On 27 Feb 2018, at 15:47, Matt Parker <mparker@ripe.net> wrote:
if a user submits unsolicited email attachments that are deemed to be sensitive/confidential in nature, the RIPE NCC is able to redact these documents, removing them completely from any third-party servers.
Matt, this misses the point completely. IMO, nothing member-related should be getting stored or processed on third-party services. Ever. [Well, OK encrypted backups can be held off-site by a reputable provider.] What happens when $cloud-provider-du-jour goes bust or changes its T&Cs (all your data are belong to us) or does stuff to that data unknown to either the NCC or the member? Will it be possible to switch providers or bring it back in-house once the NCC’s finds out it’s been locked in? At the very least, there should have been a considered discussion about this in the NCC services WG (and the GM) before a decision was taken. Some stuff in Zendesk’s privacy policy is downright alarming: "Our Websites may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices.” "We and our authorized partners may use cookies and other information gathering technologies for a variety of purposes.” "Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon your Web browsing activity.” "We collect analytics information..... We may also share anonymous data about your actions on our Websites with third-party service providers of analytics services.” "We may use the information we collect about you (including personal information, to the extent applicable) for a variety of purposes, including to ... (e) send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners. ... (f) process and deliver contest or sweepstakes entries and rewards; (g) monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes; ... (i) personalize the Websites and Services, including by providing features or advertisements that match your interests and preferences" "We may also obtain other information, including personal information, from third parties and combine that with information we collect through our Websites. For example, we may have access to certain information from a third party social media or authentication service if you log into our Services through such a service or otherwise provide us with access to information from the service.” "We share information, including personal information, with our third-party service providers” I can’t imagine why anyone would sign up to this or think it was culturally compatible with the membership and RIPE community. I wonder too how this US company intends to comply with GDPR. I am saddened that the NCC does not appear to have learned from past mistakes. Some years ago, the NCC tried to use some (here today gone tomorrow?) third-party Web2.0 cloud thing or other for storing and presenting RIPE meeting materials. There was no prior consultation. IIRC it turned out the provider asserted copyright/IPR over anything that was uploaded to their systems. They also imposed other conditions which would have made it impossible for some speakers to provide content.