15 Apr
2024
15 Apr
'24
2:43 p.m.
Hello Operators,
Notes:
- I am aware a lot of this will be IANAL, however I wanted to ask
anyways to see others views on this.
- As the subject states, this is mainly concerning UK GDPR, however EU
GDPR is pretty similar and therefore I am sure advice will carry over.
- One of the reasons I wanted to mailing list this, is that I feel it
could be a pretty good reference for others which are planning to run
XMPP servers within UK/EU, for personal use or for educational use,
information on this doesn't seem to be widespread, and many people
(including me) can't simply ask a lawyer for their interpretation.
- I self host my own server, and I run my own XMPP server on it for me
and my friends. My server is closed registration.
The issue:
Under UK GDPR (not sure about the EU one) the only grounds for
exemption is "Residential use" (other than police and national
security, which are also exempt), quoting from the ICO:
"Domestic purposes – personal data processed in the course of a purely
personal or household activity, with no connection to a professional or
commercial activity, is outside the UK GDPR’s scope. This means that if
you only use personal data for such things as writing to friends and
family or taking pictures for your own enjoyment, you are not subject
to the UK GDPR." [1]
(For those who don't know who the ICO is, they are the British data
protection authority, see [2])
At first, at least in my case, this seems pretty easy. The data is
stored domestically, it is used with me and my friends for
communication, there shouldn't be any more to it... right?
But there is. I regularly connect and talk in many MUCs for open source
projects, such as Ignite Realtime (which this was initially discussed
until Guus suggested moving it to operators, thanks Guus :) ).
IP addresses, are considered identifiable information, logs will store
said information, this therefore means my server is storing
identifiable information on other servers, in this case, servers which
could be considered for commercial purposes.
It needs to be noticed commercial purposes doesn't necessarily mean
paid services, charities and non-profits are included within the
definition. Open source projects COULD be considered commercial
purposes because, although contributions are provided free of charge,
it is still a "donation" of sorts in the way of code.
The definition of "professional" does not seem to be clarified anywhere
on the ICO page, nor in their legal definitions [3]. It doesn't seem to
be within the UK GDPR legislation [4] (I will admit I did not read all
of this, I tried searching for keywords and found nothing, if someone
read it all and knows where this exception is clarified, please let me
know). Professional could mean a lot, but I will assume it is to do
with some sort of "work", which therefore would include open source
contributions.
This therefore could break the "no connection to professional or
commercial activity", to be honest the easiest thing to draw from this
is if it involves someone who is not family or friend (or yourself),
you are very likely to not be exempt.
For those who will suggest a zero storage solution, where the XMPP
server doesn't store any data, it still comes under GDPR due to
PROCESSING of data, simply processing it, even if you don't store it,
will have GDPR requirements.
Failure to pay when you are required to results in fines.
This is really cracking open a huge can of worms, it isn't so much of
"ah £45/yr is no big deal", once you are exempt you must follow all the
legal requirements of GDPR, and for a hobby? Is it worth it?
I am 100% sure, an XMPP server which does not federate, which is used
to communicate with friends would be exempt. But I have my doubts
whether a federated server can still use the same exemption clause.
Whether it is IANAL or not, what are your opinions on this?
(Note: This is also a big drawback to why, even though I have resources
to contribute, I can't simply setup a public instance to help out the
XMPP community... doing so has legal requirements)
Oh and this ignores the Communications Act, which your legal status
must be declared to your ISP (Subscriber, Communications Provider, or
Internet Service Provider), which definitions of each, are obscure. My
ISP leaves it up to me to decide which I fall under, and if they get
fined for it, I am expected to pay the fine.
This is a can of worms I have avoided for years now, on the hope that
my hobby is too small for anyone to care about. This is a separate
issue, GDPR is the topic of this thread :)
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
[1]
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exempti…
[2] https://en.wikipedia.org/wiki/Information_Commissioner's_Office
[3]
https://ico.org.uk/for-organisations/data-protection-fee/legal-definitions-…
[4] https://www.legislation.gov.uk/ukpga/2018/12/contents
15 Apr
15 Apr
3:50 p.m.
Firstly, as far as I'm aware, the EU and UK GDPRs are broadly identical,
with the UK's differing only in a handful of bits talking about when
processing became subject to the UK version instead of the EU version, and
a heck of a lot of search and replace. I am not a lawyer, nor am Ia DPO, so
the following should not be considered legal advice.
I would strongly argue that you joining a chatroom does not mean you fall
under the ICO's remit, even if you store a copy of messages from others you
see, and even if you paid for the purpose.
Here's another example: If you buy a magazine related to your profession
(say, a computer programming journal), then they may publish a letters
page. This is surely an equivalent situation.
Similarly, you don't have to inform the ICO that you occasionally get phone
calls or receive a text message on your mobile - even if you *shock* store
the phone numbers you received them from on your phone. Forever. The same
reasoning has to apply for 1:1 messages you receive.
Now, if you offer others the ability to join your server, you're clearly
offering a service and that puts you firmly into the GDPR, whether it's
family or not.
Similarly, hosting a chatroom may also put you under the GDPR. You may need
a privacy policy, and may need to obtain consent. However, I think this one
is something of a grey area, and you might find there are legal arguments
for an exemption there.
