πΎ Archived View for gemi.dev βΊ gemini-mailing-list βΊ 000943.gmi captured on 2023-12-28 at 15:55:28. Gemini links have been rewritten to link to archived content
β¬ οΈ Previous capture (2023-11-04)
-=-=-=-=-=-=-
Hello fellow developers To say that upfront, I searched most of the archive, didn't find that topic in there About gdpr and certificates. If I am not mistaken, before I even request the TLS certificate, I'd need to get a user consent, not to mention storing it. On a capsule like station, you can ignore the certificate until you sign up, but for instance if I want to prevent spam/DoS and check against a certification authority, I'd need to get permission for that first. Which beats the purpose partially Is the manual opt-in to show a cert on a specific domain enough for gdpr (clients require you to set the cert for the domains)? I can't show a gdpr warning on the cert missing error, since the spec doesn't allow me to. Not to mention other consent stuff for storing and processing information? I am aware that the small internet won't be sued soon, because no one cares. However hosting a service in the EU as a private person has become dangerous and you don't want to end up with a fine in the 10k range for infringement Any opinions, best practices, advice, discussion is welcome π
Matthias Geier <matthias.geier@antipod.de> writes: > Hello fellow developers > > To say that upfront, I searched most of the archive, didn't find that topic > in there > > About gdpr and certificates. If I am not mistaken, before I even request > the TLS certificate, I'd need to get a user consent, not to mention storing > it. > > On a capsule like station, you can ignore the certificate until you sign > up, but for instance if I want to prevent spam/DoS and check against a > certification authority, I'd need to get permission for that first. Which > beats the purpose partially > > Is the manual opt-in to show a cert on a specific domain enough for gdpr > (clients require you to set the cert for the domains)? I can't show a gdpr > warning on the cert missing error, since the spec doesn't allow me to. IANAL but what about responding with something like 60 Missing certificate: <gdpr warning here>\r\n Not all clients show the *exact* meta for status codes != 20, but that's another issue. > Not to mention other consent stuff for storing and processing information? > > I am aware that the small internet won't be sued soon, because no one > cares. However hosting a service in the EU as a private person has become > dangerous and you don't want to end up with a fine in the 10k range for > infringement > > Any opinions, best practices, advice, discussion is welcome π
On Fri, Jun 25, 2021 at 10:59:32AM +0200, Matthias Geier wrote: > About gdpr and certificates. If I am not mistaken, before I even request > the TLS certificate, I'd need to get a user consent, not to mention storing > it. Not necessarily. There are 6 possible justifications for processing personal data: Wikipedia - GDPR[0]: > (a) If the data subject has given consent to the processing of his or her personal data; > (b) To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract; > (c) To comply with a data controller's legal obligations; > (d) To protect the vital interests of a data subject or another individual; > (e) To perform a task in the public interest or in official authority; > (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)[7] Most processing that gemini capsules do will probably fall under the last point, and therefore doesn't require consent. (as an aside: most processing that websites do also falls in that category, including stuff for which cookie banners are show). Also, if you are an individual, it is possible that the GDPR doesn't apply, although I don't believe that there has been a court decision on this. Please do note that I am not a lawyer and that you should do your own research before relying on anything. adnidor [0] https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
βββββββ Original Message βββββββ Le vendredi 25 juin 2021 Γ 16:41, adnidor - lists-gemini at adnidor.de a Γ©crit : > On Fri, Jun 25, 2021 at 10:59:32AM +0200, Matthias Geier wrote: ... > Also, if you are an individual, it is possible that the GDPR doesn't apply, > > although I don't believe that there has been a court decision on this. It depends on the country, there are some that actively go after individuals (Austria, Sweden, Spain, and Norway have in the past) and others that just can't be bothered (notably France and most other EU countries). It also really depends on the data you collect, purpose of the collection, and whether or not you could extract that against a real data subject. The question would be would the certificate be at the same technical processing level as an IP address (server logs) or would it be storing a full data subject (account database). Again I'm not a lawyer, but your national data privacy organisation are generally more than happy to answer these kind of questions if you contact them. -KΓ©vin
(note: I am not a lawyer) On 2021-06-25, Matthias Geier wrote: > About gdpr and certificates. If I am not mistaken, before I even request the TLS certificate, I'd need to get a user consent, not to mention storing it. The certificate is not technically required to contain personally identifying information, people can just input nothing or random data when they generate it. The main interesting part of the certificate would be the public key. Of course a specific service might not accept certificates where fields do not contain some expected form of content. If they want to, users can choose to input their own personally identifying information but in that case I think it could maybe qualify as consent. I would question if this consent is "active" enough though. > I can't show a gdpr warning on the cert missing error, since the spec doesn't allow me to. If you really wanted to you could make your server redirect people connecting without a certificate to a full document to tell them that they need a certificate, if you want to be sure. Similarly for people visiting the site with an unknown/new certificate (maybe something like "You are connecting with a certificate which may contain personally identifying information. Under GDPR we must ask you to stop using this certificate for browsing this capsule or continue this way to consent to let us process that data.") Seeing how web pages request consent to use cookies I think it would be fine to request a certificate from the client and then show some consent page if the certificate is new/unknown. Otherwise how would you know whether this user has already consented or not? IP addresses will usually be dynamic or a user might move to a different connection. I don't know if any current server allows for something like this though. To be even more sure you could outright reject client certificates that contain more than just the public key, depending on your applications needs.
---
Previous Thread: Re: Gemini Digest, Vol 23, Issue 40
Next Thread: [USER][IDEA] Gemini Database of Places and Restaurants