XSF Discussion - 2018-05-25


  1. jonasw

    not that I knew

  2. winfried

    GDPR in +3

  3. jonasw

    uh, lunch in +0

  4. winfried

    same here ;-)

  5. Wiktor

    vanitasvitae: what do you mean by Mastodon? do you want to promote social services based on the nefarious HTTP protocol, while we have some based on XMPP? :)

  6. jonasw

    I’m kinda there nevertheless, winfried

  7. jonasw

    pep., Ge0rG, GDPR in +0

  8. Ge0rG

    wut?

  9. Ge0rG

    -ECOFFEE

  10. Ge0rG

    The GDPR is active now. There is nothing more we can do, anyway.

  11. jonasw

    we can run in circles panicin

  12. winfried

    send every user a mail they have to give permission!

  13. Ge0rG

    I don't know my users' emails. I need to create an xmpp bot to ask them for addresses first.

  14. winfried

    Ge0rG: GO!

  15. jonasw

    I can let muchopper do that

  16. Ge0rG

    No, not Go. Erlang!

  17. Ge0rG

    jonasw: MUC-PM everyone for consent!

  18. jonasw

    do I interpret this correctly that there’s not going to be an actual meeting now?

  19. Ge0rG

    It looks like we are all here. Let's meet!

  20. winfried bangs the gavel, let's talk business

  21. winfried

    what is on the list today?

  22. Ge0rG looks at the chair.

  23. Ge0rG

    winfried: what is on the list today?

  24. winfried

    :-D

  25. Ge0rG

    There is a "TBD" proto-XEP

  26. Ge0rG

    There is technical work in the context of consent.

  27. Ge0rG

    My personal opinion is that I'm not doing any consent-requiring data processing, so I don't need explicit consent nor any kind of XEPs to support it.

  28. winfried

    Let's talk the consent XEP first

  29. Ge0rG

    There is merit in having a formalized way to link to ToS and similar policy documents.

  30. Ge0rG

    At least it's better than something like https://yaxim.org/blog/2018/05/24/updated-yax-dot-im-policies/

  31. winfried

    Ge0rG: first of all: it is not only about consent, but also about informing users about the privacy statement and changes in it

  32. winfried

    other jurisdictions or other deployments *may* have the need for consent

  33. jonasw

    I plan to extend the ProtoXEP with an IBR integration proposal and write a draft prosody module which implements the Ad-Hoc flow this weekend

  34. Ge0rG

    winfried: good point. Is there a legal obligation to inform users about ToS changes that do not require explicit consent?

  35. Ge0rG

    jonasw: also don't forget to submit yaxim PRs :P

  36. jonasw

    Ge0rG, you wish

  37. winfried

    Ge0rG: yes, there is

  38. winfried

    consent is article 6.1a + article 7, informing is article 12

  39. winfried

    I feel the XEP should cover both use cases

  40. jonasw

    it does, I hope

  41. Ge0rG

    > When requested by the data subject, the information may be provided orally

    Yay.

  42. jonasw

    when I have the draft impl in prosody for the Ad-Hoc flow, I can make a demo video

  43. winfried

    (haven't checked the latest version, but it should)

  44. winfried

    Anything else on the ToS-XEP?

  45. Ge0rG

    winfried: I've skimmed §12 but I don't see anything about pushing updates to users

  46. winfried

    Ge0rG: it says right at the start "appropriate measures" (own translation from Dutch), that includes informing about changes...

  47. winfried

    Ge0rG: at least, that is where case-law has been heading

  48. winfried

    but you are right, when skimming it, I don't see it explicitly stated

  49. pep.

    !

  50. winfried

    hi pep. !

  51. pep.

    Sorry I even missed the start

  52. winfried

    I propose to move on to the informal TBD XEP I submitted

  53. winfried

    The XSF seems to be a bit reluctant to give legal advice (which I kind of understand)

  54. pep.

    Well if we can't give some kind of guidance these meetings were somewhat pointless, no

  55. pep.

    I mean from the XSF point of view

  56. pep.

