Push notifications and GDPR

Description

Not a technical question but legal, and probably specific to Europe: how to make sure we’re GDPR compliant when we use the (external) push/notification service?

We’ve exposed our server to the Internet and have many happy users now who are keen on using their mobiles. What’s missing so far, however, is a reliable push service to alert users who receive a message. From what I know there is a service (it needs to be paid for at higher volume, that’s not the issue), but our lawyer raised the concern of sending data from Europe/Germany to a 3rd party in the US, including personal information, e.g. the user name. Encryption exists but is not end-to-end.

I would assume we’re not the first user group to experience that issue, but I couldn’t find any prior discussions in this forum. Is there anybody else who’s facing that issue? What’s your view, and have you managed to find a legal agreement to successfully run a notification service?

Server Setup Information

Just for the records:

  • Version of Rocket.Chat Server: 0.74.3
  • Operating System: SUSE Linux
  • Deployment Method: Docker/k8s

Any additional Information

Hi,

on this precarious topic, there have already been several posts here, all of which have run aground.

From a privacy point of view, you are currently completely lost if you activate pushes. If I understood the principle correctly, the data is sent via a TLS-encrypted path to the push notification gateway of rocket.chat (https://gateway.rocket.chat) and from there to Apple or Google, but the content is plain. Both rocket.chat as push gateway operator and Google or Apple have full access to your content. Please correct me if this is not true.

Basically, pushes are a data protection disaster. You can disable pushes in your Rocket (or use the client from F-Droid) or configure the push without content (see the administration interface of your RC: push notifications/data protection). The situation would be somewhat improved if the mobile RC clients also supported E2E. I believe that is not yet the case. Then at least the content would no longer be readable in plain text by third parties. But with the “metadata” you will always be exposed, even with E2E. This is a basic problem and not Rocket.Chat specific; it also applies to e.g. Signal, Telegram and Matrix.

Ultimately, you have to adapt your privacy policy or deactivate pushes. Privacy statements are not worth the paper they are written on. For example, our privacy policy stipulates that data of a certain security class may not be exchanged via Rocket.Chat. Does anyone comply with this prohibition? Ping me in the #ug_german channel on open.rocket.chat, then we can discuss this in detail and I can send you our privacy policy.

As an alternative you could run your own push gateway (are there instructions for this?), but then you have to build the mobile clients yourself, which is a lot of effort, see here. But even with your own gateway, you only bypass the gateway of rocket.chat. You still have to push from your gateway via Google or Apple to your mobile clients. And frankly, I trust the Rocket.Chat team more than Google or Apple. :wink: So in the current concept it doesn’t matter to me that the data would be pushed through the Rocket.Chat gateway in advance.

In summary: pushes are simply a terrible dilemma. This is where we really need to gather ideas to better implement data protection and confidentiality.

Some further links:

Ciao
Marcus


Thanks this is definitely correct. We would definitely be a data processor. I believe this is actually covered in the GDPR page on our website.

The gateway is currently in the US, but we will soon bring it to the EU as well.

We are also evaluating additional ways to protect contents passing through the gateway.

Feel free to reach out to our team at gdpr@rocket.chat


Hello Aaron,

is there an overview of what you have already evaluated?

A gateway in the EU under EU data protection rules would be a start. When are you planning it?

Ciao
Marcus

Yeah, I second that, and many thanks for your initial answer. @aaron.ogle : a gateway in Europe is a good start but nonetheless we need to know what data (or metadata) exactly is going out to the push service.

I read some rocket.chat page that says “Rocket.Chat is GDPR compliant” and I very much appreciate that you take this seriously, but the statement can hardly include the push service as-is, as obviously neither you nor the (on-premise) user/admin have sufficient control over the data once it goes there, and (that’s what the lawyer says) if you pass personal information to another system you’ll need to get the user’s agreement in advance. Since it’s a global setting, that means all users.

I read @rodrigo.nascimento in https://github.com/RocketChat/Rocket.Chat/issues/9027 saying that disabling “Show message” and “Show channel/group/username” makes sure this data is not transferred to the gateway and I wonder if that is good enough to at least satisfy the privacy needs of the senders…


Apparently these gateway servers within the EU never happened though.
At least I can’t find any official information on it, and when I run dig gateway.rocket.chat from a German host I get two IPs, which are both located in the US.
I really like Rocket.Chat and am currently trying to set it up for a local community that I am a member of, but since we take GDPR compliance seriously, we just can’t have all our messages’ plain text go through US servers (this must be an issue for many organizations in the EU trying to use Rocket.Chat, right?). The only way then (apart from releasing our own mobile apps) is to disable usernames and message content within push notifications, which of course isn’t ideal either…

We actually started to use push notifications as of this month, as agreed with our data protection officer to comply with GDPR. We need to use the settings

  • Channel/Group/Username in Notification: off
  • Show Message in Notification: off
  • Fetch full message content from the server on receipt: on

This is indeed not very handy but better than none. If Rocket however wants to keep up with other similar services (which often ignore these rules and therefore appear more user friendly) then they better come up with dedicated EU gateways.
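To make the effect of the three settings above concrete, here is an added illustration that is not Rocket.Chat code and not from anyone in this thread. It models the push body that leaves the server for the gateway under the "weak" defaults and under the strict combination agreed with the DPO, plus a simulated client that, with "fetch full message content from the server on receipt" enabled, pulls the text over its own authenticated session instead of reading it from the push. The field names (`title`, `text`, `payload.messageId`, `fetchFromServer`), the host `chat.example.org` and the sample message are all assumptions; the real server schema differs.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PushSettings:
    """The three admin settings named in the post above (attribute names are mine)."""
    show_username_room: bool   # "Channel/Group/Username in Notification"
    show_message: bool         # "Show Message in Notification"
    fetch_from_server: bool    # "Fetch full message content from the server on receipt"


# Constructed sample message, not real data.
SAMPLE_MESSAGE = {
    "_id": "msg-7f3a",
    "rid": "room-42",
    "sender_username": "alice",
    "room_name": "board-internal",
    "text": "Merger draft attached, do not forward.",
}

# Source fields whose verbatim presence in the push body is personal data or content.
SENSITIVE_FIELDS = ("sender_username", "room_name", "text")


def build_push_payload(msg, settings, host="https://chat.example.org"):
    """Assumed shape of the body handed to the push gateway (not Rocket.Chat's schema).

    What matters is which source fields get copied in under each setting.
    """
    if settings.show_username_room:
        title = f"@{msg['sender_username']} in #{msg['room_name']}"
    else:
        title = "New message"
    text = msg["text"] if settings.show_message else "You have a new message"
    return {
        "title": title,
        "text": text,
        # Routing metadata the client needs to locate the message. It crosses the
        # gateway regardless of the privacy settings (the "metadata" point made
        # earlier in the thread): host, room id and message id still leak.
        "payload": {
            "host": host,
            "messageId": msg["_id"],
            "rid": msg["rid"],
            "fetchFromServer": settings.fetch_from_server,
        },
    }


def fields_exposed_to_gateway(msg, settings):
    """Sensitive source fields that appear verbatim anywhere in the push body."""
    serialized = json.dumps(build_push_payload(msg, settings))
    return sorted(k for k in SENSITIVE_FIELDS if msg[k] in serialized)


def client_render(push, message_store):
    """Simulated mobile client. With fetchFromServer set it retrieves the content
    from the (self-hosted) server over its own authenticated session; the gateway
    never saw it. `message_store` stands in for that server call."""
    p = push["payload"]
    if p["fetchFromServer"]:
        full = message_store[p["messageId"]]
        return f"@{full['sender_username']} in #{full['room_name']}: {full['text']}"
    return f"{push['title']}: {push['text']}"


WEAK = PushSettings(show_username_room=True, show_message=True, fetch_from_server=False)
STRICT = PushSettings(show_username_room=False, show_message=False, fetch_from_server=True)

if __name__ == "__main__":
    store = {SAMPLE_MESSAGE["_id"]: SAMPLE_MESSAGE}
    for name, s in (("weak", WEAK), ("strict", STRICT)):
        push = build_push_payload(SAMPLE_MESSAGE, s)
        print(name, "exposed to gateway:", fields_exposed_to_gateway(SAMPLE_MESSAGE, s))
        print(name, "shown on device:", client_render(push, store))
```

With the strict settings the gateway body contains no username, room name or message text, yet the device still shows the full message because it fetches it from your own server; what still transits the gateway is the host, room id and message id, which is exactly the metadata residue the earlier post warns about.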

Hi and thanks for all the comments. I will pass this back to the dev teams.

They are aware of some of these issues and I can assure you that there is a big push starting to address various concerns in the community including stability and privacy. However, it won’t happen overnight!

Absolutely the best way to ensure your own privacy is to use your own gateway and we have instructions on how to do that:

https://docs.rocket.chat/guides/mobile-guides/push-notifications-1#push-gateway

Or alternatively you can use a paid-for plan, e.g.:

https://docs.rocket.chat/guides/mobile-guides/push-notifications-1/push-notification-security

As a follow up thought even if you had a European gateway the message would STILL be in plain text.

So the location of the gateway itself is not the primary issue here.

When reading this

End-to-End Encryption Specifications - Rocket.Chat Docs

it sounds like there has been a change in how Rocket.Chat handles push notifications since your above comment (or the explanation is wrong).

Can you confirm whether messages pushed out to mobile clients are now being encrypted (in the community edition) or not being pushed out at all (in the enterprise edition)?

Thanks