-
winfried
GDPR
-
jonasw
in 2 hours?
-
winfried
(oops did I do it wrong?)
-
jonasw
my last information was 1300 CEST
-
jonasw
(a.k.a. 1100Z, so maybe timezone confusion?)
-
winfried
probably... feel I am living in a different zone right now ;-)
-
winfried
"Date of Next: 2018/05/04 11:00 UTC" - I am not totally crazy ;-)
-
jonasw
oh oops
-
jonasw
welp
-
Kev
11:00Z is in two hours (just under)
-
winfried
From the mail from pep.
-
jonasw
right
-
jonasw
ah
-
jonasw
now I’m super confused
-
jonasw
and I *do* have UTC timestamps in MUCs.
-
winfried
so am I
-
jonasw
I don’t seem to be awake
-
Kev
It's 09:07Z at the moment.
-
jonasw
09:06:09 winfried> "Date of Next: 2018/05/04 11:00 UTC" - I am not totally crazy ;-)
-
jonasw
so yes, GDPR in 2h
- winfried is fixing timezone bug in his mind
-
jonasw
echo 'Etc/Utc' | ssh winfried 'sudo tee /etc/localtime'
- winfried dives into a mild jetlag, Amsterdam is not in UTC
-
winfried
I know where it is coming from: I always regard myself as the center of the world. :-D
-
winfried
will be back at 11:00 UTC ;-)
-
jonasw
gl
-
winfried
second attempt ;-)
-
jonasw
riiight, and I managed to entirely forget about this in the meantime :)
-
jonasw
I’m goood
-
jonasw
pep., Ge0rG, GDPR in 0
-
pep.
!
-
pep.
Same, I did also entirely forget
-
pep.
So, what's up for today
-
winfried
When updating the Wiki, I came across a question (is MAM 6.1a or 6.1b)
-
winfried
I want to discuss briefly how we handle existing specs
-
pep.
I think we settled on MAM is opt-in?
-
pep.
And that should be fixed in the XEP/clients
-
jonasw
(clients)
-
winfried
pep.: correct, but, if I recall correctly, the reason for it was that MAM is not 'naturally' part of the package when you are communicating
-
pep.
We won't go as far as to prompt the user when he decides to enable MAM right? I mean from the server. « Hey you're enabling MAM, here is what happens no: [..] »
-
winfried
pep.: exact
-
pep.
noa*
-
pep.
*nao
-
pep.
I'm not sure if we should go this road
-
winfried
but just enabling MAM rather is requesting a service in the sense of art 6.1b than an opt-in in the sense of art 6.1a
-
Ge0rG
sorry I'm late.
-
winfried
welcome, Ge0rG
-
jonasw
winfried, is it? I’d say it’s kinda 6.1a
-
jonasw
is it very relevant?
-
jonasw
(which of it it is)
-
winfried
yes, 6.1a has quite tight regulations (art. 7)
-
winfried
6.1b not
-
jonasw
winfried, Art 7 should be no problem for enabling MAM
-
winfried
And the server operator should prove the client has asked the question, kind of hard
-
jonasw
winfried, that was one of my original questions in the whole GDPR-in-XMPP discussion
-
jonasw
who is liable if the client didn’t properly ask?
-
jonasw
is it the client developer? or can the server operator rely on the client asking properly and blame the client if it didn’t?
-
pep.
yeah and we haven't answered this really. Not that I'm qualified to
-
winfried
we can avoid that problem altogether if it is 6.1b, which is rather appropriate IMHO because enabling MAM is requesting a storage service
-
jonasw
I’m not convinced though that this is any type of contract
-
winfried
jonasw: what is your doubt?
-
jonasw
it may be my IANAL, but when I think contract, I think more formal than ticking a box in a UI
-
jonasw
with terms & conditions I can read and am aware of etc.
-
pep.
jonasw, that's what the EULA XEP is for right
-
jonasw
maybe
-
pep.
When I asked above « are we going to prompt the user when he decides to enable MAM, from the server », I had in mind some version of that
-
winfried
the EULA XEP is for the obligation to inform. And because the MAM (in case of a MUC) may be hosted on another server, it may be appropriate to include a link to the EULA in that question too...
-
pep.
Like, client issues MAM query, EULA kicks in and requests ticking a box, and MAM gets enabled only if accepted
-
jonasw
winfried, and then, wouldn’t the server operator still have to kinda prove that there’s that contract with the user, in case of doubt?
-
pep.
I think the burden of proof is required anyway
-
winfried
pep.: using the service is enough burden of proof for a contract, not for 6.1a
-
pep.
When the user creates an account, "please read terms & conditions. Here's what's going to happen to your data [for X, Y reasons]. Are you ok with it?". This is what I'm picturing
-
pep.
