XSF Discussion - 2018-04-09

https://techcrunch.com/2018/04/07/rss-is-undead/

> I think the solution is a set of improvements. RSS as a protocol needs to be expanded so that it can offer more data around prioritization as well as other signals critical to making the technology more effective at the reader layer. This isn’t just about updating the protocol, but also about updating all of the content management systems that publish an RSS feed to take advantage of those features.

Pubsub :-° ?

I've read that article in my RSS reader. To me, RSS is pretty much alive.

Andrew Nenakhov don't wanna use Pubsub :D Movim is my news reader B-)

https://nl.movim.eu/?node/news.movim.eu/TechCrunch

GDPR meeting in 5

according to my clock and calendar at least

jonasw: according to mine too ;-)

neat.

pep., Ge0rG, you there?

jonasw: kind of

I fixed my poezio, but this is still the worst monday I've had this year

yet.

right.

Ge0rG, set up a disk quota for your borg things so that they can’t eat all the disk space.

disk quotas aren’t deep magic

jonasw: good point. But then I couldn't prune the old backups any more because pruning would exceed the quota

also allows you to disable/unset the quota while pruning when you need that

it’s all a matter of invoking edquota and increasing the limit temporarily :)

I didn't even anticipate the backups to grow that large.

or maybe use that cuteborg alpha software which schedules prunes automatically. (shameless plug)

My computer has decided to be angry at me this morning, should be here soon

okay, now I’m getting wary, why hasn’t any of my stuff failed today.

bad digital karma today, what did we do to our computers to make them so upset?

made it!

\o/

I’m not up for chairing or anything, having mild headache.

!

Would it be ok, to slowly progress through the list at the wiki?

seems good

Ah I haven't updated with last week's

Yes please

Ge0rG: you mentioned there are discussions about ip-adresses being pii or not, maybe we should settle that one first

winfried: I don't think we should.

I don’t think that’s useful.

Can _we_ settle anything?

ok, we don't settle it ;-)

winfried: in our context it's best to consider them as PII

first, what pep. says, lots of laywers have been fighting over that already before the GDPR, and second I think that would let us lose ourselves in details.

winfried: my point was just to show the ambiguity of the legal framework

Ge0rG: clear and good course of action

Q1.1d, do we dig into that one further?

For the logs and newcomers: https://wiki.xmpp.org/web/GDPR

winfried: I think we weren't done with 1.1c for s2s

ok, 1,1c it will be

I would s/Archiving/user content/ on the notes to make it just like the others ✏

Yes please

+1

We are also lacking logs of 1.1b s2s in the wiki

yes, let me put last week's in there

Maybe somebody could paste from the minutes

So that we can proceed from there

maybe it is good to make clear: transfer itself is a processing, but needs explicitation about what data is transfered, what processing is done on the other side and with what purpose...

can we know the processing on the other side, really?

since there’s no contract or something which would be binding for the other side.

I don't think we can

they could store the message forever even without advertising MAM

I think we'd best assume the worst once the messages are gone over s2s

yes. the question is: how do we tell the users?

Just as I did? :/

maybe we can define a xep & service discovery that just says: this server keeps to these rules....

and how do we tell the users in a way that they can give consent properly, and don’t wander off to silo services?

winfried, hmm, you mean the GDPR-policy-XEP pep. wanted to write for c2s could be used for s2s too?

interesting.

question is, would a user still have to consent for each remote domain?

Also, I trust my own server, I'm not sure I trust many others

jonasw: I tend to slightly disagree

jonasw: think that in many cases it does't, but it is our task to find out

Ge0rG, with what exactly? I think I mostly asked questions at this point :D

as winfried said last time, this is handing off of data to another controller. The other controller is also bound by GDPR rules, so they can't just do anything they want with the data. In theory

pep.: yeah, we move to the delicate field legal trust...

