[Governance] Slack and Privacy

Noreen Whysel noreen.whysel at owasp.org
Tue Jul 28 02:41:27 UTC 2015


That read very negatively, Ann. I am not suggesting that OWASP should shoot for the bottom, by any means. I would welcome a better solution if you would like to propose one.

Noreen Whysel
Community Manager
OWASP Foundation

> On Jul 27, 2015, at 10:06 PM, Ann Racuya-Robbins <ARR at wkbank.com> wrote:
> 
> Thank you for these comments, Noreen. 
> I can't imagine a much lower bar than social media as you have defined it... We are not after all in a race to the bottom. I think OWASP can do much better and ultimately if it cannot via a third party OWASP could create its own secure app to do this very thing...maybe we could work with Johanna's new foundation.
> Regards
> Ann Racuya-Robbins
> 
> Sent from my iPhone
> 
> On Jul 27, 2015, at 6:07 PM, Noreen Whysel <noreen.whysel at owasp.org> wrote:
> 
>> I read through the policy and came up with a similar reading as Jim. Most of the documented functions require a certain level of data sharing with Slack in order for it to work as intended. This is common in most social media, as is saving aggregate data for research purposes and to improve future service. There are ways to turn off location data sharing from mobile devices and other settings that improve privacy for users. But at a certain point a product like this is not usable and, as Jim mentioned, not open/accessible as the OWASP mission requires.
>> 
>> You know from our research into dynamic KBA that third parties do exist to process data from certain clients that they can ensure will remain out of reach of the client. Slack doesn't seem to go nearly to that level of identity authentication. I am not fully aware of all the ways that data is collected or used by these kinds of services, but it doesn't seem that Slack is nearly at that level.
>> 
>> The Slack privacy statement does say that it holds third parties to contracted confidentiality requirements:
>> 
>> "...we may share data with a security consultant to help us get better at preventing unauthorized access or with an email vendor to send messages on our behalf. We may also share data with hosting providers, payment processors, marketing vendors, and other consultants who work on our behalf and under contractual promises of confidentiality."
>> 
>> I haven't gotten through the entire policy document, but I have taken notes in response to some of your concerns and was planning to share it with you. I could post to this thread if you like as well.
>> 
>> Noreen Whysel
>> Community Manager
>> OWASP Foundation
>> 
>> On Jul 27, 2015, at 4:01 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> Ann,
>>> 
>>> Slack is an optional communication platform for the OWASP community. I read the Slack policy and for a service of this nature the policy looks very honest and transparent. I do not think using Slack for private communications is appropriate; I think we should think of it more as a list service or other public posting service.
>>> 
>>> So after a first read of their policy, I like the detail, honesty and tradeoffs they are making.
>>> 
>>> Perhaps OWASP should publish a little guide explaining what uses for Slack are most appropriate?
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>>> On 7/27/15 9:55 AM, Ann Racuya-Robbins wrote:
>>>> Thank you Fabio for the invitation to SLACK. It looks like this could be very useful. I have attached the SLACK Privacy Policy where I have highlighted a number of concerns. Is OWASP not able to find a product with better Privacy protections?
>>>> 
>>>> Regards,
>>>> 
>>>> Ann Racuya-Robbins
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/governance
>>> 
>>> -- 
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me at AppSecUSA 2015!