jonasw> (a.k.a. 1100Z, so maybe timezone confusion?)
winfried> probably... feel I am living in a different zone right now ;-)
goffi has left
winfried> "Date of Next: 2018/05/04 11:00 UTC" - I am not totally crazy ;-)
jonasw> oh oops
alexis has joined
jonasw> welp
Kev> 11:00Z is in two hours (just under)
winfried> From the mail from pep.
jonasw> right
jonasw> ah
jonasw> now I’m super confused
jonasw> and I *do* have UTC timestamps in MUCs.
winfried> so am I
jonasw> I don’t seem to be awake
Kev> It's 09:07Z at the moment.
jonasw> 09:06:09 winfried> "Date of Next: 2018/05/04 11:00 UTC" - I am not totally crazy ;-)
jonasw> so yes, GDPR in 2h
alexis has left
winfried is fixing timezone bug in his mind
jonasw> echo 'Etc/Utc' | ssh winfried 'sudo tee /etc/localtime'
winfried dives into a mild jetlag, Amsterdam is not in UTC
winfried> I know where it is coming from: I always regard myself as the center of the world. :-D
winfried will be back at 11:00 UTC ;-)
Guus has left
jonasw> gl
winfried> second attempt ;-)
jonasw> riiight, and I managed to entirely forget about this in the meantime :)
jonasw> I’m goood
jonasw> pep., Ge0rG, GDPR in 0
lnj has left
pep.> !
pep.> Same, I did also entirely forget
Tobias has left
pep.> So, what's up for today
winfried> When updating the wiki, I came across a question (is MAM 6.1a or 6.1b)
Andrew Nenakhov has left
Andrew Nenakhov has joined
winfried> I want to discuss briefly how we handle existing specs
pep.> I think we settled on MAM is opt-in?
pep.> And that should be fixed in the XEP/clients
Andrew Nenakhov has left
Andrew Nenakhov has joined
jonasw> (clients)
Guus has left
winfried> pep.: correct, but, if I recall correctly, the reason for it was that MAM is not 'naturally' part of the package when you are communicating
pep.> We won't go as far as to prompt the user when he decides to enable MAM right? I mean from the server. « Hey you're enabling MAM, here is what happens no: [..] »
winfried> pep.: exact
pep.> noa*
pep.> *nao
Tobias has left
pep.> I'm not sure if we should go this road
winfried> but just enabling MAM rather is requesting a service in sense of art 6.1b than an opt-in in the sense of art 6.1a
Ge0rG> sorry I'm late.
winfried> welcome, Ge0rG
jonasw> winfried, is it? I’d say it’s kinda 6.1a
jonasw> is it very relevant?
jonasw> (which of it it is)
winfried> yes, 6.1a has quite tight regulations (art. 7)
winfried> 6.1b not
Tobias has left
jonasw> winfried, Art 7 should be no problem for enabling MAM
winfried> And the server operator should prove the client has asked the question, kind of hard
jonasw> winfried, that was one of my original questions in the whole GDPR-in-XMPP discussion
jonasw> who is liable if the client didn’t properly ask?
jonasw> is it the client developer? or can the server operator rely on the client asking properly and blame the client if it didn’t?
jubalh has joined
Andrew Nenakhov has joined
pep.> yeah and we haven't answered this really. Not that I'm qualified to
Nekit has joined
winfried> we can avoid that problem altogether if it is 6.1b, what is rather appropriate IMHO because enabling MAM is requesting a storage service
Nekit has joined
jonasw> I’m not convinced though that this is any type of contract
Tobias has left
winfried> jonasw: what is your doubt?
jonasw> it may be my IANAL, but when I think contract, I think more formal than ticking a box in a UI
jonasw> with terms & conditions I can read and am aware of etc.
pep.> jonasw, that's what the EULA XEP is for right
jonasw> maybe
pep.> When I asked above « are we going to prompt the user when he decides to enable MAM, from the server », I had in mind some version of that
winfried> the eula xep is for the obligation to inform. And because the MAM (in case of a muc) may be hosted on another server, it may be appropriate to include a link to the EULA in that question too...
pep.> Like, client issues MAM query, EULA kicks in and requests ticking a box, and MAM gets enabled only if accepted
jonasw> winfried, and then, wouldn’t the server operator still have to kinda prove that there’s that contract with the user, in case of doubt?
pep.> I think the burden of proof is required anyway
winfried> pep.: using the service is enough burden of proof for a contract, not for 6.1a
Tobias has left
pep.> When the user creates an account, "please read terms & conditions. Here's what's going to happen to your data [for X, Y reasons]. Are you ok with it?". This is what I'm picturing
pep.> I see
winfried> pep.: when going 6.1b, just informing is enough
pep.> Shall we allow for both in EULA then? 6.1b only (no ticking box), and 6.1a (ticking box, plus blocking operations)
jubalh has left
winfried> pep.: don't know if that is any help, you still need the infrastructure for the burden of proof of 6.1a
pep.> I think MAM would fall under 6.1b like jonasw. The operator can state in the terms, "If you enable [MAM], here is what will happen"
winfried> pep.: exactly
Tobias has left
winfried> Ge0rG: can you give your opinion on this? I propose we move on in the meantime...