Ge0rG, sooo... if you federate with servers which have users which are inside the EU you’re under GDPR? ✏

What I'd like to know more about is whether we need some explicit legal framework for handing off data, or if this is covered by the user's implicit consent of wanting the message delivered

jonasw: basically, yes.

neat

so everything is under GPDR now.

jonasw: as if it wasn't before

yeah, with "now" I mean "when it takes effect"

winfried: I suggest we have a look at the "incoming s2s" situation first, and then try to reverse the approach for "outgoing"

Ge0rG: smart!

obviously, with incoming s2s we are already required to be GDPR compliant.

Ge0rG: if you are situated in the EU or if you are targeting EU users

We receive data via s2s (s2s meta-data, user content, user meta-data), and we are kindly asked to process that data in some way that was implied by the user

winfried: s/targeting/not explicitly blocking/ ;)

Ge0rG: hmmm... my reading up to now was targeting, but that maybe the old legal framework....

you can’t block EU users s2s-wise

but also you can’t really target EU users s2s-wise

so I’m like 😕

jonasw, not like it's impossible

winfried: targeting is implied if you don't exclude them explicitly, AFAIU

winfried: but back to the topic.

When does a service become "accepting EU users" exactly? Say as an EU citizen I go to a japanese website, with their server located in Japan, there's not GDPR applying is there

(I'm here to ask the dumb questions)

I'd say that processing of received data is covered by Art6 1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party" - the legitimate interest is to deliver the message to the appropriate user

if LQ1 evaluates to "yes", it’s more tricky than that though

We are moving a bit forward and backward trough the topics...

This means two things basically: a) we are allowed to do everything appropriate to deliver the content; b) we are not allowed to do anything that's not directly required for that

winfried, okay, where were we?

GDPR hints.

Maranda, we can see for technical details later

1.1c s2s wasn't it?

winfried: yes please

incoming and outgoing

incoming

- store in roster of peer

We should cover each one of these: s2s meta-data (IPs, hostnames, sessions, server logs?) - GDPR probably doesn't apply user meta-data (presence, subscriptions, message routing) user content (messages, pubsub, etc.) MUC history, MUC MAM Remote components (e.g., roster management)

Ge0rG: yes that was what I was looking for

s2s meta-data: R49 if at all

user metadata: minimal: forwarded to receiving users connections typical: stored while receiving user is online (to avoid having to send out probes for new resources)

jonasw: subscription requests and roster info is stored

Ge0rG, that’s content though?

from the categories in Q1.1b

(update the wiki I added 1.1c from the minutes)

jonasw: ah, right

user content: minimal: forwarded to receiving users connections if online; storage of roster-related things with account. typical: minimal + offline-storage if offline or even MAM for undefined period of time for messages

I'm not sure if A in user B's roster is subject to user B's privacy laws, user A's or both'.

probably mostly B

yes

I can have you in my phone book and you can’t force me to erase that, I think, due to private use.

but the transfer to jurisdiction B is a processing

jonasw: but I can get you fined it you upload my phone number to whatsapp.

Ge0rG, yes.

Which is what's happening here

Ge0rG, but the roster is my phone book in this case.

Well not whatsapp

jonasw: so maybe I can also get you fined if you store my JID and name on your server?

mmm

Ge0rG, so what do you propose? When a user calls for their right to erasure, that's propagated to every other server? And they magically disappear from everybody's roster at the same time?

no, when I am uploading pii of somebody else to a server without consent from that somebody I can be fined. Not because of that server but because of the uploading

sooo..... spammers are in violation of the GDPR?

s/consent/groud for processing/

because they upload my email adress to some server?

jonasw: yes

That wouldn't really surprise me

It's not like they weren't already in violation of any other laws

we have two s2s data specials not yet covered in 1.1c: - MUC (is that different from plain s2s?) - remote roster management

hm, delivering a message is probalby "ground for processing"

jonasw: it is needed for delivering a service you have agreed to (or not, in the case of spam)_

For (semi-)anonymous MUCs, do we need to show users a message that the MUC is anonymous and they have to assume that all messages are public? ✏

