[SigmaEpsilonChi]

I never said anything was fine. I said it was a serious vuln, and we took it seriously.

We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?

The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.

[Benjamin_Dobell]

Look. This isn't on the front page of HN anymore. So I'm mostly writing this to you. You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability.

You are just not going to be able to control the narrative like this. Trying to tell someone else what the "crux of the issue is" will not allow you to shift the goal posts. The article described a pattern of issues, and in my previous comment I specifically raised one. No determined individual is going to just leave that thread dangling for you.

> Is there something else we should be doing?

Yes. Obviously. That's the point.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance.

It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass. You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do.

No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time. You apologise, and explain what you're doing to rectify the situation. What have they got to hide? Are they worried they'll get an influx of outrage because this lack of care was something people in the community were already concerned about?" With the context given from the odd parent in this thread, it certainly comes across as the latter.

> It's not a complicated legal question, the answer is just no.

This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as:

a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.

[SigmaEpsilonChi]

> You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults. > … > It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass.

I'm not the leader of anything, that would be Zach Latta. He's a much better diplomat than I am, but I am doing my honest best to speak plainly and matter-of-factly to you about a complex situation that frankly requires a lot more context to properly understand than I think is possible to acquire from the information you have.

I'm also not trying to absolve our organization of all sins. We mess up all the time. We are working on many fronts to learn from these experiences and make imperfect systems a little better every day. We make mistakes, we apologize, we do our best to make amends, then we move on to the next mistake. It is the nature of doing new, hard things with real stakes.

> You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do. > > No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time.

This is addressed in the top comment I left. Notifying 5k people about a patched vuln is not "more than the minimum", it's legitimately bad practice. That is not my opinion, it is industry standard practice! Absent any reason to believe there has been a data breach, absent any sort of actionable information, we are not going to send an email to thousands of people.

I call the GDPR thing the crux of the question because probably 80% of the thousands of Slack messages sent on this topic, a solid majority of them were about that question. That was the impasse. Staff considered the issue and concluded that from a moral, legal, and industry standard practice perspective, notifying every user was not the correct decision. Nothing was being hidden, that team logged and discussed the vulnerability publicly within the community from the start. They fixed, disclosed, discussed, learned, and moved on.

> This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as: > > a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.

I am married to a law professor for whom I lived through 3 years at Yale Law and 3 years of PhD/fellowship, I have about as much exposure to law as you can get without it actually being your job. I assure you, uncomplicated legal questions exist.

[pupwithcomputer]

Glad to see you here, actually interacting. I've made this clear on the slack, and truthfully I'm disappointed in the fact that it took so long and external involvement from a parent on HN to get a response.

Another example: there was a relatively civil debate about a new hackathon yall are putting out, funded by.... AMD, and the US government's fund to "teach AI literacy" or whatever the fuck that means. Due to this, _you region locked an entire Hack Club event_. This is the kind of stunt Nintendo would pull, but an organization that thrives itself in "everyone is welcome".

When confronted, yall decided to..... shut down any internal discussion, and avoid the thread at all costs, directly going against you other claims of "radical transparency" and "openness to feedback"/

What long game are you playing here? The game of "make Hack Club suck for 5 years, and lose our motives, morals, and the trust of our community, for an extra few bucks on the 6th?

It's complicated to handle the law. It's why lawyers cost, per your quote, $500 an hour. But it's not complicated to listen to people and genuinely try to turn back from the wrong turn you took somewhere during Juice.

The only reason we got an update from you in the first place is the opposite of what it should have been. Send this to Christina as well: https://mondaynote.com/united-broken-culture-6b35267c8a10

About the vuln, Ella is exaggerating and has very minimal basis if at all. She did some pentesting, vuln got patched, problem solved. Does HQ need to be more responsible here? Yes. Should critical infrastructure be written by AI? Absolutely not! But does Ella have the basis to start claiming legal superiority over here? Also no.

But, now that you absolutely insist you need to keep my passport indefinitely in order to ship me a sticker that says "summer of making" on it, I expect you to be a little more responsible in: - Who you give access to - How you give said access - How long you give it for - How strict you are about conduct when person is in possession of said access.

TL;DR: Ella's point sucks. Hack Club data handling, also socks. Hack Club PR? Might be worse.