

Losing Confidence in Creative Commons - marteki
https://marteydodoo.com/writing/2014/05/09/losing-confidence-creative-commons/

======
sylvinus
Looks like pointless complaints to me. You're losing confidence in CC because
their _process_ for reporting security issues is okay, but not perfect?

They did the hard thing, which was emailing users about a "breach" that may or
may not have been exploited. I mean we're only talking about names/emails here
but whatever.

I donated to CC a couple times and may be in that file but frankly I couldn't
care any less, as long as CC does an outstanding job improving their licenses
(which they do!).

~~~
6cxs2hd6
OP says that CC didn't reply. At all.

If true, I think it's totally reasonable to complain about that.

You donate to an organization because you want to support them. You
responsibly report a data breach because you want to support them. And in
response? They can't be bothered to take 10 seconds to type "Thank you! We'll
fix this ASAP." Really?

My advice to OP: Next time you're fortunate enough to be able to donate to an
organization, pick another one. It's not just about supporting good causes,
it's about supporting effective organizations.

~~~
JoeAltmaier
Something like 'enlightened self-interest'. I like the term "effective
organizations". There's little point in supporting any other kind, except
perhaps for external effects - praise, reflected esteem - which is more PR
than a will to benefit the public.

Now I have a way to distinguish public organizations wanting my money. And
since I donate anonymously, I have no need to ever donate to the PR kind.

------
elliotharmon
Hi Martey, thank you so much for alerting us to this issue, and for your other
suggestions. You should have already received the email below from CC general
counsel Diane Peters; I'm posting it here so that others in this thread can
see it too.

Cheers,

Elliot Harmon / Communications manager, Creative Commons /
elliot@creativecommons.org

---

Martey,

Thanks for your help in identifying this issue and for your related
suggestions. You’re welcome to post this reply as an addendum to your blog
post; we’ll also be posting it on the Hacker News thread.

We regret not replying to you promptly about what we were doing to resolve the
issue, and to express our gratitude. That was our error, and we apologize. Our
immediate focus was on locating the file you identified, confirming that no
other files with sensitive information had been inadvertently uploaded,
determining what information the file contained, and identifying and
contacting affected donors. Thankfully, we were able to remove the file the
same day you reported the incident. That was our highest priority.

We have since learned that our rapid deletion of the file limited our ability
to access statistics about its use. We will share an update if we learn more
about views or possible downloads.

As to your other suggestions, they are well taken and we will do better. Both
emails for the audit committee on the contact page are functional, but in
order to avoid confusion, we removed one of them. We have also emphasized that
audit@creativecommons.org is the most appropriate portal for sending privacy-
related concerns at this time.

Thanks again for calling this to our attention, and our apologies for not more
quickly replying to you individually.

Diane M. Peters / General Counsel, Creative Commons

------
mark_l_watson
It seems like CC did the right thing in general but the informer of the
problem would have liked an email acknowledgement.

Although not as serious as the release of names and addresses, I email people
and organizations all the time when I see typos on their web sites, and I
don't much expect any response or acknowledgement; I am just trying to be
helpful. It seems like the author of the article was similarly trying to be
helpful.

------
marteki
Full disclosure from submitter: the writer of the blog post is my brother.