What about adding 170 when MAM MUC is enabled

because we can’t have any type of s2s-consent in that case because we don’t know to which domains the messages may go

pep., mandatory, IMO

worksforme

I asked something similar on jdev@ not so long ago

And I think maranda also did talk about that

👌🧝‍♂️

the exact definition is: > Inform occupants that room logging is now enabled which fits this use-case exactly. ✏

(note that it does not include "public")

(we might want to have a different status code for *public* logging)

(as opposed to members-only MUC MAM access)

jonasw: MAM is subject to the same rules as room access

in theory.

Ge0rG, yes.

Gajim does exactly that for status 170/171 without making dumb distinctions

I wouldn't be surprised if some implementations make MAM access public ;)

so a possible processing may be "publicising the MUC logs on different channels or to non-members"? (bringing it back to 1.1c)

winfried, yes.

Aka just "room logging" enabled/disabled

Nothing prevents a muc owner from changing the member-only policy though, and suddenly everything that's been said before is public

pep.: nothing prevents a muc owner to publish their local log of the MUC in the New York Times

maybe some laws prevent that?

I would consider that all these deliberate actions by a MUC participant to leak data fall under their respective responsibility

winfried, one processing is at least "store the whole conversation on the MUC service"

and not under "s2s data processing"

+1 Ge0rG

+1

k

so it's "store on the service and make it available to room members"

and it /may/ be also publishing it

I’d like to have a status code for that, btw

because that could save us from 9.1 trouble (there’s something about "manifestly made public" in there, and if we can get clients to show "THIS ROOM IS PUBLICLY LOGGED", we’re out of trouble there I think)

do we have a technical ToDo list?

jonasw: not yet ;-)

Can make one

pep., that’d be great

I can add EULA XEP in there :x

I wouldn’t act on the ToDo list right away, but instead keep it a WIP until we figure that we really need it. ✏

(BTW one of my cats is hunting my phiysical mouse, the other one the cursor on the screen, am a bit distracted)

jonasw: +1

jonasw, the status code you're talking about is 170 or similar right

pep., yes

winfried, pics or it didn’t happen ;-)

jonasw: my cats have their privacy, I am not publishing them on the internet!

So.. what do we have atm, 1.1c S2S is split in two,

And attach those to the Meeting Minutes.

(cat pictures)

Don't forget remote roster management. It's technically well designed, so no problems there, but we need to mention it

Ge0rG: +1

Ge0rG, what about it

it is a nice example of privacy by design, but it is a possible processing of the s2s case

thinking about it, it is also a processing of the c2s case...

we need to list it and mention it is covered by explicit consent

RRM ist really good, taking a look at it for the first time now

I'm not sure I get all these comments. How is it privacy by design

What changes from normal roster management

except that it has XMPP-technical flaws

pep., the roster is managed by an entity which may be outside the domain of the user

read-write

jonasw, yeah I get that, so it's worse possibly

I mean GDPR-speaking

Than normal c2s

pep., but the entity has to ask permission and it gets only the roster entries related to their own domain, so that’s neat

it is privacy by design because the spec demands explicit consent

I lost my overview over 1.1c

have we covered the s2s cases there?

jonasw, I see

just inbound?

And even then I'm not sure

winfried: I think so

the difference to c2s is probably that there are different retention times for data, and no explicit consent from the user

oh, there is also the "transport component" use case

mmm, a whatsapp transport <3

for super fubar

If I register with icq.evildomain.com, it will store/process my ICQ credentials

Ge0rG: that is an interesting one

Isn't that another normal s2s case?

credentials, right

"We don't know what can happen on the other side"

pep.: that one is

And they won't get more than what we give them

but whatsapptransport.trusteddomain.com is different

I wonder if we want a way to give consent to the processing done by an s2s domain. then there could be something pubsubby where clients can query which s2s domains the user consented with and show that in the UI. warn the user when sending a message to a non-consented domain with "review the privacy policy" and offer doing the in-band consent thing as per the EULA XEP.

because trusteddomain is transfering it to a third server

fwiw, I’m going to head out in four minutes.