On Mon, 15 Apr 2024 at 21:45, Polarian <polarian(a)polarian.dev> wrote:
Hello Operators,
Notes:
- I am aware a lot of this will be IANAL, however I wanted to ask
anyways to see others views on this.
- As the subject states, this is mainly concerning UK GDPR, however EU
GDPR is pretty similar and therefore I am sure advice will carry over.
- One of the reasons I wanted to mailing list this, is that I feel it
could be a pretty good reference for others which are planning to run
XMPP servers within UK/EU, for personal use or for educational use,
information on this doesn't seem to be widespread, and many people
(including me) can't simply ask a lawyer for their interpretation.
- I self host my own server, and I run my own XMPP server on it for me
and my friends. My server is closed registration.
The issue:
Under UK GDPR (not sure about the EU one) the only grounds for
exemption is "Residential use" (other than police and national
security, which are also exempt), quoting from the ICO:
"Domestic purposes – personal data processed in the course of a purely
personal or household activity, with no connection to a professional or
commercial activity, is outside the UK GDPR’s scope. This means that if
you only use personal data for such things as writing to friends and
family or taking pictures for your own enjoyment, you are not subject
to the UK GDPR." [1]
(For those who don't know who the ICO is, they are the British data
protection authority, see [2])
At first, at least in my case, this seems pretty easy. The data is
stored domestically, it is used with me and my friends for
communication, there shouldn't be any more to it... right?
But there is. I regularly connect and talk in many MUCs for open source
projects, such as Ignite Realtime (which this was initially discussed
until Guus suggested moving it to operators, thanks Guus :) ).
IP addresses, are considered identifiable information, logs will store
said information, this therefore means my server is storing
identifiable information on other servers, in this case, servers which
could be considered for commercial purposes.
It needs to be noticed commercial purposes doesn't necessarily mean
paid services, charities and non-profits are included within the
definition. Open source projects COULD be considered commercial
purposes because, although contributions are provided free of charge,
it is still a "donation" of sorts in the way of code.
The definition of "professional" does not seem to be clarified anywhere
on the ICO page, nor in their legal definitions [3]. It doesn't seem to
be within the UK GDPR legislation [4] (I will admit I did not read all
of this, I tried searching for keywords and found nothing, if someone
read it all and knows where this exception is clarified, please let me
know). Professional could mean a lot, but I will assume it is to do
with some sort of "work", which therefore would include open source
contributions.
This therefore could break the "no connection to professional or
commercial activity", to be honest the easiest thing to draw from this
is if it involves someone who is not family or friend (or yourself),
you are very likely to not be exempt.
For those who will suggest a zero storage solution, where the XMPP
server doesn't store any data, it still comes under GDPR due to
PROCESSING of data, simply processing it, even if you don't store it,
will have GDPR requirements.
Failure to pay when you are required to results in fines.
This is really cracking open a huge can of worms, it isn't so much of
"ah £45/yr is no big deal", once you are exempt you must follow all the
legal requirements of GDPR, and for a hobby? Is it worth it?
I am 100% sure, an XMPP server which does not federate, which is used
to communicate with friends would be exempt. But I have my doubts
whether a federated server can still use the same exemption clause.
Whether it is IANAL or not, what are your opinions on this?
(Note: This is also a big drawback to why, even though I have resources
to contribute, I can't simply setup a public instance to help out the
XMPP community... doing so has legal requirements)
Oh and this ignores the Communications Act, which your legal status
must be declared to your ISP (Subscriber, Communications Provider, or
Internet Service Provider), which definitions of each, are obscure. My
ISP leaves it up to me to decide which I fall under, and if they get
fined for it, I am expected to pay the fine.
This is a can of worms I have avoided for years now, on the hope that
my hobby is too small for anyone to care about. This is a separate
issue, GDPR is the topic of this thread :)
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
[1]
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exempti…
[2] https://en.wikipedia.org/wiki/Information_Commissioner's_Office
[3]
https://ico.org.uk/for-organisations/data-protection-fee/legal-definitions-…
[4] https://www.legislation.gov.uk/ukpga/2018/12/contents
6:20 p.m.
Hello,
I would strongly argue that you joining a chatroom
does not mean you
fall under the ICO's remit, even if you store a copy of messages from
others you see, and even if you paid for the purpose.
Here's another example: If you buy a magazine related to your
profession (say, a computer programming journal), then they may
publish a letters page. This is surely an equivalent situation.
Similarly, you don't have to inform the ICO that you occasionally get
phone calls or receive a text message on your mobile - even if you
*shock* store the phone numbers you received them from on your phone.
Forever. The same reasoning has to apply for 1:1 messages you receive.
However I am not only the client here, I am both the client and the
server.
In your interpretation you are seeing only the client, and not the
server in the mix, the client server is what connects to the remote
server, therefore storing and processing data which is for a client.
This could surely alter the interpretation no?
My server could be peering with a "corporate" or "professional"
servers, I guess its important to read the entire GDPR and not just
rely on the ICO regurgitation of the legislation.
Now, if you offer others the ability to join your
server, you're
clearly offering a service and that puts you firmly into the GDPR,
whether it's family or not.
Not exactly, quoting ICO from the previous email:
"This means that if you only use personal data for such things as
writing to friends and family or taking pictures for your own
enjoyment, you are not subject to the UK GDPR."
They literally state messaging friends or family does not fall under UK
GDPR, this is the purpose of my XMPP server, therefore I do not believe
this would be an issue.
