Push notifications and GDPR

#1

Description

Not a technical question but legal, and probably specific to Europe: how to make sure we’re GDPR compliant when we use the (external) push/notification service?

We’ve exposed our server to the Internet, have many happy users now who are keen on using their mobiles. What’s missing so far however is a reliable push service to alert users who receive a message. From what I know there is a service (needs to be paid for higher volume, that’s not the issue) but our Lawyer raised the concern of sending data from Europe/Germany to a 3rd party in the US including personal information, e.g. the user name. Encryption exists but is not end-to-end.

I would assume we’re not the first user group to experience that issue, but I couldn’t find any prior discussions in this forum. Is there anybody else who’s facing that issue? What’s your view, and have you managed to find a legal agreement to successfully run a notification service?

Server Setup Information

Just for the records:

  • Version of Rocket.Chat Server: 0.74.3
  • Operating System: SUSE Linux
  • Deployment Method: Docker/k8s

Any additional Information

#2

Hi,

on this precarious topic, there have already been several posts here, all of which have run aground.

From a privacy point of view, you are currently completely lost if you activate pushes. If I understood the principle correctly, the data will be sent via a TLS encrypted path to the push notification gateway of rocket.chat (https://gateway.rocket.chat) and from there to Apple or Google, but the content is plain. Both rocket.chat as push gateway operator and Google or Apple have full access to your content. Please correct me if this is not true. Basically, pushes are a data protection disaster. You can disable pushes in your Rocket (or use the client from F-Droid) or configure the push without content (see administration interface of your RC: push notifications/data protection). The situation would be somewhat improved if the mobile RC clients also supported E2E. I believe that is not yet the case. Then at least the content would no longer be readable in plain text by third parties. But with the “metadata” you will always be exposed, even with E2E. This is a basic problem and not Rocket.Chat specific, e.g. also with Signal, Telegram, Matrix. Ultimately, you have to adapt your privacy policy or deactivate pushes. Privacy statements are not worth the paper they are written on. For example, our privacy policy stipulates that data of a certain security class may not be exchanged via Rocket.Chat. Does anyone comply with this prohibition? Ping me in the #ug_german channel on open.rocket.chat, then we can discuss this in detail and I can send you our privacy policy.

As an alternative you could run your own push gateway (are there instructions for this?), but then you have to build the mobile clients yourself, a lot of effort, see here. But even with your own gateway, you can only bypass the gateway of rocket.chat. You still have to push from your gateway via Google or Apple to your mobile clients. And frankly, I trust the Rocket.Chat team more than Google or Apple. :wink: So in the current concept it doesn’t matter to me that the data would be pushed through the Rocket.Chat gateway in advance.

In summary: pushes are simply a terrible dilemma. This is where we really need to gather ideas to better implement data protection and confidentiality.

Some further links:



Ciao
Marcus

#3

Thanks, this is definitely correct. We would definitely be a data processor. I believe this is actually covered in the GDPR page on our website.

The gateway is currently in the US, but we will soon bring it to the EU as well.

We are also evaluating additional ways to protect contents passing through the gateway.

Feel free to reach out to our team at gdpr@rocket.chat

#4

Hello Aaron,

is there an overview of what you have already evaluated?

A gateway in the EU under EU data protection rules would be a start. When are you planning it?

Ciao
Marcus

#5

Yeah, I second that, and many thanks for your initial answer. @aaron.ogle: a gateway in Europe is a good start, but nonetheless we need to know what data (or metadata) exactly is going out to the push service.

I read some rocket.chat page that says “Rocket.Chat is GDPR compliant”, and I very much appreciate that you take that seriously, but the statement can hardly include the push service as-is, as obviously neither you nor the (on-premise) user/admin have sufficient control over data once it goes there, and (that’s what the Lawyer says) if you pass personal information to another system you’ll need to get the user’s agreement in advance. Since it’s a global setting, that means all users.

I read @rodrigo.nascimento in https://github.com/RocketChat/Rocket.Chat/issues/9027 saying that disabling “Show message” and “Show channel/group/username” makes sure this data is not transferred to the gateway and I wonder if that is good enough to at least satisfy the privacy needs of the senders…

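A small audit script for the mitigation discussed in this thread (pushes enabled, but with “Show message” and “Show channel/group/username” switched off). This is an added example, not Rocket.Chat’s own code; the setting ids `Push_enable`, `Push_gateway`, `Push_show_username_room` and `Push_show_message` are assumed from the admin UI, as is the REST endpoint `GET /api/v1/settings/<id>`, so verify both against your server version.

```python
"""Report what each push notification would carry off-server, based on
the server's push settings. Added example, not Rocket.Chat's own code.
Setting ids and the REST endpoint are assumptions; check your version."""
import json
import urllib.request

# Assumed setting ids (as shown in Administration > Push).
PUSH_SETTING_IDS = (
    "Push_enable",
    "Push_gateway",
    "Push_show_username_room",
    "Push_show_message",
)


def fetch_push_settings(base_url, user_id, auth_token):
    """Read the push settings over the REST API with an admin session
    (assumed endpoint: GET /api/v1/settings/<id>). Returns {id: value}."""
    values = {}
    for sid in PUSH_SETTING_IDS:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v1/settings/{sid}",
            headers={"X-User-Id": user_id, "X-Auth-Token": auth_token},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            values[sid] = json.load(resp)["value"]
    return values


def audit_push_settings(settings):
    """Return a list of findings describing what leaves the server per push.
    Missing 'show' settings are treated as enabled (Rocket.Chat's default)."""
    if not settings.get("Push_enable", False):
        return ["push disabled: nothing is sent to any gateway"]
    gateway = settings.get("Push_gateway") or "an unset gateway"
    findings = [f"push enabled: payloads are relayed via {gateway}"]
    if settings.get("Push_show_username_room", True):
        findings.append("sender and room names included: personal data leaves the server")
    if settings.get("Push_show_message", True):
        findings.append("message text included: content leaves the server readable by the relay")
    if len(findings) == 1:
        findings.append("content-free push: only a wake-up, but delivery metadata still reaches Apple/Google")
    return findings


if __name__ == "__main__":
    # Constructed sample: a default-looking configuration, no live server needed.
    sample = {"Push_enable": True, "Push_gateway": "https://gateway.rocket.chat",
              "Push_show_username_room": True, "Push_show_message": True}
    for line in audit_push_settings(sample):
        print("-", line)
```

Run it against `fetch_push_settings(...)` output to audit a live server, or feed it a settings dict exported from the admin UI.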