[PRIVACY] E-mail recipients shouldn't be disclosed

I believe it’s very irresponsible for sending mails like this:

擷取選取區域_001.png800×509 36.7 KB

UPDATE: The issue has been dealt with by the most proper way IMO.

Oops, the previous title was opposite to what actually happens, corrected(?).

6/20 UPDATE: Let’s Encrypt has made a final report according to this issue, I’m really cheerful to be (one of if not) the first one to make a feedback and Let’s Encrypt took rectify actions immediately. Note that according Let’s Encrypt Privacy Policy there’s a e-mail address specifically to report such issue and I suggest to rather using mailto:security@letsencrypt.org instead of posting on the forum.

Yep, I got the same thing. Someone sent the list in the to section instead of the BCC section.

The e-mail addresses (3347 of them in the e-mail I received) aren’t in the “To:” section of the header.

They’re in the body of the message.

(At least we won’t get spammed if someone does a reply-all.)

I got the same thing. It seems that all LE users now have the email addresses of all other LE users?

Edit: on Twitter there seems to be someone saying that their own email is the last one in the list, so it is appending emails to the body it seems… but I’m still mobile and have not been able to confirm.

Nevermind: Now that I’m at a real computer I was able to follow more links. They’re working on it: Email Address Disclosures, Preliminary Report, June 11 2016

Bugs happen, especially these kinds which can be pretty subtle. I’ve made similar errors myself in the past (albeit with a user base of only ~150) so I totally understand. Kudos to the team for addressing it quickly!

I got the same email and I was suprised!

New information posted here.

Seriously Matt? Just a hundred and fifty of us?

擷取選取區域_005.png882×484 32.3 KB

I got 4923 e-mail addresses (including mine) in my mail.

Apparently the email was sent by a service called “Mandrill” which is a “transactional email platform from MailChimp”. See also https://www.mandrill.com/

Since the sensitive content appears in the message body of the emails, one imagines it might have been a bug on LE’s part when interacting with the Mandrill service. If so, shame on you, LE, and one hopes a strict process will be put in place to prevent this in future.

On the other hand, if Mandrill’s service was responsible for the leak, then as a provider of the very kind of service one expects not to exhibit this kind of fault, they should be sacked outright.

And that’s why you register anonymously. It’s not the first time LE fails at the most basic tasks like mail or DNS.

While I’m grateful for the service I benefit from, LE as an organization is not very trustworthy for personal data, IMHO.

Is there any way for one to know if their email address was part of the disclosure? I don’t recall receiving the original mailing (and it’s not showing up in my email search) so I assume mine isn’t listed, but as far as I can tell the only thing that’s been stated is that if you saw a list of disclosed emails, it’s likely that your email address had been disclosed as well - but that doesn’t present a clear negative case.

Based on my understanding of how this disclosure seems to have happened, not receiving the original mailing means your email wasn’t in the list of disclosed emails. The only exception to that rule would be delivery failures - i.e. if your mail server blocked the delivery or something like that.

Let’s Encrypt usually publishes more detailed post-mortems after an investigation, so there’s a good chance your question will be answered once that happens.

The following section in the Subscriber Agreement:

4.  ISRG’s Rights and Responsibilities
4.1 Privacy
Because others may rely on your use of Your Certificate to encrypt Internet communications, much of the
information You send to ISRG will be published by ISRG and will become a matter of public record.
However, information used for account-recovery purposes (such as Your email address and telephone
number) (“Private Recovery Information” or “PRI”) will NOT be published by ISRG. ISRG will not sell
or share your Private Recovery Information. ISRG may disclose Private Recovery Information, however,
if compelled to do so by court order or other compulsory legal process. If legally permissible and to the
extent possible and within ISRG’s control, and if you have provided ISRG with an email address, ISRG
will send an email to such address notifying You of the potential disclosure. ISRG may also disclose your
PRI if ISRG believes disclosure is necessary to prevent loss of life, personal injury, damage to property, or
significant financial harm.

Is changed to the following:

4.  ISRG’s Rights and Responsibilities
4.1 Privacy
Because others may rely on your use of Your Certificates to encrypt Internet communications, much of the
information You send to ISRG will be published by ISRG and will become a matter of public record.
ISRG’s collection, storage, use and disclosure of such information are governed by the Let’s Encrypt
Privacy Policy at: https://letsencrypt.org/privacy/.

The Privacy Policy in the Subscriber section reads as follows:

Let’s Encrypt may make public any of this information except the information you provide for account recovery purposes: for instance, your recovery email address or phone number.

By itself this looks like a good change, as it removes from the Subscriber Agreement what is allready covered by the Privacy Policy.
Yes, of course, this has to be communicated with the Subscribers of Let’s Encrypt.

So far, so good.

Something goes wrong in handling the communication.

Now what?

Where’s the follow up on this by Let’s Encrypt??
Especially to those whose e-mailadress was leaked???

It’s been over two days and there’s not been any kind of apology or explanation.

When signing up, in simple language right next to the entry field for your email address, is a bit of text that says “Will not be shared with anyone.” I propose that text be changed to, “will not be shared with anyone unless we make a mistake, in which case all bets are off.”

EDIT: My tongue is mostly in cheek here. I do take the always-evolving best efforts at their word.

Anyway, promises don’t mean much unless paired with authoritative declaration of potential compensation after a violation.

I mean: I promise that I’ll never "do it."
Then I “do it” anyway.

What can you now request from me, especially under different national jurisdictions? In theory, a lot. In reality, not much.

Unless some authority has independently promised you that if I “do it” against my promise, then the authority is coming after me in your name.

You sit in a different country than I do? OK, go ask the authorities in my country to hit me because I “did it”. It’ll become your administrative nightmare. For years to come. Unless, of course there are multi-million dollars at stake. In that case, all authorities seem to suddenly cooperate.

There has been a preliminary incident report. The link is included in the first post in this thread. It does include an apology and a promise of a more thorough postmortem. What do you feel like is missing?

At the moment this seems to be handled in a purely technocratic manner focussing on what went wrong and why, which is of course of great importance to avoid this happening ever again.

However, I miss communication on this from Let’s Encrypt, especially with those whose e-mailadress were leaked. There’s nothing on the home page directing you to the community or a blog, one has to search for answers.

Someone forgot to clear a variable of its previous value before adding the next email address to it ;o)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.