probably... feel I am living in a different zone right now ;-)
winfried
"Date of Next: 2018/05/04 11:00 UTC" - I am not totally crazy ;-)
jonasw
oh oops
jonasw
welp
Kev
11:00Z is in two hours (just under)
winfried
From the mail from pep.
jonasw
right
jonasw
ah
jonasw
now I’m super confused
jonasw
and I *do* have UTC timestamps in MUCs.
winfried
so am I
jonasw
I don’t seem to be awake
Kev
It's 09:07Z at the moment.
jonasw
09:06:09 winfried> "Date of Next: 2018/05/04 11:00 UTC" - I am not totally crazy ;-)
jonasw
so yes, GDPR in 2h
winfried is fixing timezone bug in his mind
jonasw
echo 'Etc/Utc' | ssh winfried 'sudo tee /etc/localtime'
winfried dives into a mild jetlag, Amsterdam is not in UTC
winfried
I know where it is coming from: I always regard myself as the center of the world. :-D
winfried
will be back at 11:00 UTC ;-)
jonasw
gl
winfried
second attempt ;-)
jonasw
riiight, and I managed to entirely forget about this in the meantime :)
jonasw
I’m goood
jonasw
pep., Ge0rG, GDPR in 0
pep.
!
pep.
Same, I did also entirely forget
pep.
So, what's up for today
winfried
When updating the WiKi, I came across a question (is MAM 6.1a or 6.1b)
winfried
I want to discuss briefly how we handle existing specs
pep.
I think we settled on MAM is opt-in?
pep.
And that should be fixed in the XEP/clients
jonasw
(clients)
winfried
pep.: correct, but, if i recall correctly, the reason for it was that MAM is not 'naturally' part of the package when you are communicating
pep.
We won't go as far as to prompt the user when he decides to enable MAM right? I mean from the server. « Hey you're enabling MAM, here is what happens no: [..] »
winfried
pep.: exact
pep.
noa*
pep.
*nao
pep.
I'm not sure if we should go this road
winfried
but just enabling MAM rather is requesting a service in sense of art 6.1b than an opt-in in the sense of art 6.1a
Ge0rG
sorry I'm late.
winfried
welcome, Ge0rG
jonasw
winfried, is it? I’d say it’s kinda 6.1a
jonasw
is it very relevant?
jonasw
(which of it it is)
winfried
yes, 6.1a has quite tight regulations (art. 7)
winfried
6.1b not
jonasw
winfried, Art 7 should be no problem for enabling MAM
winfried
And the server operator should prove the client has asked the question, kind of hard
jonasw
winfried, that was one of my original questions in the whole GDPR-in-XMPP discussion
jonasw
who is liable if the client didn’t properly ask?
jonasw
is it the client developer? or can the server operator rely on the client asking properly and blame the client if it didn’t?
pep.
yeah and we haven't answered this really. Not that I'm qualified to
winfried
we can avoid that problem altogether if it is 6.1b, which is rather appropriate IMHO because enabling MAM is requesting a storage service
jonasw
I’m not convinced though that this is any type of contract
winfried
jonasw: what is your doubt?
jonasw
it may be my IANAL, but when I think contract, I think more formal than ticking a box in a UI
jonasw
with terms & conditions I can read and am aware of etc.
pep.
jonasw, that's what the EULA XEP is for right
jonasw
maybe
pep.
When I asked above « are we going to prompt the user when he decides to enable MAM, from the server », I had in mind some version of that
winfried
the eula xep is for the obligation to inform. And because the MAM (in case of a muc) may be hosted on another server, it may be appropriate to include a link to the EULA in that question to...
pep.
Like, client issues MAM query, EULA kicks in and requests ticking a box, and MAM gets enabled only if accepted
jonasw
winfried, and then, wouldn’t the server operator still have to kinda prove that there’s that contract with the user, in case of doubt?
pep.
I think the burden of proof is required anyway
winfried
pep.: using the service is enough burden of proof for a contract, not for 6.1a
pep.
When the user creates an account, "please read terms & conditions. Here's what's going to happen to your data [for X, Y reasons]. Are you ok with it?". This is what I'm picturing
pep.
I see
winfried
pep.: when going 6.1b, just informing is enough
pep.