Steve Kille has left
Steve Kille has left
pep.> right
winfried> We have a list of XEPs that have potential deletion problems, should we check other (all?) XEPs for issues?
jonasw> winfried, have you followed the discussion on standards@?
pep.> HTTP-upload?
jonasw> I’d like somebody except me to reply to the last part of the thread.
jonasw> yeah
winfried> nope, didn't, will look into it
pep.> jonasw, the part where people don't want to mix the XEP and laws?
pep.> protocol / laws*
jonasw> that, and the part with "better have a separate xep which discusses that"
marmistrz has left
Tobias has left
pep.> Yeah. well changes are still required in the XEP to allow deletion via the protocol anyway right? This doesn't have to be because of local laws
MattJ> Right, I think the two things are separate
jonasw> daniel is against a deletion flow AFAIK
MattJ> I'm not saying I'm in favour of deletion (or against), I just think it's a separate concern
pep.> yeah
MattJ> An out-of-protocol deletion would work just as well
MattJ> Meanwhile there may be a non-GDPR case where someone accidentally shares the wrong file/picture
pep.> Not so long ago a user asked on movim@ for that iirc
jonasw> hah, just the other day :>
MattJ> :)
jonasw> and that fun day when somebody posted very ... uhm ... interesting ... drawn content in prosody@
MattJ> I guess I somehow missed that
winfried> I will respond in standards and I will need some time here to think it over: there are lots of things at stake in that discussion
pep.> We'll need to clear this issue while we're asking for changes in lots of other XEPs
Kev> My uninformed take on this is that the GDPR shouldn't mean any need to change any protocols, but that having notes in specs saying "but consider this" is worthwhile.
pep.> Because the same question will appear over and over
winfried> It has also to do a bit with localization of the XMPP network and values around an open internet. And *every* technology is political and XMPP certainly is. But we must take that discussion to the standards list.
Ge0rG> winfried: sorry, got caught up in a business call
Ge0rG feels ashamed and guilty
pep.> Ge0rG, pff
winfried> Ge0rG: expected sth like that
winfried> We have half an hour left now, can tick Q.2 there?
winfried> (can we)
pep.> Can we ?
pep.> is that Q1.2 rather than Q2?
pep.> I was still stuck in 1.1e in my minutes..
winfried> pep.: you are right.
winfried> I think 1.1e is about done by now
pep.> k, I'm not really clear on the boundaries of 1.1e, I have also mixed that with 1.2 certainly
lnj has joined
winfried> and the discussion @standards certainly is 1.3 ;-)
pep.> Right
Ge0rG> winfried: regarding the consent. I think it's technically not feasible (and neither legally reasonable) to ask for explicit consent for passing data from the user to other servers/third parties, for when the user tries to communicate with those third parties
Ge0rG> So "by using this server to communicate with third parties you agree that data will be passed to third parties" is IMHO a good trade-off
winfried> Ge0rG: agree
daniel has left
jonasw> Ge0rG, the consent thing was about local MAM though
winfried> pep.: plz put that sentence of Ge0rG in the minutes, we need it ;-)
pep.> winfried, we already had something similar, but yes
Ge0rG> jonasw: re local MAM the question is interesting.
Ge0rG> my position is that the client needs to inform the user that by enabling MAM, they will enable MAM.
Ge0rG> or rather, ask the user for consent to store data on the server.
Ge0rG> I've called out clients that silently auto-enable MAM before. Without success.
lovetox> But client doesn't know server policies, so how good is that consent?
