Serious GDPR non-compliance in the newest JSD Cloud?

Hi,

I just noticed that everyone on Jira Cloud can see all customers from JSD when using a standard issue search.

How to reproduce it:

1. Go to https://YOURJIRA.atlassian.net/issues

2. Click Assignee

3. Type something

4. See customers from JSD, even if you do not have access to JSD projects.

Atlassian security officers, any thoughts?

2 answers

1 vote

Hi Jakub,

I'm one of our support managers. One of my remits is our privacy and legal support. I also am in charge of our community support, as chance has it. I've been discussing your reported issue internally to make sure I get a good response. Sorry for the delay. Now that we're past the holidays I'm ready for a reply.

You're correct, both in your technical assessment of what's happening and in your conclusion that it's not guaranteeing privacy the way one would expect. Our product team responsible for this has confirmed we are in progress on a fix for the issue. We intend to change the drop-down behavior to remove usernames. Once usernames are removed here, it should only show the display name. Sorry to have had a back and forth with you on confirming your original report. 

We really do take privacy seriously, it's just that tracking down all the areas where we need to improve can be tricky and in this case we really needed your report. In fact we needed to go back and forth internally just to ensure we could indeed reproduce it. 

If you need anything specific for your instance, I'm watching your support ticket as well.

Jeremy Largman
Atlassian Support

Hi Jeremy,

thank you for getting back to this.

I do not understand what exactly you mean by removing usernames from the drop-down and showing only the display name.

The issue is not related to what exactly is shown in the drop-down, but to the fact that all users from the Jira instance can get information about all customers from JSD. It doesn't matter whether they can see only an email or a username.

The expected fix is to disallow that completely, i.e. only users with access to JSD should be able to access customers.

Please remember that not only the drop-down on the search form is affected, but also the REST API and thus other places.

Regards,

  Jakub.
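A check a practitioner may want after reading the thread, added here as an example that is not code from the thread, from Atlassian, or from any Jira project: run the user search as a Jira user who has no JSD project access and list every Service Desk customer account whose e-mail address comes back. It assumes (not stated on the page) that the search form's user picker is backed by the Jira Cloud REST endpoint /rest/api/2/user/search, which returns user objects carrying accountId, accountType ("atlassian", "customer" or "app"), displayName and, when visible to the caller, emailAddress; that /rest/api/2/user/picker wraps the same objects in {"users": [...]}; and that the caller authenticates with HTTP basic auth and an API token. The sample response is constructed, with placeholder account IDs and e-mails.

```python
"""Added example: flag JSD customer e-mails exposed by a Jira Cloud user search.

Assumptions (not from the page): /rest/api/2/user/search returns a JSON list
of user objects with accountId, accountType, displayName and emailAddress;
/rest/api/2/user/picker wraps them as {"users": [...]}; basic auth with an
Atlassian API token is accepted.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Constructed sample response modelled on the assumed endpoint shape; not
# captured from any real instance. Account IDs and addresses are placeholders.
SAMPLE_RESPONSE = json.dumps([
    {"accountId": "000001:staff-jane", "accountType": "atlassian",
     "displayName": "Jane Dev", "emailAddress": "jane@example.com",
     "active": True},
    {"accountId": "000002:customer-bob", "accountType": "customer",
     "displayName": "Bob Customer", "emailAddress": "bob@customer.example",
     "active": True},
    # A customer whose e-mail the instance withheld: not a leak.
    {"accountId": "000003:customer-alice", "accountType": "customer",
     "displayName": "Alice Customer", "emailAddress": "", "active": True},
    {"accountId": "000004:app-bot", "accountType": "app",
     "displayName": "Automation Bot", "active": True},
])


def _users(payload):
    """Normalise either response shape (bare list or {"users": [...]})
    to a list of user dicts."""
    data = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    if isinstance(data, dict):
        data = data.get("users", [])
    return [u for u in data if isinstance(u, dict)]


def leaked_customer_emails(payload, allowed_account_ids=frozenset()):
    """Return [(accountId, displayName, emailAddress), ...] for customer
    accounts in the result whose e-mail is non-empty and whose accountId is
    not in allowed_account_ids (customers of JSD projects the calling user
    legitimately has access to, if any)."""
    leaks = []
    for user in _users(payload):
        if user.get("accountType") != "customer":
            continue
        email = (user.get("emailAddress") or "").strip()
        if not email or user.get("accountId") in allowed_account_ids:
            continue
        leaks.append((user.get("accountId"), user.get("displayName"), email))
    return leaks


def fetch_user_search(base_url, query, login_email, api_token, timeout=15):
    """Run the search as a specific (ideally non-JSD) user and return the raw
    response body. Assumption: basic auth of "<login e-mail>:<API token>"."""
    url = (f"{base_url.rstrip('/')}/rest/api/2/user/search"
           f"?query={urllib.parse.quote(query)}")
    token = base64.b64encode(f"{login_email}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def report(payload, allowed_account_ids=frozenset()):
    """One tab-separated line per exposed customer; empty string if none."""
    leaks = leaked_customer_emails(payload, allowed_account_ids)
    return "\n".join(f"{acc}\t{name}\t{email}" for acc, name, email in leaks)


if __name__ == "__main__":
    # Usage: script.py https://YOURJIRA.atlassian.net <query> <login e-mail> <api token>
    # With no arguments the constructed sample is checked instead.
    body = fetch_user_search(*sys.argv[1:5]) if len(sys.argv) == 5 else SAMPLE_RESPONSE
    out = report(body)
    print(out if out else "no customer e-mail addresses exposed")
```

Run it with the credentials of an account that is deliberately excluded from every JSD project; any line printed is a customer record that account should not be able to read, and the same query typed into the Assignee picker of the issue search form will show the same people.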

Hi Jakub,

The GDPR piece is around PII (personally identifiable information); it felt like that was your main concern. Display names are a different category than email addresses, avatars, or other PII, which is why I was keyed in on that distinction. That's particularly true on public sites like this one, but indeed applies to internal Jira instances as well.

It's true that most people choose to make display names personalized (i.e. it's generally their real name, especially inside companies where that's their work), but the distinction from a legal perspective is still valid: the display name is different from personal data.

For example, you can choose to make a burner-account type display name here on Community or you can choose your actual name; in either case, it'd be a serious violation if we could click on your user account and see your email address, but it's not a violation if we see your actual name that you've chosen to display. If you choose to include a real picture of yourself, you should also be able to control removing it.

I think what you're after is more of a feature request around permissions control for fine-grained control around user pickers, but if I'm understanding this correctly it's not a GDPR non-compliance issue.

I can go back to our legal team for specifics if you think I'm misunderstanding? Also I will raise it as a feature request, but let's at least make sure we're seeing this the same way and I'll try to chase it up.

There is some misunderstanding between us, because in my case all people from the Jira instance can see all customers' EMAILS.

It is your decision if you do something with it or not.

Since no one wants to answer here, I also created a support ticket.

The first answer from Atlassian is that this is the expected result!

The situation that all employees have access to all customers' emails and nothing can be done about that is expected?

What about https://www.atlassian.com/trust

Privacy

We are committed to protecting the privacy of your data and your customers' data, and preventing it from unauthorized access with industry best-practices such as GDPR and Privacy Shield.

Is the above a joke?

@Erika Fisher you wrote in your blog "Our developers really care about our customers, and they come up with way better solutions than the law requires." Are you sure these words are still valid?