    The ToS XEP is coming out which is good, but it doesn't cover everything

  57. winfried

    so I proposed, here in the MUC and on standards@ to write a XEP with general privacy considerations and best practices and to keep hard legal stuff out of the XSF but on personal title

  58. jonasw

    that doesn’t seem like a bad idea

  59. pep.

    Where do you want to make the split between privacy considerations and legal stuff

  60. winfried

    pep.: you can say: check what jurisdiction you are in, you can't say: if A or B, you are under the GDPR. You can say: check your retention policy in MAM, you can't say: to be GDPR compliant you have to default it to 0.

  61. winfried

    (Guess Ge0rG is on the phone)

  62. Ge0rG

    winfried: no, but I agree so far

  63. Kev

    If the privacy XEP happens to be what's needed for the GDPR, and individuals want to blog/Twit/whatever "The XSF has published privacy recommendations. I think these are sufficient for GDPR compliance", that seems fine to me.

  64. Kev

    Just so long as the XEP itself doesn't go near law.

  65. winfried

    Kev: I agree the goal of the XEP should be to present an outline that brings an operator close to GDPR compliance, but you can't go all the way because there are some choices to make that have a legal component too. The exact line where 'performing a contract' (6.1b) is insufficient and consent (6.1a) is needed, for example. Or when a client can enable MAM by default and when not.

  66. Kev

    And this is why I'm not competent to review a GDPR XEP :)

  67. winfried

    ;-)

  68. pep.

    (I'm boarding, will be back in a few)

  69. winfried

    Then my next question is: who is willing to put his name under the non-XSF document? I don't care to do so (am putting my head far deeper in the line of liability-fire on a daily basis)

  70. jonasw

    I’m not keen on that

  71. Kev

    winfried: Don't care to do so, or Don't care about doing so?

  72. Kev

    Opposite meanings :)

  73. winfried

    Kev: thanks... I'm perfectly willing to do so ;-)

  74. winfried

    Kev: (here I miss one of the subtleties of the English language)

  75. winfried

    Ge0rG, pep. ?

  76. winfried

    The other question is: coordination of the informal XEP. I started something there, but I would like it to reflect the work done here and the involvement of all of you.

  77. Ge0rG

    winfried: I've put my head into the yax.im liability issues.

  78. Ge0rG

    and my name under.

  79. winfried

    Ge0rG: so we co-create this informal document?

  80. Ge0rG

    winfried: I'm not sure whether you are talking about the proto-XEP now or about a non-XSF document of some kind (what exactly?)

  81. winfried

    Ge0rG: the liability issue is with the non-XSF document, for the proto-XEP I think we have to come up with a workflow

  82. pep.

    I guess that's why there are so few documents out there giving advice

  83. winfried

    pep.: three reasons: nobody knows, lawyers who know make serious bugs right now and providing for free gives liability or other discussions...

  84. pep.

    winfried, what kind of liability is this really. "I've followed a guide on the internet and now I've got issues. I'm suing them because I'm an [ass]"

  85. pep.

    If you really want legal advice, get legal advice :x

  86. winfried

    pep.: I know of lawyers blogging all the time with legal advice, stating it as their own opinion. So I don't think the issue is too big

  87. winfried

    pep.: but a bit of risk is always there

  88. winfried

    (feel some lag on the line... hoping to finish Q1.3 with this)

  89. pep.

    winfried, you can put my name in there as well fwiw

  90. pep.

    Now where is that document going to be published

  91. Ge0rG

    winfried: I can imagine posting a blog post on my private blog with IANAL "advice" for XMPP operators.

  92. winfried

    Yes, I was also thinking of my site/blog (though that one is mainly in Dutch)

  93. winfried

    Which one is the most steady and best read?

  94. winfried

    And an interesting question: should we coordinate writing it on a XSF chatroom/mailinglist ;-)

  95. jonasw

    as long as you don’t get kicked out :)

  96. Kev

    winfried: I think it also matters where you are, when you give legal 'opinions'.

  97. Ge0rG

    winfried: I'm pretty sure there is no liability issue for the XSF if we use this MUC

  98. Ge0rG

    Kev: what kind of "where" do you mean?

