-
rozzin
Any Suggestions on how to provide links to MUCs on websites that don't like xmpp URLs, like github?
-
rozzin
Specifically, looking for something I can put here: https://github.com/moparisthebest/xmpp-ircd/blob/master/readme.md#development That "the XMPP-IRCd chatroom" phrase is supposed to be a link per the markdown....
-
rob
Like this https://conversations.im/j/public@conference.loranger.xyz
-
rob
Leads to a web page with an xmpp link and some other info
-
rozzin
Mmm..., yeah I forgot about that option. I'd rather do something that's not an ad for just one particular client for one particular OS, actually. I like Conversations, but....
-
mike
The "right" solution is for things like github to stop allowing only a limited list of protocols in URLs, and stop assuming nobody needs anything but HTTP. But yeah it'd be nice if there was a more neutral landing page.
-
rozzin
Other ideas that occurred to me: Suggestions for working around that? e.g.
* just provide the bare URLs for people viewing on github to copy/paste?
* link to an "xmpp-ircd" search-results page on https://search.jabber.network ?
* link to a HTTP->XMPP redirect service like https://cheogram.com/link/xmpp-ircd@chatrooms.hackerposse.com?join ?
* link to a webchat front end, which we have via https://anonymous.cheogram.com/ (is "looks like an xmpp URL, links to a webchat URL" a bad idea?)
* make an actual website? 😉️
-
rozzin
Too many options, too hard for me to figure out which one is closest to "right"....
-
mike
If you can only link to web resources I'd lean toward having your own web page and linking to that, rather than handing responsibility to a third party. Plus the bare unlinked URL for copy/paste as you say.
-
mike
otherwise it's starting to wind up like "I can't use mailto: so here's a link to gmail.com"
-
rozzin
Yeah, pretty much.
-
thndrbvr
I see nothing wrong with linking to a web chat. For those familiar with XMPP, one could easily enough get into it via client. For others, it gets them directly to the action. Lol.
-
Martin
Licaon_Kter:
> 404.city: how is https://xmpp-servers.404.city/ respecting GDPR if hosted/whatever on CF?
CF?
-
me9
Cloudflare.
-
Martin
Ah
-
moparisthebest
does CF automatically imply "not GDPR compliant" ?
-
ij
I would say so. The company is US-based and can't therefore be GDPR-compliant because it falls under the Cloud/Patriot/FISA act, but IANAL
-
ij
I think it’s difficult to argue that CF won’t see any personal data and therefore it needs to provide an equivalent level of protection, which the EuGH denied for the USA
-
moparisthebest
That would imply no us company could ever be gdpr compliant, no way that's true
-
ij
Well, the BfDI (German federal DPO) wrote a letter to federal offices last week (German): https://www.bfdi.bund.de/SharedDocs/Downloads/DE/DokumenteBfDI/Rundschreiben/Allgemein/2021/Facebook-Auftritte-Bund.pdf?__blob=publicationFile&v=1
-
ij
on page 2 you can read that the EuGH denied the equivalent level of protection for the USA.
-
ij
and yes, basically this means no services of US based companies are GDPR-legal - at least when it is not possible to refuse the usage of that service beforehand and agree to their ToS before use - which is not possible for CF. Of course you are totally free to visit US-based websites willingly and agree in an informed way to their ToS.
-
Menel
> In addition, I would like to point out the judgment of the European Court of Justice in Case C-311/18 ("Schrems II"). In its ruling, the ECJ clarified that personal data of EU citizens may only be transferred to third countries outside the European Economic Area if they enjoy an essentially equivalent level of protection in this third country as in the EU. For the U.S., it has denied such an adequate level of protection. This applies not only to personal data that data controllers from the European Economic Area transfer directly to partners in third countries, but also to personal data that flows to a third country when certain IT processes are used
> Translated with www.DeepL.com/Translator (free version)
-
Menel
Part of the text
-
Licaon_Kter
moparisthebest:
> does CF automatically imply "not GDPR compliant" ?
Yup
-
ij
Schrems-II ruling is a big one…
-
Licaon_Kter
moparisthebest: https://gitlab.com/fdroid/admin/-/issues/229 https://gitlab.com/fdroid/admin/-/issues/230
-
Menel
But it's OK to be non-compliant if the user is aware of it. Otherwise we couldn't use all the US services
-
moparisthebest
CF seems to think it's GDPR compliant https://www.cloudflare.com/gdpr/introduction/
-
ij
hmm, I would say: it’s ok to use US based services when the user does know s/he uses such services and can decide whether or not to use it.
