[SigmaEpsilonChi]

Hello, Chris here!

Nobody—certainly not any adult staff—at Hack Club relied on ChatGPT for legal advice. Nor do we employ teenagers to answer legal questions, we have actual legal counsel for that! Or in my personal case I ask my wife, who is a law professor, and then she asks ChatGPT (just kidding).

There is too much nonsense in this post to rebut line by line, and these conversations have all been had to death within Hack Club (we put a lot of time into transparently and publicly discussing our programs, problems, and decisions). Here's the short version of this saga:

- The author found a serious vuln in one of our programs introduced by a junior engineer

- We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)

- The author insisted that their test of the vuln to access their own address was a data breach, therefore obligating us to notify all 5,000 participants of this "breach" as per GDPR

- We judged this to be Prima Facie incorrect. A lawyer has since confirmed this judgment.

- It is, in fact, bad practice to notify users for every vulnerability. If this were the norm, you would inundated with notices from practically every software product you interact with. Almost all of these notices would be virtually non-actionable by the user, and they would wash out the few notices of breaches which are actionable. There is a good reason why the GDPR does not demand notice for vulns; mass notices are reserved for incidents where there is a known exfiltration of a meaningful amount of user data!

- The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

— They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

Hack Club is an oddly-shaped organization with operations that often raise very real security concerns, but these are wrapped up in a complex web of tradeoffs that are very much still evolving as we refine and expand our core infrastructure. We are not Google, and it is a mistake to import reasoning from that kind of environment when analyzing our security/threat model. Nonetheless, privacy/security is something we think about and invest extensively in. In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault", and consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world. The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy! We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated. We serve or have served teenagers in almost every country, and GDPR is just the most prominent of many laws that are now on the books worldwide.

[ThrowawayTestr]

So was kids' data exposed or no?

[rlmineing_dead]

Not exposed but hackclub's security practices always seems to make it easy to access if you want to.

[SigmaEpsilonChi]

The short answer is no.

[Benjamin_Dobell]

It most certainly was. You have someone outside your organization who accessed the data, and you know about it. Here's what you just wrote about the person who accessed this endpoint:

> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

Someone who has been acting maliciously against your organization accessed that data. And you think it's fine? They're a teenager. An angry teenager, who is acting out. You honestly believe you can trust they didn't distribute this data or tell anyone else about the problem before you found out about it?

When I was a teenager, someone in my year level gained access to a lot of personal data about a bunch of people in our year level. This was a smart individual who at least somewhat understood the gravity of the situation. But they were also a kid, of course they distributed some of the data — bragging rights and what not.

What about the section titled "the surveillance infrastructure (orpheus engine)" where the teenager claims children's data was intentionally being sent out to third parties, specifically to profile kids? What's that all about?

Look, no-one read this article and thought "Wow, this is well written article by a super mature well-adjusted individual. I'm taking this as gospel." The article is clearly written by an angry teenager. I feel far more invested in this now that I've seen your responses. The way you're handling this, and yourself, is just downright absurd. Stop.

[VEBee]

By the way, orpheus engine is available publicly at https://github.com/hackclub/orpheus-engine.

[SigmaEpsilonChi]

I never said anything was fine. I said it was a serious vuln, and we took it seriously.

We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?

The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.

[Benjamin_Dobell]

Look. This isn't on the front page of HN anymore. So I'm mostly writing this to you. You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability.

You are just not going to be able to control the narrative like this. Trying to tell someone else what the "crux of the issue is" will not allow you to shift the goal posts. The article described a pattern of issues, and in my previous comment I specifically raised one. No determined individual is going to just leave that thread dangling for you.

> Is there something else we should be doing?

Yes. Obviously. That's the point.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance.

It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass. You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do.

No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time. You apologise, and explain what you're doing to rectify the situation. What have they got to hide? Are they worried they'll get an influx of outrage because this lack of care was something people in the community were already concerned about?" With the context given from the odd parent in this thread, it certainly comes across as the latter.

> It's not a complicated legal question, the answer is just no.

This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as:

a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.

[SigmaEpsilonChi]

> You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults. > … > It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass.

I'm not the leader of anything, that would be Zach Latta. He's a much better diplomat than I am, but I am doing my honest best to speak plainly and matter-of-factly to you about a complex situation that frankly requires a lot more context to properly understand than I think is possible to acquire from the information you have.

I'm also not trying to absolve our organization of all sins. We mess up all the time. We are working on many fronts to learn from these experiences and make imperfect systems a little better every day. We make mistakes, we apologize, we do our best to make amends, then we move on to the next mistake. It is the nature of doing new, hard things with real stakes.

> You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do. > > No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time.