  99. Ge0rG

    winfried: my blog is minimalistic, but pretty robust. it's probably a bit off-topic as it is highly technical. https://op-co.de/blog/posts/

  100. Kev

    Ge0rG: In the US, etc.

  101. Ge0rG

    Kev: is giving free "legal" "advice" on some blog while not being a lawyer an offense somewhere?

  102. Ge0rG asking for legal advice.

  103. jonasw

    I don’t feel I can contribute to this, so I’ll cut that meeting short for me, I have a tighter schedule for today

  104. winfried

    Ge0rG: it would be fully on-topic on my blog, but technically my blog is not very suited for longer reads https://www.tilanus.com/#weblog

  105. Kev

    I had heard that it was in the US, which is why IANAL is a thing. But that could be entirely fictitious. *shrug*.

  106. winfried gives Ge0rG legal advice in a blog :-P

  107. winfried

    Ge0rG: and my blog is not very SEO

  108. pep.

    Not really sure what to do for my part either.

  109. winfried

    jonasw: ok... I would love if you can comment on a draft!

  110. winfried

    pep.: commenting on a draft would be the least!

  111. Ge0rG

    winfried: your blog indeed is very strange ;)

  112. winfried

    Ge0rG: yeah, still wondering if I should refactor my site...

  113. winfried

    and there are still over a dozen blogs that are not on my site yet!

  114. Ge0rG

    winfried: it looks like it's a javascript spa?

  115. winfried

    Ge0rG: yes.. wanted to experiment with some techniques

  116. jonasw

    winfried, commenting on the draft is surely a thing I can do

  117. winfried

    jonasw: great!

  118. winfried

    Ge0rG: can we create a collaborative editing document somewhere?

  119. winfried

    And we have to set a date for the next meeting

  120. winfried

    should we invite the XSF server operators to discuss Q2 with them?

  121. winfried

    Guys: I have to leave in some minutes...

  122. winfried bangs the gavel and thinks about the old Buddhist discussion about whether a sound is a sound if nobody hears it

  123. Seve/SouL

    That's deep.

  124. pep.

    winfried: sure, same here I can comment. (Sorry my connection is really spotty)

  125. pep.

    I'll also try to comment on the ToS XEP today/this weekend

  126. pep.

    There's no planning for next?

  127. winfried

    pep.: not yet

  128. Ge0rG

    > Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect.

    That should read "against Facebook, Google, Facebook and Facebook"

  129. Zash

    Spam spam spam eggs bacon and spam?

  130. Link Mauve

    https://gafam.laquadrature.net/ is one such complaint, filed as a class action.

  131. Zash

    So today is the day of the GDPRcalypse?

  132. Link Mauve

    Finally. :)

  133. Dave Cridland

    Zash, Seems OK so far. If you want to continue to receive my replies, please click here.

  134. Zash

    <{jabber:x:form} type="submit">here</x>

  135. winfried

    Ge0rG: are you aware of any other claims than those by NOYB and laquadrature?

  136. winfried

    Link Mauve: My French fails on me there, is laquadrature.net preparing complaints or did they already file them?

  137. Ge0rG

    winfried: Max Schrems is actually the one I'm following the most

  138. Link Mauve

    They are filing it today, have been preparing for some months already.

  139. winfried

    Ge0rG: yeah, NOYB got a *big* donation from me, hope that finally the android-spyware ecosystem gets taken down, it is a *real* problem in my work

  140. winfried

    Link Mauve: thanks!

  141. Tobias

    Regarding GDPR, could I request my messages to be removed from an archive of a user I talked to on a remote server?

  142. Zash

    Sure you can. You can request anything from anyone! (I don't know the answer to the actual question.)

  143. Ge0rG

    Tobias: no

  144. Ge0rG

    Tobias: unless the remote user is a commercial entity

  145. Tobias

    The user is not, but the server the user is on probably, not?

  146. Ge0rG

    Tobias: maybe, but the other server is storing data on behalf of that other user.

  147. Ge0rG

    Tobias: so they can argue they have a legitimate interest to store it to fulfil the xmpp service agreement to the user

  148. Tobias

    Ah...ok