How long do you want to go btw?

jonasw, I see value in that, I'm not sure it's not going to be an annoying process though

It's the annoying "yes I agree" that everybody is going to overlook in the end

could be simplified in the UX of course, but technically we might need something like that

and the server could even block stanzas to non-trusted s2s domains in strict deployments.

maybe set a next session? Maybe we should wrap up this one and move on to the interesting stuff....

yep

Date of next?

following weeks this time won’t work for me

(I know I’m special with scheduling and I’m sorry)

I can do any

winfried: actually I'd argue that a remote transport is subject to a direct relationship with the user as a data controller

Can I make an addition to s2s message processing? If hints are made mandatory that could pose a disclaimer caveat, in which if a user doesn't give explicit consent to treatment by a remote entity and I flagged all messages with "no-store" or "no-permanent-storage" it could be argued the responsibility falls directly on the 3rd uncompliant party

Tomorrow? Wed 12:30 or 13:30CEST? (like before)

Because that'll be an impeding problem for sure

pep., tomorrow is Tue in my calendar

Wed won’t work for me

jonasw, yes it was two questions :p

I’d prefer the time we did today actually, I can arrange that any day except mondays.

both work for me

If same time, I can't do Tue/Thu

(and wednesdays, sorry)

but 12:30 CEST also works, except on wednesdays

Tue 12:30CEST then?

wfm

wfm

wfm

\o/

*bang*

okay, gotta head out, see you folks

cu!

thanks

I need my coffee now

You guys caught me early

pep.: :-D

pep.: are you taking notes/logs again? maybe coordinate who puts them in the Wiki

I'll try to come up with the minutes before noon

If you can put that on the wiki that'd be great :p

I'll try, won't be home from work meetings till 0:30 today, but I will have some time in trains...

trains. The place where you can work on the really important things, while telling your employer that you were too tired to do the after-meeting reports.

Ge0rG: watch out, this MUC has a public log :-D

> trains. The place where you can work on the really important things, while telling your employer that you were too tired to do the after-meeting reports. Trains. Those things that don't run if there is a signal failure. What ever that means. A rat bit through a cable maybe? Because apparently something as important as signals doesn't have redundancy

winfried: my employer isn't paying overtime. Sometimes I have days when I need to get out of bed at 4AM, have some 12hrs of train time with a business meeting in the middle. They can't expect me to work 16hrs ;)

daniel: the most frequent cause of delay at Deutsche Bahn is copper theft, I've heard.

https://www.n-tv.de/panorama/Kupferdiebe-kosten-Zeit-und-Geld-article10436256.html

daniel Ge0rG here in the netherlands it is / was a major cause for delays too. They do have more theft-proof infrastructure nowadays

winfried: do you have any news regarding the 112 app?

And from my point of view, after glancing at it, GDPR is made to "make it impossibile" for complex decentralised environments to exist, so whatever will be done here will be for naught beside that when a user registers he'll get a message stating "do you give consent to treatment of your data by third parties", "I give consent" == s2s enabled, else s2s disabled.

Fin.

Maranda: your point of view is cynically pessimistic.

Like with the cookie directive. The intention was to inform users and to allow them to opt out. Then it was perverted by the "content providers" to blame the EU

Ge0rG: too bad that it looks to me that for what we could ever attempt to do to be compliant, due to the nature of xmpp we could never fully be.