Shall we allow for both in EULA then? 6.1b only (no ticking box), and 6.1a (ticking box, plus blocking operations)
winfried
pep.: don't know if that is any help, you still need the infrastructure for the burden of proof of 6.1a
pep.
I think MAM would fall under 6.1b like jonasw. The operator can state in the terms, "If you enable [MAM], here is what will happen"
winfried
pep.: exactly
winfried
Ge0rG: can you give your opinion on this? I propose we move on in the mean time...
pep.
right
winfried
We have a list of XEPs that have potential deletion problems, should we check other (all?) XEPs for issues?
jonasw
winfried, have you followed the discussion on standards@?
pep.
HTTP-upload?
jonasw
I’d like somebody except me to reply to the last part of the thread.
jonasw
yeah
winfried
nope, didn't, will look into it
pep.
jonasw, the part where people don't want to mix the XEP and laws?
pep.
protocol / laws*
jonasw
that, and the part with "better have a separate xep which discusses that"
pep.
Yeah. well changes are still required in the XEP to allow deletion via the protocol anyway right? This doesn't have to be because of local laws
MattJ
Right, I think the two things are separate
jonasw
daniel is against a deletion flow AFAIK
MattJ
I'm not saying I'm in favour of deletion (or against), I just think it's a separate concern
pep.
yeah
MattJ
An out-of-protocol deletion would work just as well
MattJ
Meanwhile there may be a non-GDPR case where someone accidentally shares the wrong file/picture
pep.
Not so long ago a user asked on movim@ for that iirc
jonasw
hah, just the other day :>
MattJ
:)
jonasw
and that fun day when somebody posted very ... uhm ... interesting ... drawn content in prosody@
MattJ
I guess I somehow missed that
winfried
I will respond in standards and I will need some time here to think it over: there are lots of things at stake in that discussion
pep.
We'll need to clear this issue while we're asking for changes in lots of other XEPs
Kev
My uninformed take on this is that the GDPR shouldn't mean any need to change any protocols, but that having notes in specs saying "but consider this" is worthwhile.
pep.
Because the same question will appear over and over
winfried
It has also to do a bit with localization of the XMPP network and values around an open internet. And *every* technology is political and XMPP certainly is. But we must take that discussion to the standards list.
Ge0rG
winfried: sorry, got caught up in a business call
Ge0rG feels ashamed and guilty
pep.
Ge0rG, pff
winfried
Ge0rG: expected sth like that
winfried
We have half an hour left now, can tick Q.2 there?
winfried
(can we)
pep.
Can we ?
pep.
is that Q1.2 rather than Q2?
pep.
I was still stuck in 1.1e in my minutes..
winfried
pep.: you are right.
winfried
I think 1.1e is about done by now
pep.
k, I'm not really clear on the boundaries of 1.1e, I have also mixed that with 1.2 certainly
winfried
and the discussion @standards certainly is 1.3 ;-)
pep.
Right
Ge0rG
winfried: regarding the consent. I think it's technically not feasible (and neither legally reasonable) to ask for explicit consent for passing data from the user to other servers/third parties, for when the user tries to communicate with those third parties
Ge0rG
So "by using this server to communicate with third parties you agree that data will be passed to third parties" is IMHO a good trade-off
winfried
Ge0rG: agree
jonasw
Ge0rG, the consent thing was about local MAM though
winfried
pep.: plz put that sentence of Ge0rG in the minutes, we need it ;-)
pep.
winfried, we already had something similar, but yes
Ge0rG
jonasw: re local MAM the question is interesting.
Ge0rG
my position is that the client needs to inform the user that by enabling MAM, they will enable MAM.
Ge0rG
or rather, ask the user for consent to store data on the server.
Ge0rG
I've called out clients that silently auto-enable MAM before. Without success.
lovetox
But client doesn't know server policies, so how good is that consent?
Ge0rG
lovetox: did I hear "data-forms"?
lovetox
yes good idea, but then it's not only the client anymore 🙂
pep.
Ge0rG, so that's 6.1a realm?
pep.
