Dear all,

The FSFE values your privacy and deeply regrets the incident that occurred on 2 May 2019 that resulted in the unauthorized use of your information, and the ensuing events that transpired. We apologise for the delay in our response, but we wished to conduct an investigation to accurately determine how and what exactly happened. Resulting from our investigation, here are summaries of what took place as we understand it.

**TL;DR: In brief, your email addresses were used by a third party to create another mailing list, unaffiliated with and without the consent and prior knowledge of the FSFE, on the web infrastructure of another company. Shortly afterwards, the third party then ran automation scripts to unsubscribe all members of the FSFE's list, which resulted in you receiving emails requesting your confirmation to unsubscribe from the FSFE's lists. The FSFE has informed the relevant Federal authorities in Germany of this breach, and we are in contact with legal counsel to explore our options to ensure that our communities are protected.**

To get into greater detail, the FSFE operates a number of mailing lists using the subdomain "lists.fsfe.org", as you are aware. Among these lists are discussion@lists.fsfe.org (the "FSFE Discussion List") and fsfe...@lists.fsfe.org. Both these lists shall hereinafter be referred to collectively as the "FSFE Lists".

On or before 2 May 2019, Daniel Pocock and/or Ready Technology (UK) Limited obtained approximately 800 email addresses from the FSFE Lists, either from the FSFE website or through other means, without the consent of the FSFE or of the individual subscribers of the FSFE Lists. It is our understanding that Pocock and/or Ready Technology (UK) Limited was able to obtain these email addresses because they were subscribed to the mailing list and therefore had access to view the register.

Up until 2 May 2019, subscribers of the FSFE Lists were able to view a register of the emails subscribed to these mailing lists, on the FSFE website. These registers are password protected, and therefore not available for the general public at large to access. We have since set the register of subscriber emails on our mailing lists to be only viewable by the list administrators.

Pocock and/or Ready Technology (UK) Limited then set up a mailing list called discuss...@lists.fsfellowship.eu (the "Unaffiliated List"), using the email addresses obtained from the FSFE Lists with neither the consent nor knowledge of the FSFE or of the individual subscribers of the FSFE Lists. The Unaffiliated List is not affiliated with the FSFE in any way.

Pocock then sent an unsolicited mass email on 2 May 2019 to the Unaffiliated List under the subject line "[Discussion] censorship in FSFE, Debian, Mozilla and other communities" (https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000000.html). It included the statement "If you wish to unsubscribe, please visit here", which linked to the management interface for the FSFE Discussion List. The statement was vague enough to mislead a number of people into thinking that clicking on such link would allow them to unsubscribe from the Unaffiliated List. This email did not contain any information on how to unsubscribe from the Unaffiliated List.

Information on how to unsubscribe from the Unaffiliated List was provided in a later email sent by Pocock on the same day, under the subject line "[Discussion] unsubscribing and transparency" (https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000016.html), together with the unsubscribe information for the FSFE Discussion List. Further, the email contained the statement: "if you have technical problems unsubscribing, please ask on IRC or simply email system-hackers at lists.fsfe.org and we'll work it out behind the scenes as professionals." This statement misrepresented Pocock and/or Ready Technology (UK) Limited to be an official representative(s) of the FSFE.

Mailing list software commonly injects so-called list management headers into e-mails sent through the list. Among other things, these headers can provide a way to unsubscribe from the mailing list. The e-mails sent on 2 May 2019 contained the relevant list management headers, but the unsubscribe interface indicated in the headers was not functioning for all subscribers correctly.

Additionally, unsubscribe requests for all members of the FSFE Discussion List were automatically generated on two separate occasions: on 2 May 2019 and 5 May 2019 (one of them proven to be from Pocock), regardless of whether or not they had requested to be unsubscribed from the FSFE Discussion List. This resulted in members receiving emails requesting them to confirm their unsubscribe request from the FSFE Discussion List.

We have gathered enough evidence to be confident that these are the events that transpired, and also to identify the parties involved in the breach. Accordingly, we have banned all relevant email addresses from the FSFE web infrastructure. We have also reached out to Pocock last week informing him of our understanding of these events and the consequences, in order to give him an opportunity to comment on or clarify any of the points made above.
As of the sending of this email, we have not received word from him.

The FSFE has been in contact with legal counsel to understand our options and the steps that we will take to ensure the protection of our communities and its data. We have reached out specifically to the relevant German Data Protection Authorities to inform them of the data breach, and to receive any advice that they may provide on this matter.

We ask you for your patience and understanding, and once again, we apologise for any problems that the events of the past weeks may have caused you. We will keep you updated as the situation develops, and want to assure you that the FSFE remains dedicated to our mission to promote and further the development of Free Software.

Best Regards,
Matthias

--
Matthias Kirschner - President - Free Software Foundation Europe
Schönhauser Allee 6/7, 10119 Berlin, Germany | t +49-30-27595290
Registered at Amtsgericht Hamburg, VR 17030 |(fsfe.org/support)
Contact (fsfe.org/about/kirschner) Weblog k7r.eu/blog.html
_______________________________________________ Discussion mailing list Discussion@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/discussion This mailing list is covered by the FSFE's Code of Conduct. All participants are kindly asked to be excellent to each other: https://fsfe.org/about/codeofconduct
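
The message above mentions list management headers and an unsubscribe link that pointed at a different list's interface. The following is an added example, not part of the original e-mail or of any FSFE tooling: it compares the host in a message's `List-Id` header with the hosts of its `List-Unsubscribe` targets and of unsubscribe links in the body. The sample message, the `example.net`/`example.org` hosts and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real e-mail): the list runs on lists.example.net,
# but the unsubscribe link in the body points at another list's host.
SAMPLE = """\
From: sender@example.net
List-Id: Discussion <discussion.lists.example.net>
List-Unsubscribe: <https://lists.example.net/mailman/options/discussion>,
 <mailto:discussion-request@lists.example.net?subject=unsubscribe>
Subject: [Discussion] hello

If you wish to unsubscribe, please visit
https://lists.example.org/mailman/listinfo/discussion
"""

def list_host(msg):
    """Host part of the List-Id header, e.g. 'lists.example.net'."""
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    return m.group(1).split(".", 1)[1].lower() if m and "." in m.group(1) else None

def target_host(uri):
    """Host that an unsubscribe URI (mailto: or http(s):) points at."""
    p = urlparse(uri)
    if p.scheme == "mailto":
        return p.path.rpartition("@")[2].lower()
    return (p.hostname or "").lower()

def audit(raw):
    """Return (list host, [(source, uri)] whose host differs from it)."""
    msg = message_from_string(raw)
    host = list_host(msg)
    # List-Unsubscribe carries angle-bracketed URIs; folding is harmless here.
    header_uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    # Body links on, or on the line right after, a mention of "unsubscribe".
    body_uris = re.findall(r"unsubscribe[^\n]*\n?[^\n]*?(https?://\S+)",
                           msg.get_payload(), re.I)
    findings = []
    for source, uris in (("header", header_uris), ("body", body_uris)):
        for uri in uris:
            if target_host(uri) != host:
                findings.append((source, uri))
    return host, findings

if __name__ == "__main__":
    host, findings = audit(SAMPLE)
    print("list host:", host)
    for source, uri in findings:
        print(f"mismatch in {source}: {uri}")
```

A message with no `List-Id` yields a list host of `None`, so every unsubscribe target is reported for manual review.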