-
ij
moparisthebest, well, Microsoft, Zoom and Webex all think they are GDPR-compliant as well… doesn’t mean anything if the company labels itself as GDPR-compliant, because as a US-based company they are bound to US laws - and the US laws are the reason why they are not compliant and will never be
-
Licaon_Kter
moparisthebest: they all think they are pure. Then the law says otherwise... but heard of any GDPR enforcement? Me neither... so they just wait for the fallout, they can afford it... oh, it never comes? The better...
-
Licaon_Kter
ij: exactly, Microsoft had some angry letters to some german agency that reported last year that Teams is non compliant
-
ij
FISA court act is one of the reasons for that. As long as they can seize (personal) data under FISA rulings EU citizens do not have the same level of protection as in the EU because they are not going to be informed about such FISA action and thus cannot undertake legal actions against it
-
moparisthebest
Germany is the funniest because half the govt seems to be trying to enforce the GDPR while the other half is trying to pass laws breaking the GDPR
-
moparisthebest
ij: they can't seize data you don't have, I refuse to believe no US service can ever be GDPR compliant
-
ij
they can be compliant when the USA do change their laws
-
ij
but they won’t do that
-
ij
otherwise: no, US-based (cloud) services are and will never be GDPR-compliant because of post-9/11 surveillance laws and what Snowden revealed
-
moparisthebest
I run an IRC server and record nothing, you are telling me that's not GDPR compliant because I'm in the USA? Doesn't sound right
-
ij
some DPOs consider IP addresses a personal data
-
moparisthebest
I don't record those either
-
ij
which seems legit because of NSA and such
-
ij
but your users are connected via TCP/IP, I think… or do you have some other network technology without using IP addresses? :)
-
moparisthebest
What does that have to do with it?
-
moparisthebest
I thought it was what you record, not what you could potentially record
-
ij
yeah, in fact it is a difficult story… not storing any personal data is big plus in that story… but doesn’t mean that the data cannot be obtained in other ways and conducted by some 3 letter agencies… That’s the part of Schrems-II ruling that won’t change
-
Menel
I do think it can be compliant if no data whatsoever is collected. Maybe. But that may be again a thing for lawyers..
-
ij
personally I would say: if you don’t collect any data then it’s fine. If it’s obvious for your users that they connect with an US based server, it is ok… e.g. when you have us.ircnetwork.tld hostnames for example
-
ij
lawyers on the other hand might have a different view on this like: hey, there is no publicly available paper about the FISA court, it’s a secret, therefore it does not exist and therefore we have no issue with GDPR and we are compliant. That’s the way many company lawyers might see it (my impression)
-
moparisthebest
If you go down that path then BGP isn't gdpr compliant because it can be used to route EU -> EU traffic through the US or China, in fact it's happened before
-
moparisthebest
Better turn off the internet...
-
Licaon_Kter
moparisthebest: or not devolve it to the absurd or the black and white fallacies
-
moparisthebest
Right, absurd like "no US service can be gdpr compliant"
-
Licaon_Kter
That's not a theory, that's the law...the US law...
-
Licaon_Kter
It's made like that...on purpose
-
moparisthebest
No it's not at all
-
Licaon_Kter
Which part?
-
moparisthebest
The US govt can't make me record things I'm not recording
-
Licaon_Kter
Great, can you front a CDN for us? No? CF does and their terms are...different? Their goals are...different than yours or ours? Interesting...
-
Licaon_Kter
Not sure why you interjected here, it's not about what you or other US based, good faith hosters, can or do. It's about the ever growing presence of CF.
-
Licaon_Kter
Actually by some luck I saw a glimpse of "Attention something....| Cloudflare" in the tab title, then I checked the certs...because it loaded the site and I would have been none the wiser.
-
ij
Additionally it also doesn’t help when a US-based company operates their service in an EU-based datacenter. They are still bound to US laws. But I think it is a good thing after all. It can help to decentralize the Internet a *little* bit. A cloud service from a US-based company then needs to be operated by a legally and financially independent EU-based company. That’s a chance for EU-based providers
-
Licaon_Kter
moparisthebest:
> The US govt can't make me record things I'm not recording
"room 641a" mhm
-
Licaon_Kter
ij: Ireland will gladly host that for them I heard hehe
-
ij
well, maybe no longer as there is also a ruling that other DPOs can take action when the irish DPO is inactive
-
moparisthebest
Let me put this another way, if no US person/company can ever be gdpr compliant, then why not just use cloudflare and collect+sell all the data anyway :)
-
moparisthebest
Plus none of you are GDPR compliant since I'm seeing your messages I guess? Seems like a pretty bad argument
-
moparisthebest
I'm no fan of cloudflare either, but basically from a "centralization is bad" POV
-
Licaon_Kter
moparisthebest:
> Plus none of you are GDPR compliant since I'm seeing your messages I guess? Seems like a pretty bad argument
This is meant to be public, this is part of the service contract. Adding my IP to the Oak Ridge Big Data DB it is not...