Similarly, hosting a chatroom may also put you under
the GDPR. You
may need a privacy policy, and may need to obtain consent. However, I
think this one is something of a grey area, and you might find there
are legal arguments for an exemption there.
I doubt you can exempt this.
At it is, MUCs are a little bit of a difficulty... images are from each
individual MUC the user is from, this therefore means clients which
auto-download are feeding data to other MUCs without consent, if this
MUC isn't registered, then there are issues.
You could also use the same argument against http upload as a whole, a
foreign user is requesting data from your server, you are providing a
service to them to share a image.
The centre server hosting the MUC would ultimately be the one
responsible for the data, seen as its the one who would (possibly) have
logging and storing messages in MAM, furthermore its the one which is
making the connection to all the other servers users are from, and thus
it is the one which can see where all the messages are going.
I can see a very strong argument against hosting your own MUC and
against the use of http upload when joining federated channels, I think
there is a good chance this would remove the exemption and make you
liable for GDPR.
Again, not looking for definite legal advice, just wanting to see what
others think on the situation.
It does seem after further look into GDPR, one downside is that it
appears to be a kick in the balls to start ups which need to go through
the legal headache (and also small fee from SCO), and then for
individuals wanting to self host, the more I delve into it, the more it
seems that it effectively kills any self hosting which is
WAN-accessible.
Also there might even be a case against clients which default to
downloading images automatically. As a user you have consented to your
provider storing information on you, but in a MUC a client which
automatically downloads images is, without consent, connecting to
foreign servers which could log IP addresses (which are considered
identifiable information). Surely there should be a pop up warning you
"Hey auto downloading of http uploads is enabled, this will share your
IP with federated servers", you then consent to this and all is good.
Or thats my understanding at least, I am sure there is some way this is
fine.
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
16 Apr
16 Apr
3:42 a.m.
On Tue, 16 Apr 2024 at 01:22, Polarian <polarian(a)polarian.dev> wrote:
Ooooh... Nice try. So if you have a falling out with your cousin and they
demand you delete their account and associated data, you think that the
GDPR won't apply? Good luck with that.
If "friends" were a concrete exemption - it's not - then an organisation
could declare all its users to be friends.
Well, to be clear, I think the structure of XEP-0045 would make an argument
for exemption pretty interesting, but it's also a useful defence by dint of
being a published interoperable standard. You'll note that, for example,
you don't need to explicitly offer consent to use a DNS server, despite the
fact they may not only log your IP address (gasp!) but also process your IP
address data (shock!) to detect security issues. So I think it may be
possible to exempt a self-hosted MUC from GDPR consent requirements.
Whether that means it's exempt from registration I don't know.
Some further info here: How to satisfy GDPR's consent requirement for IP
logging? - Law Stack Exchange
<https://law.stackexchange.com/questions/28603/how-to-satisfy-gdprs-consent-requirement-for-ip-logging>
I suspect that the finding would be that a MUC hosted for reasons other
than being purely personal would need registration (ie, the £45 a year),
but not consent, at least for a standard MUC service (including MAM and the
other expected features of a typical chatroom service).
You could also use the same argument against http upload as a whole, a
Hello,
No, the question isn't "client" versus "server", those are
low-level
technical distinctions. Do not, ever, try to apply a technical meaning to a
legal document, there's a lot of impedance mismatch you'll find yourself
tripping over.
The GDPR does talk of "offering a service", but that is a business meaning
of service, rather than a technical one.
I would strongly argue that you joining a
chatroom does not mean you
fall under the ICO's remit, even if you store a copy of messages from
others you see, and even if you paid for the purpose.
Here's another example: If you buy a magazine related to your
profession (say, a computer programming journal), then they may
publish a letters page. This is surely an equivalent situation.
Similarly, you don't have to inform the ICO that you occasionally get
phone calls or receive a text message on your mobile - even if you
*shock* store the phone numbers you received them from on your phone.
Forever. The same reasoning has to apply for 1:1 messages you receive.
However I am not only the client here, I am both the client and the
server.
In your interpretation you are seeing only the client, and not the
server in the mix, the client server is what connects to the remote
server, therefore storing and processing data which is for a client.
This could surely alter the interpretation no?
My server could be peering with a
"corporate" or "professional"
servers, I guess its important to read the entire GDPR and not just
rely on the ICO regurgitation of the legislation.
Your stuff (client, server, etc) is accessing a service offered by those
other servers. This is no different to you accessing, I dunno, a discord
server over a web browser. The GDPR affects the service provider (or more
accurately, the controller and processors).
Now, if you
offer others the ability to join your server, you're
clearly offering a service and that puts you firmly into the GDPR,
whether it's family or not.
Not exactly, quoting ICO from the previous email:
"This means that if you only use personal data for such things as
writing to friends and family or taking pictures for your own
enjoyment, you are not subject to the UK GDPR."
They literally state messaging friends or family does not fall under UK
GDPR, this is the purpose of my XMPP server, therefore I do not believe
this would be an issue.
Similarly,
hosting a chatroom may also put you under the GDPR. You
may need a privacy policy, and may need to obtain consent. However, I
think this one is something of a grey area, and you might find there
are legal arguments for an exemption there.
I doubt you can exempt this.