I see
-
winfried
pep.: when going 6.1b, just informing is enough
-
pep.
Shall we allow for both in EULA then? 6.1b only (no ticking box), and 6.1a (ticking box, plus blocking operations)
-
winfried
pep.: don't know if that is any help, you still need the infrastructure for the burden of proof of 6.1a
-
pep.
I think MAM would fall under 6.1b like jonasw. The operator can state in the terms, "If you enable [MAM], here is what will happen"
-
winfried
pep.: exactly
-
winfried
Ge0rG: can you give your opinion on this? I propose we move on in the mean time...
-
pep.
right
-
winfried
We have a list of XEPs that have potential deletion problems, should we check other (all?) XEPs for issues?
-
jonasw
winfried, have you followed the discussion on standards@?
-
pep.
HTTP-upload?
-
jonasw
I’d like somebody except me to reply to the last part of the thread.
-
jonasw
yeah
-
winfried
nope, didn't, will look into it
-
pep.
jonasw, the part where people don't want to mix the XEP and laws?
-
pep.
protocol / laws*
-
jonasw
that, and the part with "better have a separate xep which discusses that"
-
pep.
Yeah. well changes are still required in the XEP to allow deletion via the protocol anyway right? This doesn't have to be because of local laws
-
MattJ
Right, I think the two things are separate
-
jonasw
daniel is against a deletion flow AFAIK
-
MattJ
I'm not saying I'm in favour of deletion (or against), I just think it's a separate concern
-
pep.
yeah
-
MattJ
An out-of-protocol deletion would work just as well
-
MattJ
Meanwhile there may be a non-GDPR case where someone accidentally shares the wrong file/picture
-
pep.
Not so long ago a user asked on movim@ for that iirc
-
jonasw
hah, just the other day :>
-
MattJ
:)
-
jonasw
and that fun day when somebody posted very ... uhm ... interesting ... drawn content in prosody@
-
MattJ
I guess I somehow missed that
-
winfried
I will respond in standards and I will need some time here to think it over: there are lots of things at stake in that discussion
-
pep.
We'll need to clear this issue while we're asking for changes in lots of other XEPs
-
Kev
My uninformed take on this is that the GDPR shouldn't mean any need to change any protocols, but that having notes in specs saying "but consider this" is worthwhile.
-
pep.
Because the same question will appear over and over
-
winfried
It has also to do a bit with localization of the XMPP network and values around an open internet. And *every* technology is political and XMPP certainly is. But we must take that discussion to the standards list.
-
Ge0rG
winfried: sorry, got caught up in a business call
- Ge0rG feels ashamed and guilty
-
pep.
Ge0rG, pff
-
winfried
Ge0rG: expected sth like that
-
winfried
We have half an hour left now, can tick Q.2 there?
-
winfried
(can we)
-
pep.
Can we ?
-
pep.
is that Q1.2 rather than Q2?
-
pep.
I was still stuck in 1.1e in my minutes..
-
winfried
pep.: you are right.
-
winfried
I think 1.1e is about done by now
-
pep.
k, I'm not really clear on the boundaries of 1.1e, I have also mixed that with 1.2 certainly
-
winfried
and the discussion @standards certainly is 1.3 ;-)
-
pep.
Right
-
Ge0rG
winfried: regarding the consent. I think it's technically not feasible (and neither legally reasonable) to ask for explicit consent for passing data from the user to other servers/third parties, for when the user tries to communicate with those third parties
-
Ge0rG
So "by using this server to communicate with third parties you agree that data will be passed to third parties" is IMHO a good trade-off
-
winfried
Ge0rG: agree
-
jonasw
Ge0rG, the consent thing was about local MAM though
-
winfried
pep.: plz put that sentence of Ge0rG in the minutes, we need it ;-)
-
pep.
winfried, we already had something similar, but yes
-
Ge0rG
jonasw: re local MAM the question is interesting.
-
Ge0rG
my position is that the client needs to inform the user that by enabling MAM, they will enable MAM.
-
Ge0rG
or rather, ask the user for consent to store data on the server.
-
Ge0rG
I've called out clients that silently auto-enable MAM before. Without success.
-
lovetox
But the client doesn't know server policies, so how good is that consent?
-
Ge0rG
lovetox: did I hear "data-forms"?
-
lovetox
yes good idea, but then it's not only the client anymore 🙂
-
pep.
Ge0rG, so that's 6.1a realm?
-
pep.
And some more XEP (or just EULA?) required for this, as I was asking above
-
winfried
pep.: I would say: that is still informing and 6.1b
-
Ge0rG
lovetox: the server has a kind of tri-state of MAM of (undefined, enabled, disabled). The client comes and silently enables MAM. Who's at fault?
