018 [22:03:34] @decay and @enyc: Should we know who you are? 24.05.2018 [22:04:36] Hello Peter, welcome. 24.05.2018 [22:06:52] Peter 2 and Peter 3 cannot join today, neither bdmc who asked me to chair the meeting and hold his proxy. 24.05.2018 [22:08:17] So, we are just waiting for the treasurer and Ross. 24.05.2018 [22:09:16] and maybe Megan from the GDPR working group. 24.05.2018 [22:10:47] Does someone like to write the minutes? If not, I will do it with the log file after the meeting. 24.05.2018 [22:12:06] Do we need a time keeper today? 24.05.2018 [22:12:22] Salü egal 24.05.2018 [22:13:10] bon giorno 24.05.2018 [22:13:50] Until now, we do not have a quorum, but we can start with some general information and discussion. 24.05.2018 [22:14:19] 1.4. Chair asks whether cacert-board-private or cacert-board maillist includes any GDPR items that need to be disclosed to Members. 24.05.2018 [22:15:47] There was as information from Hubert how did it Stackoverflow: Here is the communication of Stackoverflow 24.05.2018 [22:15:47] 24.05.2018 [22:15:47] If the HTML did not arrive, here are the most relevant URLs 24.05.2018 [22:15:47] Privacy: https://stackoverflow.com/legal/privacy-policy 24.05.2018 [22:15:47] Security: https://stackoverflow.com/legal/gdpr 24.05.2018 [22:15:47] Cookies: https://stackoverflow.com/legal/cookie-policy 24.05.2018 [22:16:37] You can also have a look at this site: wiki.cacert.org/Privacy/DraftEU 24.05.2018 [22:17:18] There are two drafts, on in English, very (too) long, another in German, I tried to adapt as much as possible for CAcert. 24.05.2018 [22:17:34] https://wiki.cacert.org/Privacy/DraftEU 24.05.2018 [22:18:38] Hello 24.05.2018 [22:19:58] The English draft has no line ending or paragraphs. 24.05.2018 [22:21:26] AH! It has line endings but no HTML formatting. 24.05.2018 [22:24:20] Peter, now, it should be better. 24.05.2018 [22:24:40] I copied just 2 minutes before the meeting into the wiki 24.05.2018 [22:24:49] Salut Frédéric 24.05.2018 [22:25:11] Ouf, je suis là 24.05.2018 [22:26:09] Well, we startet some minutes ago and had a look to some papers we should discuss today. 24.05.2018 [22:26:25] it is formatted now. Readable. :-) 24.05.2018 [22:26:53] As bdmc is not here and he asked me to chair the meeting and we have now a quorum, I will open the meeting offically. 24.05.2018 [22:31:09] When I understood well all the long e-mails from the working groupe about the General Data protection Regulation, we need a Data Protection Declaration and a Data Protection Officer until tomorrow. 24.05.2018 [22:31:37] As we have "customers" in the European Union. 24.05.2018 [22:33:16] For the Data Protection Declaration, there is a draft (in german) here: https://wiki.cacert.org/Privacy/DraftEU#German_adaptet (to know what about it is, you can also reed the english verision on the same page, not adaptet for CAcert and 3x longer) 24.05.2018 [22:34:02] Hubert sent us this links from another organisation: Privacy: https://stackoverflow.com/legal/privacy-policy 24.05.2018 [22:34:02] 22:15:47 24.05.2018 [22:34:02] 24.05.2018 [22:34:02] 22:15:47 24.05.2018 [22:34:02] Security: https://stackoverflow.com/legal/gdpr 24.05.2018 [22:35:29] Would you like to discuss them or should we vote one of them as draft and made better with our Data Protection Officer during the next weeks? 24.05.2018 [22:36:44] I miss the knowledge to discuss yet 24.05.2018 [22:37:28] Me to. When I read the mails from Megan, Lambert and Hubert, I understood maybe half of it. 24.05.2018 [22:39:23] In short: We have to tell our "customers" in well understandable language the data we collect, keep and why and that they can ask us to remove it and what happens then. If we do not so, there will be a fine up tp 20 mio € = 31 Mio Au$. 