-
ij
no, it’s perfectly legal to visit and use US based webservices under EU law - if they are compliant with the law and users are aware of it. for example browsing the website of Washington Post is perfectly fine. The user can anticipate the nature of a US based website from the domain name and agrees willingly to the ToS…
-
Licaon_Kter
Right, forgot to mention: "adding it without my consent..."
-
ij
... and I think there is also some sort of "non-discriminating way to use it". So basically such a service should be available without that additional CDN or whatever... exemptions are technically needed cookies and other stuff (to store your login or so), but is a (third party) CDN technically needed or is it optional to speed up delivery? It's complex, but in the end I really like that Schrems-II ruling and think it's a good thing
-
ij
for us XMPP operators it's important to have some GDPR declaration of what is stored and what not. I don't like the additional "paper" work, but I think it's a good way to think about what data you store and what you don't store
-
ij
and it is a chance to gain some "market share" because the big players are quite often not GDPR compliant while it is easier for distributed networks to match the local legislation of your region than to follow all laws in the world
-
Ellenor Malik
So, get a Europe VPS and fully follow GDPR there?
-
Ellenor Malik
> ij wrote:
> no, it’s perfectly legal to visit and use US based webservices under EU law - if they are compliant with the law and users are aware of it. for example browsing the website of Washington Post is perfectly fine. The user can anticipate the nature of a US based website from the domain name and agrees willingly to the ToS…
TLDs for US websites are often .net, .com, etc, same for many Europe ones
-
ij
nah, it's not as simple as that 😉
-
ernst.on.tour
GDPR is active over 2 years and *now* they/you are awake ? 😂 :scnr:
-
Licaon_Kter
3 years...
-
Ellenor Malik
meh
-
Ellenor Malik
always do the best you can
-
Ellenor Malik
> ij wrote:
> but your users are connected via TCP/IP, I think… or do you have some other network technology without using IP addresses? :)
Tor :)
-
millesimus
> GDPR is active over 2 years and *now* they/you are awake ? 😂
> :scnr:
Funfact: Germany already had all the rules long before the GDPR. As if anyone had cared. 🤷♀️
-
ernst.on.tour
Okay, I think it was given as German law in May 2019 that an IP address could be personal information, but what will a server-op get with a whois? Only the ISP is able to match timestamp and IP against a name and therefore *I* think IP shouldn't be classified as personal data. But we are very OT I think 😉
-
croax
[Disclaimer: I've no link with 404] No problem with GDPR and server location out of EU:
> The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR
https://www.twilio.com/blog/2018/05/gdpr-and-eu-data-location-requirements.html
And according to 404 it complies with GDPR on the _not too much data storing_ topic: https://wiki.404.city/en/404.city:_Privacy_Policy
The bigger issue with GDPR would be they don't give information to designate _someone_ to address the GDPR requests to. But I assume a lot of servers don't want this and rather prefer to keep anonymity. Maybe they break some US rules but not at least the privacy GDPR ones.
-
jonas’
ernst.on.tour, actually, data protection/privacy considerations of running an XMPP service are perfectly on-topic in my book
-
jonas’
(the guidelines even have an example about a log retention time discussion :))
-
Ellenor Malik
my MUC retention policy is unlimited until you delete your MUC... :/
- jonas’ goes and fills your harddisk
-
Ellenor Malik
we'll figure it out
-
Ellenor Malik
we also have an unlimited file retention policy
-
millesimus
ernst.on.tour: Germany in pre-GDPR times had pretty much the same rules in its BDSG (federal privacy law / data protection law); only the fines were limited to 250k €. Only with GDPR people became a little more aware.
-
zp1.net
what is GDPR:)))
-
MattJ
It's the new name for modal website popups
-
zp1.net
okay thanks ;-)
-
zp1.net
we should rename the term server to "terver", to prevent confusion with the socialist regimes. this would also prevent confusion among politicians and amateur lawyers ;-)
-
croax
zp1.net: if you process EU citizen personal data, whatever they are (eg cookies for identification), you shall apply GDPR which is EU regulation. It's basically:
- do not store too much and forget the data after processing
- ask for user consents for any storage
-
jonas’
*for any storage which isn’t inherently required by the service
-
croax
and be responsible if leaking data.
