Update on the recent sharing of three users' IP addresses

[KateMumsnet]

Hi everyone

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern - here’s a link to a a previous thread discussing this.

Three of the screenshots showed an Admin’s view of the site, and therefore contained the IP addresses of the posters concerned.

Understandably, there are lots of questions about this, and we thought it best to address them in one stab over here.

Please do post any queries here, or [email protected] if you’ve any concerns or have further questions.

Thanks
MNHQ

@FrancisCrawford

we hope the knowledge that Justine believes there not to be an ongoing problem here will make people feel less uneasy

Given that Justine has stated in writing that MN do not have any data that falls into the “sensitive personal data” category, which is 100% wrong and shows a total lack of understanding about data protection, that does nothing to make me feel less uneasy.

What people volunteer to post is not classed as Sensitive Personal Data FrancisCrawford. Any sensitive data that we ask for/collect (eg medical info) then we have a legal obligation to make sure we protect it. If people volunteer that info to a public forum that’s a different thing.

Thank you Justine.

In the context of a data breach which could leave users identifiable through email addresses and LinkedIn/ facebook/ whatever, then the data sensitivity of information posted on the forum would surely change in light of the breach? Seeing as it was posted anonymously, not written with names stamped all over it
not my field but think this would be logically arguable

@leghoul

In the context of a data breach which could leave users identifiable through email addresses and LinkedIn/ facebook/ whatever, then the data sensitivity of information posted on the forum would surely change in light of the breach? Seeing as it was posted anonymously, not written with names stamped all over it not my field but think this would be logically arguable

It's certainly potentially sensitive info for sure - i was just explaining why I'd said what I said about MN holding what's officially classed as PSI in response to a user who'd suggested best practice around those. We don't according to the legal definition. There is some debate about whether gender counts but the NHS don't class it as such. But I agree it's not really the critical issue here.

What about information shared via PMs? That's not volunteered to a public forum and people send it in the reasonable assumption that it won't be viewed by anyone except the intended recipient (well, I think we all know mods can look at PMs too).

If people volunteer that info to a public forum that’s a different thing.

That's a frankly astonishing conclusion. I would be very interested to see the legal analysis or the ICO position statement that justifies that.

You are processing data which the user uploads, including both postings and signup data. When combined, that is clearly SPD. It is therefore your responsibility to keep those datasets separate. If the signup data, which is (I think you accept) at the very least PD, is joined to the postings, that then becomes SPD. In order to avoid that, you need to have appropriate organisational and technical measures to keep them apart. Yesterday's debacle shows you don't, or if you do, they are inadequate.

@ChampiontheWonderHamster

How do I go about getting all my data held by MN including posts and PMs deleted?

I believe your reading of the DPA (current law) is incorrect.

Just mail [email protected]

I would really like to know why MN think EH felt it necessary to take screenshots of posts from her work computer when the posts could already be seen on the MN website by anybody with an internet connection.

Evening everyone. Just a heads up that Justine has started a Site Stuff thread here - please do have a read.

Hi everyone - Justine's posted a thread with 'data breach' in the title over here now.

Sorry for the inconvenience but please go over to that thread to continue.

@merrymouse

I would really like to know why MN think EH felt it necessary to take screenshots of posts from her work computer when the posts could already be seen on the MN website by anybody with an internet connection.

Ok so you're asking what we think so... at the risk of being accused of being blase about it... I think she actually just didn't think. Obviously I can't prove that but it's my impression from working with her and from her behaviours and correspondence since.

But clearly others have different opinions.

Justine, how does your view that she “just didn’t think” square with Emma’s tweets beforehand about how we’re scum, and how she was about to screw up any chance of a reference etc etc?

She may not have given any thought to the data protection act, but this was hardly a “tweeting in anger” incident as she has tried to portray it in her “apology”. It was an entirely pre-meditated attempt to damage mumsnet.

In the scale of data breaches, this is the most minor I've seen! Good to see MN responding to it seriously though.