-
winfried
all processing is done to deliver the service the user requested, nothing more.
-
lovetox
What i want to say is, it would make sense for the server to communicate the policy on enable, or a xep that lets us retrieve those
-
pep.
ok
-
Ge0rG
I'm not sure how far we can put MAM in 6.1b land
-
lovetox
so we can really inform the user, not just say "we're now going to store data somewhere, for some unknown time, and we don't know what will happen with it"
-
winfried
lovetox: correct
-
pep.
ok, so what I've been asking above :P
- pep. slowly filling the gaps in the minutes
-
winfried
Ge0rG: what is your doubt? MAM is an archiving service and the user agrees to use that for that service, I would say that is 6.1b
-
jonasw
winfried, but the server would still have to prove that the user agreed to that service, right?
-
Kev
jonasw: Surely that's part of the service agreement the user sigs up to?
-
Kev
*signs
-
winfried
jonasw: difficult wording there, when you decide yourself to start using a service, then you agree to the data processing that is inherent to that service
-
pep.
you have to know what kind of processing though
-
pep.
That'd have to be ack-ed before signing in
-
winfried
pep.: the information must be available and up to date (art 12 if I recall correctly)
-
pep.
Right
-
winfried
pep.: but for 6.1a it has to be acked beforehand, for 6.1b not
-
pep.
So in the IBR process or similar, "This is what you are signing up for. [Create]"
-
winfried
pep.: yes
-
pep.
hmm, trying to summarize all this..
-
pep.
date of next?
-
winfried
a hairy issue is what if a client enables MAM by default? And does it make a difference if the UI of the client suggests storage or if it suggests the absence of persistence? And who is liable then?
-
pep.
winfried, what jonasw was asking
-
pep.
20:10:05 jonasw> winfried, that was one of my original questions in the whole GDPR-in-XMPP discussion
20:10:10 jonasw> who is liable if the client didn’t properly ask?
20:10:23 jonasw> is it the client developer? or can the server operator rely on the client asking properly and blame the client if it didn’t?
-
winfried
pep.: translated to what we know now...
-
MattJ
What happens if you have a web-based consent form, but the user has some obscure browser that doesn't render the page correctly
-
MattJ
and maybe it has a bug that swaps the "I consent" and "I do not consent" button text
-
winfried
I think we can argue that if the client suggests immediate deletion but enables MAM silently, the client is liable
-
pep.
MattJ, that's always been an issue? :x
-
Kev
winfried: But that the server presumably still had to say "If you enable MAM, we'll store X"?
-
pep.
GDPR is not changing anything here
-
winfried
Kev: yes it has to inform
-
jonasw
pep., but the analogy helps with the "what if the client doesn’t do things right" question
-
MattJ
pep., but now the server owner is legally liable? :)
-
jonasw
date of next?
-
winfried
MattJ: about what consent form are you talking? I am right now trying to circumvent all consent forms!
-
winfried
Mo, Tue, Thu & Fri are possible for me
-
pep.
Mon/Tue/Wed ok for me, the rest might be more difficult
-
winfried
Mon or Tue?
-
pep.
Actually.. I'll be in Karlsruhe with some other xsf people, so I can also do it from there :P
-
pep.
Assuming it's not *too* early (as I'll be on holiday ><)
-
jonasw
Mon is not possible
-
jonasw
Tue would work
-
pep.
Tue 12:30CEST?
-
jonasw
wfm
-
pep.
I'm in CEST next week btw, all week
-
jonasw
Ge0rG?
-
winfried
wfm
-
winfried
I will have to go, won't be waiting for Ge0rG
-
pep.
okay
-
pep.
The minutes won't appear just right now but I'll try to do that quickly
-
winfried
pep.: thanks once more!
- winfried bangs a gavel, hoping Ge0rG hears it and confirms tuesday
-
Ge0rG
next week I'm completely unavailable
-
winfried
:-( is there any way we can still get your input?
-
moparisthebest
thanks MattJ ! so XEP-0368 is constructed the same way (same misunderstanding of requirements section) and I copied from there so this has been a long ongoing misunderstanding :)
-
MattJ
Heh, so it is... never noticed :)
-
moparisthebest
it even got all the way to Draft that way haha
-
MattJ
Yeah, surprised nobody else noticed
-
MattJ
It's documented here: https://xmpp.org/extensions/xep-0143.html#sections-reqs
- jonasw hides
-
MattJ
The technical stuff should be in "Use Cases", as e.g. "This is how a client should connect to the server" etc. etc.
