[Standards] XEP-0363 (HTTP Upload): Privacy Considerations & Deletion
winfried at tilanus.com
Mon May 7 08:24:06 UTC 2018
On 05/01/2018 10:03 AM, Evgeny Khramtsov wrote:
> I think the behaviour is up to a local policy. We shouldn't make
> default recommendations based on some local laws (GDPR). Because if we
> do that, we can easily add "NOT" to all "SHOULD"s, and in this case we
> will describe the local law of Russia (where it is required to keep all
> users' data for at least 6 months). I would really advise XSF to avoid
> making political statements.

I think you are raising an important issue here: somehow the XSF must
relate to local laws. The EU wants the right to be forgotten, Russia
wants retention, China wants to proxy and filter all traffic (and so
on). We can't do all at the same time. We can't demand retention and the
right to be forgotten at the same time, we can't do strong encryption
and forcing all traffic through a proxy at the same time.

I fully agree that the XSF should not choose one local jurisdiction
above another. We don't want to go down that road. At the same time we
cannot say that we should avoid political statements. By creating a
decentralized network that is resilient against firewalling and
censoring attempts and that uses state-of-the-art encryption, c2s, s2s
and e2e, we DO make a political statement. Technology is never neutral
and XMPP certainly isn't.

Let's bring the discussion back to this pull request. The question is:
"does it represent a value the XSF underwrites fully?" If so, we must
integrate it in the XEP. If not (maybe because the XSF thinks the
right to be forgotten is utter nonsense, maybe because it is not
universal, like business server Dave mentions), we MUST NOT integrate it
in the XEP. The only way we can resolve these kinds of issues is to have
the discussion about what values the XSF wants to represent.

In those cases we have several options:

- Write a separate XEP that is explicit about its goal to comply with a
certain jurisdiction. Server and client implementers can then choose if
they want to implement it and operators and end users can choose to
enable it or not.
- Create a single point at the xsf-wiki with implementation notes for
that jurisdiction. This can range from a short note outlining the
possible issues and 'consult a lawyer' to detailed guidelines.
- Add to existing XEPs short pointers to those accompanying XEPs
targeted at certain jurisdictions and/or pointing to the central page
with information about that jurisdiction.

If an action to comply with a certain jurisdiction does not represent
one of the base values of the XSF, then I think we should do all three
of the above.
privacy consultant e-health