What people volunteer to post is not classed as Sensitive Personal Data FrancisCrawford. Any sensitive data that we ask for/collect (eg medical info) then we have a legal obligation to make sure we protect it. If people volunteer that info to a public forum that’s a different thing.

This is both true and untrue.

It is true when it is anonymous. It is untrue when combined with other data which MNHQ have access to. It is the problem that care.data came a cropper with.

If information is leaked which means anonymity is lost then I'm afraid it is sensitive personal data and is classed as such.

For the most part its not sensitive but under certain conditions it is even if it is volunteered

(This is professional opinion of DH who does as part of his job.)

In the scale of data breaches, this is the most minor I've seen

The trouble is, neither we nor MN have any idea as to what she has taken. How do we know that she didn't download a heck of a lot more information onto a memory stick?

And if she thinks that all this will cost her is one reference, she is mistaken. This gross error of judgment will follow her for the rest of her working life.

A potential employer Google applicants these days. Even if they share your views, stealing information and being aggressive/rude/offenaive about ex-employers or client shows you to be untrustworthy, sneaky, immature, volatile, and a bit of a snake in the grass.

Shoots self in foot.

f people volunteer that info to a public forum that’s a different thing.

This is both true and untrue

Yes, I have seen companies given that advice - its one interpretation if you want to do the bare minimum against the letter of the law but mostly it fails the context tests.

What I have found interesting about this particular round of legislation is the extent to which large companies have accepted that for GDPR they need to demonstrate compliance with the spirit of the legislation and the contextual status (which elevates volunteered data to PSI).

Large companies typically do the basics they need to be compliant, even down to PCI. This has definitely been triggering a different mindset, even though much of the fear does come from fear or reputational and legal damage

Except for Facebook of course who simply shift their users outside of the EU to avoid GDPR!

I am fed up with seeing people saying this is a minor breach. We have no idea how big a breach it is - we're relying on the word of someone who has been proven to be manipulative and dishonest!

@HebeMumsnet - "it sounds like we can't say that we know with 100% certainty that these were the only screenshots taken but yes, we have spoken to the intern and Justine has said that's her firm belief. Given the intern's apology today, which we published on another thread, it sounds very unlikely to us that there's anything more 'to come'. Obviously we know that we can't give a 100% firm promise on that so we do appreciate that it won't completely allay people's concerns but we do hope that it does go some way to making people feel less worried about that."

It doesn't go any way to making me feel less worried.

Someone said to me yesterday "You know where you are with a thief but never with a liar" and it seems to me that this Emma person is both.

I assume she had an employment contract that has confidentiality in it to protect MN users from this sort of thing? If not, why not? Why are staff not contracted to protect user data?

You really cannot just ask her "did you steal any more data?" and have her say no and take her word for it. She's proved untrustworthy, although Justine's comments seem to imply she believes Emma is more stupid than untrustworthy, and it's not good enough.

It's just not.

@JustineMumsent - "I think she actually just didn't think. Obviously I can't prove that but it's my impression from working with her and from her behaviours and correspondence since."

How can you believe she "didn't think" when other posters have provided screenshots of tweets indicated that she knew exactly what she was doing and didn't care?

If she honestly is that stupid, why employ her in the first place?

@ChampiontheWonderHamster

If I request all my posts be deleted, under all usernames, can the mods or anyone at MNHQ see them after they’ve been deleted? Or are they gone from all systems?

Apologies, @ChampiontheWonderHamster

• I answered this incorrectly upthread. Yes, anyone with access to the administration tool can see the original post.

@Yarnswift

I’d like to ask how you can be sure that no name identifiable info was stolen? MNHQ had my home address and name from a competition and it’s critical that doesn’t get into the public domain.

@Yarnswift Competition entrant’s data is deleted after three months. Competition winners data is stored for longer for accounting reasons (vouchers and other prizes have a monetary value). We’re reviewing this policy, though - and if you could drop us a line via [email protected] we’ll make sure yours has been deleted.