-
jonas’
e.g. you don’t have to ask consent for roster items… they are inherently required for routing of presence && the user actively puts them there.
-
jonas’
also, consent is not only required for storage, but also for processing of information.
-
jonas’
e.g. if you run a data miner on user’s MAM archives… that most likely requires consent, even if you don’t store additional data over what the user already opted into with MAM.
-
croax
And actually this is an annoying banner asking to click on "accept" or go to hell :-)
-
croax
jonas’: you're probably right, I'm not an expert.
-
jonas’
I’m not an expert either :)
-
zp1.net
i think you are some sort of legal bdsm fans. you can't wait for the eu to make an idiotic law so you can jump and fulfill it.
-
zp1.net
learn to ignore laws.
-
jonas’
<self-redacted off-topic>
-
croax
zp1.net: yes. But BDSM is also awaiting us if they throw us in jail ;-)
-
zp1.net
no it is not. encryption is the solution. not laws
-
zp1.net
thus channel should be encrypted
-
jonas’
zp1.net, the discussion laws vs. encryption and whether and which laws are sensible or not is getting too off-topic.
-
zp1.net
this is a service operator channel. encryption and stupid laws are not off topic here
-
jonas’
zp1.net, I agree.
-
millesimus
> *for any storage which isn’t inherently required by the service
Or to process a treaty. Or for your legitimate interest, like protecting your server. Or for legal reasons. Art. 6 knows many other legal reasons to process data apart from consent and technical necessity. Technical necessity comes more into play w.r.t. data minimisation, I'd say.
-
zp1.net
encryption is freedom.
-
croax
zp1.net: https://www.google.com is encrypted.
-
croax
That's only part of the solution
-
zp1.net
what is google?
-
jonas’
millesimus, yep, simplifying here to err on the safe side for anyone only reading casually. Thanks for listing additional reasons :)
-
rozzin
So..., fail2ban is not GDPR-compliant, right?
-
Ellenor Malik
It falls outside of the scope of GDPR
-
rozzin
Ellenor Malik: howso?
-
Ellenor Malik
It's data retained for technical reasons
-
Ellenor Malik
inherently required by the realities of the internet
-
jonas’
it’s not outside the scope of the GDPR
-
jonas’
but keeping logs for $days is legitimate interest of the service provider under art 6f IIRC
-
rozzin
Because my next question was: are there any guides on how to do guard against cyberattacks while remaining GDPR-compliant?
-
jonas’
rozzin, art 6.1f to be specific (looking at the sjn privacy policy :))
-
moparisthebest
rozzin, if people yesterday were correct it doesn't matter what you do, you can't be GDPR compliant because you are an american, so just don't worry about it ¯\_(ツ)_/¯
-
Ellenor Malik
do the best you can
-
rozzin
moparisthebest: maybe I should raise GDPR-compliance as a topic in the xmpp-ircd MUC.... Seems like a topic people love to talk about, at least—would spark some conversation there 😃
-
Ellenor Malik
I'm not gdpr compliant. I have an unlimited retention policy on uploads and I don't link upload slots to the users that used them
-
rozzin
BTW moparisthebest:
> Germany is the funniest because half the govt seems to be trying to enforce the GDPR while the other half is trying to pass laws breaking the GDPR
What about France? Don't they just outright require GDPR non-compliance? IIRC there was news last year about a bunch of pubs being fined because they weren't keeping records about all of their Wi-Fi users or something?
-
rozzin
Ellenor Malik: yeah, I think open-ended retention going to have to be part of my TOS whenever I start offering service on pantyraid.im....
-
moparisthebest
rozzin, oh yea I forgot about that
-
rozzin
Still trying to come up with a good slogan for that domain.... Something semantically along the lines of "encrypt your delicates, because we can't promise not to raid your panties".
-
rozzin
"make the NSA get *their* knickers in a twist"
-
Ellenor Malik
> rozzin wrote:
> Ellenor Malik: yeah, I think open-ended retention going to have to be part of my TOS whenever I start offering service on pantyraid.im....
I intend to start linking users to their upload slots so that if they request deletion, best effort doesn't involve retaining their encrypted data.
-
moparisthebest
encrypted data? delete it? I never had it!
-
tom
> [08:04:00] <rozzin> moparisthebest: maybe I should raise GDPR-compliance as a topic in the xmpp-ircd MUC.... Seems like a topic people love to talk about, at least—would spark some conversation there 😃
what is the xmpp-ircd muc rozzin?
-
rozzin
tom: xmpp:xmpp-ircd@chatrooms.hackerposse.com?join
-
tom
ty