This is addressed in the top comment I left. Notifying 5k people about a patched vuln is not "more than the minimum", it's legitimately bad practice. That is not my opinion, it is industry standard practice! Absent any reason to believe there has been a data breach, absent any sort of actionable information, we are not going to send an email to thousands of people.

I call the GDPR thing the crux of the question because probably 80% of the thousands of Slack messages sent on this topic, a solid majority of them were about that question. That was the impasse. Staff considered the issue and concluded that from a moral, legal, and industry standard practice perspective, notifying every user was not the correct decision. Nothing was being hidden, that team logged and discussed the vulnerability publicly within the community from the start. They fixed, disclosed, discussed, learned, and moved on.

> This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as: > > a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.

I am married to a law professor for whom I lived through 3 years at Yale Law and 3 years of PhD/fellowship, I have about as much exposure to law as you can get without it actually being your job. I assure you, uncomplicated legal questions exist.

[dapoyo]

lies <- a hack clubber

[SigmaEpsilonChi]

What data was exposed, and to whom? Single records accessed by a white hat to test a vulnerability do not count.

[VEBee]

As a longtime member of hackclub, I can confirm that while OP may have been banned, most of her points are completely valid and I can find most of the original sources for them. Point-by-point:

> - We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)

What? From the many, many #meta posts and other sources I cannot back this up.

> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

OP did say some bad stuff, but it wasn't a spree and was an isolated incident. I don't agree with her actions, but I see where she was coming from: she didn't feel heard and just wanted to get back at people she saw as having wronged her. She definitely shouldn't have done what she did but it was an isolated incident or two.

> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

You'll note that in the article that isn't what she portrays herself as and she explicitly bookends the article with paragraphs of text praising the mission and all of the good hackclub has done. Which is it, is she rightfully praising the organization but rightfully getting angry about it or is she wrongfully praising the organization and wrongfully getting angry?

> Nonetheless, privacy/security is something we think about and invest extensively in.

Based on HQ's HCB, #meta, posts in #hq, and more this is not true in the slightest.

> In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault" Bounties were addressed in the article and last thing I heard PII is still massively distributed. If that isn't the case anymore, please actually make a post about it so the community is aware?

> consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world

That's good but again, make an announcement in hackclub?

> The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy!

The fuck?? No?? if this has happened in the last year, how angry has your lawyer about the numerous vulnerabilities that were pushed, not notified, underpaid bounties, and more? Oh, and don't forget you TAKING DOWN THE GDPR EMAIL AND NOT DELETING DATA??

> We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated.

I can definitely understand that. I really love hackclub and think the mission is amazing but at the moment I don't feel safe with my data in its hands.

[throwwee12]

If possible, could you link any of those posts, or post them through Prox2 in Slack? I'd be interested in reading it, because that's not the vibe I've gotten.

> OP did say some bad stuff, but it wasn't a spree and was an isolated incident. I don't agree with her actions, but I see where she was coming from: she didn't feel heard and just wanted to get back at people she saw as having wronged her. She definitely shouldn't have done what she did but it was an isolated incident or two.

If I remember correctly, she admitted that her ban was justified. But also, she didn't just do "some bad stuff", she did a lot of it - there's even a recent #meta thread referencing this exact post.

> You'll note that in the article that isn't what she portrays herself as and she explicitly bookends the article with paragraphs of text praising the mission and all of the good hackclub has done. Which is it, is she rightfully praising the organization but rightfully getting angry about it or is she wrongfully praising the organization and wrongfully getting angry?

Nuance does exist.

> That's good but again, make an announcement in hackclub?

Zach did.

> The fuck?? No?? if this has happened in the last year, how angry has your lawyer about the numerous vulnerabilities that were pushed, not notified, underpaid bounties, and more? Oh, and don't forget you TAKING DOWN THE GDPR EMAIL AND NOT DELETING DATA??

I'm more inclined to trust Chris than an anon account that straight up denies that internal conversations happened. You also seem to be regurgitating posts from earlier without seeing Chris's context.

[VEBee]

> If I remember correctly, she admitted that her ban was justified. But also, she didn't just do "some bad stuff", she did a lot of it - there's even a recent #meta thread referencing this exact post.

I think I've read through the #meta post you're referencing and commented in it and yeah, but it still wasn't a spree. It was not a lot of it? cite your sources as well

> > That's good but again, make an announcement in hackclub? > Zach did.

Where?

> I'm more inclined to trust Chris than an anon account that straight up denies that internal conversations happened. You also seem to be regurgitating posts from earlier without seeing Chris's context.

Well yeah, I'm on a throw away as I don't want to be deanon'd. If you really want to talk contact https://hackclub.slack.com/team/U09Q734PGUU, it's an alt I have. Where did I deny internal conversations as well? And wdym regurgitating posts without Chris' context? I literally broke his reply down point-by-point?