Consent: don't ask to agree, just confirm to have read the privacy policy

[rubo77]

No description provided.

[richvdh]

I think you need to agree to it, not just read it...

[rubo77]

To the euoropiean GDPR there is no need to "agree", you only have to confirm to have read.

if you have a button to "Agree" you also need a workflow to "disagree" later on, which we don't want to provide.

This PR changes the wording to "I confirm to have read the privacy policy"

[ilu33]

@rubo77 is correct. The average home server doesn't have any consent to track because there should be nothing you have to consent to. Art. 7 1 b "Processing shall be lawful only if ... processing is necessary for the performance of a contract to which the data subject is party". Everything that is technically necessary to provide the service needs just information, not consent.

Consent needs to be freely given and can be retracted at any time - without terminating the service (Art. 7 GDPR and Recital 43). We are not Facebook or Google, we do not force the user to consent to anything. We can't help the technical necessities though and about them we INFORM.

"Consent" and "agree" implies that you store data that is not technically necessary to supply the service, which - I hope - no homeserver does. (Except: Consent to statistics/piwik is tracked in the settings which is correct. Consent to bots - which I personally think needs consent - should be in the settings too but that's not the topic here.)

[richvdh]

First of all, this just changes the fallback form. Clients will show their own wording here in most cases, so the argument is pretty much moot.

Secondly: no. If you want to use a homeserver, you must agree to abide by the conditions put in place by the admin of that server. If you don't agree with those conditions, you are welcome not to use the server. If you change your mind later, you are welcome to stop using it.

[richvdh]

Clients will show their own wording here in most cases

This, incidentally, is why there is no support for internationalisation on these forms currently.

However, if you'd like to submit a PR which makes it possible to change the forms with configuration, we could consider it.

I am not prepared to consider this PR as it stands.

[lampholder]

Some of the wording baked into the underlying impl here reflects our journey towards implementing GDPR compliance - we only settled on deriving legal processing of data through legitimate interest after first thinking we were going to use consent and later provision of contract.

So it's true that we don't require consent to process users' data - we just want to be able to demonstrate that our users have been informed of the important caveats regarding their use of this service resulting from the underlying technology.

However, the 'agreement' here is actually a single verb representing the user's having read and understood the privacy policy, and having agreed to our terms and conditions (which are separate from the privacy policy and detail how we handle criminal activity, what the service can and can't be used for, etc.).

Perhaps we should split the registration/policy flow to allow users to indicate that they have read the privacy policy and agree to the terms and conditions, @ilu33 I'd be interested to know how important you think this is (so we can balance this need sensibly against everything else we're trying to achieve).

[ilu33]

1. Nobody knows which way the case-law on GDPR is going to develop - it might even end up being very different in continental Europe and GB due to brexit. Nobody can really predict anything but the best way is IMHO to play it safe and keep exactly to the regulation which in this case means information but not consent.

2. Nobody knows if and when anybody would try to retract consent which could lead to very unpleasant consequences. Your guess is as good as mine. Better do it right now.

3. If you want to be sure that acceptance of your TOS is valid it's important to keep that consent separate. This has nothing to do with GDPR but with (german, austrian and probably also other countries) laws about TOS consent. TOS consent has to be given without any doubt and without being confused with anything else. There's a lot of case-law about that already, it has to be separate. I think a split is really important for the TOS part.

4. Now some less urgent considerations: Most homeservers won't have a TOS at all, so they don't need consent. Also it would look good on a FOSS product like matrix/riot so stress the difference to the ususal commercial services. Most users are used to understand the words "I agree" meaning that the service wants to profit form their data - which is the main case where consent is needed. They won't read the privacy policy at all but just grudgingly accept thinking that Matrix is just like everybody else. I would prefer Matrix to declare openly that there is no unnecessary data collectiony and thus no consent is needed.

Anyway, in my jurisdiction valid TOS consent requires the split.