...

The problematic entries are system:slac, which means any machine in the SLAC IP address ranges, and system:authuser, which means anyone in the world holding a SLAC AFS token. While rl only allows reading and listing, many applications assume a different file security model than the per-directory one that AFS supplies. This causes problems when an application assumes that giving a file Unix permissions of -rw------- (owner read/write only) makes it reasonably secure, when in fact the directory ACL may make it readable by many other users.

In the past, SCCS OCIO has gone to some lengths to improve the security of specific apps (ssh, vnc, X11), but as the number and complexity of applications increases this simply becomes unmanageable. Starting on March 18, 2009, specific directories that have known security issues will have the system:slac and system:authuser permissions removed. SCCS has been doing this for .ssh and .vnc directories for several years; this just expands the list to .mozilla, .mysql and .gaim. The directories .pgp and .gnupg were added in March 2012. Other directories will be added as deemed appropriate.

Note that when a new account is created, the subdirectories private, mail, and Downloads are pre-created with more restrictive ACLs, which should align with expectations for privacy.

In addition, we would encourage you to start tightening down the AFS ACLs on your own as much as possible. In particular, for any application-specific subdirectories in your home directory that may contain private data, remove the troublesome ACL entries. In order to do this with the minimum possible disruption, SCCS OCIO has provided a tool called batten to automate as much of this as possible. Please consider using this tool in at least its minimum mode to secure your home directory.
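As an added illustration of the manual clean-up described above (this is example code, not the batten tool or any SCCS/OCIO script), the following POSIX shell functions read the output of `fs listacl` for a directory, pick out the system:slac and system:authuser entries, and print the `fs setacl` commands that would drop them. The sample ACL listing, the user name and the directory path are constructed for the example; on a real AFS client you would feed the functions the live output of `fs listacl "$dir"`.

```sh
#!/bin/sh
# Added example: audit a directory's AFS ACL for the wide-open entries named
# in the notice (system:slac, system:authuser) and generate the fs commands
# that remove them. Not part of the original page or of the batten tool.

# Constructed sample of `fs listacl` output for a hypothetical user's
# .mozilla directory (the path and the user name are made up).
SAMPLE_DIR='/afs/slac/u/xx/someuser/.mozilla'
SAMPLE_ACL='Access list for /afs/slac/u/xx/someuser/.mozilla is
Normal rights:
  system:administrators rlidwka
  system:slac rl
  system:authuser rl
  someuser rlidwka'

# problematic_entries: read `fs listacl` output on stdin and print
# "<entry> <rights>" for each entry that grants access to the SLAC-wide
# groups. Header lines ("Access list for ...", "Normal rights:") do not
# match because their first field is not one of the two group names.
problematic_entries() {
    awk '$1 == "system:slac" || $1 == "system:authuser" { print $1, $2 }'
}

# removal_commands DIR: read `fs listacl` output on stdin and print one
# `fs setacl` command per problematic entry. AFS deletes an ACL entry when
# its rights are set to "none".
removal_commands() {
    dir=$1
    problematic_entries | while read -r who rights; do
        printf 'fs setacl -dir %s -acl %s none\n' "$dir" "$who"
    done
}

# audit_dir DIR: on a machine with an AFS client, list the live ACL and
# print the clean-up commands; with APPLY=1 run them instead of printing.
audit_dir() {
    dir=$1
    if ! command -v fs >/dev/null 2>&1; then
        echo "fs command not found; no AFS client on this host" >&2
        return 2
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        fs listacl "$dir" | removal_commands "$dir" | sh
    else
        fs listacl "$dir" | removal_commands "$dir"
    fi
}

# Demonstration on the constructed sample (prints two fs setacl commands).
printf '%s\n' "$SAMPLE_ACL" | removal_commands "$SAMPLE_DIR"
```

Running the script prints the commands rather than executing them, so the output can be reviewed before anything changes; `APPLY=1 audit_dir ~/.mysql` (assumed usage, on a host with an AFS client) would apply them. Note that only the two group entries are touched: system:administrators and the owner's own entry are left intact, and the rights on the owner entry are not widened or narrowed.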

...