But we will see as usual

Ge0rG: yes, I have the interview done and a concept-blog, still working on the whitepaper. They have to check with their security persons I don't publicise any confidental information before I can show you the results

winfried: I'm a security person. I can do a closed-group review ;)

Ge0rG: :-D

Ge0rG: I got a fascinating insight in the world of Belgian organisation and security. I can already reveal the organisation operating *all* of the telecom infrastructure in Belgium has more firewalls then employees ;-)

(all of the governmental telecom infrastructure)

winfried: that sounds like much better data hygiene than T-Mobile Austria

> winfried: my employer isn't paying overtime. […] have some 12hrs of train time with a business meeting in the middle. Ge0rG, you’re not good at advertising. ✏

jonasw: my employer will gladly pay for the hotel room so you can arrive on the day before and have a pleasant day on site. I just prefer to sleep in my own bed.

I hate hotels, exactly.

I often take my own pillow with me when I go to the office, if I'm driving (not so much with carrying it on the train).

I don't hate them. I just love to sleep at home

Ge0rG, yeah, that’s what i meant.

also see what I wrote in the other muc.

I'm still catching up with last night.

Ge0rG: I was pretty impressed with the data infrastructure they are using, they even build a (rudimentary) application firewall for XMPP!

does conversations get consent from the user for using google cloud push? :)

okay, so since I have merge powers, I need advice on what to do with this: https://github.com/xsf/xmpp.org/pull/425

I was actually happy that pidgin dropped off the list and was silently hoping that it wouldn’t re-appear.

but apparently that didn’t happen

so what to do now?

possibly a question for board

jonasw: the right way would be for the Board or some other Official Entity to say "no" to this request. The loophole workaround would be to reject the PR until it's vouched for by an identified pidgin developer

Ge0rG, maybe you should add your "ceterum pidgin delendam esse" to board agenda instead of council ;)

jonasw: I don't have the power to add things to Board's agenda

jonasw: and I don't have the karma either. Whatever I wanted from Board so far was vetoed.

Ge0rG, ask Guus or MattJ to add "Vote for elimination of all pidgin references from xmpp.org" to it :)

Ge0rG, the laws of probability say that this time it’ll work!!1 ✏

Ge0rG, I note that there is a carbons plugin for libpurple: https://github.com/gkdr/carbons

plugins for libpurple are always good.

they rarely break anything or introduce security issues or something like that.

flow: do you want to explain to my aunt how to install it?

BTW, I think the easiest way to (potentially) resolve the Pidgin thing is to ask the project if they mind not being listed.

If they say "Yeah, that's fine, it's not very current", there's no need to make difficult decisions.

Kev, they made a release a few weeks ago

Does that contradict anything I said? :)

dunno

I’m not awake.

Kev: the easiest way is to require somebody from the project to raise their voice in that PR.

Kev: which is even less work than asking them, and which is what I implied in my PR comment and described above as a "loophole"

So, dead-end for GDPR is.. 25th May again?

yeah

towel day

And I see Ge0rG with an avatar feels strange compared to the usual "G"

jonasw, ok I suppose I'll go with my cynical, pessimistic idea, until I see more definite developments.

(which I do not)

Maranda: I suppose I need to restart prosody to get rid of it.

Ge0rG: oh?

Dave Cridland: I'd like to put up "kill GC1.0" onto the Council agenda for this week. I've collected some numbers, and I'll write a mail if I manage somehow.

I'm also sure there was some other thing I promised / intended to PR.

https://arstechnica.com/tech-policy/2018/04/hours-after-zuck-deletion-scandal-facebook-announces-new-unsend-feature/ - this totally triggers the GDPR

"You can't delete sent or received messages from someone else's device." -- unless you are Mark Zuckerberg.

What's next, unsend email? 😂

I always thought that features like last message correction are just silly

Andrew Nenakhov: that's old. https://support.office.com/en-us/article/recall-or-replace-an-email-message-that-you-sent-35027f88-d655-4554-b4f8-6c0729a723a0

LMC is actually useful in most cases. ✏

/load display_corrections

Ge0rG, > Message recall is available after you click Send and is available only if the recipient has an Exchange account within the same organization. Not really working in federated environment

Andrew Nenakhov: tough luck.