At it is, MUCs are a little bit of a difficulty... images are from each
individual MUC the user is from, this therefore means clients which
auto-download are feeding data to other MUCs without consent, if this
MUC isn't registered, then there are issues.
foreign user is requesting data from your server, you
are providing a
service to them to share a image.
Yes, HTTP upload is a privacy nightmare. It's also a general problem for
federated services where the clients lack full connectivity; like they're
behind an enterprise firewall. Or over a low-bandwidth radio link. But I
think that from a GDPR point of view, it'd only become an issue if you were
deliberately abusing the privacy issues to tie a user's identity to the IP
address for further processing.
Again, "service" here is not the same as the technical meaning. Your own
HTTP upload service isn't a thing you offer to everyone, it's a thing you
have to run to send people pictures of cats.
It does seem after further look into GDPR, one
downside is that it
appears to be a kick in the balls to start ups which need to go through
the legal headache (and also small fee from SCO), and then for
individuals wanting to self host, the more I delve into it, the more it
seems that it effectively kills any self hosting which is
WAN-accessible.
That last is certainly not true. There are a swathe of exemptions from
consent and other GDPR related issues which mean that unless you're doing
something pretty odd for a self-hosted site, you're good.
However!
If you do cookies on your purely personal website, you still need to ask
for consent because of the EU Stupid Cookie Thing of 2002.
Also there might even be a case against clients which
default to
downloading images automatically. As a user you have consented to your
provider storing information on you, but in a MUC a client which
automatically downloads images is, without consent, connecting to
foreign servers which could log IP addresses (which are considered
identifiable information). Surely there should be a pop up warning you
"Hey auto downloading of http uploads is enabled, this will share your
IP with federated servers", you then consent to this and all is good.
Or thats my understanding at least, I am sure there is some way this is
fine.
I don't think you need to ask for consent here. It might need to be noted
in a privacy policy (probably not) and it would certainly be a good idea
for a client to note this at some point in their privacy guide (ie, not a
legal requirement just a nice thing to do).
Dave.
5:57 a.m.
Hello,
No, the question isn't "client" versus
"server", those are low-level
technical distinctions. Do not, ever, try to apply a technical
meaning to a legal document, there's a lot of impedance mismatch
you'll find yourself tripping over.
The GDPR does talk of "offering a service", but that is a business
meaning of service, rather than a technical one.
Ah... well I am not well versed in law, thanks for the clarification.
Your stuff (client, server, etc) is accessing a
service offered by
those other servers. This is no different to you accessing, I dunno,
a discord server over a web browser. The GDPR affects the service
provider (or more accurately, the controller and processors).
I see the point, but where is the line drawn? When is it considered
professional/commercial?
Ooooh... Nice try. So if you have a falling out with
your cousin and
they demand you delete their account and associated data, you think
that the GDPR won't apply? Good luck with that.
This is a difficult one, just sharing internet with your family or
friends then makes you GDPR liable without this exemption. For example
I run OpenBSD on the router, my logs could contain personal
information, however am I going to get sued by family/friends for it?
Or will they simply say "hey could you delete my stuff" "yeah sure no
problem".
(I guess it depends on whether your family are mean enough to
go to the SCO to report you as well... most wouldn't)
GDPR wasn't designed to handle domestic use, storing family pictures
could then make you liable to GDPR, which would be a major headache for
every single person.
If "friends" were a concrete exemption -
it's not - then an
organisation could declare all its users to be friends.
Organisations fall under professional/commercial use to its void
anyways.
An individual running a small chat server with his friends, shouldn't
break GDPR.
I don't know how the EU enforces GDPR, but the introduction of the SCO
has added tons of overhead and a big headache to knowing when to pay
the fee, and when not to. Failure to pay the fee you will be fined.
Stupid system.
For example, I am pretty much GDPR compliant anyways, my friends know
what I store, they agreed to it, and I will purge their data the moment
they want me to. The issue isn't complying with GDPR, but you only pay
the fee if you are not exempt, you shouldn't pay it if you are exempt.
So you must know where the line is drawn. (also becoming SCO registered
then gives you full liability)
Well, to be clear, I think the structure of XEP-0045
would make an
argument for exemption pretty interesting, but it's also a useful
defence by dint of being a published interoperable standard. You'll
note that, for example, you don't need to explicitly offer consent to
use a DNS server, despite the fact they may not only log your IP
address (gasp!) but also process your IP address data (shock!) to
detect security issues. So I think it may be possible to exempt a
self-hosted MUC from GDPR consent requirements. Whether that means
it's exempt from registration I don't know.
You must ask for consent for non-critical data storage, you only store
the bare minimum for whatever you are providing to work.
Again, it depends where the line is drawn here.
GDPR also takes protecting data seriously, so if you store extra data
for the sake of security, then you are still complying.
I suspect that the finding would be that a MUC hosted
for reasons
other than being purely personal would need registration (ie, the £45
a year), but not consent, at least for a standard MUC service
(including MAM and the other expected features of a typical chatroom
service).
I would argue it would still need consent.
XEP are extensions to the base protocol, the base still works without
MUCs, as MUC is an additional feature, surely permission should be
asked? Some clients don't even inform you if the server is logging or
if the logs are publicly available. These are NOT required for the
operations of a MUC. You could also argue that MAM isn't required and
you should ask permission to store peoples messages, OMEMO encrypted or
not.
