-
jonasw
not that I knew
-
winfried
GDPR in +3
-
jonasw
uh, lunch in +0
-
winfried
same here ;-)
-
Wiktor
vanitasvitae: what do you mean by Mastodon? do you want to promote social services based on the nefarious HTTP protocol, while we have some based on XMPP? :)
-
jonasw
I’m kinda there nevertheless, winfried
-
jonasw
pep., Ge0rG, GDPR in +0
-
Ge0rG
wut?
-
Ge0rG
-ECOFFEE
-
Ge0rG
The GDPR is active now. There is nothing more we can do, anyway.
-
jonasw
we can run in circles panicin
-
winfried
send every user a mail they have to give permission!
-
Ge0rG
I don't know my users' emails. I need to create an xmpp bot to ask them for addresses first.
-
winfried
Ge0rG: GO!
-
jonasw
I can let muchopper do that
-
Ge0rG
No, not Go. Erlang!
-
Ge0rG
jonasw: MUC-PM everyone for consent!
-
jonasw
do I interpret this correctly that tehre’s not going to be an actual meeting now?
-
Ge0rG
It looks like we are all here. Let's meet!
- winfried bangs the gavel, lets talk business
-
winfried
what is on the list today?
- Ge0rG looks at the chair.
-
Ge0rG
winfried: what is on the list today?
-
winfried
:-D
-
Ge0rG
There is a "TBD" proto-XEP
-
Ge0rG
There is technical work in the context of consent.
-
Ge0rG
My personal opinion is that I'm not doing any consent-requiring data processing, so I don't need explicit consent nor any kind of XEPs to support it.
-
winfried
Lets talk the consent XEP first
-
Ge0rG
There is merit in having a formalized way to link to ToS and similar policy documents.
-
Ge0rG
At least it's better than something like https://yaxim.org/blog/2018/05/24/updated-yax-dot-im-policies/
-
winfried
Ge0rG: first of all: it is not only about consent, but also about informing users about the privacy statement and changes in it
-
winfried
other jurisdictions or other deployments *may* have the need for consent
-
jonasw
I plan to extend the ProtoXEP with an IBR integration proprosal and write a draft prosody module which implements the Ad-Hoc flow this weekend
-
Ge0rG
winfried: good point. Is there a legal obligation to inform users about ToS changes that do not require explicit consent?
-
Ge0rG
jonasw: also don't forget to submit yaxim PRs :P
-
jonasw
Ge0rG, you wish
-
winfried
Ge0rG: yes, there is
-
winfried
consent is article 6.1a + article 7, informing is article 12
-
winfried
I feel the XEP should cover both use cases
-
jonasw
it does, I hope
-
Ge0rG
> When requested by the data subject, the information may be provided orally Yay.
-
jonasw
when I have the draft impl in prosody for the Ad-Hoc flow, I can make a demo video
-
winfried
(haven't checked the latest version, but it should)
-
winfried
Anything else on the ToS-XEP?
-
Ge0rG
winfried: I've skimmed §12 but I don't see anything about pushing updates to users
-
winfried
Ge0rG: it say right at the start "appropriate measures" (own translation from dutch), that includes informing about changes...
-
winfried
Ge0rG: at least, that is where is case-law has been heading
-
winfried
but you are right, when skimming it, I don't see it explicitly stated
-
pep.
!
-
winfried
hi pep. !
-
pep.
Sorry I even missed the start
-
winfried
I propose to move on to the informal TBD XEP I submitted
-
winfried
The XSF seems te be a bit reluctant to give legal advice (what I kind of understand)
-
pep.
Well if we can't give some kind of guidance this meetings were somewhat pointless, no
-
pep.
I mean from the XSF point of view
-
pep.
The ToS XEP is coming out which is good, but it doesn't cover everything
-
winfried
so I proposed, here in the MUC and on standards@ to write a XEP with general privacy considerations and best practices and to keep hard legal stuff out of the XSF but on personal title
-
jonasw
that doesn’t seem like a bad idea
-
pep.
Where do you want to make the split between privacy considerations and legal stuff
-
winfried
pep.: you can say: check what jurisdiction you are in, you can't say: if A or B, you are under the GDPR. You can say: check your retention policy in MAM, you can't say: to be GDPR compliant you have to default it to 0.
-
winfried
(Guess Ge0rG is on the phone)
-
Ge0rG
winfried: no, but I agree so far
-
Kev
If the privacy XEP happens to be what's needed for the GDPR, and individuals want to blog/Twit/whatever "The XSF has published privacy recommendations. I think these are sufficient for GDPR compliance", that seems fine to me.
-
Kev
Just so long as the XEP itself doesn't go near law.
-
winfried
Kev:I agree the goal of the XEP should be to present an outline that brings an operator close to GDPR compliance, but you can't go all the way because there are some choice to make that have a legal component too. The exact line where 'performing a contract' (6.1b) is insufficient and consent (6.1a) is need for example. Or when a client can enable MAM by default and when not.
-
Kev
And this is why I'm not competent to review a GDPR XEP :)
-
winfried
;-)
-
pep.
(I'm boarding, will be back in a few)
-
winfried
Then my next question is: who is willing to put his name under the non-XSF document? I don't care to do so (am putting my head far deeper in the line of liability-fire on a daily basis)
-
jonasw
I’m not keen on that
-
Kev
winfried: Don't care to do so, or Don't care about doing so?
-
Kev
Opposite meanings :)
-
winfried
Kev: thanks... I perfectly willing to do so ;-)
-
winfried
Kev: (here I miss one of the subtleties of the English language)
-
winfried
Ge0rG, pep. ?
-
winfried
The other question is: coordination of the informal XEP. I started something there, but I would like it to reflect the work done here and the involvement of all of you.