-
moparisthebest
I *probably* copied an existing XEP back in 2015 but I couldn't even begin to guess
-
MattJ
Take a look at https://xmpp.org/extensions/xep-0297.html#requirements for a simple example, or https://xmpp.org/extensions/xep-0313.html#requirements for an example that replaces an existing protocol (and discusses why)
-
moparisthebest
https://github.com/xsf/xeps#new-protoxeps should mention XEP-0143 I think
-
moparisthebest
again I can't recall but I don't exactly remember reading it
-
jonasw
moparisthebest, that README is for editors, not for authors
-
moparisthebest
ok, then there should be a readme/section for authors :)
-
jonasw
right on the top it says: > To submit a new proposal for consideration as a XEP, please read this page: https://xmpp.org/about/standards-process.html#submitting-a-xep
-
moparisthebest
ah yes and then suggests the wrong way to do it
-
moparisthebest
(email editors instead of pull request)
-
jonasw
that’s not wrong
-
jonasw
just old
-
moparisthebest
and both links https://xmpp.org/extensions/xep-template.xml and https://xmpp.org/about/xsf/xsf-source-control/ are broken
-
jonasw
mailing the editors is still totally a fine thing to do
-
jonasw
moparisthebest, PRs against the website welcome
-
moparisthebest
I would just put the correct procedure at the top of the readme in the xeps repository
-
jonasw
why not both
-
moparisthebest
yea and fix the website
-
jonasw
PRs welcome
-
jonasw
will be happy to review them
-
pep.
"By creating a post, you agree to Imgur's [Terms of Service] and [Privacy Policy]" is what imgur.com has btw
-
jonasw
wait until May 25th
-
jonasw
I’m still getting at least two mails per week from services which have adapted their ToS/Privacy stuff
-
jonasw
and imgur didn’t do that yet
-
jonasw
so that may still be a WIP
-
pep.
yeah
-
pep.
I'm also getting spammed by policy updates
-
Ge0rG
There is an easy solution to the GDPR now! https://gdpr-shield.io/
-
moparisthebest
ha I love it
-
Ge0rG
> We provide you with a JavaScript snippet that you'll paste into your site's existing HTML code
> We'll check every user that visits your site and block access to users from the EU. This happens in the background and doesn't affect your site's speed for non-EU users
-
Ge0rG
This!
-
MattJ
<stream:stream><script...
-
moparisthebest
Or just put an "EU citizens not allowed" disclaimer in your TOS, that's what I did in the motd of my IRC server for German citizens
-
Ge0rG
moparisthebest: I'd say that doesn't qualify
-
moparisthebest
Why not?
-
moparisthebest
How could I be liable if you illegally use my service in violation of my terms?
-
Ge0rG
moparisthebest: I'd say you need to explicitly block the EU IPs
-
moparisthebest
Why?
-
Wiktor
Does it really apply to moparisthebest's IRC server? I guess he doesn't collect any personal info there.
-
moparisthebest
I think similar should work everywhere even if you do collect PII
-
Wiktor
Yeah but irc doesn't need your personal data and by design it's a public forum.
-
jonasw
but most nickservs operate using email addresses
-
jonasw
which are PII
-
Ge0rG
And IPs. You need those against spambots!
-
Wiktor
A similar thread was recently here https://news.ycombinator.com/item?id=16661323
-
Wiktor
> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR. Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
-
moparisthebest
interesting
-
Wiktor
I think a ToS like moparisthebest's would strongly signal it does not target the EU.
-
Ge0rG
Wiktor: I think that "specifically targeting" are weasel words that need to be checked by courts.
-
Wiktor
Sure, I'm not your lawyer, but I wouldn't panic if I was moparisthebest :)
-
Ge0rG
Why, you can't panic often enough.
-
moparisthebest
EU citizens are forbidden from using this IRC server - This is specified so the GDPR does not apply: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
-
moparisthebest
added that to my motd, done and done, GDPR is easy!
-
MattJ
I really don't think it works like that :)
-
Ge0rG
MattJ: I might have said the same thing before, without convincing anybody.
-
moparisthebest
no one is going to sue me for that anyway, but if they do, I think 'they were forbidden from using my server' is a pretty strong argument
-
moparisthebest
also 'go *&@! yourself I'm not flying to the EU to appear in court' is pretty good too
-
pep.
re gdpr-shield, I was going to ask what if I disable JS, but in that case I probably won't have access to the website anyway :)
-
Ge0rG
pep.: websites on .io require JS, didn't you know?
-
pep.
yeah I know
-
pep.
That's why I corrected myself
-
Wiktor
> This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons." Source: https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr
-
moparisthebest
does anyone know if any servers implement bcc from here? https://xmpp.org/extensions/xep-0033.html#addr-type
-
Zash
https://hg.prosody.im/prosody-modules/file/f66a08f208ad/mod_addressing/mod_addressing.lua#l19
-
moparisthebest
thanks