The example the SCO gives for this (paraphrased :P):
A builder needs an address and a name to complete the work on a house,
they do not need to ask for consent to store this data as it is
required for them to provide their service, however the builder wants
to email the invoice to the client, they must request permission to
store the email address, as the invoicing is not required to provide
their service.
Only the bare minimum should be consent-less.
Unless I am taking the examples too extreme :P
Yes, HTTP upload is a privacy nightmare. It's also
a general problem
for federated services where the clients lack full connectivity; like
they're behind an enterprise firewall. Or over a low-bandwidth radio
link. But I think that from a GDPR point of view, it'd only become an
issue if you were deliberately abusing the privacy issues to tie a
user's identity to the IP address for further processing.
Again, "service" here is not the same as the technical meaning. Your
own HTTP upload service isn't a thing you offer to everyone, it's a
thing you have to run to send people pictures of cats.
The thing is, there is two sides to http upload.
The uploader, which would definitely be a service, you are letting them
upload whatever file to share with someone else, and you are storing it
for them.
However you are then delivering this image to many different users,
this can also be considered a service, your server is serving a
download, its no different than a netflix stream (in fact you could
upload a film with http upload and then share it with all your
friends!).
That last is certainly not true. There are a swathe of
exemptions from
consent and other GDPR related issues which mean that unless you're
doing something pretty odd for a self-hosted site, you're good.
SCO only mentions 3 exemptions.
I only need to cross the exemption line once, even if its minor, to be
accountable for GDPR, or at the very least, the SCO registration fee.
I can't find anything on WAN accessible home services and GDPR/SCO
compliance, I looked around, doesn't seem people talk about it.
Is it just assumed SCO doesn't give a damn about some small server?
If you do cookies on your purely personal website, you
still need to
ask for consent because of the EU Stupid Cookie Thing of 2002.
Depends on whether this law copied over to the UK, and also depends on
the type of cookie. There is a cookie guide the size of the GPDR
describing the different types of cookies and when they are/are not
required to follow GDPR.
I don't think you need to ask for consent here. It
might need to be
noted in a privacy policy (probably not) and it would certainly be a
good idea for a client to note this at some point in their privacy
guide (ie, not a legal requirement just a nice thing to do).
In the privacy policy of your server you sign up with, which you
agree to, sure.
But in a MUC with http uploads from OTHER servers, you haven't agree to
their privacy policy and thus you are automatically downloading from a
server you haven't consented to, and haven't seen their privacy policy
(not like people read them anyways).
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
6:10 a.m.
s/SCO/ICO/
I am exhausted, apologises for mistake :)
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
6:12 a.m.
I, too, am old enough to remember when my typing muscle memory had SCO on
speed-dial...
On Tue, 16 Apr 2024 at 13:10, Polarian <polarian(a)polarian.dev> wrote:
s/SCO/ICO/
I am exhausted, apologises for mistake :)
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
7:43 a.m.
On Tue, 16 Apr 2024 at 12:58, Polarian <polarian(a)polarian.dev> wrote:
It seems unlikely to be a problem in practice, but yes, I think if you had
an XMPP server that you offered accounts on to friends, you'd be very much
skirting the GDPR.
On the other hand, if you just operate the router for your own home, then
even if others are also using it I can't see that being a problem.
Remember, the law is intended to be "reasonable"; lawyers have often warned
me over the years that technical folk tend to fall into the trap of seeing
the law as some kind of computer program, but it's more like the
specification for one, and there's therefore much "intent" to be assumed.
Mmmm... I think that's a grey area. Individuals running services certainly
are covered by the GDPR.
Wait, no. So if someone joins a chatroom, then for that chatroom to work
XEP-0045 needs to be supported, and in order to support a reasonable
service you do indeed need to store at least some messages for at least
some time.
This all might well need a privacy policy published, and might need an ICO
registration if it's not for purely personal reasons.
So if you're running a chatroom for you and your friends/family to chat, in
the same way that you have a family groupchat on WhatsApp, then I see no
reason to need to register.
Similarly, HTTP is an extension to the base spec of IP, but if you use a
website you don't have to consent to processing of your IP address, or
indeed formally consent to having your HTTP requests processed.
Unless I am taking the examples too extreme :P
Yes and no.
The builder doesn't need to ask for consent for names and addresses, but
the building work itself is still optional. A chatrooom is indeed an
optional thing to have on a server - but if it's there, there are some
fundamental requirements in order to provide that service.
> > Yes, HTTP upload is a privacy nightmare. It's also a general problem
> > for federated services where the clients lack full connectivity; like
> > they're behind an enterprise firewall. Or over a low-bandwidth radio
> > link. But I think that from a GDPR point of view, it'd only become an
> > issue if you were deliberately abusing the privacy issues to tie a
> > user's identity to the IP address for further processing.
> >
> > Again, "service" here is not the same as the technical meaning. Your
> > own HTTP upload service isn't a thing you offer to everyone, it's a
> > thing you have to run to send people pictures of cats.
>
> The thing is, there is two sides to http upload.
>
> The uploader, which would definitely be a service, you are letting them
> upload whatever file to share with someone else, and you are storing it
> for them.
Yes, totally agreed there.
> However you are then delivering this image to many different users,
> this can also be considered a service, your server is serving a
> download, its no different than a netflix stream (in fact you could
> upload a film with http upload and then share it with all your
> friends!).