I motion that we all get ice cream! (everyone says +1) /correct I motion that we do evil things!

toads. ✏

🤔

so.... everyone licking ice cream, except for Maranda who's licking toads?

Ge0rG, who knows maybe they'll turn into something else, or kill me, or both.

I haven't had ice cream in days…

I get a feeling that xsf has entered a steep decline

I have a fridge full of ice cream at my old home, and no sensible logistic way to get it into the new home.

Andrew Nenakhov: the xsf MUC is not representative of the XSF.

Ge0rG: "sensible"

Ge0rG, it's not?

:O

Andrew Nenakhov: the only decline the XSF is facing is that of available time of its members.

Disclaimer 😚 ™

:P

I just came back from having ice cream.

/topic Ice Cream

that’s relevant, right? ✏

Luckily there is no XMPP off-topic MUC.

/topic Chips

Damn, I'm hungry. Only had some waffles for breakfast and no lunch. Time to make a break

what does it do?

guess I could just peruse code...

for now just disables s2s if you don't agree to conditions and 3rd party treatment of your data.

if a XEP says stuff like : Given the foregoing discussion, it is evident that an entity could receive any combination of iq:register, x:data, and x:oob namespaces

then i know im in for a lot of fun

what are email providers doing with their identical S2S problem?

https://github.com/maranda/metronome/blob/6044add55d8acfef86f4210ceae27cd6ca178a3f/plugins/mod_gdpr.lua --> completely untested, though it should be portable to Prosody easily enough.

moparisthebest, nobody knows

moparisthebest, but the expectations might be different for email which might be relevant for law stuff

why would expectations matter? they are 100% identical as far as I can tell

moparisthebest, I’m not sure. people might not expect their IM to be stored indefinitely on some server. for mail, this might be different.

why? maybe they think everyone uses pop3 and has the 'delete from server' box ticked?

moparisthebest: wasn't the box for "don't delete from server"?

depends on the client I guess :)

I'm just saying from a technical perspective, with regard to s2s issue, email and xmpp are identical, and since email is far more widely used by much bigger companies, I feel like we should just see what they are doing

Identical me... thinks not.

Comparing mail data with a xmpp s2s stream is weird at best.

One it's just a singler envelope the other... is... a stream? With potentially much more data passing by.

Maranda, sorry, how is it not identical?

I just said.

you send individual messages to a federated server

they may or may not keep them

the 'potentially more data' seems totally wrong too

You just send individual messages? Oh rly?

how often do you send/recieve xmpp messages with 25mb attachments sent with bob or whatever :P

I tend to agree that they’re pretty much identical regarding the data which passes.

that happens regularly with email

I repeat "You just send individual messages? Oh rly?"

yes, both email and xmpp just send individual messages, right?

Hmmm nay, but okay.

Maranda, how do you think they are different? because xmpp often sends multiple messages over a single connection?

because smtp does that too, and so does imap, pop3, etc

<incoming-routed presence="2078391" message="644568" iq="1050302"/> <outgoing-routed presence="428397" message="152432" iq="985607"/>

that's 2 messages I guess, still not getting the point

.

Please try to explain with words and not just examples, because I don't understand what you mean either.

I don't think I have to explain XMPP (says even just XMPP) isn't just about messages, and you don't send exactly just messages actually you send much more of the other two.

And there's a lot of data in *those two*

when you boil it all down though, it's just message passing

if you say so.

are you saying you also send presence and things?

how is that different than an email like 'hey, I started work today' or whatever

Maybe I don't operate the sending directly which poses *much* of a difference compared to e-mail since those are completely (or almost) abstracted from users UI wise

I think when you're potentially talking about clients broadcasting your current location to all of your contacts, or whether you're WFH or in the office, that *is* a different use case than email.

and still for GDPR we have to take that data/meta-data in account

so if you keep saying xmpp is like e-mail okay.

ok, so you are saying extra types of data get sent with xmpp without user intervention than email?

