XSF Discussion - 2018-04-02

Hmm who do I need to talk to for issues with wiki.xmpp.org?

Maranda, Guus and iteam

jonasw, hmmm ok need to correct a few broken links

if they’re wiki-internal, you can ask for an account

The more I think about it the more I think we need to define a standard way to treat mobile clients that don’t really go offline

jonasw, request where?

Maranda: here. Tell me your username and email address

Anu: yes, there are short-term and mid-term ideas for that. Short-term: combine 0198 with Push to keep a disconnected session "alive" as long as it comes back after a push message

Ge0rG, username this nick, e-mail maranda@lightwitch.org

Maranda: A randomly generated password for Maranda has been sent to maranda@lightwitch.org.

Ah ok. I was having a discussion about it on Twitter and realized all of us client developers were coming up with our own suggestions

Anu: mid-term we'll probably move more and more status and configuration options from the client to the account, like a status message and notification configs

Ge0rG, let's wait on Greylisting ™

:P

Also once we suppress presence (offline /online) in our clients

What’s the point of subscription

Anu: subscription is also an anti-spam whitelist

And feature advertising

Ive has fun explaining subscription to people

Because nothing else has it (at least visible ) these days

Anu: just hide bidirectional subscription from them.

Yes that’s what I’m thinking of doing

Anu: I hope that with things like PARS (XEP-0379) and Easy Invitations (XEP-0401) that'll get easier

Anu: in yaxim I have "Contact can see your status" for one direction and a [?] contact icon for the other

We have many ways hiding al of this

no wait, it's the same.

Unless I’m not aware of it there isn’t a document with recommendations

Unfortunately, yes.

So either several developers come together and make up our own

Circumventing the process

We are using the wiki for which things, if we aren't yet ready to make them official

Anu: the standards list archive has some ideas as well. I'm trying to link and document them, but that takes time

Ge0rG, there links fixed, thank you :P

Maranda: thank you!

Ah is the wiki public? I’d like to not reinvent the wheel

Anu: yes, https://wiki.xmpp.org/web/Main_Page

Sorry I meant the actual page where these suggestions are being written up

Anu: I try to put usability improvements under https://wiki.xmpp.org/web/Category:Easy_XMPP

Also assorted pages, like https://wiki.xmpp.org/web/XEP-Remarks/XEP-0280:_Message_Carbons

Maybe we need a new category for that, "Usability"?

Yup this is exactly what I was thinking of doing. Great

Yay, I just realized that the standards@ ML archive links from 2014 are all wrong

Thanks, mailman.

I’ve realized that xmpp has so much legacy stuff that is based on AIM or IRC

It’s like aim and irc had a baby

Haha

Anu: I think you mean ICQ.

Nope muc is an irc clone

It made sense in the 90s because that’s what people were familiar with

But feels super antiquated now

Anu: ICQ and IRC.

not AIM and ICQ

Anu: the MUC spec is a horrible mess, with many rough edges and unspecified corner cases. I'm fixing it slowly.

Ah yes

I saw there was an effort to make a new group chat spec

Hmm clients supporting Process Hints up-today?

What’s process hints?

Anu: the new group chat is MIX, and it's already huge and complex and nobody has implemented it yet.

-xep 334

Maranda: Message Processing Hints (Standards Track, Deferred, 2018-01-25) See: https://xmpp.org/extensions/xep-0334.html

Anu: did you follow the last Summit discussions? I have collected a long list of current issues we need to address at https://op-co.de/tmp/whats-wrong-with-xmpp-2017.pdf

I haven’t, no. Just had a baby and have mostly dropped off the planet

I’ve implemented group chat for several closed protocols

Anu: ah, you've been working on increasing the number of xmpp users? That's laudable!

Let’s just say there is no version that easy or clean

:)

It’s a way to keep my mind active at nap time

The other thing I’ve realized is that no one really uses status messages anymore

I’ve had it under the name on the contact list for a decade

Ge0rG add the horrible misconception of "MAM and Room Logging" to the muc list. People seem to think that MAM doesn't equate to "recording conversations" apparently (and the fact that status 170 should always be used whenever discussions are recorded server-side)

But at some point people started posting their status to twitter/fb not on chat

All of this logging is going to break so bad with gdpr

No idea how small xmpp servers are going to handle pseudo-anonymization

And purge requests

I already have a protocol for purging, and Processing Hints for not storing. But purging archives seems another controversial we have here.

