GDPR compliance
Question asked by Petr Vogeltanz - May 14 at 1:51 AM
Answered
25th May is coming and there are no GDPR features (pseudonymization, user account change logs, etc.) implemented or planned?
Without these features your software will be hard to use in EU!
 
Thanks for answer!

11 Replies

1
Hi Petr. I had a customer ask the same question so I reached out to SM support on 3/21/2018 and here is what I was told:
 
"SmarterTools has not released any specific features for compliance with GDPR. GDPR regulations purely deal with consent and how hosting providers form their contracts with EU Citizens relating to data storage, data availability upon request, breach notification, etc, from what I understand, there wouldn't really be any 'Features' to be added into our products to comply with the new GDPR regulations."
 
I then asked a few questions my customer was asking. SM support reached out to their developers and then responded again with this...
 
"I've met with the SmarterMail team. Encryption is something that's on our radar and is being discussed but we have no ETA on approval/implementation.
 
Regarding the ability to hide personal info from logs, this is not something we can implement here on our end, as reviewing the IP and user info is needed to diagnose the issues within the logs. Without observing e-mail addresses and IP addresses the logs become a bit useless. Only system administrators and users who have access to the file system of the mail server itself have access to this information.
 
I've passed the GDPR compliance documentation over to our COO as well so we can review further ways to implement features beneficial for GDPR in the future."
 
Btw Petr, I have written several articles about GDPR compliance. Please feel free to check them out here: http://know.mailsbestfriend.com/GDPR--030520181.shtml Please let me know if you have any questions about anything you read in the articles. Thanks!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
2
One of the most overlooked, and most difficult to implement, aspects of GDPR is any EU customer's right to be deleted from your database (aka 'being forgotten').
 
According to this law, in any system storing personal data you MUST guarantee the unrestorable deletion of all personal data upon the customer's request within a reasonable time limit. This is meant retrospectively, so it regards all data stored from his/her earlier transactions as well.

You can of course do this manually by editing the records in hundreds of related SQL database tables, and try not to mess up the relations, indexes, key fields. The law allows this, no problem.
 
But I think it is the software developers' duty to implement a tool for this, like a 'Forget Customer' button in the admin area of each system that handles people's personal data after May 25th.
 
Further to that, all currently stored data of all customers whose consent to store it further you don't have by May 25th should also be deleted, so a 'Forget Selected Customers' button (i.e. with mass effect) is also missing.
 
How are we supposed to do it without the proper functionality in the systems?
And why are software developers telling us: 'there wouldn't really be any "Features" to be added into our products to comply with the new GDPR regulations'?
 
Without these 'Features', just imagine: you have a SQL table with 92.254.554 records, and have to enter:
 
DELETE FROM Customers WHERE CustomerName='John Doe'
or DELETE FROM Visitors WHERE IPaddress='111.111.111.111'
 
and now repeat that with the 47.554.475 names or addresses you have not received consent from by May 25th, checking all your emails manually, and when you are finished with this SQL table, then check all related tables also, where any personal data may exist.
And keep doing that manually each day for the 2-3 thousand customers from whom you might receive a 'Forget-Me' request each day. Good luck!
 
The most fearsome part is how easily you could be provoked and caught if you violate this: a malicious customer/user, or a tricky inspector/competitor pretending to be a customer/user, would be enough to get you fined/prosecuted.
You may gain some time if you are lucky enough to have a database that is not visible from outside (however, it does not exempt you from this), but what about, for example, the user-viewable 'Ticket History', revealing immediately if you did not comply with deleting their data?
 
PS. Not to mention here the millions of webshops with their 'Order Histories'. I see very little worry about this in the industry. I can't imagine how these are supposed to comply by May 25th without requiring us, the operators, to manually tinker in the databases.
0
Back in Jan 2018 I asked the same question, which was responded to by the COO suggesting new features were on the way. Although if true, they are being left very late before release. I notice this portal is on v14 and has been for a number of weeks; perhaps it will be available to the masses soon?
 
1
Security principles are built around Confidentiality, Integrity, and Availability. Europe's GDPR has raised a ruckus over the confidentiality piece. But the email infrastructure is dominated by unsolicited content sent from malicious servers and from non-malicious servers that host user accounts which were compromised by password-guessing techniques or other methods. Quite simply, the Integrity requirements of the email infrastructure require some loss of confidentiality.
 
System administrators have a responsibility and an expectation to act on behalf of the user to protect them from hostile and unwanted mail, and this cannot be done successfully without occasional access to the message body. If the user wants full privacy, he can use OpenPGP, S/MIME, or PKI certificates to ensure end-to-end encryption. This can be documented with a statement of privacy practices to help with the legal issues.
 
Hospital patients have privacy rights, but hospitals also have security cameras. This means that a security guard may see Miss Celebrity in her bathrobe without makeup, and that picture may be recorded. The existence of the picture does not constitute a privacy violation when it is part of a system for patient safety. All of this applies as long as the photo is not leaked for unauthorized purposes. The same applies to mail -- it is not the appropriate random inspection of mail for hostile content that is a problem, it is inappropriate use that will create problems.
 
Tactics
Encryption is a tactic, not a result. It helps to ensure confidentiality by requiring a key to decrypt the content, but it is business processes that control who gets the key. SmarterMail has to have access to all of its files, so you could potentially use the Encrypting File System to encrypt all of SmarterMail's files to the account in which the service runs. This does not require SmarterMail changes. This approach helps to ensure that only someone with the SmarterMail login can decrypt those files, but it does not say who will have the login. Which is pretty comparable to the present situation -- someone can only see someone else's files if they have a login to the server which gives them permission to do so.
0
Thank you Douglas for clarifying how encryption will solve most of the GDPR issues.
 
But I still have worries about the following other GDPR requirements involving the handling of any user's data, and this is independent of how strongly we have their data encrypted in our database.
 
I am quoting the relevant GDPR rules in my own words for brevity here:
- any user may ask for information about what data is stored about him, for what purpose, and for how long
- any person (even if not a customer of yours) has the right to a reply whether you are storing any data about him. So you must reply with "We have no stored data about you"; you can't simply ignore his question.
- any user may ask for full or partial deletion of his data; he can also ask you at any time to modify his stored data (I suppose the modification regards only data that has errors, however the law does not say this. It is still not clear to me what the law means by this, what would be the definition of an error, a misspelled name? Does this regard all 2548 instances we might have from a single customer's earlier activities?)
- any user may ask for restricting his data or any part of his data from being shared with any selected 3rd party; he can do it as many times and at any time he wishes, even if he has given opposite instructions before
- any user may ask for the handing out of all his stored data for whatever reason he wants it (e.g. to carry it away to another company if he wishes)
- in case of a data breach / loss / tampering you must notify the authorities and the affected users within a short time. You must inform them about the exact range of the affected data.

This all may sound obvious, and most of you would think 'No problem, of course we will do it'
 
...but I had a dream tonight: our Mary in the PR department (being a small company, she's alone with us in that 'department', it is just a desk) replies to the 578 daily requests by typing reply emails, and she types fast:
 
- 78 times each day she writes 'Dear Sir, We received your inquiry, we have no data stored about you' (you might think it is just copy-pasting email texts. No, she has to run 87 SQL queries on our 547 SQL tables in 12 different databases on 5 servers before each single reply; she manually inserts the person's name, possible nicknames, email addresses and IP addresses in those SQL queries' WHERE clauses. She does this manually because all our software guys and software vendors told us there's nothing they should improve regarding the new GDPR issues)
 
- she will reply 147 times each day like 'Dear Sir, upon your request we have deleted all data regarding your purchases before your divorce on 17th October 2017, but left intact all your data after this date you still wish to see in your Order History, so your current wife will not see the list of items you enjoyed with your earlier wives' (no problem, she will write those 59 custom SQL query statements and run them on 5 servers in a remote terminal window just as fast as she types emails)

- she will reply 194 times 'Dear Sir, we understand your concerns about company 'Lost Packages Co' inappropriately handling the data you had earlier given us consent to share; upon your instructions we are now revoking all data from them. At the same time, upon your current request, we are allowing company 'Safe Packages Co' to see your data but not your earlier purchases.
We have also received your request to retrieve a list of all your earlier purchases containing toiletry items you wish to share with 'Toilet Usage Analyzer Services Co'; I am enclosing the requested data, it is a 5MB file in .csv, .xlsx and human-readable .pdf formats. At the same time we are allowing the Toilet company you chose to analyze your habits to access your future data online through our website API, but this applies only to your purchases of toiletry articles. According to GDPR you may of course change your preferences again at any time'
(and Mary works fast, she modifies the 'MayShareWith' fields manually in 74 SQL tables like a breeze, writes the export queries and converts these files to any format our customers wish, although she is still learning how to manually binary-edit AutoCAD .dwg** files: a customer of ours uploaded a drawing to our server in this format, unfortunately with his full name and address (i.e. GDPR-protected personal data) as vector graphics he wanted us to print on custom-made toilet paper he ordered; now he wants us to change that name in the file we store in our system, and we can't afford buying AutoCAD for her to edit the file more easily)
 
But she misses one incoming request, she does not reply with a simple (No, Sir, we have no data) to Herr Dr. Anwalt Abmahnung*, and this request turned out to be coming from our competitor's lawyer;
now we are facing a hefty fine. Luckily another law firm offered their services to clean up the mess and train our Mary in 'Better GDPR Practices'. The counselling alone will cost us 7500 EUR; I don't know how it should help us to avoid further GDPR breaches, but the software guys still keep telling us they can do nothing to help Mary.
 
...and then I woke up to realize it is not yet 25th of May.
 
What about a standardized GDPR submenu covering all the necessary user requests (general info, data deletion, modify data, allow/deny sharing with X/Y/Z, data export, etc.) in all customer UIs in all systems, so it could take the burden of it? Or at least a standardized kind of ticketing system would give our users the impression that everything complies with the law, and we gain some time to catch up manually.
 
I may seem to exaggerate this (yes I did, for the sake of explanation), but I did not: we really do have a Mary in PR, and she does reply to our customers' requests 'Please change the shipping address I have just placed an order to' or 'Please change the color of the cat litter I have ordered 17 minutes ago to pink', etc. She does this now full-time, 8-9 hours a day.
 
On top of all her current duties will come all those GDPR-aware users who wish to protect their data from a future 'Cambridge Analytica'; how many will have data-related requests regularly or occasionally out of 275k customers? Can you tell? Will they read some day something bad about 'Toilet Analyzer Co' in the news and 58k of them request to modify their stored data immediately on one single day? Should we hire two additional Marys now?
 
What are the risks now if Mary misses changing the cat litter's color to pink? In the worst case we will ship the order again and lose 2 x 3.90 EUR with the repeated shippings; I would not even tell her about the error if it happened now. But what if she misses acting upon a GDPR request from one customer? We lose 20 million? (I am exaggerating, but 2000 or 200 are also amounts we cannot afford.)

*FYI: Abmahnung. A legal form of racketeering your business for the smallest error; this technique is widespread in Germany, bribing up to several thousand Euros out of you while pretending these were legal costs. All this 'business' is backed up by German courts: when you receive an 'Abmahnung', it is already accompanied by the court's preliminary decision ordering you to pay the lawyer for his 'work'. Usually receiving this letter is the very first moment you become aware of your violation, so you never have the chance to correct it at no cost. Many lawyers in Germany make their living proactively searching for the smallest errors and violations of law (ranging from forgetting to show the price per liter when you are selling 100ml of something, to forgetting about battery rules and markings when you are selling anything with, for example, a 2mm lithium coin cell).
Earlier these lawyers had to work for it at least a little; nowadays they can just google the internet for prey. I think GDPR will be just another goldmine for them.
Don't get me wrong, I am not a renegade against obeying the rules; I just find it unfair to pay 2-3000 EUR for mistakenly not including the per-liter price on one item in a 35k-item webshop. There is even nothing that protects you from paying several different lawyers for the same small error they discover. And all this happens each day in the same country where a speeding ticket could cost you as little as 10 Euros.
The most fearsome thing in these GDPR regulations is that ignoring a user's data handling request, or even a delay in it, is obviously visible from the outside, as I already tried to explain earlier.
 
** It is just half a joke; we really do receive and store .dwg, .eps, .ai, .jpg, .png, .pdf, .tiff etc. files containing sensitive personal user data (names, addresses, telephone numbers, email addresses) in one of the webshops we operate. We sell customized advertisement items, like pencils, pens, sweets, etc. with company logos, but very often names on them. Our customers upload these files and I see GDPR makes no exemption for the personal data we may 'store' in these files.
0
Sounds like a nightmare. Typical of big government to assume that they can pass laws and experience no unintended consequences. This will especially be a problem for companies that are targets of activist hate campaigns, such as oil companies. Every group member demands information from the company every 90 days.
 
Lots of identification issues. You want to know what I know about you. I cannot answer that question until you reveal a lot of information about yourself.
 
You demand to be forgotten. How does my company authenticate you before purging your data? What happens if someone is purged incorrectly because of mistaken identity? What about the web tracking services that consumers do not even know by name, and which may only know consumers by name or IP address?
 
6 months later you write to ask what I know about you. If I say that I have a record of your request to be forgotten, have I violated the requirement to forget you? If I say that I have forgotten you, am I in trouble for not having a record that I purged you?
 
What happens when a nation-state actor decides to confuse the system with fraudulent-but-convincing purge requests, or to assault the system with endless requests for information about non-existent people? What happens if they ask for information on legitimate people and are able to succeed, building a database of information that they can use for espionage or other purposes?
 
Can I shoplift from your store at 9:30am, then demand to be forgotten at 10:30am, so that when you find my face on the videotape, you cannot prosecute because my image was supposed to be purged?
 
What if all I know about you is your image on my security system? What if all I know about you is tied to an email address but not a name?
 
I expect this law is a can of worms that will cause much harm.
0
Yeah, you are right, I have not yet even thought further about the additional identification concerns you are talking about.
 
How do we know an email coming from johndoe@ xxxdotzzz requesting us to delete all his records is legitimate? This action is possibly causing irreversible damage to the real John Doe, who worked five years to generate that data, and he could sue us for the loss.
 
Should we ask for his ID?
But must he be called John Doe at all? What about a user having the email address donkey@ xxxdotzzz? Are we supposed to see a driver's licence with the name 'Don Key' on it, or is it OK if he just looks like a donkey in his photo? Would a Spanish guy called Burro or a Chinese guy called '驴' fit? (just for fun: try to look up 驴 in a dictionary, but don't use copy/paste, enter it into a computer manually from a scan :-) Nonsense, then why ask him for any ID?
Those who think I am overreacting: we do have lots of Russian clients living in Germany, and lots of their stuff including personal data is uploaded (to our gift shop) in Cyrillic. According to GDPR, are we required to sort it out by hiring a Russian translator? 'Чижик Пыжик': is it a name, i.e. sensitive personal data according to GDPR? Who will tell me, and for how much? Is it something harmless, or... oops, have I already violated the rule by leaking a hint that 'Чижик Пыжик' has placed an order with us?
 
Further to that, according to the GDPR an IP address is also personal data (it can be used to identify a person, I partly agree). How is a person supposed to confirm he belongs to a particular IP? Let's suppose his ISP changed his address yesterday... Should I ask for a court decision to force his ISP to confirm he was issued that old IP earlier, before I may touch his records?
 
What I don't understand is why there is not much more fuss about all this nonsense in the news and the industry.
This law applies to millions of entrepreneurs, companies and webshops. And what the most knowledgeable forums and government sites with their 'practical advice' are telling us only repeats the very same legal-bullshit sentences we can read in the original GDPR, and/or just tells us: 'ask your GDPR advisor'.
 
But may we know now what those 'GDPR advisors'' replies are? I can't afford a legal advisor, but I suppose he would tell me 'Do what the law says' and charge me 2000 EUR; a smarter one would tell me the same in 700 bla-bla pages and charge me 10k.
 
I need clear answers now; Mary either presses the ENTER key after typing DELETE FROM Customer WHERE Name='John Doe', or she does not. I can't give her a 1700-page legal blurb to find out.
Why can't I have these YESes or NOs now, five days before the law comes into force?
 
Or am I completely wrong, and this law is not at all about what all these words mean?
 
What I am going to do: let's think outside the box. We are including an additional link, like 'GDPR Management' or similar, on all our websites; it will show a page with some buttons and checkboxes (although I am inclined to make it look like a nuclear power station's control room with 274 buttons, levers and gauges showing GDPR compliance percentage in the green at 100%, just to annoy them by covering all aspects of this law). This settings page will include some explanation text mentioning the word 'GDPR' at least five times and will also have further links to the GDPR law itself in 24 languages. This should make us look very much GDPR-compliant, scaring off all those lawyer-hyenas and satisfying the most law-aware users at the same time.
And we will continue business as usual. (Those buttons will do nothing beyond logging the requests.) This is the most responsible way of treating this problem currently, I think.
We will later see what the others do. I think the least effective way of dealing with this problem now is trying to interpret this nonsense lawmakers tell us with a coder's if... then... else logic.
0
Another side effect: compliance will force you to aggregate personal information across all sources, data that you had not previously tried to aggregate. Name and address, email, photo, government ID number. Every business is suddenly required to act like Facebook. So in an effort to provide privacy and fix the problems that Facebook and a few others created, the law will reduce effective privacy for everyone.
0
Derek Curtis Replied
Employee Post
This article lays out some of the trouble spots of GDPR, and hits some of the issues that have been raised here: 
 
 
Also, we just put out this blog post about GDPR and where things stand with SmarterTools' products. 
 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Hello,
 
I am following the process of data erasure (right to be forgotten) from the GDPR and at this point I am looking into anonymizing personal information from SmarterTrack on premises (so we are looking into doing this through the database).
However, we have currently hit an impasse.
We don't know which table to look into for e-mail addresses. In the "queue" (Department), the e-mail has been hidden, but if you select the thread, the customer name and e-mail address are still visible. Could you please point me in the right direction? 
 
Thank you for your reply in advance!
Andreea-Luciana Ostache
0
Andrew Barker Replied
Employee Post
Andreea,
 
Email addresses are stored in multiple places, based on the needs of the system. Keep in mind that as you look at these fields, it is possible that they may contain multiple email addresses, or values like "Test <test@example.com>", so it is best to avoid looking for exact matches.
 
Chats
When a chat is initiated, the customer's email address, if provided, is stored in the Chats table using the CustomerEmailAddress field.
 
Custom Fields
Custom fields may contain email addresses, depending on your configuration. Because Display Name and Email address are default, required custom fields for creating tickets from the Portal, there is a very good chance that your database will have some email addresses stored as custom fields. To find affected custom fields, I would recommend that you start by looking at the CustomDataFields table to determine which custom fields need to be reviewed. Once you have the appropriate CustomFieldID values, you can check CustomDataFieldsForUsers, CustomDataFieldsInCallLogs, CustomDataFieldsInChats, and CustomDataFieldsInTickets.
 
Tickets
For tickets, there are several places to look. The Tickets table itself will likely have a value in the CustomerEmailAddress field. The TicketMessages table is expected to have emails stored in the ToAddress and CcAddresses fields. TicketEmails could have what you are looking for in Email, FriendlyName, or DomainName. Finally, the TicketEventLog table doesn't directly store emails, but it does reference the EmailAddresses table.
 
Users
For users, the only place where emails are stored is in the Users table using the Email and LoweredEmail fields. I would recommend anonymizing the information in the Users table - including the username and password - to avoid unforeseen complications. However, if you intend to delete these records, you will also need to delete the related records in UserSettings, UsersInRoles, UserTrackingCookies, and ThreadPosts. In such a situation, I would also recommend deleting the related records in UserAbuse, UserComments, UserEventLogs, UserHandshakes, UsersInGroups, UsersInRebalanceRules, UserTimings, and UserWebSessions.

Andrew Barker
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
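Following Andrew's table list, here is an added example (not SmarterTools' code) of how the erasure Andreea asked about can be done without exact-match lookups: candidate rows are found with LIKE, but each value is rewritten after parsing it, so a substring hit on another person's address is left alone and the other recipients in a CcAddresses field survive. It assumes an in-memory SQLite stand-in for the real database (the real schema, key columns and the CustomDataFieldsIn* value column are not shown in the reply).

```python
"""Pseudonymise one customer's e-mail address across the SmarterTrack tables
named above. Added example, not SmarterTools' code: an in-memory SQLite stand-in
mimics the named tables; CustomDataFieldsIn* tables are skipped (value column unknown)."""
import hashlib
import hmac
import sqlite3
from email.utils import formataddr, getaddresses

# (table, column) pairs named in the reply. Identifiers come only from this
# fixed list, never from user input, so building SQL with f-strings is safe.
EMAIL_COLUMNS = [("Chats", "CustomerEmailAddress"), ("Tickets", "CustomerEmailAddress"),
                 ("TicketMessages", "ToAddress"), ("TicketMessages", "CcAddresses"),
                 ("TicketEmails", "Email"), ("Users", "Email"), ("Users", "LoweredEmail")]


def pseudonym_for(target, secret):
    """Stable, unlinkable replacement: the same address gets the same pseudonym in
    every table (joins keep working), but without `secret` it cannot be recomputed."""
    digest = hmac.new(secret, target.lower().encode(), hashlib.sha256).hexdigest()[:16]
    return f"erased-{digest}@example.invalid"


def rewrite_field(value, target, pseudonym):
    """Replace only `target` in a header-style field like 'Test <test@example.com>,
    Jane <jane@example.com>'. Other addresses survive; the matched address loses
    its display name too (it is personal data). Comparing the parsed address, not
    the substring, means a LIKE hit on 'bjohn@example.com' is left untouched."""
    if value is None:
        return None
    changed, out = False, []
    for name, addr in getaddresses([value]):
        if addr.lower() == target.lower():
            out.append(formataddr(("", pseudonym)))
            changed = True
        else:
            out.append(formataddr((name, addr)))
    return ", ".join(out) if changed else value


def pseudonymise(conn, target, pseudonym, columns=EMAIL_COLUMNS):
    """Find candidate rows with LIKE (not exact match, as Andrew advises), rewrite
    each value precisely in Python and write it back in one transaction.
    Returns {'Table.Column': rows_changed}. SQLite's rowid stands in for the
    primary key you would use on the real SQL Server database (assumption)."""
    changed = {}
    with conn:  # commit on success, roll back everything on any exception
        for table, column in columns:
            rows = conn.execute(f"SELECT rowid, {column} FROM {table} WHERE {column} LIKE ?",
                                (f"%{target}%",)).fetchall()
            n = 0
            for rowid, value in rows:
                new = rewrite_field(value, target, pseudonym)
                if new != value:
                    conn.execute(f"UPDATE {table} SET {column} = ? WHERE rowid = ?",
                                 (new, rowid))
                    n += 1
            changed[f"{table}.{column}"] = n
    return changed


def build_sample_db():
    """Constructed sample data standing in for a real SmarterTrack database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Chats(ChatID INTEGER, CustomerEmailAddress TEXT);
        CREATE TABLE Tickets(TicketID INTEGER, CustomerEmailAddress TEXT);
        CREATE TABLE TicketMessages(MessageID INTEGER, ToAddress TEXT, CcAddresses TEXT);
        CREATE TABLE TicketEmails(Email TEXT, FriendlyName TEXT, DomainName TEXT);
        CREATE TABLE Users(UserName TEXT, Email TEXT, LoweredEmail TEXT);
        INSERT INTO Chats VALUES (1, 'John.Doe@example.com');
        INSERT INTO Tickets VALUES (10, 'john.doe@example.com'), (11, 'other@example.net');
        INSERT INTO TicketMessages VALUES
          (100, 'Support <help@example.org>', 'John Doe <john.doe@example.com>, Jane <jane@example.com>'),
          (101, 'bjohn.doe@example.com', NULL);  -- LIKE hit that must NOT be rewritten
        INSERT INTO TicketEmails VALUES ('john.doe@example.com', 'John Doe', 'example.com');
        INSERT INTO Users VALUES ('jdoe', 'John.Doe@example.com', 'john.doe@example.com');
    """)
    return conn
```

Run `pseudonymise(build_sample_db(), "john.doe@example.com", pseudonym_for("john.doe@example.com", b"<secret>"))` to see per-column counts; FriendlyName and the Users username/password columns still need the separate treatment Andrew describes.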
