RocketChat / feature-requests

This repository is used to track Rocket.Chat feature requests and discussions.

GDPR compliance, or lack of #135

Open reetp opened 5 years ago

reetp commented 5 years ago

I have noticed increasing amounts of what can only be described as 'surveillance' or 'tracking' by Rocket Chat.

The code, documentation, and notifications of data usage for GDPR are woefully inadequate and urgently need addressing.

The latest was picked up by a user in open rocket.chat asking what collector.rocket.chat was. There is no information on this - what it is, and what it collects, and no questions on whether the installer voluntarily wants to enable it or not.

We then have situations like this: https://github.com/RocketChat/Rocket.Chat/issues/12789

"When you delete a chat the data is removed from the database. What remains in the database is the visitor data, so when we have this feature done, the Livechat managers will be able to remove the visitor data as well as we'll provide more tools to facilitate this process."

Closed apparently by: https://github.com/RocketChat/Rocket.Chat/pull/12982

But note: "In Addition: These features will only be available on our new Livechat client."

But we can't use the new livechat widget because it exposes user details as per this: https://github.com/RocketChat/Rocket.Chat/issues/12908

Then we have stuff like this that gets put in. Where is the notification about this? Where is the 'Off' switch? https://github.com/RocketChat/Rocket.Chat/pull/14765

There are still data retention Issues eg: https://github.com/RocketChat/Rocket.Chat/issues/12862 https://github.com/RocketChat/Rocket.Chat/issues/13916

On top of that there is Market Place. I have no idea what that wants in the way of data. And what about the Apps themselves? Is there a policy in place for this?

It is all well and good Rocket claiming to be GDPR compliant, but it has to back that up with code and documentation.

I would suggest that currently Rocketchat is far from GDPR compliant.

Currently this should be removed: https://rocket.chat/gdpr

theorenck commented 5 years ago

Hi @reetp, thanks for bringing this to our attention. We have already mobilized our legal and security teams to analyze the case you presented. As soon as we have our interpretation and understanding of how those specific points relate to GDPR, we'll share it with you here. Thank you very much.

reetp commented 5 years ago

I'm happy to get involved in the discussion if needs be.

makibras commented 5 years ago

Hi @reetp! I help Theo and the team and will keep you posted here.

reetp commented 5 years ago

You can add this to the list as well. https://github.com/RocketChat/Rocket.Chat.Livechat/pull/242

A couple of bits in there that I noticed (the whole PR doesn't sit comfortably quite honestly):

It looks like you are getting the location appearing to open URLs like https://nominatim.openstreetmap.org and https://cors-anywhere.herokuapp.com BEFORE you have asked and received permission????

It seems (and I could be wrong) your code says 'get location, look up everything (or start the lookups), if they give permission, store it'.

That isn't right surely? No geo location data should be obtained at all until user consent is given.

Also curious as to why this is changed from localhost:3000 to some obscure location for monitoring https traffic? Where is that documented?

`process.env.NODE_ENV === 'development' ? 'https://e30b913c.ngrok.io`
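The ordering problem described in the comment above (location read and third-party lookups started before the visitor is asked) is easiest to see with the steps logged. The following is an added example, not code from Rocket.Chat or the Livechat widget; `askConsent`, `getPosition`, `reverseGeocode` and `store` are hypothetical injected dependencies standing in for the consent prompt, `navigator.geolocation`, a geocoding service and the widget's storage, so that both orderings can be run offline and compared.

```javascript
// Added example, not Rocket.Chat or Livechat code: a consent-gated visitor
// location collector for a chat widget. The point from the thread is ordering:
// no geolocation read and no reverse-geocoding request until consent exists.
// Dependencies are injected (hypothetical names: askConsent, getPosition,
// reverseGeocode, store) so the ordering can be observed offline.

// Ordering the thread objects to: collect and look up first, ask afterwards.
// Kept only to contrast with the compliant version below.
function collectThenAsk({ askConsent, getPosition, reverseGeocode, store }) {
  const position = getPosition();          // geolocation read before consent
  const place = reverseGeocode(position);  // third-party lookup before consent
  if (askConsent()) {
    store(place);
    return place;
  }
  return null; // consent refused, but both lookups already happened
}

// Compliant ordering: consent gates every step that touches visitor data.
function askThenCollect({ askConsent, getPosition, reverseGeocode, store }) {
  if (!askConsent()) {
    return null; // nothing requested, nothing transmitted, nothing to erase
  }
  const position = getPosition();
  const place = reverseGeocode(position);
  store(place);
  return place;
}

// Constructed recorder: stands in for navigator.geolocation, a geocoding
// service and the widget's storage, and logs which steps were invoked.
function makeRecorder(consentGiven) {
  const calls = [];
  const deps = {
    askConsent: () => { calls.push('askConsent'); return consentGiven; },
    // constructed coordinates, not a real visitor
    getPosition: () => { calls.push('getPosition'); return { lat: 51.5, lon: -0.12 }; },
    reverseGeocode: (p) => { calls.push('reverseGeocode'); return { city: 'Example City', ...p }; },
    store: () => { calls.push('store'); },
  };
  return { deps, calls };
}

// Runs one ordering with the given consent answer and returns the step log,
// which is what a privacy review of the widget should be checking.
function stepsRun(collector, consentGiven) {
  const { deps, calls } = makeRecorder(consentGiven);
  collector(deps);
  return calls;
}

// With consent refused, the wrong ordering still performs both lookups:
console.log(stepsRun(collectThenAsk, false)); // [ 'getPosition', 'reverseGeocode', 'askConsent' ]
// The compliant ordering stops at the prompt:
console.log(stepsRun(askThenCollect, false)); // [ 'askConsent' ]
```

The step log is the useful artifact here: a review of a widget change can check that `askConsent` is the first entry whenever consent is refused, regardless of which services the later steps call.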

reetp commented 5 years ago

Add another one to the list (and I keep seeing issues like this pop up):

https://github.com/RocketChat/Rocket.Chat/pull/14934

Sorry - I just don't see any action on this and I think Rocket is falling further and further behind on GDPR.

I am seriously starting to question whether I can continue to use it at work for my employees or livechat for clients.

This is really serious stuff for some of us.

geekgonecrazy commented 5 years ago

@reetp I can assure you it's being taken seriously; it's just taking some time to action on everything. One important thing is building that into our processes so no one person can forget about privacy implications. If it's even a question it needs to be run through and double checked.

geekgonecrazy commented 5 years ago

> You can add this to the list as well. RocketChat/Rocket.Chat.Livechat#242

Important to point out. This is made by a GSOC student and has not been merged and is not being worked on directly by one of our team. Likely has a good ways to go before it's even near merging.

reetp commented 5 years ago

Yes, I know it isn't a 5 minute job, but I do see stuff popping up, and nothing much said or done about it - that's what I see from where I am sat. Yes, it may be different internally but that isn't reflected by what can be seen externally.

Trouble is, it will be lawyers asking the questions, and they won't take 'it's planned for next month' for an answer :-)

It is either compliant, or it isn't, and right now I don't believe it is.

Rocket did make big strides towards GDPR compliance at the time but it just seems to have fallen backwards subsequently. It should have already been built into your processes and should not need changing now.

reetp commented 5 years ago

Ahhhh. This is the overall bug for visitor location tracking. All the code needs some serious reviewing for privacy.... https://github.com/RocketChat/Rocket.Chat/issues/14642

reetp commented 5 years ago

This looks like it looks for an 'enabled setting'

https://github.com/RocketChat/Rocket.Chat/pull/14813

reetp commented 5 years ago

https://github.com/RocketChat/Rocket.Chat/issues/12966

engelgabriel commented 5 years ago

https://github.com/RocketChat/Rocket.Chat.Livechat/pull/279

engelgabriel commented 5 years ago

https://github.com/RocketChat/Rocket.Chat/pull/15294

wreiske commented 5 years ago

⚠️ Disclaimer: Random brain dump of non-important opinion. ;) Proceed with caution ⚠️

I am making a huge assumption here, but I would say Rocket.Chat's "default" configuration may never be "GDPR compliant".... However, there should be different "modes" or strict rules put into place that allow the server administrators to "lockdown" their server to be compliant based on the locality of the users. California's CCPA, for example, may be different than the EU's GDPR. Different states in the USA may not need any compliance, and some businesses may use Rocket.Chat much like how hubspot tracks marketing leads, etc...

I agree, there needs to be a larger conversation, nevertheless, there are many cool features that USA based companies would pay an arm and a leg to have that would not be GDPR compliant at all. Does that mean Rocket.Chat as a company should limit the scope and functionality of their products in USA or other countries because they have to conform to the most strict guidelines of EU privacy laws? I think an equal amount, if not more, focus should be on protecting the data and ensuring there are no security issues that could allow a third party to access that data.

Giving the server administrators (and putting the blame and risk on them) the tools to make their system "compliant" seems like a good solution in my mind. Maybe there are different "defaults" for preferences that if you select GDPR from a dropdown will disable certain livechat functionality, automatically enforce the ability for users to delete their data, etc. As a server operator myself for a USA based organization, there is no reason for employees to be able to delete their data. It's on our servers, in our datacenter, and we have every right to go through any conversation at any time and keep it for as long as we want.

Not that we do (that's a little too big-brother-ish and feels a little unethical for my team at least, we respect our employee's privacy unless someone's life is in danger, etc...), but for legal reasons, one may have to keep the information, like a [litigation hold](https://www.exterro.com/basics-of-e-discovery/legal-hold/). I wonder how a litigation hold would affect GDPR https://www.todaysgeneralcounsel.com/litigation-holds-and-the-gdpr/?

**With all that said, and with a few hours to let this brew in my mind, I do want to say privacy/security should always be the highest priority, period.** Even so much as all privacy questionable features should be off by default. It should, _however_, be completely up to the server administrators to decide the compliance level of their installation and how well they respect other's privacy. Maybe alerts or banners or other UI can be added to let users know, before they sign up or register, that the server they are accessing does not comply with GDPR or other privacy laws. If a corporation wants to run a Rocket.Chat server and gauge employee engagement and productivity based on how many chats they send in a day, how long they are "online", etc., that's totally up to the corporation to decide (obviously depending on the geographical location).

I guess what I'm trying to get at here, and maybe not expressing so clearly, TLDR: I don't want to see a blanket privacy policy that is trying to conform to one standard (GDPR) limit the awesome new features and cool tools and magic that makes Rocket.Chat cooler than every other platform out there.

ChristineBoersen commented 5 years ago

> Add another one to the list (and I keep seeing issues like this pop up):
>
> RocketChat/Rocket.Chat#14934
>
> Sorry - I just don't see any action on this and I think Rocket is falling further and further behind on GDPR.
>
> I am seriously starting to question whether I can continue to use it at work for my employees or livechat for clients.
>
> This is really serious stuff for some of us.

Actually, if you read the one from me, it is on hold and will not be part of the product, until I have time to work on it, to make it compliant.

ChristineBoersen commented 5 years ago

Just to add, in my case, I think things worked like they should have. A) I don't work for Rocket.Chat and tried to add a feature to the product without consulting the team B) They (and the community) reviewed the feature, and brought up compliance concerns C) It has been held from production until I have time to make it address the concerns brought to my attention.

Not quite sure what else should have happened there?!?! Please don't add my ticket as "fuel to the fire" as I believe the team/community policed it well before it was approved for the product.

reetp commented 5 years ago

@ChristineBoersen

> Please don't add my ticket as "fuel to the fire"

Sorry - it's not about singling anyone out. Just trying to keep a handle on what is going on as there are mountains of Issues here in github and it is easy for stuff to fall through the cracks. The list is not exhaustive or comprehensive or personal - I have just added stuff as I have seen it.

I had noticed a number of either existing or potential GDPR issues and put them under one 'feature request' here to track them. Any one of which can make Rocket.Chat non compliant, and the admin open to legal consequences.

@wreiske

> I wonder how a litigation hold would affect GDPR https://www.todaysgeneralcounsel.com/litigation-holds-and-the-gdpr/?

It will entirely depend on the jurisdiction. If you tried to take an EU company to court in the US then a legal hold may be too late as the data may have gone long ago due to GDPR. I'm sure there will be some interesting case law in the fullness of time :-)

> I am making a huge assumption here, but I would say Rocket.Chat's "default" configuration may never be "GDPR compliant".

There is absolutely no reason why not. Set default things to off and then you can turn on whatever you like. It really doesn't have to be hard. It is a state of mind. However, if it isn't then no one in the EU can use it.

> I don't want to see a blanket privacy policy that is trying to conform to one standard (GDPR)

It's probably the strictest thing out there and the benchmark for privacy if you are going to follow one.

> It should, however, be completely up to the server administrators to decide the compliance level of their installation and how well they respect other's privacy

Indeed it should, and I have no quibbles about that. But if you don't give them the tools to disable the unpleasant bits their hands are tied. One bit that is non compliant means the whole system is non compliant.

> I don't want to see a blanket privacy policy that is trying to conform to one standard (GDPR) limit the awesome new features and cool tools and magic that makes Rocket.Chat cooler than every other platform out there.

I'm happy that you bolt on what you like. As long as I can turn it off (it should be off by default really), and manage the data. If I can't it is non compliant, and the courts will judge me accordingly. I have no choice about this. It IS the law for me at least.

If Rocket.Chat is an uncontrolled free for all then that is fine. But don't advertise that Rocket.Chat is compliant when it is clearly not. That is false advertising or mis-representation (and potentially exposes Rocket.Chat itself to legal action).

If an admin cannot make it non compliant by disabling features and managing user data then you lose your EU market.

I would point out that a large proportion of questions I see around are to do with privacy and encryption etc. vs some of the "spyware" out there etc. IMHO it is a really important selling point for Rocket.Chat. Obligatory in the EU, and preferred in a lot of places.

I always considered Rocket.Chat to be good at this and was thrilled with the compliance back in May 2018. The issue was that it was a push then to 'achieve compliance' at a moment in time rather than changing to be 'continuously compliant'. They are not the same things. For those of us on the East side of the pond GDPR is there, all the time. It is a permanent fixture and cannot be forgotten.

I don't mind what happens (clearly I'd prefer Rocket.Chat to be compliant....), but you are either in or out, and admins will have to make their decisions accordingly. There is no 'partial compliance'.

graywolf336 commented 5 years ago

(just going to inject this here as I know you mean no malice by it, but we are Rocket.Chat and it can potentially be a legal issue if you simply refer to us by Rocket)