Hi all,
The XSF infrastructure team is planning to move our mailman installation
from a dedicated machine to a cloud service. When doing so, we also plan
to delete some lists that are no longer in use or that could be replaced
with chatrooms. Do we feel the need to keep this list for coordination
among server operators, or could we use the operators@ chatroom instead?
Peter
Hello Operators,
Notes:
- I am aware a lot of this will be IANAL, however I wanted to ask
anyway to see others' views on this.
- As the subject states, this is mainly concerning UK GDPR, however EU
GDPR is pretty similar and therefore I am sure advice will carry over.
- One of the reasons I wanted to mailing list this is that I feel it
could be a pretty good reference for others who are planning to run
XMPP servers within the UK/EU, for personal use or for educational use.
Information on this doesn't seem to be widespread, and many people
(including me) can't simply ask a lawyer for their interpretation.
- I self host my own server, and I run my own XMPP server on it for me
and my friends. My server is closed registration.
The issue:
Under UK GDPR (not sure about the EU one) the only grounds for
exemption is "Residential use" (other than police and national
security, which are also exempt), quoting from the ICO:
"Domestic purposes – personal data processed in the course of a purely
personal or household activity, with no connection to a professional or
commercial activity, is outside the UK GDPR’s scope. This means that if
you only use personal data for such things as writing to friends and
family or taking pictures for your own enjoyment, you are not subject
to the UK GDPR." [1]
(For those who don't know who the ICO is, they are the British data
protection authority, see [2])
At first, at least in my case, this seems pretty easy. The data is
stored domestically, it is used with me and my friends for
communication, there shouldn't be any more to it... right?
But there is. I regularly connect and talk in many MUCs for open source
projects, such as Ignite Realtime (where this was initially discussed,
until Guus suggested moving it to operators, thanks Guus :) ).
IP addresses are considered identifiable information, and logs will
store said information. This therefore means my server is storing
identifiable information on other servers, in this case servers which
could be considered to be for commercial purposes.
It needs to be noted that commercial purposes doesn't necessarily mean
paid services; charities and non-profits are included within the
definition. Open source projects COULD be considered commercial
purposes because, although contributions are provided free of charge,
it is still a "donation" of sorts in the way of code.
The definition of "professional" does not seem to be clarified anywhere
on the ICO page, nor in their legal definitions [3]. It doesn't seem to
be within the UK GDPR legislation [4] (I will admit I did not read all
of this; I tried searching for keywords and found nothing. If someone
has read it all and knows where this exception is clarified, please let
me know). Professional could mean a lot, but I will assume it is to do
with some sort of "work", which therefore would include open source
contributions.
This therefore could break the "no connection to professional or
commercial activity". To be honest, the easiest thing to draw from this
is that if it involves someone who is not family or a friend (or
yourself), you are very likely not to be exempt.
For those who will suggest a zero storage solution, where the XMPP
server doesn't store any data: it still comes under GDPR due to
PROCESSING of data. Simply processing it, even if you don't store it,
will have GDPR requirements.
Failure to pay when you are required to results in fines.
This is really cracking open a huge can of worms; it isn't so much a
case of "ah £45/yr is no big deal". Once you are exempt you must follow
all the legal requirements of GDPR, and for a hobby? Is it worth it?
I am 100% sure an XMPP server which does not federate, which is used
to communicate with friends, would be exempt. But I have my doubts
whether a federated server can still use the same exemption clause.
Whether it is IANAL or not, what are your opinions on this?
(Note: This is also a big drawback to why, even though I have resources
to contribute, I can't simply set up a public instance to help out the
XMPP community... doing so has legal requirements)
Oh, and this ignores the Communications Act, under which your legal
status must be declared to your ISP (Subscriber, Communications
Provider, or Internet Service Provider), the definitions of which are
obscure. My ISP leaves it up to me to decide which I fall under, and if
they get fined for it, I am expected to pay the fine.
This is a can of worms I have avoided for years now, in the hope that
my hobby is too small for anyone to care about. This is a separate
issue; GDPR is the topic of this thread :)
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
[1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exempti…
[2] https://en.wikipedia.org/wiki/Information_Commissioner's_Office
[3] https://ico.org.uk/for-organisations/data-protection-fee/legal-definitions-…
[4] https://www.legislation.gov.uk/ukpga/2018/12/contents
Hi all,
This topic is all over the internet at this point, and I doubt most operators here
would be affected, but it is worth a heads-up for people who do not stay on top
of the news:
The current maintainer (and also for the past two years) of xz-utils, which is
included in about every linux distribution in existence, has been backdooring
the release tarball of the package since at least February 2024 and the 5.6.0 release.
The backdoor is specifically targeted at Debian and RPM-based systems, with
one known effect being remote unauthorized access to the SSH server
(due to those distributions patching sshd to link to systemd, which itself uses
liblzma from xz-utils).
The version is recent, and only included in debian sid/testing as well as
Fedora 40/41, which have since yesterday published new packages removing
the backdoor. Other distributions like Gentoo or Archlinux and derivatives were
also including the vulnerable versions, though it seems like no backdoored code
was built in there (the exploit was targeted during the build, and neither distribution
used a process that would include it).
The investigation is ongoing, but here [1] is the link to the oss-security mail which
was the first publication on that topic, and here [2] is a more detailed writeup of
the events.
Stay safe,
Mathieu
[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://boehs.org/node/everything-i-know-about-the-xz-backdoor
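A host-side check for the two conditions Mathieu's mail describes (an xz-utils release of 5.6.0 or later, and an sshd binary that loads liblzma through libsystemd), added here as an example and not part of the original thread. The 5.6.0 threshold is the one named in the mail; treating every later release as suspect, and the use of `ldd` to discover the transitive link, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Reports whether this host
# carries xz-utils 5.6.0 or later and whether sshd pulls in liblzma.

# Extract the version from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.0" -> "5.6.0". Takes the line as an argument
# so it can be exercised without xz installed.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if the version is 5.6.0 or later (assumption: all later releases
# are treated as suspect); non-zero otherwise or for malformed input.
xz_version_suspect() {
    v="$1"
    case "$v" in ''|*[!0-9.]*) return 1 ;; esac
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    [ "${major:-0}" -gt 5 ] && return 0
    [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -ge 6 ] && return 0
    return 1
}

# Exit 0 if the sshd binary loads liblzma, directly or transitively
# (the sshd -> libsystemd -> liblzma path described in the mail).
sshd_links_liblzma() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | grep -q liblzma
}

main() {
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "xz: not installed or version banner not recognised"
    elif xz_version_suspect "$ver"; then
        echo "xz $ver: 5.6.0 or later, check your distribution's advisory"
    else
        echo "xz $ver: below 5.6.0, not in the affected range"
    fi
    if sshd_links_liblzma; then
        echo "sshd loads liblzma: the sshd exposure path applies on this host"
    else
        echo "sshd not found, or it does not load liblzma"
    fi
}

main
```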