And some more XEP (or just EULA?) required for this, as I was asking above
winfried
pep.: I would say: that is still informing and 6.1b
Ge0rG
lovetox: the server has a kind of tri-state of MAM of (undefined, enabled, disabled). The client comes and silently enables MAM. Who's at fault?
winfried
all processing is done to deliver the service the user requested, nothing more.
lovetox
What I want to say is, it would make sense for the server to communicate the policy on enable, or a xep that lets us retrieve those
pep.
ok
Ge0rG
I'm not sure how far we can put MAM in 6.1b land
lovetox
so we can really inform the user, not just say "we're now going to store data somewhere, for some unknown time, and we don't know what will happen with it"
winfried
lovetox: correct
pep.
ok, so what I've been asking above :P
pep. slowly filling the gaps in the minutes
winfried
Ge0rG: what is your doubt? MAM is an archiving service and the user agrees to use that for that service, I would say that is 6.1b
jonasw
winfried, but the server would still have to prove that the user agreed to that service, right?
Kev
jonasw: Surely that's part of the service agreement the user sigs up to?
Kev
*signs
winfried
jonasw: difficult wording there, when you decide yourself to start using a service, then you agree to the data processing that is inherent to that service
pep.
you have to know what kind of processing though
pep.
That'd have to be ack-ed before signing in
winfried
pep.: the information must be available and up to date (art 12 if I recall correctly)
pep.
Right
winfried
pep.: but for 6.1a it has to be acked beforehand, for 6.1b not
pep.
So in the IBR process or similar, "This is what you are signing for. [Create]"
winfried
pep.: yes
pep.
hmm, trying to summarize all this..
pep.
date of next?
winfried
a hairy issue is what if a client enables MAM by default? And does it make a difference if the UI of the client suggests storage or if it suggests the absence of persistence? And who is liable then?
pep.
winfried, what jonasw was asking
pep.
20:10:05 jonasw> winfried, that was one of my original questions in the whole GDPR-in-XMPP discussion
20:10:10 jonasw> who is liable if the client didn’t properly ask?
20:10:23 jonasw> is it the client developer? or can the server operator rely on the client asking properly and blame the client if it didn’t?
winfried
pep.: translated to what we know now...
MattJ
What happens if you have a web-based consent form, but the user has some obscure browser that doesn't render the page correctly
MattJ
and maybe it has a bug that swaps the "I consent" and "I do not consent" button text
winfried
I think we can argue that if the client suggests immediate deletion but enables MAM silently the client is liable
pep.
MattJ, that's always been an issue? :x
Kev
winfried: But that the server presumably still had to say "If you enable MAM, we'll store X"?
pep.
GDPR is not changing anything here
winfried
Kev: yes it has to inform
jonasw
pep., but the analogy helps with the "what if the client doesn’t do things right" question
MattJ
pep., but now the server owner is legally liable? :)
jonasw
date of next?
winfried
MattJ: about what consent form are you talking? I am right now trying to circumvent all consent forms!
winfried
Mo, Tue, Thu & Fri are possible for me
pep.
Mon/Tue/Wed ok for me, the rest might be more difficult
winfried
Mon or Tue?
pep.
Actually.. I'll be in Karlsruhe with some other xsf people, so I can also do it from there :P
pep.
Assuming it's not *too* early (as I'll be in holidays ><)
jonasw
Mon is not possible
jonasw
Tue would work
pep.
Tue 12:30CEST?
jonasw
wfm
pep.
I'm in CEST next week btw, all week
jonasw
Ge0rG?
winfried
wfm
winfried
I will have to go, won't be waiting for Ge0rG
pep.
okay
pep.
The minutes won't appear just right now but I'll try to do that quickly
winfried
pep.: thanks once more!
winfried bangs a gavel, hoping Ge0rG hears it and confirms Tuesday
Ge0rG
next week I'm completely unavailable
winfried
:-( is there any way we can still get your input?
moparisthebest
thanks MattJ ! so XEP-0368 is constructed the same way (same misunderstanding of requirements section) and I copied from there so this has been a long ongoing misunderstanding :)
The technical stuff should be in "Use Cases", as e.g. "This is how a client should connect to the server" etc. etc.
