948603 - Review needed for crash-stats PII access for users to their own data

Status: RESOLVED WONTFIX

(Privacy Graveyard :: Product Review, task, P2)

Description

[Laura Thomson :laura]

We now have Persona login on crash-stats, and a new very granular permission system.

These two things enable us to build something we've wanted for a while, which is that if users log in with the Persona email that matches the email in submitted crashes, we'd like to be able to give users access to their full crash, including the binary dump and all PII. 

This will be especially useful for e.g. volunteer QA contributors.

The feature is outlined in bug 948597.

We would like Privacy to review and tell us if there are any issues about which we should be concerned.

Comment 1

[Shane Caraveo (:mixedpuppy)]

Hi Laura,
Do we have a real sense of the risk and security issues around providing these dumps?  #3 under premises in bug 948597 is a bit concerning.

Comment 2

[Laura Thomson :laura]

As long as we're confident about Persona email matching the dump, then we are only giving back the user data that came off their machine in the first place, just in a human-readable way.  Happy to defer to privacy/appsec though.

Comment 3

[Robert Kaiser]

(In reply to Shane Caraveo (:mixedpuppy) from comment #1)
> Hi Laura,
> Do we have a real sense of the risk and security issues around providing
> these dumps?  #3 under premises in bug 948597 is a bit concerning.

We already bought into that premise itself a long time ago (and giving selected, trusted Mozilla employees access to that PII).

The question here is if we can be confident enough that we can let someone who got their email verified by Persona get access to that PII for reports on which the user sending the report entered that same email as the one to contact them.