Further facts about data breach

Mon May 13 15:09:40 UTC 2019

Dear all,

The FSFE values your privacy and deeply regrets the incident that
occurred on 2 May 2019 that resulted in the unauthorized use of your
information, and the ensuing events that transpired. We apologise for
the delay in our response, but we wished to conduct an investigation to
accurately determine how and what exactly happened. Resulting from our
investigation, here is are summaries of what took place as we understand
it.

**TL;DR: In brief, your email addresses were used by a third party to
create another mailing list, unaffiliated with and without the consent
and prior knowledge of the FSFE, on the web infrastructure of another
company. Shortly afterwards, the third party then ran automation scripts
to unsubscribe all members of the FSFE's list, which resulted in you
receiving emails requesting your confirmation to unsubscribe from the
FSFE's lists. The FSFE has informed the relevant Federal authorities in
Germany of this breach, and we are in contact with legal counsel to
explore our options to ensure that our communities are protected.**

To get into greater detail, the FSFE operates a number of mailing lists
using the subdomain "lists.fsfe.org", as you are aware. Among these
lists are discussion at lists.fsfe.org (the "FSFE Discussion List") and
fsfe-de at lists.fsfe.org. Both these lists shall hereinafter be referred
to collectively as the "FSFE Lists".

On or before 2 May 2019, Daniel Pocock and/or Ready Technology (UK)
Limited obtained approximately 800 email addresses from the FSFE Lists,
either from the FSFE website or through other means, without the consent
of the FSFE or of the individual subscribers of the FSFE Lists. It is
our understanding that Pocock and/or Ready Technology (UK) Limited was
able to obtain these email addresses because they were subscribed to the
mailing list and therefore had access to view the register. Up until 2
May 2019, subscribers of the FSFE Lists were able to view a register of
the emails subscribed to these mailing lists, on the FSFE website. These
registers are password protected, and therefore not available for the
general public at large to access. We have since set the register of
subscriber emails on our mailing lists to be only viewable by the list
administrators.

Pocock and/or Ready Technology (UK) Limited then set up a mailing list
called discussion at lists.fsfellowship.eu (the "Unaffiliated List"), using
the email addresses obtained from the FSFE Lists with neither the
consent nor knowledge of the FSFE or of the individual subscribers of
the FSFE Lists. The Unaffiliated List is not affiliated with the FSFE in
any way.

Pocock then sent an unsolicited mass email on 2 May 2019 to the
Unaffiliated List under the subject line “[Discussion] censorship in
FSFE, Debian, Mozilla and other communities”
(https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000000.html).
It included the statement "If you wish to unsubscribe, please visit
here”, which linked to the management interface for the FSFE Discussion
List. The statement was vague enough to mislead a number of people into
thinking that clicking on such link would allow them to unsubscribe from
the Unaffiliated List. This email did not contain any information on how
to unsubscribe from the Unaffiliated List. 

Information on how to unsubscribe from the Unaffiliated List was
provided in a later email sent by Pocock on the same day, under the
subject line “[Discussion] unsubscribing and transparency”
(https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000016.html),
together with the unsubscribe information for the FSFE Discussion List.
Further, the email contained the statement: “if you have technical
problems unsubscribing, please ask on IRC or simply email system-hackers
at lists.fsfe.org and we'll work it out behind the scenes as
professionals." This statement misrepresented Pocock and/or Ready
Technology (UK) Limited to be an official representative(s) of the FSFE.

Mailing list software commonly injects so called list management headers
into e-mails sent through the list. Among other things, these headers
can provide a way to unsubscribe from the mailing list. The e-mails sent
on 2 May 2019 contained the relevant list management headers, but the
unsubscribe interface indicated in the headers was not functioning for
all subscribers correctly.

Additionally, unsubscribe requests for all members of the FSFE
Discussion List were automatically generated on two separate occasions:
on 2 May 2019 and 5 May 2019 (one of them proven to be from Pocock),
regardless of whether or not they had requested to be unsubscribed from
the FSFE Discussion List. This resulted in members receiving emails
requesting them to confirm their unsubscribe request from the FSFE
Discussion List.

We have gathered enough evidence to be confident that these are the
events that transpired, and also to identify the parties involved in the
breach. Accordingly, we have banned all relevant email addresses from
the FSFE web infrastructure. We have also reached out to Pocock last
week informing him of our understanding of these events and the
consequences, in order to give him an opportunity to comment on or
clarify any of the points made above. As of the sending of this email,
we have not received word from him.

The FSFE has been in contact with legal counsel to understand our
options and the steps that we will take to ensure the protection of our
communities and its data. We have reached out specifically to the
relevant German Data Protection Authorities to inform them of the data
breach, and to receive any advice that they may provide on this matter.

We ask you for your patience and understanding, and once again, we
apologise for any problems that the events of the past weeks may have
caused you. We will keep you updated as the situation develops, and want
to assure you that the FSFE remains dedicated to our mission to promote
and further the development of Free Software.

Best Regards,
Matthias

-- 
Matthias Kirschner - President - Free Software Foundation Europe
Schönhauser Allee 6/7, 10119 Berlin, Germany | t +49-30-27595290
Registered at Amtsgericht Hamburg, VR 17030  |(fsfe.org/support)
Contact (fsfe.org/about/kirschner)       Weblog k7r.eu/blog.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.fsfe.org/pipermail/discussion/attachments/20190513/b7d6c5ee/attachment.sig>