Ge0rG> lovetox: did I hear "data-forms"?
lovetox> yes good idea, but then it's not only the client anymore 🙂
pep.> Ge0rG, so that's 6.1a realm?
pep.> And some more XEP (or just EULA?) required for this, as I was asking above
winfried> pep.: I would say: that is still informing and 6.1b
Ge0rG> lovetox: the server has a kind of tri-state of MAM of (undefined, enabled, disabled). The client comes and silently enables MAM. Who's at fault?
winfried> all processing is done to deliver the service the user requested, nothing more.
lovetox> What I want to say is, it would make sense for the server to communicate the policy on enable, or a xep that lets us retrieve those
pep.> ok
Ge0rG> I'm not sure how far we can put MAM in 6.1b land
lovetox> so we can really inform the user, not just say "we now going to store data somewhere, for some unknown time, and we don't know what will happen with it"
winfried> lovetox: correct
la|r|ma has left
pep.> ok, so what I've been asking above :P
pep.> slowly filling the gaps in the minutes
winfried> Ge0rG: what is your doubt? MAM is an archiving service and the user agrees to use that for that service, I would say that is 6.1b
jonasw> winfried, but the server would still have to prove that the user agreed to that service, right?
Kev> jonasw: Surely that's part of the service agreement the user sigs up to?
Kev> *signs
winfried> jonasw: difficult wording there, when you decide yourself to start using a service, then you agree to the data processing that is inherent to that service
pep.> you have to know what kind of processing though
pep.> That'd have to be ack-ed before signing in
winfried> pep.: the information must be available and up to date (art 12 if I recall correctly)
pep.> Right
winfried> pep.: but for 6.1a it has to be acked beforehand, for 6.1b not
pep.> So in the IBR process or similar, "This is what you are signing for. [Create]"
winfried> pep.: yes
lovetox has left
pep.> hmm, trying to summarize all this..
Guus has left
pep.> date of next?
winfried> a hairy issue is what if a client enables MAM by default? And does it make a difference if the UI of the client suggests storage or if it suggests the absence of persistence? And who is liable then?
pep.> winfried, what jonasw was asking
pep.> 20:10:05 jonasw> winfried, that was one of my original questions in the whole GDPR-in-XMPP discussion
20:10:10 jonasw> who is liable if the client didn’t properly ask?
20:10:23 jonasw> is it the client developer? or can the server operator rely on the client asking properly and blame the client if it didn’t?
winfried> pep.: translated to what we know now...
MattJ> What happens if you have a web-based consent form, but the user has some obscure browser that doesn't render the page correctly
MattJ> and maybe it has a bug that swaps the "I consent" and "I do not consent" button text
winfried> I think we can argue that if the client suggests immediate deletion but enables MAM silently the client is liable
pep.> MattJ, that's always been an issue? :x
Kev> winfried: But that the server presumably still had to say "If you enable MAM, we'll store X"?
pep.> GDPR is not changing anything here
winfried> Kev: yes it has to inform
jonasw> pep., but the analogy helps with the "what if the client doesn’t do things right" question
MattJ> pep., but now the server owner is legally liable? :)
jonasw> date of next?
winfried> MattJ: about what consent form are you talking? I am right now trying to circumvent all consent forms!
winfried> Mo, Tue, Thu & Fri are possible for me
Guus has left
pep.> Mon/Tue/Wed ok for me, the rest might be more difficult
winfried> Mon or Tue?
pep.> Actually.. I'll be in Karlsruhe with some other xsf people, so I can also do it from there :P
pep.> Assuming it's not *too* early (as I'll be in holidays ><)
jonasw> Mon is not possible
jonasw> Tue would work
pep.> Tue 12:30CEST?
jonasw> wfm
pep.> I'm in CEST next week btw, all week
Guus has left
jonasw> Ge0rG?
winfried> wfm
Guus has left
Syndace has joined
jubalh has joined
marmistrz has left
winfried> I will have to go, won't be waiting for Ge0rG
Guus has left
pep.> okay
pep.> The minutes won't appear just right now but I'll try to do that quickly
winfried> pep.: thanks once more!
winfried bangs a gavel, hoping Ge0rG hears it and confirms Tuesday
Zash has joined
Ge0rG> next week I'm completely unavailable
winfried> :-( is there any way we can still get your input?
moparisthebest> thanks MattJ ! so XEP-0368 is constructed the same way (same misunderstanding of requirements section) and I copied from there so this has been a long ongoing misunderstanding :)
MattJ> Heh, so it is... never noticed :)
moparisthebest> it even got all the way to Draft that way haha
MattJ> The technical stuff should be in "Use Cases", as e.g. "This is how a client should connect to the server" etc. etc.