*that's* an argument I can follow

still, I believe normal message sending should be the same as email, so we could copy email providers for that, and maybe your mod_gdpr could just filter everything but normal messages or something?

... except that lots of stuff doesn’t work with only normal messages.

like OMEMO.

mod_gdpr blocks everything going s2s, before user consented to the agreement and mainly 3rd parties treatment of his data passing by s2s.

how does the user consent, and which agreement?

yep, but perhaps you can sort some things out to what leaks (meta)data or not

https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua#L19

jonasw, ^

Maranda: you need to gain consent for each individual s2s domain, and link to their respective data privacy policy.

that seems utterly impossible Ge0rG

Ge0rG, do I? Me thinks that the above is legally valid.

Also, I don't understand how email and xmpp are different either, from a data protection / data retention point of view

.oO(plot twist: user is currently negotiating for a power exchange relationship and replies with "I consent" to the wrong message.)

Maranda, I don’t think that works either. you need to make the user aware of the specific data and metadata which may be sent to the remote domain.

users might not be aware that the timestamp of their last online presence would be shared for exampale

Ge0rG, it's implicit that if a from capuleti.is user chooses to have a contact to romeo.is then whatever data gets shared with romeo.is is *his/her sole* responsibility and that the data going to romeo.is will be treated by romeo.is

jonasw, that is already done by the ToS

Maranda, which ToS?

The one which I'll add options to add you can't cover everything In-Band, else I need to send a never ending wall of text. ✏

that’s why we were discussing the EULA XEP

jonasw, which brings to the problem good luck getting every implementation and expecially every server federating to compliant by the 25th.

yea that's really insane

shouldn't it, at most, be an explanation of federation?

(if you send something to bob@example.org refer to example.org for how they manage your data)

again, what are email providers doing? they won't be doing 'federated eulas' I can almost guarantee

moparisthebest, true, but they may be gambling on the fact that nobody is going to risk to burn down all of email with a lawsuit.

Problem is that the deadline is too near now we should have moved as soon as GDPR got out in 2016 imho

yeah

that's a fine bet for my person email, but gmail/hotmail surely would just have to pay germany a few trillion dollars or something

and they've surely had lawyers on this for years?

federated EULAs sound like a friggin nightmare too

"XMPP sucks so bad, I need a lawyer every time I have to add a new contact"

What about plain ol' IP routing?

but still as soon as there's a draft of "EULA" xep I'll link to that jonasw (obviously)

that's true Zash , every IP/port combo needs another EULA, also from every switch/router along the way, right?

Yes

Zash, yeah

I think even the concept of a EULA xep is a terrible idea for the above reason

if widely implemented, it'd kill xmpp

I was thinking about that too during the last meeting. I wonder if we’re colossally missing something here.

moparisthebest, fundamentally, the EULA XEP was meant not for federation but for in-band registration

does anyone know anyone that works at gmail or hotmail or something?

unfortunately not

jonasw, ah well for in-band registration it's a good idea, it's just a terrible idea for federation

an EULA xep could not need implementation

if it's just a descriptive xep

like what data types are there, how to act in case of data transiting from a to b, who to contact in that case, who is responsible of what when etc. ✏

there's a fair amount of documents like that XEP wise

Maranda, the idea was to have an additional IQ exchange before/during registration, where the key points of a GDPR-EULA (e.g. retention times, data which is persisted/not persisted ,…) is presented as structured data (XML). this allows clients to format the key points neatly. in addition, the full terms can be provided via one or more URLs.

and then you've made the protocol user-hostile for what some non-lawyers think some lawyers wrote in a jurisdiction that controls a small fraction of the internet

sounds like a terrible plan

Which is good if the deadend wasn't in a month and a half

moparisthebest, how is that user-hostile?

Or less

I think being aware of what the service does with your data is very user-friendly.

jonasw, "XMPP sucks so bad, I need a lawyer every time I have to add a new contact"

I am not talking about federation, moparisthebest.

