Push notifications and GDPR

Hi,

on this precarious topic, there have already been several posts here, all of which have run aground.

From a privacy point of view, you are currently completely lost if you activate pushes. If I understood the principle correctly, the data will be sent via a TLS encrypted path to the push notification gateway of rocket.chat (https://gateway.rocket.chat) and from there to Apple or Google, but the content is plain. Both rocket.chat as push gateway operator and Google or Apple have full access to your content. Please correct me if this is not true.

Basically pushes are a data protection disaster. You can disable pushes in your Rocket (or use the client from F-Droid) or configure the push without content (see administration interface of your RC: push notifications/data protection). The situation would be somewhat improved if the mobile RC clients also supported E2E. I mean, that wouldn’t be the case yet. Then at least the content would no longer be readable in plain text by third parties. But with the “metadata” you will always get naked, even with E2E. This is a basic problem and not Rocket.Chat specific, e.g. also with Signal, Telegram, Matrix.

Ultimately, you have to adapt your privacy policy or deactivate pushes. Privacy statements are not worth the paper they are written on. For example, our privacy policy stipulates that data of a certain security class may not be exchanged via Rocket.Chat. Does anyone comply with this prohibition? Ping me in #ug_german channel on open.rocket.chat, then we can discuss this in detail and I can send you our privacy policy.

As an alternative you could run your own push gateway (are there instructions for this?), but then you have to build the mobile clients yourself, a lot of effort, see here. But even with your own gateway, you can only bypass the gateway of rocket.chat. You still have to push from your gateway via Google or Apple to your mobile clients. And frankly, I trust the Rocket.Chat team more than Google or Apple. :wink: So in the current concept it doesn’t matter to me that the data would be pushed through the Rocket.Chat gateway in advance.

In summary: pushes are simply a terrible dilemma. This is where we really need to gather ideas to better implement data protection and confidentiality.

Some further links:

Ciao
Marcus