Ah... If you were using it in that way, then maybe it would be a service.
But if it's simply ancillary to sending cat GIFs, then not so much.
> > That last is certainly not true. There are a swathe of exemptions from
> > consent and other GDPR related issues which mean that unless you're
> > doing something pretty odd for a self-hosted site, you're good.
>
> SCO only mentions 3 exemptions.
The ICO mentions loads, actually, but personal use isn't one of them -
that's simply out of scope entirely for the GDPR.
> I only need to cross the exemption line once, even if its minor, to be
> accountable for GDPR, or at the very least, the SCO registration fee.
>
> I can't find anything on WAN accessible home services and GDPR/SCO
> compliance, I looked around, doesn't seem people talk about it.
>
> Is it just assumed SCO doesn't give a damn about some small server?
Most home services are things like a personal blog, and there's been lots
written about those. An XMPP server is something different, but unless
you're offering that as a service, I'm unconvinced it falls into scope.
(And if you are, I'm pretty sure it does).
The EU Stupid Cookie Law has been copied to UK law, and isn't part of the
GDPR.
Sucky law.
Yes, but it's not the client's responsibility since they are neither the
controller nor processor at this point.
Dave.
Hello,
When the courts decide... Sorry, that's an unhelpful answer, but it is
accurate.
No, the question isn't "client"
versus "server", those are low-level
technical distinctions. Do not, ever, try to apply a technical
meaning to a legal document, there's a lot of impedance mismatch
you'll find yourself tripping over.
The GDPR does talk of "offering a service", but that is a business
meaning of service, rather than a technical one.
Ah... well I am not well versed in law, thanks for the clarification.
Your stuff (client, server, etc) is accessing a
service offered by
those other servers. This is no different to you accessing, I dunno,
a discord server over a web browser. The GDPR affects the service
provider (or more accurately, the controller and processors).
I see the point, but where is the line drawn? When is it considered
professional/commercial?
Ooooh... Nice
try. So if you have a falling out with your cousin and
they demand you delete their account and associated data, you think
that the GDPR won't apply? Good luck with that.
This is a difficult one, just sharing internet with your family or
friends then makes you GDPR liable without this exemption. For example
I run OpenBSD on the router, my logs could contain personal
information, however am I going to get sued by family/friends for it?
Or will they simply say "hey could you delete my stuff" "yeah sure no
problem".
(I guess it depends on whether your family are mean enough to
go to the SCO to report you as well... most wouldn't)
GDPR wasn't designed to handle domestic use, storing family pictures
could then make you liable to GDPR, which would be a major headache for
every single person.
If
"friends" were a concrete exemption - it's not - then an
organisation could declare all its users to be friends.
Organisations fall under professional/commercial use to its void
anyways.
An individual running a small chat server with his friends, shouldn't
break GDPR.
I don't know how the EU enforces GDPR, but the
introduction of the SCO
has added tons of overhead and a big headache to knowing when to pay
the fee, and when not to. Failure to pay the fee you will be fined.
Stupid system.
As far as the UK ICO is concerned, they're useless, so I wouldn't worry -
I
can't imagine they're organised enough to fine anyone.
For example, I am pretty much GDPR compliant anyways,
my friends know
what I store, they agreed to it, and I will purge their data the moment
they want me to. The issue isn't complying with GDPR, but you only pay
the fee if you are not exempt, you shouldn't pay it if you are exempt.
So you must know where the line is drawn. (also becoming SCO registered
then gives you full liability)
Yes indeed. Well. Sort of.
You have to ask for consent for anything that you don't have any other
legitimate reason. "legitimate interest", however, covers a lot. (And,
probably, a lot more than it should).
Well, to be clear, I think the structure of
XEP-0045 would make an
argument for exemption pretty interesting, but it's also a useful
defence by dint of being a published interoperable standard. You'll
note that, for example, you don't need to explicitly offer consent to
use a DNS server, despite the fact they may not only log your IP
address (gasp!) but also process your IP address data (shock!) to
detect security issues. So I think it may be possible to exempt a
self-hosted MUC from GDPR consent requirements. Whether that means
it's exempt from registration I don't know.
You must ask for consent for non-critical data storage, you only store
the bare minimum for whatever you are providing to work.
Again, it depends where the line is drawn here.
GDPR also takes protecting data seriously, so if you store extra data
for the sake of security, then you are still complying.
I suspect that
the finding would be that a MUC hosted for reasons
other than being purely personal would need registration (ie, the £45
a year), but not consent, at least for a standard MUC service
(including MAM and the other expected features of a typical chatroom
service).
I would argue it would still need consent.
XEP are extensions to the base protocol, the base still works without
MUCs, as MUC is an additional feature, surely permission should be
asked? Some clients don't even inform you if the server is logging or
if the logs are publicly available. These are NOT required for the
operations of a MUC. You could also argue that MAM isn't required and
you should ask permission to store peoples messages, OMEMO encrypted or
not.
The example the SCO gives for this (paraphrased :P):
A builder needs an address and a name to complete the work on a house,
they do not need to ask for consent to store this data as it is
required for them to provide their service, however the builder wants
to email the invoice to the client, they must request permission to
store the email address, as the invoicing is not required to provide
their service.
Only the bare minimum should be consent-less.
The invoicing is required, but what is not required is to send the invoice
by email.
