[Standards] XEP-0363 (HTTP Upload): Privacy Considerations & Deletion

Winfried Tilanus winfried at tilanus.com
Mon May 7 08:24:06 UTC 2018

On 05/01/2018 10:03 AM, Evgeny Khramtsov wrote:

Hi Evgeny,

> I think the behaviour is up to a local policy. We shouldn't make
> default recommendations based on some local laws (GDPR). Because if we
> do that, we can easily add "NOT" to all "SHOULD"s, and in this case we
> will describe the local law of Russia (where it is required to keep all
> users data for at least 6 months). I would really advise XSF to avoid
> making political statements.

I think you are raising an important issue here: somehow the XSF must 
relate to local laws. The EU wants the right to be forgotten, Russia 
wants retention, China wants to proxy and filter all traffic (and so 
on). We can't do all at the same time. We can't demand retention and the 
right to be forgotten at the same time, we can't do strong encryption 
and forcing all traffic through a proxy at the same time.

I fully agree to that the XSF should not choose one local jurisdiction 
above an other. We don't want to go down that road. At the same time we 
can not say that we should avoid political statements. By creating a 
decentralized network that is resilient against firewalling and 
censoring attempts and that uses state the art encryption, both c2s, s2s 
and e2e, we DO make a political statement. Technology never is neutral 
and XMPP certainly isn't.

Lets bring the discussion back to this pull request. The question is: 
"does it represent a value the XSF underwrites fully." If so, we must 
integrate it in the XEP. If not so (maybe because the XSF thinks the 
right to be forgotten is utterly nonsense, maybe because it is not 
universal, like business server Dave mentions), we MUST NOT integrate it 
in the XEP. The only way we can resolve these kind of issues is to have 
the discussion about what values the XSF wants to represent.

In those cases we have several options:
- Write a separate XEP that is explicit about its goal to comply with a 
certain jurisdiction. Server en client implementers can then choose if 
they want to implement it and operators and end users can choose to 
enable it or not.
- Create a single point at the xsf-wiki with implementation notes for 
that jurisdiction. This can be limited to a short note outlining the 
possible issues and 'consult a lawyer' to detailed guidelines.
- Add to existing XEPs short pointers to those accompanying XEPs 
targeted at certain jurisdictions and/or pointing to the central page 
with information about that jurisdiction.

If an action to comply with a certain jurisdiction does not represent 
one of the base values of the XSF, then I think we should do all three 
of the above.


privacy consultant e-health

More information about the Standards mailing list