24.05.2018 [22:40:18] Every tick box has to be empty, that the "customer" has to tick it and to confirm by clicking OK and a 3rd time by clicking on the link of double opt in. 24.05.2018 [22:41:04] Peter, do you want a discussion this early morning? 24.05.2018 [22:42:49] I am reading the Google translation of the German version. 24.05.2018 [22:43:15] OK to read for a while. I do not know the requirements. 24.05.2018 [22:43:16] dont we have this click box with our acceptance of the CCA? 24.05.2018 [22:43:17] OK, no problem. If it is not well translated, try deepl.com 24.05.2018 [22:44:46] It has to, since there is a time limit 24.05.2018 [22:45:13] GukkDevel: Yes, there is an empty tick box for the CCA. 24.05.2018 [22:45:44] does the CCa fit in for our needs? 24.05.2018 [22:46:18] I don't no. 24.05.2018 [22:47:04] I mean, it fits for CAcert's needs, yes, but I do not know, what an european court will think about it. 24.05.2018 [22:47:39] the "empty" box for CCA-agreement is not only there for joining CAcert (since ages) but is there whenever you want to create a certificate or enter an assurance ... 24.05.2018 [22:49:02] (whenever data is entered by user) 24.05.2018 [22:49:20] As we have strict rules and a privacy policy, we are in general ready for the GDPR, but maybe not for every small detail regulated in this regulation. 24.05.2018 [22:51:00] Agreed for what I know from my company legal 24.05.2018 [22:52:00] Especially with.what we do with the datas and the awareness of the members 24.05.2018 [22:52:49] That should also be in a hudge list from the Data Protection Officer. 24.05.2018 [22:54:09] Nonetheless, a lot of companies are late for complying the rules. This lower the legal immediate risk 24.05.2018 [22:54:54] egal: Who can make changes at the wiki o the bottom (frame)? and at the privacy policy on svn? 24.05.2018 [22:54:55] ... unless somebody has CAcert in the focus ... ;-( 24.05.2018 [22:55:07] From France point of view 24.05.2018 [22:55:22] for wiki i should be able (as i've root access there) 24.05.2018 [22:55:31] You are right 24.05.2018 [23:00:17] But then we have allways 30 days to answer (and maybe made some changes in between). And the have to go the complicated way, asking an Australian court to execute it. 24.05.2018 [23:01:14] don't forget that the servers are at BIT and "rented" by secure-u ... 24.05.2018 [23:01:44] privacy policy can only be changed by policy group, there by the policy officer, with nearly consens by the group 24.05.2018 [23:02:12] consent 24.05.2018 [23:02:29] BIT is in netherlands, secure-u in germany ... if the way to australia is tooo long, BIT and/or secure-u may be forced to shutdown the servers ... 24.05.2018 [23:02:39] (very unlikely, i think) 24.05.2018 [23:02:51] GuKKDevel: I know, it is only, as PP is linked on the bottom of the main page, to put over the PP a link to the EU data protection declaration. 24.05.2018 [23:03:07] Not to change the PP. 24.05.2018 [23:04:01] bottom of the mail page (www.cacert.org) or wiki? 24.05.2018 [23:04:12] s/mail/main/ 24.05.2018 [23:04:22] sorry: main page: www.cacert.org 24.05.2018 [23:04:32] main page -> Datenschutzrichtlinien 24.05.2018 [23:04:50] Datenschutzrichtlinien -> Privacy Policy 24.05.2018 [23:04:59] could be done by Software 24.05.2018 [23:05:10] We have to have both. 24.05.2018 [23:05:27] done until midnight? 24.05.2018 [23:05:45] (in two hours) 24.05.2018 [23:05:53] egal? 24.05.2018 [23:07:38] Are there any more comments about the Data Protection Declaration or should we decide and vote? 24.05.2018 [23:08:41] No more 24.05.2018 [23:08:49] add a link on the main page pointing to a specific wiki-location? 24.05.2018 [23:09:18] not possible within 2 hours ... as software can't change it on the live-system ... 