It appears that someone at (ISC)2 has decided to Tweet links to Community discussion threads in Twitter:
https://twitter.com/ISC2/status/1025383344970846209
I don't recall giving anyone at (ISC)2 permission to quote me outside of the Community site.
Did every member who took part in the CPE thread give permission for (ISC)2 to expose them on Twitter like this?
All are in the tweeted thread.
And one more thing - are we just supposed to take ISC2 at its word that the "Private" areas are really private, as in exempt from the web use policy? Hope that someone won't decide down the road that they can use anything and everything from those sections as well?
That's great - nothing like expecting a bunch of security professionals to ignore a Facebook-like use policy for a platform our dollars were wasted on, and asking us to just take for granted that private means private.
/d
So... Assuming we don't all wish to emo-ragequit ISC2 (if those subs are not spent on something they get drunk, and my liver is probably already a fine example of foie gras), how should we go about changing this?
@SamanthaO_isc2 wrote:
Hello everyone,
As it has been mentioned, this area of the Community and a large portion of the Community, in general, is publicly available. Within our Website Access Policy, which can be found here, the section about User Contributions covers this topic. It states “Any User Contribution you post to the site will be considered non-confidential and non-proprietary. By providing any User Contribution on the Website, you grant us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties any such material for any purpose.”
It is time for the (ISC)2 legal team to re-examine the Website Access Policy with respect to GDPR implications, and in particular in light of a recent French court ruling on Twitter's 256-clause privacy policy.
French court orders Twitter to change smallprint after privacy case
AFP•August 9, 2018
From that article:
"The consumer association had called on the high court "to recognise the abusive or illegal nature" of 256 clauses contained in Twitter's terms and conditions that it said breached users' privacy. In particular, UFC-Que Choisir said the court's decision guarantees Twitter users that their photos and tweets can no longer be "commercially exploited" if they have not given their consent.
"By ticking a small box to accept the terms of service, the consumer has not expressly accepted their data can be exploited," the group said."
Just to add more grist to the mill here from a privacy standpoint. ISC2 should speak to its lead supervisory authority. There should be differentiation in the way it handles its dealings with folks it has contracts with (members, candidates etc.) and folks it doesn't (casual users of the community). If it was me running it I'd want completely separate privacy notices and terms and conditions for the community and core sites.
Under GDPR, consent should be given with specificity for the purpose of processing, consent must be explicit, etc. For example, if we were to say 'may be linked' then a Supervisory Authority might correct you and say that we'd need to be definite with the data subject about what we were doing and that ambiguous language should be removed. For example, if a combination of that data could be worked back from a screen name to a real name, and the data subject had a reasonable expectation that their name was not going to be made public (why yes, Mr Sockpuppet, this is one of the reasons we have screen names after all), then that in itself could be construed to be a misuse of personal data if consent was the basis of processing, as we didn't point out it was going to Twitter. A couple of gems from the website access/privacy policies:
‘All information we collect on this Website is subject to our Privacy Policy. By using the Website, you consent to all actions taken by us with respect to your information in compliance with the Privacy Policy’
‘Generally, we do not consider Usage Data as Personal Information because Usage Data by itself usually does not identify an individual. Personal Information and Usage Data may be linked together. Different types of Usage Information also may be linked together and, once linked, may identify an individual person. Also, some Usage Data may be Personal Information under applicable law.’
How is it possible that "The World's Leading Cybersecurity and IT Security Professional Organization" feels that the web usage policy of this website is acceptable?
Any User Contribution you post to the site will be considered non-confidential and non-proprietary. By providing any User Contribution on the Website, you grant us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties any such material for any purpose.
Presumably our fees paid for this community, or at the very least contribute to whatever cost was incurred. And yet ISC2 seems intent on treating it like any "free" social media environment where the users' information, posts, etc. can be used and shared with anyone ISC2 sees fit. That is to say, the web usage policy suggests that our information, posts, etc. are in fact likely to be the PRODUCT that ISC2 intends to peddle to interested parties, regardless of the fact that all the ISC2 members paid for our membership.
In regards to the ISC Canon please consider the following:
Certainly isn't protecting anything other than ISC2's current/potential profits derived from selling information pulled from our community, and surely I am not the only one who finds this policy indicative of ISC2 being roughly as trustworthy as e.g. Facebook, let alone considering what the wider security community would feel about these policies, and how they fly (or at the very least, can be interpreted to fly) directly in the face of our own canons.
Legally, sure. Honestly? Yeah, it's right there in black and white. Honorably? Justly? Responsibly? The web policy certainly makes it legal for ISC2 to use the data however they want, and provide it to anyone they want. So we, the members who pay for these "services", simply have to trust that private groups are really private, and that anything we post won't be provided to anyone, as ISC2 deems fit for any reason. How is potentially using anything we contribute, as paying members, honorable or just? In the absence of limiting disclosure policies (not to mention bugs in the community web site that could certainly do little to suggest a lack of risk of information disclosure), how is telling us you will do whatever, whenever, and by extension with whomever you want a responsible way to act?