Similarly, nothing required to provide a chatroom service needs consent,
but if you wanted to get more data that'd have to be optional and would
need consent. Also, if you took the data and processed it more than was
needed - for example, if you produced a top ten of people messaging, or ran
analytics to determine whose messages were read first - then you'd need to
ask consent for that processing.
If you do
cookies on your purely personal website, you still need to
ask for consent because of the EU Stupid Cookie Thing of 2002.
Depends on whether this law copied over to the UK, and also depends on
the type of cookie. There is a cookie guide the size of the GPDR
describing the different types of cookies and when they are/are not
required to follow GDPR.
I don't think you need to ask for consent
here. It might need to be
noted in a privacy policy (probably not) and it would certainly be a
good idea for a client to note this at some point in their privacy
guide (ie, not a legal requirement just a nice thing to do).
In the privacy policy of your server you sign up with, which you
agree to, sure.
But in a MUC with http uploads from OTHER servers, you haven't agree to
their privacy policy and thus you are automatically downloading from a
server you haven't consented to, and haven't seen their privacy policy
(not like people read them anyways).
5:29 p.m.
Hello,
When the courts decide... Sorry, that's an
unhelpful answer, but it is
accurate.
It was more a rhetorical question, but thanks anyways :)
It seems unlikely to be a problem in practice, but
yes, I think if
you had an XMPP server that you offered accounts on to friends, you'd
be very much skirting the GDPR.
True, which is an issue. And being registered under the ICO as a sole
trader isn't preferable either.
My purposes aren't commercial, or professional. Although you could
argue open source development is professional and thus using a home
server to store code is technically removing the exemption.
Remember, the law is intended to be
"reasonable"; lawyers have often
warned me over the years that technical folk tend to fall into the
trap of seeing the law as some kind of computer program, but it's
more like the specification for one, and there's therefore much
"intent" to be assumed.
Ugh... why can't everything be binary? :P
As far as the UK ICO is concerned, they're
useless, so I wouldn't
worry - I can't imagine they're organised enough to fine anyone.
No real point anyways, if the people you are storing data for are
friends, they are VERY unlikely to report you to the ICO.
You have to ask for consent for anything that you
don't have any other
legitimate reason. "legitimate interest", however, covers a lot. (And,
probably, a lot more than it should).
I assume this implies "read the legislation".
Wait, no. So if someone joins a chatroom, then for
that chatroom to
work XEP-0045 needs to be supported, and in order to support a
reasonable service you do indeed need to store at least some messages
for at least some time.
But would this hold up in court?
IRC never had backlog and that worked just fine, couldn't you argue
that XMPP could function without MAM?
This all might well need a privacy policy published,
and might need
an ICO registration if it's not for purely personal reasons.
If you aren't hosting public channels, I don't think it matters.
So if you're running a chatroom for you and your
friends/family to
chat, in the same way that you have a family groupchat on WhatsApp,
then I see no reason to need to register.
However you are also storing their account information, which is the
grey area here.
Yes and no.
The builder doesn't need to ask for consent for names and addresses,
but the building work itself is still optional. A chatrooom is indeed
an optional thing to have on a server - but if it's there, there are
some fundamental requirements in order to provide that service.
So as long as you can justify that the data is reasonable to store
without consent in order for the service to function to the full extent
the user wants, asking for consent is not required?
Ah... If you were using it in that way, then maybe it
would be a
service. But if it's simply ancillary to sending cat GIFs, then not
so much.
More grey area?
The ICO mentions loads, actually, but personal use
isn't one of them -
that's simply out of scope entirely for the GDPR.
The entire idea is to fall outside of the scope of GDPR :P
I guess the easiest thing to do is simply to register... but I am
unsure how that would work if you are exempt... pay anyways is fine?
Most home services are things like a personal blog,
and there's been
lots written about those. An XMPP server is something different, but
unless you're offering that as a service, I'm unconvinced it falls
into scope. (And if you are, I'm pretty sure it does).
Where you would personally think the definition of offering as a
commercial service would draw the line?
If it is used to simply relay messages between friends and family,
surely that is exempt? even if you are storing data on them.
The EU Stupid Cookie Law has been copied to UK law,
and isn't part of
the GDPR.
Sucky law.
Yippee, what a great time to be in the tech industry, one mess up and
you are in a heap of legal trouble.
Yes, but it's not the client's responsibility
since they are neither
the controller nor processor at this point.
But under these circumstances, how would the server ensure you have
agreed to their policy if the client indiscriminately downloads things
automatically?
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev
17 Apr
17 Apr
5 a.m.
I'm going to put to general issues with the GDPR here, and refer back to
them:
Firstly, there's a distinction to be made between "exempt" and "out of
scope". You ideally want to be out of scope. If you're in scope but exempt,
then you're still subject to the GDPR in every respect, just formally
exempt.
So, for example, law enforcement is exempt - but they still need to be
subject to the GDPR and register etc. Nothing we do is likely do be exempt.
But, if you or I say "exempt" we should assume we really mean "out of
scope".
Secondly, the GDPR doesn't (as is popularly understood) require consent for
all data; it requires a "legal basis" for all data processing, and one of
those legal bases can be "legitimate interest", which in turn covers things
like "I need this to provide the service", or "I need this to have decent
security", or "I just kind of wanted to do this and I have more lawyers
than you do".
It's only things that are truly optional that you need consent for.
