[Standards] XEP-0363 (HTTP Upload): Privacy Considerations & Deletion

Daniel Gultsch daniel at gultsch.de
Fri Apr 27 12:58:02 UTC 2018

If this is about local law I don’t think a delete function will do that justice.
· Clients might not implement the delete part of the XEP and as a
service provider I can not solely rely on my users using the right
client. Therefor I will have to offer a stand alone delete
functionality on my website or over customer support anyway.
· Clients might no longer have a reference to a file anyway. (The
sending client might have been uninstalled, local history might have
been cleared etc etc). Therefor I believe once we go down the rabbit
hole of deleting files we will probably need an list/index operation
as well.

Since a simple delete won’t do local law justice anyway we should
think about whether or not we want to have delete in this XEP
independently of local law.

I haven't seen a lot of requests for file deletion from client (or
server) developers yet. So I don’t think there will be a strong demand
that justifies the KISS approach of this XEP. Furthermore HTTP File
deletion - just like individual MAM message deletion - can - if there
is in fact a demand - easily go into it's own XEP.


2018-04-26 16:35 GMT+02:00 Jonas Wielicki <jonas at wielicki.name>:
> Hi all,
> During the last "XSF & GDPR" meeting (minutes pending), we were discussing
> HTTP Upload.
> As it turns out, several implementations are making it not trivial for
> operators to be GDPR compliant. One of the things definitely necessary (as far
> as our understanding goes) is that users must be able to have their data
> deleted in a reasonable timeframe; it must also be possible to create a bundle
> of all data the service currently has from the user.
> Some implementations do not allow this. I have prepared [PR #625] which adds
> wording to inform implementations about these requirements.
> In addition, it would be useful if users could delete files they uploaded
> themselves. This is rather optional (which is why I made separate PRs), since
> services are likely to auto-expire files anyways. I can however see use-cases
> where a user wants a file deleted immediately, and this saves the interaction
> with the operator. I prepared [PR #624] for this.
> I’d like to hear your (especially Daniels) opinions on this.
> kind regards,
> Jonas
>    [PR #625]: https://github.com/xsf/xeps/pull/625
>    [PR #624]: https://github.com/xsf/xeps/pull/624
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: Standards-unsubscribe at xmpp.org
> _______________________________________________

More information about the Standards mailing list