As members of this organization do we not count as principals? I do not find the idea of blindly trusting ISC2 to do the right thing with my data to be diligent, or competent service (particularly in light of the web usage policy which explicitly permits ISC2 to disclose whatever they want, at any time, to anyone they want).
In fact, I find the idea of ISC2 expecting us to simply trust any discussions in private areas (with respect e.g. to the CISSP-only board), in the absence of any specific policies, absolutely counter to any of the most basic information security tenets.
This sort of thing in absolutely no way advances or protects the profession. If anything, I would say it gives the impression that ISC2 has become nothing more than a profit making machine, intent on increasing revenue at the expense of its own reputation, and by extension the reputation of those who are members.
I may be in the minority, but I find this extremely disappointing, and counter to nearly everything our canons are supposed to represent.
Dain Perkins
@Dain wrote:
...ISC2 seems intent to treat it like any "free" social media environment where the users information, posts, etc. can be used and shared with anyone ISC2 sees fit.
It does occur to me that for a forum to operate, they do need permission to redistribute our comments (for which individual posters hold the copyright) at a minimum so other members of the forum can read them.
Similar verbiage appears on all the forum TOS I have reviewed. Consistent across all of them is a requirement for a license grant. None require copyright assignment, although some are explicit about no assignment.
Interesting thought experiment.... Today, if (ISC)² wishes to move the community messages from Lithium to a new provider, they can do so because the license grant is to "(ISC)² and its providers". However to move the old CISSPforum messages, it seems that Yahoo! would need to sublicense the new location. Any idea if (a) (ISC)² also required a license grant to themselves (perhaps as part of the sign up process), or if (b) Yahoo! is willing to sublicense to competitors?
----------------------------------------------
By providing any User Contribution on the Website, you grant us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties any such material for any purpose.
By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed). This license authorizes us to make your Content available to the rest of the world and to let others do the same
Specifically, when you share, post, or upload content that is covered by intellectual property rights (like photos or videos) on or in connection with our Products, you grant us a non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content (consistent with your privacy and application settings).
…you grant Snap Inc. and our affiliates a worldwide, royalty-free, sublicensable, and transferable license to host, store, use, display, reproduce, modify, adapt, edit, publish, and distribute that content. … [for] Public Content … you also grant us a perpetual license to create derivative works from, promote, exhibit, broadcast, syndicate, sublicense, publicly perform, and publicly display Public Content in any form and in any and all media or distribution methods (now known or later developed).
A worldwide, transferable and sublicensable right to use, copy, modify, distribute, publish, and process, information and content that you provide through our Services and the services of others, without any further consent, notice and/or compensation to you or others.
When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
Oath (Yahoo! Groups)
you grant Oath a worldwide, royalty-free, non-exclusive, perpetual, irrevocable, transferable, sublicensable license to (a) use, host, store, reproduce, modify, prepare derivative works (such as translations, adaptations, summaries or other changes), communicate, publish, publicly perform, publicly display, and distribute this content in any manner, mode of delivery or media now known or developed in the future;
By uploading any User Content you hereby grant and will grant Groups.io and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sub licensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content in connection with the operation of the Service.
1) Sure would be nice if ISC2 had ANYTHING to say on the matter
2) In no way addresses the "private" component of various community areas, and how that expectation is exempted (if at all) from said policy
3) Other than chipping in to host the archives, I don't recall paying any of those other organizations for service
Seems like it could be a whole lot more specific about what, when, how, and by whom our information may be used (it seems to cover a whole lot more than e.g. switching providers).
I'm not sure that it's required for ISC2's forums to have 100% equivalence with all the other forums out there - after all, most forums do not have a security-focused code of ethics, career-required certifications, and subscription fees attached.
Put bluntly, ISC2 holds itself to higher ideals than other chat forums, and its current offering in terms of content, privacy policy and IP rights could all be reshaped to be more supportive of its ideals in the community.
The demise of CISSPforum seems to be one of the chief drivers of discontent, but even if that hadn’t happened or was perfectly agreed there would still be a lot of room for improvement in the status quo.
Given the nature of forums, things tend to spill out of the nice bounds they were in and conversations linger, and there might be something of an edge to some of the comments here; however, I haven't seen anything that steps beyond the bounds of the reasonable. Simply dismissing the (valid or otherwise) concerns of ISC2 members, associates and community members who would like more control over the stuff they put out there and their digital personas as 'made up outrage' and telling them 'bye' without even specifically addressing them logically seems to me to be .... well, at the very least an unenforceable sentiment.
I would leave you with this article from the BBC, as I think it's interesting and conveys a lot of why people in communities want more control:
https://www.bbc.com/ideas/videos/wake-up-foucaults-warning-on-fake-news/p06gzcn4