Severs should have an option to run in gdpr mode

Ip logs too

Names, nick names etc

It’s a mess

I think the rules were made for large companies with resources but it’s going to impact any small server

Have we figured out what "GDPR mode" means yet?

I would say regular log purging.

Minimal logging at info level

Switching to debug mode usually lets you get away with more verbose logging

And not keeping message history beyond the legal max

It’s bad ux but that’s kind of the point

Anu: it's okay to keep message logs the users actually want.

Anu: all you need is consent from the user and some interface to download / purge

Anu: the "legal max" being? Didnt have time to even glance at that thing.

Well consent could be just setting logging default (mam prefs eg) to disabled.

I suppose

Maranda: not quite, the user should have to agree when registering, and maybe get an explicit info from the client when enabling mam

"from the client" 😉

Ge0rG the good thing with doing backends is that UI/X stuffis mostly irrelevant to me hehe

s/doing/dealing/

And *dealing with*

Hah

Except the fines for gdpr are steep

Up to 10 million euros or 2% of revenue for minor fines

€ 20 million or 4% for worse infractions

A few fines can quickly shut down smaller services

When a user registers to my server he/she has to consent to the service agreement anyways so it's possibly one or two more lines there

Service agreements dont override law though

Otherwise fb et al would just change their eulas

We only have until May 25 to be compliant

It’s a serious headache for tech companies

True but if gdpr wants user consent

This is more a problem with IBR not OOBR

You could argue that use of IBR implies consent to whatever.

You could also argue that the moon is made of cheese. Also IANAL and neither are you! :P

Haha

Also how do we recommend people handle xfer of data in and out of Europe ?

How's those XSF-GDPR meetings going?

I assume the xsf has legal help.

Anu, and yes service agreements are never normative but in the end if there's an issue you'll end in a court so I don't see where's the problem

(a ToS/EULA here has *no value* at all, you'll get to debate it anyways)

Yeah

Maranda, if you end in a court and your ToS disagrees with GDPR, you're going to have a hard time...

From my understanding if we address logging, log anonymization, allow data export and data purging it covers most bases

Curious to see how this plays out for smaller, more resource constrained xmpp providers

Maybe MattJ, I'm very transparent on what data I collect, so I don't think that would be the case anyways

Gdpr has been my life for the past year or so, it’s going to be a barrier for entry in messaging

Still sounds easiest and safest to just ban EU residents from servers

You know what's even easier? Not running an XMPP server at all!

Haha yup

Or run it out of Europe and beyond the reach of their law enforcement

My server is located in New Ark, although I'm not.

(the thing running the xmpp one at least)

:P

The only thing that somewhat concerns me is federation

I'd be sad if I had to disable federation with EU servers

Probably will

That's not a solution

Plenty of EU citizens use US servers :)

So just because you receive a message from a non-EU server doesn't mean you can assume it didn't come from an EU citizen

Jokes aside , gdpr is made to force global compliance

So us servers will have to implement it too

It’s based on the possibilities of doing business with an eu citizen

Anu: please come to our next xsf GDPR meeting

Anu: https://wiki.xmpp.org/web/GDPR

I will try.

Can I add questions for the lawyer to that wiki page?

I’m very concerned about federation

Might be an end of an era for non Balkanized Internet

Anu: we have so far tried to address the local user case. I'm hopeful that s2s delivery of messages will be permitted by assuming consent from the sender.

Anu: it would be great if you could join the meeting so we know the context of the questions you want to add.

Ok

whether they meant to enforce global compliance or not (I think you are right), sorry the EU is just a tiny portion of the internet and they cannot do it

they can enforce it on companies that operate in the EU and that is it, EU citizens will probably suffer from walled gardens but then they should vote to fix the situation I guess...

(or just use non-EU servers and don't mention they are from EU?)

So, on May 19, it will have been 4 years since https://github.com/stpeter/manifesto/blob/master/manifesto.txt went into effect.