On Wed, 17 Apr 2024 at 00:31, Polarian <polarian(a)polarian.dev> wrote:
Yeah, except imagine bugs in contracts.
... while they're friends, at least.
If you're ever in court over this, I'll testify as an expert witness on
why
some form of backlog is important.
Right, so, I asked an actual DPO about this. (Being explicit, I'll
attribute *every* statement the DPO made to the DPO, so you know what's the
professional advice, but of course this is not taking all your
circumstances into account and therefore don't legally rely on this)
You don't need an actual DPO, by the way. But if the channel is for an open
source project, then DPO says a basic privacy policy (somewhere) and an ICO
registration would be probably needed. But unless you're doing extended
analytics, then DPO says you don't need to worry over consent.
If you don't have their account information to some degree, you cannot send
them the chatroom's messages; this feels very legitimate interest to me.
Yes, but also to the extent where the service is secure, etc, so slightly
beyond what you're saying here.
Not really - it's more around the intent than technical detail.
Not quite - DPO says that the easiest thing to do is call the UK ICO
helpdesk. They'll actually walk you through it all.
That's not the definition, though, the phrasing used is "purely
personal".
You don't need to explicitly agree to a privacy policy; one just needs to
be available, and you can assume that continued use of the service means
the privacy policy is acceptable. You probably do need to tell people it's
changed when it does.
The only time you'd need to involve technical measures here is if you had
consent requirements for optional features.
Dave.
Hello,
So, as per above, open source is likely not considered "purely
professional", so if you provide a service based around open source, it may
become subject to the GDPR. You are, however, unlikely to need explicit
consent for any of it. I think even quite detailed data collection would be
covered by "legitimate interest" as being required to ensure security, and
if anyone argues wave xz in front of them.
When the courts decide... Sorry, that's an
unhelpful answer, but it is
accurate.
It was more a rhetorical question, but thanks anyways :)
It seems unlikely to be a problem in practice,
but yes, I think if
you had an XMPP server that you offered accounts on to friends, you'd
be very much skirting the GDPR.
True, which is an issue. And being registered under the ICO as a sole
trader isn't preferable either.
My purposes aren't commercial, or professional. Although you could
argue open source development is professional and thus using a home
server to store code is technically removing the exemption.
Remember, the
law is intended to be "reasonable"; lawyers have often
warned me over the years that technical folk tend to fall into the
trap of seeing the law as some kind of computer program, but it's
more like the specification for one, and there's therefore much
"intent" to be assumed.
Ugh... why can't everything be binary? :P
As far as the
UK ICO is concerned, they're useless, so I wouldn't
worry - I can't imagine they're organised enough to fine anyone.
No real point anyways, if the people you are storing data for are
friends, they are VERY unlikely to report you to the ICO.
You have to
ask for consent for anything that you don't have any other
legitimate reason. "legitimate interest", however, covers a lot. (And,
probably, a lot more than it should).
I assume this implies "read the legislation".
Wait, no. So if someone joins a chatroom, then
for that chatroom to
work XEP-0045 needs to be supported, and in order to support a
reasonable service you do indeed need to store at least some messages
for at least some time.
But would this hold up in court?
IRC never had backlog and that worked just fine, couldn't you argue
that XMPP could function without MAM?
This all might
well need a privacy policy published, and might need
an ICO registration if it's not for purely personal reasons.
If you aren't hosting public channels, I don't think it matters.
So if
you're running a chatroom for you and your friends/family to
chat, in the same way that you have a family groupchat on WhatsApp,
then I see no reason to need to register.
However you are also storing their account information, which is the
grey area here.
Yes and no.
The builder doesn't need to ask for consent for names and addresses,
but the building work itself is still optional. A chatrooom is indeed
an optional thing to have on a server - but if it's there, there are
some fundamental requirements in order to provide that service.
So as long as you can justify that the data is reasonable to store
without consent in order for the service to function to the full extent
the user wants, asking for consent is not required?
Ah... If you were using it in that way, then
maybe it would be a
service. But if it's simply ancillary to sending cat GIFs, then not
so much.
More grey area?
The ICO
mentions loads, actually, but personal use isn't one of them -
that's simply out of scope entirely for the GDPR.
The entire idea is to fall outside of the scope of GDPR :P
I guess the easiest thing to do is simply to register... but I am
unsure how that would work if you are exempt... pay anyways is fine?
Most home
services are things like a personal blog, and there's been
lots written about those. An XMPP server is something different, but
unless you're offering that as a service, I'm unconvinced it falls
into scope. (And if you are, I'm pretty sure it does).
Where you would personally think the definition of offering as a
commercial service would draw the line?
If it is used to simply relay messages between friends
and family,
surely that is exempt? even if you are storing data on them.
I didn't ask the DPO about this case, but yes, I think as long as you can
reasonably claim it to be "purely personal", then you're out of scope.
The EU Stupid
Cookie Law has been copied to UK law, and isn't part of
the GDPR.
Sucky law.
Yippee, what a great time to be in the tech industry, one mess up and
you are in a heap of legal trouble.
Yes, but it's not the client's
responsibility since they are neither
the controller nor processor at this point.
But under these circumstances, how would the server ensure you have
agreed to their policy if the client indiscriminately downloads things
automatically?
380
days inactive
382
days old
9 comments
2 participants
participants (2)
-
Dave Cridland -
Polarian