moparisthebest> I *probably* copied an existing XEP back in 2015 but I couldn't even begin to guess
Kev has left
Kev has joined
Tobias has left
MattJ> Take a look at https://xmpp.org/extensions/xep-0297.html#requirements for a simple example, or https://xmpp.org/extensions/xep-0313.html#requirements for an example that replaces an existing protocol (and discusses why)
moparisthebest> https://github.com/xsf/xeps#new-protoxeps should mention XEP-0143 I think
moparisthebest> again I can't recall but I don't exactly remember reading it
jonasw> moparisthebest, that README is for editors, not for authors
moparisthebest> ok, then there should be a readme/section for authors :)
jonasw> right on the top it says:
> To submit a new proposal for consideration as a XEP, please read this page: https://xmpp.org/about/standards-process.html#submitting-a-xep
Maranda has left
moparisthebest> ah yes and then suggests the wrong way to do it
Maranda has joined
moparisthebest> (email editors instead of pull request)
jonasw> that’s not wrong
jonasw> just old
moparisthebest> and both links https://xmpp.org/extensions/xep-template.xml and https://xmpp.org/about/xsf/xsf-source-control/ are broken
jonasw> mailing the editors is still totally a fine thing to do
jonasw> moparisthebest, PRs against the website welcome
moparisthebest> I would just put the correct procedure at the top of the readme in the xeps repository
jonasw> why not both
Tim has left
moparisthebest> yea and fix the website
jonasw> PRs welcome
jonasw> will be happy to review them
pep.> "By creating a post, you agree to Imgur's [Terms of Service] and [Privacy Policy]" What imgur.com has btw
Tobias has left
jonasw> wait until May 25th
jonasw> I’m still getting at least two mails per week from services which have adapted their ToS/Privacy stuff
jonasw> and imgur didn’t do that yet
jonasw> so that may still be a WIP
pep.> yeah
pep.> I'm also getting spammed by policy updates
Ge0rG> There is an easy solution to the GDPR now! https://gdpr-shield.io/
moparisthebest> ha I love it
Ge0rG> > We provide you with a JavaScript snippet that you'll paste into your site's existing HTML code
> We'll check every user that visits your site and block access to users from the EU. This happens in the background and doesn't affect your site's speed for non-EU users
Ge0rG> This!
Tobias has left
jubalh has left
MattJ> <stream:stream><script...
moparisthebest> Or just put a "EU citizens not allowed" disclaimer in your TOS, that's what I did in the motd of my IRC server for German citizens
Ge0rG> moparisthebest: I'd say that doesn't qualify
moparisthebest> Why not?
moparisthebest> How could I be liable if you illegally use my service in violation of my terms?
goffi has joined
Ge0rG> moparisthebest: I'd say you need to explicitly block the EU IPs
jjrh has left
moparisthebest> Why?
Wiktor> Does it really apply to moparisthebest's IRC server? I guess he doesn't collect any personal info there.
Maranda has left
moparisthebest> I think similar should work everywhere even if you do collect PII
jubalh has joined
Wiktor> Yeah but irc doesn't need your personal data and by design it's a public forum.
jjrh has left
Maranda has joined
jonasw> but most nickservs operate using email addresses
jonasw> which are PII
Ge0rG> And IPs. You need those against spambots!
Wiktor> A similar thread was recently here https://news.ycombinator.com/item?id=16661323
Wiktor> > Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
moparisthebest> interesting
Wiktor> I think a ToS like moparisthebest's would strongly signal it does not target EU.
alexis has left
alexis has joined
Ge0rG> Wiktor: I think that "specifically targeting" are weasel words that need to be checked by courts.
Wiktor> Sure, I'm not your lawyer, but I wouldn't panic if I was moparisthebest :)
Guus has left
Ge0rG> Why, you can't panic often enough.
Guus has left
moparisthebest> EU citizens are forbidden from using this IRC server
- This is specified so the GDPR does not apply:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
moparisthebest> added that to my motd, done and done, GDPR is easy!
MattJ> I really don't think it works like that :)
Ge0rG> MattJ: I might have said the same thing before, without convincing anybody.
alexis has left
alexis has joined
moparisthebest> no one is going to sue me for that anyway, but if they do, I think 'they were forbidden from using my server' is a pretty strong argument
vanitasvitae has left
moparisthebest> also 'go *&@! yourself I'm not flying to the EU to appear in court' is pretty good too
pep.> re gdpr-shield, I was going to ask what if I disable JS, but in that case I probably won't have access to the website anyway :)
daniel has left
Syndace has joined
Ge0rG> pep.: websites on .io require JS, didn't you know?
pep.> yeah I know
pep.> That's why I corrected myself
Wiktor> > This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
Source: https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr
moparisthebest> does anyone know if any servers implement bcc from here? https://xmpp.org/extensions/xep-0033.html#addr-type