Assuming I can count.

How is http://opendiscussionday.org/ still running?

I was looking for that just now. I had to look up the manifesto to remember the exact date

Last modified: 2018/03/09 08:24 🤔

Bunneh: xep 273

Zash: Stanza Interception and Filtering Technology (SIFT) (Standards Track, Deferred, 2011-06-27) See: https://xmpp.org/extensions/xep-0273.html

Bunneh what's your inline syntax tell me :P

{}

Nooooooooooooooooooooooooooooooooooooo

Did I just kill it

Bunneh: tell pep. no

It doesn't seem to comply much

Maranda: pong

Bunneh just doesn't like inline syntax :P

Ohhh

Now Gajim shown that with delay lol

It adds some kind of attaching tag to indicate its bottyness

I forget which

Ge0rG, I was told (but HINAL either) that even s2s should "just" require consent, as long as we're transparent and we say "This _can_ happen". Though technically that means "We have no clue what can happen on the other end"

pep.: I suppose the other server is also bound by GDPR

how is the other server supposed to get consent Ge0rG ?

I assume so

moparisthebest, I would say it doesn't get it explicitely from s2s users

moparisthebest: you need to forward messages to the other server for them to reach the receiver.

for a specific example, how is my server supposed to get consent from everyone in this channel to log their messages?

moparisthebest: this is a public room

is that different?

Ge0rG, though the same happens with private rooms here

how do you even tell which is which

moparisthebest: but if I send you a private message, I must assume that your server will process it

this is dumb, EU should feel ashamed and you EU citizens should fix your crappy law :P

moparisthebest, if it's s2s I don't think you do. I would say the c2s server has to state in its EULA that data will be sent to other services and will be processed there

But IANAL, of course

So this might be considered implicit agreement. Processing is legal to fulfill a legitimate interest of a third party. The receiver is the third party and their legitimate interest is to receive my message

moparisthebest: stop trolling us. You Americans have been fucking with our privacy long enough already

There is also right to be forgotten stuff

That’s for public records

It really is a mess

Ge0rG, are you talking about facebook? I agree, so here's an idea I've been following forever, don't use facebook

moparisthebest: I told you about Facebook already.

Anu, yeah not sure how to apply that over s2s

And it's not like I was going to keep a record of servers the user has been talking to, so I can then ask these servers to delete his stuff :/

I think on some level this is like email and someone will have to chase down every server with their info but on the other hand there might be consequences for the server that sent the info

Like google had to remove links from its index but can’t stop the news links from existing on the net

I feel like it's exactly like email, and whatever applies there must apply here

Everyone is updating for gdpr

doesn't matter if it is the EU or the States. It is all part of the same goal.

None of us are done but you will start seeing new gdpr related Eulas soon

Let's all include a long EULA in the email footer

IF YOU RECIEVED THIS EMAIL IN ERROR YOU MUST DELETE IT RIGHT NOW

like all corporations send? I'm sure that's *super* legally binding

moparisthebest, yeah, that is useless

Zash [18:05]: > Let's all include a long EULA in the email footer In the xmpp message footer

<message><footer/></message>

Haha

pep.: it must be in the body for backwards compatibility reasons

also e2e

Ge0rG, :@

really the only part that concerns me is what Anu said " on the other hand there might be consequences for the server that sent the info"

it's easy to get explicit consent from your users, and tell them what *you* are doing

but once you send it over that s2s link, it's gone, out of your and your user's control forever

moparisthebest, it's possible to warn them "Hey, we have no clue what happens to messages sent to other servers"

I don't know what legal value this has though

Also users are not really often aware of the boundaries

They add the contact once, maybe they pay attention to the JID, but probably quickly forget about it

s/users/lawyers creating EU privacy laws/

The whole nature of federation means a use has no idea what servers they are talking to

Not like email where you often see the email you send to

while you keep wasting time with GDPR....

:P

probably something people will never use ™

also removed {xep 91} layovers which is a plus.

Maranda: Legacy Delayed Delivery (Historical, Obsolete, 2009-05-27) See: https://xmpp.org/extensions/xep-0091.html