[Standards] XEP-0363 (HTTP Upload): Privacy Considerations & Deletion

Dave Cridland dave at cridland.net
Tue May 1 08:28:39 UTC 2018

On 1 May 2018 at 09:03, Evgeny Khramtsov <xramtsov at gmail.com> wrote:

> While I'm fine with having a separate extension, I'm against the PR
> itself. I think the behaviour is up to a local policy. We shouldn't make
> default recommendations based on some local laws (GDPR). Because if we
> do that, we can easily add "NOT" to all "SHOULD"s, and in this case we
> will describe the local law of Russia (where it is required to keep all
> users data for at least 6 months). I would really advise XSF to avoid
> making political statements. Not to mention that the text brings
> nothing to the document and only increases its size: it doesn't
> describe any protocol, it doesn't describe security considerations, it
> doesn't describe UX, so what does it do? Can we replace the text with
> "People SHOULD live in peace?" Because the meaning of the statement
> doesn't change a lot and a reader can easily ignore it.

Right, there is a tension between prompt deletion (for consumer data under
the GDPR) and retention (for corporate data and other regimes). I don't
believe that Surevine's server is in any way required to delete my data
should I leave under the GDPR, for example.

That said, I don't think that saying that operators should be able to
delete files is a political statement - it's just that it's potentially
naïve, and does not have an impact on Security or Interoperability (which
is what RFC 2119 language is for).

I'd be happier with a section in the document (or another document) that
pointed out legal compliance issues we are aware of, irrespective of the
regime they're affected by.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20180501/e83e4c51/attachment.html>

More information about the Standards mailing list