24.05.2018 [23:09:37] and: we need a bugrequest for it ... so somebody can write the code so i can review it ... 24.05.2018 [23:10:05] (and ... of course ... to be tested on test-server before deploy) 24.05.2018 [23:10:42] That is the reason, why I prefer a link on the top of the privacy policy in SVN. Who can do this? 24.05.2018 [23:11:36] aehm ... the privacy-policy, which is linked from www.cacert.org is a static page ... it's not loaded from svn ... 24.05.2018 [23:12:27] you are right, egal. Is it easyer to put a link there? 24.05.2018 [23:12:29] changing this file needs a coding from "somebody else" and a review by me ... 24.05.2018 [23:12:59] (and probably a decision by policy group to change the policy-file ...) 24.05.2018 [23:13:26] adding a link in th footer line should be easier ... ;-) 24.05.2018 [23:13:52] but ... as i always say: i can't do it ... as i will have to review it ... ;-) 24.05.2018 [23:13:52] OK. Let's take decisions: continue or shut down? Vote a Data protection declaration? Details tomorrow. 24.05.2018 [23:14:24] frederic, what about the adaptet german draft? 24.05.2018 [23:15:26] What is expected from me? 24.05.2018 [23:16:04] We have to vote one of this declarations today to be GDPR ready. 24.05.2018 [23:16:21] I agree 24.05.2018 [23:16:35] Vote yes 24.05.2018 [23:17:47] I move to vote for the EU/EEE Data Protection Declaration as proposed at https://wiki.cacert.org/Privacy/DraftEU#German_adaptet (adjustet with real names, addresses, etc.) 24.05.2018 [23:18:04] (frederic, if you agree: write: I second) 24.05.2018 [23:18:14] (followed by "aye") 24.05.2018 [23:22:15] I second 24.05.2018 [23:22:19] Aye 24.05.2018 [23:22:42] aye 24.05.2018 [23:23:11] Thank you, maybe Peter will come back from reading in a few minutes. 24.05.2018 [23:24:59] Until then could we ask software to ad a pop up with a text like this "CAcert uses cookies, which are necessary for the functionality and the user behaviour on the website. By using this website, you agree to the use of cookies as described in detail in CAcert's privacy policy More information" with a link to the data potection declaration. 24.05.2018 [23:25:34] CAcert verwendet Cookies, die für die Funktionalität und das Nutzerverhalten auf der Webseite notwendig sind. Durch die Nutzung der Webseite stimmen Sie dem Einsatz von Cookies zu, wie sie in der Datenschutzerklärung der CAcert im Detail ausgeführt ist Mehr Infos 24.05.2018 [23:25:37] Back 24.05.2018 [23:25:54] CAcert utilise des cookies, qui sont nécessaires à la fonctionnalité et au comportement de l'utilisateur sur le site Web. En utilisant ce site Web, vous acceptez l'utilisation de cookies comme décrit en détail dans la politique de confidentialité de CAcert. 24.05.2018 [23:26:30] Etienne, what is the filename of link to the EU data protection declaration? 24.05.2018 [23:26:39] Peter, we just votet for the data protection declaration ("german adaptet"). You can ad your vote, if you want. 24.05.2018 [23:27:14] Aye 24.05.2018 [23:28:06] GuKKDevel: EU-EEE-DataProtectionDeclaration 24.05.2018 [23:28:21] OK, DPD is carried. 24.05.2018 [23:29:45] Next: For the cookies: German Text is OK, others have to be reviewed. I will file a bug, if there are no objections - or should we vote? 24.05.2018 [23:30:56] i would prefer a motion to add a popup to the main page ... 24.05.2018 [23:31:37] -*- egal wrote the last statement as software team lead ... ;-) 24.05.2018 [23:32:55] I move to ask the software team to implement a pop up an all page that uses cockies to inform users about the use of cockies and the Data Protection Declaration. 24.05.2018 [23:34:09] (who second? vote is open) 24.05.2018 [23:34:57] Does it have to be every page in a session or just the first page they visit in that session? 