"with whatscrap I just type in a contact and start chatting"

So at the very least we should have a document to link at, me thinks

well again, for user registration I totally agree

FWIW, XEP-0389 was designed with EULAs in mind. You could probably implement it already with that.

moparisthebest, I am not talking about federation.

No time for xep-0389

ok, then I think it's a good idea

I feel

I just really don't want federation crippled due to some legislators with a superiority complex, and a likely wrong reading of the law by non-lawyers

Well I don't have 200k

😎

try voting for better people, or move :)

I mean we aren't writing code to cripple XMPP to china or russian standards

moparisthebest, I like the legislation actually.

All I want as a server operator is at least a blanket covering most of my ass

why write code to cripple XMPP to EU standards

That's all we need in the immediate time anyways

Because as I redundantly said: there's not much time left

moparisthebest, we need to get informative documentation done first, the most problematic bits are the data types descriptions, behaviour and garden-to-garden transits

not sure exactly what you mean, but are you still just talking about registration?

in general when I've had to present lawyer-stuff to users, they like to lay stuff out themselves, and I always end up providing text as written

just a giant wall of text...

No, I said it anything protocol dependant wont see the light by the 25th

just turn off IBR and make them sign up with a web page?

the free world can continue to support IBR

Because beside the servers, there's clients and the "Pidgin" effect

moparisthebest: make them sign up what with a web pave

Page*

Please do provide input during the meetings if you have insight

The registration method is irrelevant we need documentation, and stuff to add to single service agreements

In the mean time

moparisthebest: and it's not just to new users

well, web page registration lets you display a proper terms of service, and record them agreeing to it?

Yeah but what goes into the EULA

moparisthebest, yes

That's the whole poiny

pep., ask your lawyer

Point

But we need to know what to add to the service agreements...

hopefully just explaining how it works would be good enough, but who knows, IANAL

And if there's a descriptive EULA xep at least we can link that

Well we're trying to see if we can figure parts of it by ourselves. Ultimately yes, we'll ask lawyers

And then try to provide templates for operators out there, with the usual disclaimers

if you are in the 'writing code to solve it' phase then you are too far, should have already asked a lawyer

We're not

some people are :) https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua

That's a draft

> The software is provided "as is", without warranty of any kind etc...

And it's very "user friendly" as it's not protocol dependant

(problem is the relevant bits to add there)

Zash, if it was that easy

Apparently it's not

moparisthebest, but yes essentially that module should cover the edgy cases, in where if users stay in your garden it's "easy". When they get outside it's troubles they wrote the regulation specifically that way

(And they'll get prompted the first time they try to cross the wall)

What really annoys/confuses me, is that everybody talks about companies when this is going to reach a lot more than that

that's the problem, they seem to have written the legislation to specifically target walled gardens like facebook/whatsapp etc

and it does a good job at that

but they totally ignored federated systems, and it seems to almost outright ban federated systems

which, ignoring xmpp is something I could see legislators doing, ignoring email is not

except they probably think 'email' and 'gmail' are the same thing...

Has anyone reached out to those involved in drafting this and asked "how does this relate to email?"

IIRC they used Outlook (with web thing)

OWA?

The FOSS-friendly people I stayed with were developing something to make it usable with Thunderbird

davmail is what I used to use for that

The new CLOUD Act allows US agencies to obtain data hosted in Europe. I wonder how many days it will take for Russia to create a comparable legal framework.

but i read EU wanted to do this first ✏

get data stored in US

so everybody gets all the data :)

the solution is for everyone to run their own server in their house lovetox :P

\o/

im already using no smartphone, facebook, i just have to get rid of gmail somehow

then im underground

lovetox, I cut the gmail cord in 2013, just setup postfix/dovecot on your house-server

you can still have gmail forward mails to your new address, and you can have postfix send outgoing mails from your gmail through gmail's servers until you have everything fully migrated

im have my own domain, but i fear spam a bit

nothing goes over google spam filter

it's not that bad, spamassasin+amavis