-
Ge0rG
winfried: I've put my head into the yax.im liability issues.
-
Ge0rG
and my name under.
-
winfried
Ge0rG: so we co-create this informal document?
-
Ge0rG
winfried: I'm not sure whether you are talking about the proto-XEP now or about a non-XSF document of some kind (what exactly?)
-
winfried
Ge0rG: the liability issue is with the non-XSF document, for the proto-XEP I think we have to come up with a workflow
-
pep.
I guess that's why there is so few documents out there giving advice
-
winfried
pep.: three reasons: nobody knows, lawyers who know make serious bugs right now and providing for free gives liability or other discussions...
-
pep.
winfried, what kind of liability is this really. "I've followed a guide on the internet and now I've got issues. I'm suing them because I'm an [ass]"
-
pep.
If you really want legal advice, get legal advice :x
-
winfried
pep.: I know of lawyers blogging all the time with legal advice, stating it as their own opinion. So I don't think the issue is too big
-
winfried
pep.: but a bit of risk is always there
-
winfried
(feel some lag on the line... hoping to finish Q1.3 with this)
-
pep.
winfried, you can put my name in there as well fwiw
-
pep.
Now where is that document going to be published
-
Ge0rG
winfried: I can imagine posting a blog post on my private blog with IANAL "advice" for XMPP operators.
-
winfried
Yes, I was also thinking of my site/blog (though that one is mainly in Dutch)
-
winfried
Which one is the most steady and best read?
-
winfried
And an interesting question: should we coordinate writing it on a XSF chatroom/mailinglist ;-)
-
jonasw
as long as you don’t get kicked out :)
-
Kev
winfried: I think it also matters where you are, when you give legal 'opinions'.
-
Ge0rG
winfried: I'm pretty sure there is no liability issue for the XSF if we use this MUC
-
Ge0rG
Kev: what kind of "where" do you mean?
-
Ge0rG
winfried: my blog is minimalistic, but pretty robust. it's probably a bit off-topic as it is highly technical. https://op-co.de/blog/posts/
-
Kev
Ge0rG: In the US, etc.
-
Ge0rG
Kev: is giving free "legal" "advise" on some blog while not being a lawyer an offense somewhere?
- Ge0rG asking for legal advise.
-
jonasw
I don’t feel I can contribute to this, so I’ll cut that meeting short for me, I have a tighter schedule for today
-
winfried
Ge0rG: it would be fully on-topic on my blog, but technically my blog is not very suited for longer reads https://www.tilanus.com/#weblog
-
Kev
I had heard that it was in the US, which is why IANAL is a thing. But that could be entirely ficticious. *shrug*.
- winfried gives Ge0rG legal advise in a blog :-P
-
winfried
Ge0rG: and my blog is not very SEO
-
pep.
Not really sure what to do for my part either.
-
winfried
jonasw: ok... I would love of you can comment on a draft!
-
winfried
pep.: commenting on a draft would be the least!
-
Ge0rG
winfried: your blog indeed is very strange ;)
-
winfried
Ge0rG: yeah, still wondering of I should refactor my site...
-
winfried
and there are still over a dozen blogs that are not on my site yet!
-
Ge0rG
winfried: it looks like it's a javascript spa?
-
winfried
Ge0rG: yes.. wanted to expirement with some techniques
-
jonasw
winfried, commenting on the draft is surely a thing I can do
-
winfried
jonasw: great!
-
winfried
Ge0rG: can we create a collaborative editing document somewhere?
-
winfried
And we have to set a date for the next meeting
-
winfried
should we invite the XSF server operators to discuss Q2 with them?
-
winfried
Guys: I have to leave in some minutes...
- winfried bangs the gavel and thinks about the old Buddhist discussion about whether a sound is a sound if nobody hears it
-
Seve/SouL
That's deep.
-
pep.
winfried: sure, same here I can comment. (Sorry my connection is really spotty)
-
pep.
I'll also try to comment on the ToS XEP today/this weekend
-
pep.
There's no planning for next?
-
winfried
pep.: not yet
-
Ge0rG
> Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect. That should read "against Facebook, Google, Facebook and Facebook"
-
Zash
Spam spam spam eggs bacon and spam?
-
Link Mauve
https://gafam.laquadrature.net/ is one such complaint, filed as a class action.
-
Zash
So today is the day of the GDPRcalpyse?
-
Link Mauve
Finally. :)
-
Dave Cridland
Zash, Seems OK so far. If you want to continue to receive my replies, please click here.
-
Zash
<{jabber:x:form} type="submit">here</x>
-
winfried
Ge0rG: are you aware of any other claims then those by NOYB and laquadrature?
-
winfried
Link Mauve: My French fails on me there, is laquadrature.net preparing complaints or did they already file them?
-
Ge0rG
winfried: Max Schrems is actually the one I'm following the most
-
Link Mauve
They are filing it today, have been preparing for some months already.
-
winfried
Ge0rG: yeah, NOYB got a *big* donation from me, hope that finally the android-spyware ecosystem gets taken down, it is a *real* problem in my work
-
winfried
Link Mauve: thanks!
-
Tobias
Regarding GDPR, could I request my messages to be removed from an archive of a user I talked to on a remote server?
-
Zash
Sure you can. You can request anything from anyone! (I don't know the answer to the actual question.)
-
Ge0rG
Tobias: no
-
Ge0rG
Tobias: unless the remote user is a commercial entity
-
Tobias
The user is not, but the server the user is on probably, not?
-
Ge0rG
Tobias: maybe, but the other server is storing data on behalf of that other user.
-
Ge0rG
Tobias: so they can argue they have a legitimate interest to store it to fullfil the xmpp service agreement to the user
-
Tobias
Ah...ok