24.05.2018 [23:35:33] I second 24.05.2018 [23:35:36] Aye 24.05.2018 [23:35:37] I created a bug (1440) to add the link to EU-EEE-DataProtectionDeclaration at the homepage 24.05.2018 [23:36:43] Yes, Peter, the first page in a session. 24.05.2018 [23:38:00] (we have still to points) 24.05.2018 [23:38:31] (while waiting for the last vote, I will carry on) 24.05.2018 [23:39:51] Aye 24.05.2018 [23:40:20] our keyserver is connected to one from egal and one from secure-U = CAcert Germany. Both will shout down their key server today until some legal points about keyservers are more clear as today. Should we do the same (suspend the service) or continue with some risks and no more updates? 24.05.2018 [23:40:38] Thank you for voting, the motion has been accepted. 24.05.2018 [23:41:04] secure-u keyserver was shut down two or three days ago, my own keyserver were stopped around 1 hour ago ... 24.05.2018 [23:41:31] currently the CAcert-webserver is stopped, too ... (as i planned to go to bed) 24.05.2018 [23:41:50] i can start the CAcert-keyserver immediately if needed 24.05.2018 [23:41:56] s/webserver/keyserver/ 24.05.2018 [23:42:33] OK, so I move to suspend the keyserver service until new decisions for GDPR reasons. 24.05.2018 [23:43:04] (please vote) 24.05.2018 [23:43:32] Aye 24.05.2018 [23:43:37] aye 24.05.2018 [23:43:47] (and aye for the pop up) 24.05.2018 [23:43:49] Aye 24.05.2018 [23:44:10] and as bdmc's proxy aye for the declaration, the pop up and the keyserver 24.05.2018 [23:44:14] Thank you. 24.05.2018 [23:44:17] Last point: 24.05.2018 [23:44:45] We need a Data Protection Officer (DPO), that is not member of the board and living in the EU. 24.05.2018 [23:45:49] I asked Hubert from the working group. He is not available. I asked Lambert, but he has a CoI. Furthermore I asked Megan (the third member of the working group) and the community. No answer from both (Megan and community). 24.05.2018 [23:47:01] We have to appoint someone. 24.05.2018 [23:48:02] If we appoint someone present here, ha can accept or not. If we appoint someone not here, he is appointet for the moment. When he does not accept, we have some more time to appoint someone else. 24.05.2018 [23:48:23] Or are some candidates from CAcert France, frederic? 24.05.2018 [23:49:59] Not yet. I have some ideas to attract some non-technical people who will be perfict for that type of tarks. But not within months 24.05.2018 [23:50:56] Nonetheless, we can appoint a French fellow 24.05.2018 [23:52:28] So, propose him. 24.05.2018 [23:52:46] (or we appoint Megan until Brexit in some month) 24.05.2018 [23:53:55] let's do Megan first, it won't be a surprise 24.05.2018 [23:55:08] Lambert could do it for a short time, but this conflict his role as Arb - and as we need Arb, I would support frederic's proposition. 24.05.2018 [23:55:46] frederic, you can move to appoint Megan R., if you want. 24.05.2018 [23:56:17] I second 24.05.2018 [23:58:32] aye 24.05.2018 [23:58:59] First, we have to move: I move to appoint Megan R as Data Protection Officer. 24.05.2018 [23:59:03] aye 24.05.2018 [23:59:17] Aye 24.05.2018 [23:59:37] aye 24.05.2018 [23:59:39] bdmc: aye 25.05.2018 [00:00:18] Peter ? 25.05.2018 [00:00:49] Any other GDPR business? 25.05.2018 [00:01:11] 3. GDPR Question Time 25.05.2018 [00:01:19] Any questions about GDPR? 25.05.2018 [00:01:35] no 25.05.2018 [00:03:27] 4. Closing 25.05.2018 [00:03:30] Next Committee Meeting will be on June, 7th (June, 8th in Murwillumbah NSW) 25.05.2018 [00:03:55] Thank you very much for joining this meeting. 25.05.2018 [00:04:26] Bye 25.05.2018 [00:04:30] thank you for organizing and your minutes 25.05.2018 [00:04:39] Bye 25.05.2018 [00:04:43] The meeting is closed. Good bye. }}}