I'm not the leader of anything, that would be Zach Latta. He's a much better diplomat than I am, but I am doing my honest best to speak plainly and matter-of-factly to you about a complex situation that frankly requires a lot more context to properly understand than I think is possible to acquire from the information you have.
I'm also not trying to absolve our organization of all sins. We mess up all the time. We are working on many fronts to learn from these experiences and make imperfect systems a little better every day. We make mistakes, we apologize, we do our best to make amends, then we move on to the next mistake. It is the nature of doing new, hard things with real stakes.
> You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do. > > No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time.
This is addressed in the top comment I left. Notifying 5k people about a patched vuln is not "more than the minimum", it's legitimately bad practice. That is not my opinion, it is industry standard practice! Absent any reason to believe there has been a data breach, absent any sort of actionable information, we are not going to send an email to thousands of people.
I call the GDPR thing the crux of the question because probably 80% of the thousands of Slack messages sent on this topic, a solid majority of them were about that question. That was the impasse. Staff considered the issue and concluded that from a moral, legal, and industry standard practice perspective, notifying every user was not the correct decision. Nothing was being hidden, that team logged and discussed the vulnerability publicly within the community from the start. They fixed, disclosed, discussed, learned, and moved on.
> This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as: > > a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.
I am married to a law professor for whom I lived through 3 years at Yale Law and 3 years of PhD/fellowship, I have about as much exposure to law as you can get without it actually being your job. I assure you, uncomplicated legal questions exist.
Another example: there was a relatively civil debate about a new hackathon yall are putting out, funded by.... AMD, and the US government's fund to "teach AI literacy" or whatever the fuck that means. Due to this, _you region locked an entire Hack Club event_. This is the kind of stunt Nintendo would pull, but an organization that thrives itself in "everyone is welcome".
When confronted, yall decided to..... shut down any internal discussion, and avoid the thread at all costs, directly going against you other claims of "radical transparency" and "openness to feedback"/
What long game are you playing here? The game of "make Hack Club suck for 5 years, and lose our motives, morals, and the trust of our community, for an extra few bucks on the 6th?
It's complicated to handle the law. It's why lawyers cost, per your quote, $500 an hour. But it's not complicated to listen to people and genuinely try to turn back from the wrong turn you took somewhere during Juice.
The only reason we got an update from you in the first place is the opposite of what it should have been. Send this to Christina as well: https://mondaynote.com/united-broken-culture-6b35267c8a10
About the vuln, Ella is exaggerating and has very minimal basis if at all. She did some pentesting, vuln got patched, problem solved. Does HQ need to be more responsible here? Yes. Should critical infrastructure be written by AI? Absolutely not! But does Ella have the basis to start claiming legal superiority over here? Also no.
But, now that you absolutely insist you need to keep my passport indefinitely in order to ship me a sticker that says "summer of making" on it, I expect you to be a little more responsible in: - Who you give access to - How you give said access - How long you give it for - How strict you are about conduct when person is in possession of said access.
TL;DR: Ella's point sucks. Hack Club data handling, also socks. Hack Club PR? Might be worse.