[Standards] XEP-0363 (HTTP Upload): Privacy Considerations & Deletion

Jonas Wielicki jonas at wielicki.name
Thu Apr 26 14:35:00 UTC 2018

Hi all,

During the last "XSF & GDPR" meeting (minutes pending), we were discussing 
HTTP Upload.

As it turns out, several implementations are making it not trivial for 
operators to be GDPR compliant. One of the things definitely necessary (as far 
as our understanding goes) is that users must be able to have their data 
deleted in a reasonable timeframe; it must also be possible to create a bundle 
of all data the service currently has from the user.

Some implementations do not allow this. I have prepared [PR #625] which adds 
wording to inform implementations about these requirements.

In addition, it would be useful if users could delete files they uploaded 
themselves. This is rather optional (which is why I made separate PRs), since 
services are likely to auto-expire files anyways. I can however see use-cases 
where a user wants a file deleted immediately, and this saves the interaction 
with the operator. I prepared [PR #624] for this.

I’d like to hear your (especially Daniels) opinions on this.

kind regards,

   [PR #625]: https://github.com/xsf/xeps/pull/625
   [PR #624]: https://github.com/xsf/xeps/pull/624
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.jabber.org/pipermail/standards/attachments/20180426/8dfdba38/attachment.sig>

More information about the Standards mailing list