RocketChat / feature-requests

This repository is used to track Rocket.Chat feature requests and discussions.

GDPR: quoted message still appears in deleted message #464

Open Timelessprod opened 3 years ago

Timelessprod commented 3 years ago

Description:

When someone (A) writes a message that is then quoted by someone else (B), and A deletes his message, its content is still quoted in the message of B. New European Union laws require the service to remove any content of a user when he requests it. Here my message content is still visible to everyone even if I remove it. So this is a violation of my right to get my content removed.

Steps to reproduce:

1. Send a message
2. Make someone quote your message
3. Delete this message

Expected behavior:

There should be a "deleted message" appearing at the place of the deleted message.

Actual behavior:

Server Setup Information:

This is my school's Rocket.Chat. They asked me to make the issue myself. I don't know anything about their config.

Client Setup Information

Mareo commented 3 years ago

Hi @Timelessprod,

The choice made by the Rocket.Chat development team to have quotes as copies of the original messages and not references can be deliberate and is not a GDPR violation per se. Article 17 ("Right to erasure") states that the data subject has the right to obtain from the controller the erasure of personal data if he withdraws consent when "[consent is the legal basis for the processing] according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;". In the general case in our school Rocket.Chat instance, the legal basis for data processing is not consent but point (b) of Article 6(1).

Moreover, the GDPR does not mandate tools to allow these operations to happen without intervention from an operator, and it's perfectly fine from a legal standpoint to require users to make a formal request before messages are deleted, as long as it is done "without undue delay".

We nonetheless chose to enable the setting allowing users to delete their own messages on our Rocket.Chat instance, but I am not fond of the idea of them being able to delete quotations in other users' messages, and should it be a new setting in Rocket.Chat, I'd choose not to enable it.

You may still ask an administrator to delete the offending quotations by using the proper communication channel (tickets and not private DM on Discord with a random member of my staff). Of course, the best way for not having this kind of issue is not to send messages you do not want quoted.

We certainly never asked you to make an issue claiming Rocket.Chat did not respect the GDPR; in fact you were told exactly the opposite regarding GDPR compliance. Having the ability to remove quotations when the original message is deleted is indeed a useful feature, but you should be asking nicely for it to be added, not making baseless claims about this project's GDPR compliance.

Regards,

johncrisp commented 3 years ago

Hi and thanks for reporting this issue.

It is the responsibility of the administrator of the system to manage GDPR compliance. Not Rocket.Chat. And as rightly pointed out you should contact your administrators to ask for removal of any data.

> So this is a violation of my right to get my content removed

Rocket.Chat provides tools to help facilitate the management of data, but we are not the data controller in any given instance. Rocket.Chat has not violated any of your rights.

Note that tracking the quoting of a piece of text would probably be extremely difficult. Not so bad if a 'Quote' message link was used and you could actually identify it, (blockchain anyone?) but what happens if someone just copies and pastes your text unreferenced as I have done above?

As this is not a bug - there is no error thrown in Rocket.Chat, and we certainly can't delete any of your data - I will move this to the feature requests repo where it belongs.

charlyrock commented 3 years ago

We activated the auto-delete option for all chats after 30 days. That works fine, but now it doesn't work anymore for messages that were quoted. That is definitely a bug. Before the last update it worked fine!

charlyrock commented 3 years ago

It should be fixed urgently! That is a security problem if you have set it up, like us, so that all messages should be deleted after a specific time!

charlyrock commented 3 years ago

> Hi and thanks for reporting this issue.
>
> It is the responsibility of the administrator of the system to manage GDPR compliance. Not Rocket.Chat. And as rightly pointed out you should contact your administrators to ask for removal of any data.
>
> > So this is a violation of my right to get my content removed
>
> Rocket.Chat provides tools to help facilitate the management of data, but we are not the data controller in any given instance. Rocket.Chat has not violated any of your rights.
>
> Note that tracking the quoting of a piece of text would probably be extremely difficult. Not so bad if a 'Quote' message link was used and you could actually identify it, (blockchain anyone?) but what happens if someone just copies and pastes your text unreferenced as I have done above?
>
> As this is not a bug - there is no error thrown in Rocket.Chat, and we certainly can't delete any of your data - I will move this to the feature requests repo where it belongs.

This is definitely a bug! The autodelete doesn't work correctly. If I have configured an autodelete after 30 days and it does not purge the quoted messages, that is a big, big bug and a security failure. Please correct the bug!