Closed
Open
Issue created Apr 26, 2021 by Ralf Rottmann (@ralfr)

Handling of responses to freely configurable questions created by Venue Owners

Venue Owners can set up arbitrary additional questions which will then be presented to users during check-in. These questions are

  • (a) not obviously marked as additional questions crafted by Venue Owners and
  • (b) handled as required so users cannot opt out of providing information which is not at all legally required.

In addition, it is unclear how the responses to these questions are handled cryptographically. The Security Concept explicitly states that Check-in contact data is encrypted. Since these additional questions are added by Venue Owners, it is fair to assume that the ultimate goal is to give Venue Owners access to the collected information. The check-in form in no way makes this explicitly obvious to users, nor does it explicitly ask for consent.

Please provide the missing information:

  • How exactly are the responses to these additional questions handled cryptographically?
  • Who has access to these responses?
  • Has the ability to create freely configurable, arbitrary information requests been part of the supposed DSGVO and DSFA audits?

luca_Contact_Form

Edited Apr 26, 2021 by Ralf Rottmann