moparisthebest
I *probably* copied an existing XEP back in 2015 but I couldn't even begin to guess
MattJ
Take a look at https://xmpp.org/extensions/xep-0297.html#requirements for a simple example, or https://xmpp.org/extensions/xep-0313.html#requirements for an example that replaces an existing protocol (and discusses why)
moparisthebest
https://github.com/xsf/xeps#new-protoxeps should mention XEP-0143 I think
moparisthebest
again I can't recall but I don't exactly remember reading it
jonasw
moparisthebest, that README is for editors, not for authors
moparisthebest
ok, then there should be a readme/section for authors :)
jonasw
right on the top it says:
> To submit a new proposal for consideration as a XEP, please read this page: https://xmpp.org/about/standards-process.html#submitting-a-xep
moparisthebest
ah yes and then suggests the wrong way to do it
moparisthebest
(email editors instead of pull request)
jonasw
that’s not wrong
jonasw
just old
moparisthebest
and both links https://xmpp.org/extensions/xep-template.xml and https://xmpp.org/about/xsf/xsf-source-control/ are broken
jonasw
mailing the editors is still totally a fine thing to do
jonasw
moparisthebest, PRs against the website welcome
moparisthebest
I would just put the correct procedure at the top of the readme in the xeps repository
jonasw
why not both
moparisthebest
yea and fix the website
jonasw
PRs welcome
jonasw
will be happy to review them
pep.
"By creating a post, you agree to Imgur's [Terms of Service] and [Privacy Policy]" What imgur.com has btw
jonasw
wait until May 25th
jonasw
I’m still getting at least two mails per week from services which have adapted their ToS/Privacy stuff
jonasw
and imgur didn’t do that yet
jonasw
so that may still be a WIP
pep.
yeah
pep.
I'm also getting spammed by policy updates
Ge0rG
There is an easy solution to the GDPR now! https://gdpr-shield.io/
moparisthebest
ha I love it
Ge0rG
> We provide you with a JavaScript snippet that you'll paste into your site's existing HTML code
> We'll check every user that visits your site and block access to users from the EU. This happens in the background and doesn't affect your site's speed for non-EU users
Ge0rG
This!
MattJ
<stream:stream><script...
moparisthebest
Or just put a "EU citizens not allowed" disclaimer in your TOS, that's what I did in the motd of my IRC server for German citizens
Ge0rG
moparisthebest: I'd say that doesn't qualify
moparisthebest
Why not?
moparisthebest
How could I be liable if you illegally use my service in violation of my terms?
Ge0rG
moparisthebest: I'd say you need to explicitly block the EU IPs
moparisthebest
Why?
Wiktor
Does it really apply to moparisthebest's IRC server? I guess he doesn't collect any personal info there.
moparisthebest
I think similar should work everywhere even if you do collect PII
Wiktor
Yeah but irc doesn't need your personal data and by design it's a public forum.
jonasw
but most nickservs operate using email addresses
jonasw
which are PII
Ge0rG
And IPs. You need those against spambots!
Wiktor
A similar thread was recently here https://news.ycombinator.com/item?id=16661323
Wiktor
> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
moparisthebest
interesting
Wiktor
I think a ToS like moparisthebest would strongly signal it does not target EU.
Ge0rG
Wiktor: I think that "specifically targeting" are weasel words that need to be checked by courts.
Wiktor
Sure, I'm not your lawyer, but I wouldn't panic if I was moparisthebest :)
Ge0rG
Why, you can't panic often enough.
moparisthebest
EU citizens are forbidden from using this IRC server
- This is specified so the GDPR does not apply:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
moparisthebest
added that to my motd, done and done, GDPR is easy!
MattJ
I really don't think it works like that :)
Ge0rG
MattJ: I might have said the same thing before, without convincing anybody.
moparisthebest
no one is going to sue me for that anyway, but if they do, I think 'they were forbidden from using my server' is a pretty strong argument
moparisthebest
also 'go *&@! yourself I'm not flying to the EU to appear in court' is pretty good too
pep.
re gdpr-shield, I was going to ask what if I disable JS, but in that case I probably won't have access to the website anyway :)
Ge0rG
pep.: websites on .io require JS, didn't you know?
pep.
yeah I know
pep.
That's why I corrected myself
Wiktor
> This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
Source: https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr
moparisthebest
does anyone know if any servers implement bcc from here? https://xmpp.org/extensions/xep-0033.html#addr-type