top | item 45922651

(no title)

It most certainly was. You have someone outside your organization who accessed the data, and you know about it. Here's what you just wrote about the person who accessed this endpoint:

> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

Someone who has been acting maliciously against your organization accessed that data. And you think it's fine? They're a teenager. An angry teenager, who is acting out. You honestly believe you can trust they didn't distribute this data or tell anyone else about the problem before you found out about it?

When I was a teenager, someone in my year level gained access to a lot of personal data about a bunch of people in our year level. This was a smart individual who at least somewhat understood the gravity of the situation. But they were also a kid, of course they distributed some of the data — bragging rights and what not.

What about the section titled "the surveillance infrastructure (orpheus engine)" where the teenager claims children's data was intentionally being sent out to third parties, specifically to profile kids? What's that all about?

Look, no-one read this article and thought "Wow, this is well written article by a super mature well-adjusted individual. I'm taking this as gospel." The article is clearly written by an angry teenager. I feel far more invested in this now that I've seen your responses. The way you're handling this, and yourself, is just downright absurd. Stop.

discuss

VEBee|3 months ago

By the way, orpheus engine is available publicly at https://github.com/hackclub/orpheus-engine.

SigmaEpsilonChi|3 months ago

I never said anything was fine. I said it was a serious vuln, and we took it seriously.

We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?

The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.

Benjamin_Dobell|3 months ago

Look. This isn't on the front page of HN anymore. So I'm mostly writing this to you. You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability.

You are just not going to be able to control the narrative like this. Trying to tell someone else what the "crux of the issue is" will not allow you to shift the goal posts. The article described a pattern of issues, and in my previous comment I specifically raised one. No determined individual is going to just leave that thread dangling for you.

> Is there something else we should be doing?

Yes. Obviously. That's the point.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance.

It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass. You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do.

No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time. You apologise, and explain what you're doing to rectify the situation. What have they got to hide? Are they worried they'll get an influx of outrage because this lack of care was something people in the community were already concerned about?" With the context given from the odd parent in this thread, it certainly comes across as the latter.

> It's not a complicated legal question, the answer is just no.

This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as:

a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.