πŸ’Ύ Archived View for gemi.dev β€Ί gemini-mailing-list β€Ί 000943.gmi captured on 2023-12-28 at 15:55:28. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-11-04)

🚧 View Differences

-=-=-=-=-=-=-

GDPR and the protocol implications

1. Matthias Geier (matthias.geier (a) antipod.de)

Hello fellow developers

To say that upfront, I searched most of the archive, didn't find that topic
in there

About gdpr and certificates. If I am not mistaken, before I even request
the TLS certificate, I'd need to get a user consent, not to mention storing
it.

On a capsule like station, you can ignore the certificate until you sign
up, but for instance if I want to prevent spam/DoS and check against a
certification authority, I'd need to get permission for that first. Which
beats the purpose partially

Is the manual opt-in to show a cert on a specific domain enough for gdpr
(clients require you to set the cert for the domains)? I can't show a gdpr
warning on the cert missing error, since the spec doesn't allow me to.

Not to mention other consent stuff for storing and processing information?

I am aware that the small internet won't be sued soon, because no one
cares. However hosting a service in the EU as a private person has become
dangerous and you don't want to end up with a fine in the 10k range for
infringement

Any opinions, best practices, advice, discussion is welcome πŸ™ƒ

Link to individual message.

2. Omar Polo (op (a) omarpolo.com)


Matthias Geier <matthias.geier@antipod.de> writes:

> Hello fellow developers
>
> To say that upfront, I searched most of the archive, didn't find that topic
> in there
>
> About gdpr and certificates. If I am not mistaken, before I even request
> the TLS certificate, I'd need to get a user consent, not to mention storing
> it.
>
> On a capsule like station, you can ignore the certificate until you sign
> up, but for instance if I want to prevent spam/DoS and check against a
> certification authority, I'd need to get permission for that first. Which
> beats the purpose partially
>
> Is the manual opt-in to show a cert on a specific domain enough for gdpr
> (clients require you to set the cert for the domains)? I can't show a gdpr
> warning on the cert missing error, since the spec doesn't allow me to.

IANAL but what about responding with something like

	60 Missing certificate: <gdpr warning here>\r\n

Not all clients show the *exact* meta for status codes != 20, but that's
another issue.

> Not to mention other consent stuff for storing and processing information?
>
> I am aware that the small internet won't be sued soon, because no one
> cares. However hosting a service in the EU as a private person has become
> dangerous and you don't want to end up with a fine in the 10k range for
> infringement
>
> Any opinions, best practices, advice, discussion is welcome πŸ™ƒ

Link to individual message.

3. adnidor (lists-gemini (a) adnidor.de)

On Fri, Jun 25, 2021 at 10:59:32AM +0200, Matthias Geier wrote:
> About gdpr and certificates. If I am not mistaken, before I even request
> the TLS certificate, I'd need to get a user consent, not to mention storing
> it.

Not necessarily. There are 6 possible justifications for processing personal
data:

Wikipedia - GDPR[0]:
> (a) If the data subject has given consent to the processing of his or 
her personal data;
> (b) To fulfil contractual obligations with a data subject, or for tasks 
at the request of a data subject who is in the process of entering into a contract;
> (c) To comply with a data controller's legal obligations;
> (d) To protect the vital interests of a data subject or another individual;
> (e) To perform a task in the public interest or in official authority;
> (f) For the legitimate interests of a data controller or a third party, 
unless these interests are overridden by interests of the data subject or 
her or his rights according to the Charter of Fundamental Rights 
(especially in the case of children)[7]

Most processing that gemini capsules do will probably fall under the last
point, and therefore doesn't require consent. (as an aside: most processing
that websites do also falls in that category, including stuff for which cookie
banners are show).

Also, if you are an individual, it is possible that the GDPR doesn't apply,
although I don't believe that there has been a court decision on this.

Please do note that I am not a lawyer and that you should do your own research
before relying on anything.

    adnidor

[0] https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Link to individual message.

4. KΓ©vin (gemini (a) ml.oh.mg)


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

Le vendredi 25 juin 2021 Γ  16:41, adnidor - lists-gemini at adnidor.de a Γ©crit :

> On Fri, Jun 25, 2021 at 10:59:32AM +0200, Matthias Geier wrote:
...
> Also, if you are an individual, it is possible that the GDPR doesn't apply,
> 

> although I don't believe that there has been a court decision on this.

It depends on the country, there are some that actively go after 
individuals (Austria, Sweden, Spain, and Norway have in the past) and 
others that just can't be bothered (notably France and most other EU countries).

It also really depends on the data you collect, purpose of the collection, 
and whether or not you could extract that against a real data subject.

The question would be would the certificate be at the same technical 
processing level as an IP address (server logs) or would it be storing a 
full data subject (account database).

Again I'm not a lawyer, but your national data privacy organisation are 
generally more than happy to answer these kind of questions if you contact them.

-KΓ©vin

Link to individual message.

5. Johann Galle (johann+gemini (a) qwertqwefsday.eu)

(note: I am not a lawyer)

On 2021-06-25, Matthias Geier wrote:
> About gdpr and certificates. If I am not mistaken, before I even request 
the TLS certificate, I'd need to get a user consent, not to mention storing it.

The certificate is not technically required to contain personally 
identifying information, people can just input nothing or random data when 
they generate it. The main interesting part of the certificate would be 
the public key. Of course a specific service might not accept certificates 
where fields do not contain some expected form of content.

If they want to, users can choose to input their own personally 
identifying information but in that case I think it could maybe qualify as 
consent. I would question if this consent is "active" enough though.

> I can't show a gdpr warning on the cert missing error, since the spec 
doesn't allow me to.

If you really wanted to you could make your server redirect people 
connecting without a certificate to a full document to tell them that they 
need a certificate, if you want to be sure.

Similarly for people visiting the site with an unknown/new certificate 
(maybe something like "You are connecting with a certificate which may 
contain personally identifying information. Under GDPR we must ask you to 
stop using this certificate for browsing this capsule or continue this way 
to consent to let us process that data.") Seeing how web pages request 
consent to use cookies I think it would be fine to request a certificate 
from the client and then show some consent page if the certificate is 
new/unknown. Otherwise how would you know whether this user has already 
consented or not? IP addresses will usually be dynamic or a user might 
move to a different connection. I don't know if any current server allows 
for something like this though.

To be even more sure you could outright reject client certificates that 
contain more than just the public key, depending on your applications needs.

Link to individual message.

---

Previous Thread: Re: Gemini Digest, Vol 23, Issue 40

Next Thread: [USER][IDEA] Gemini Database of Places and Restaurants