nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Change wrong info - This community release of Nextcloud is unsupported and push notifications are limited. #37322

Closed devnull4242 closed 1 year ago

devnull4242 commented 1 year ago

There is a 500+ users Nextcloud Fair Use Policy and NGO program see here https://nextcloud.com/de/pushnotifications and that is ok and good for the future of Nextcloud and Nextcloud GmbH. extract: "We believe you will have a better experience with Nextcloud Enterprise."

But with 500+ users and without Nextcloud Enterprise (there are also reasons for this) the message is wrong. It is not correct (from the Managed Nextcloud hoster view e.g. Tab.Digital) that "This community release of Nextcloud is unsupported". Please change the text or delete the irritating message from the login page. It is correct to write about limitations (e.g. push notifications). But please do not write them on the login page. On the start page it does not say that Nextcloud is not Windows 365 or that you cannot make coffee with Nextcloud. ;-) Nobody needs this information multiple times. Hide them in Nextcloud itself e.g. in the user settings. I think the Nextcloud hoster can inform the users about the license and best coffee brewing. This is not the task of the Nextcloud software or the Nextcloud GmbH to post it on the login page. Thanks.

Example: https://nc.nl.tab.digital Version: https://nc.nl.tab.digital/status.php -> Nextcloud 24.0.9 -> still supported Community Nextcloud version !!!

"wird nicht unterstützt" is not true (login page) (screenshot)

"is unsupported" is not true (login page) (screenshot)

text is ok (screenshot)

another closed issue: https://github.com/nextcloud/server/issues/32165 help forum: https://help.nextcloud.com/t/nextcloud-25-released-to-stable/147816

devnull4242 commented 1 year ago

Same problem on Nextcloud https://drive.shadow.tech , info on https://shadow.tech/drive .


Frank Karlitschek made such a nice video with Shadow Drive see https://www.youtube.com/watch?v=ybxhYlCHFCE . Now it looks like the nextcloud version of Shadow Drive is outdated and unsupported. But that is not true, it is Nextcloud 25.0.3. Normal users will not understand this wrong information.

@karlitschek : Please change "unsupported" in a different word or delete the entry. Thanks.

solracsf commented 1 year ago

input from @svenseeberg at https://github.com/nextcloud/server/issues/38086


Unsupported Nextcloud installations show the following message to regular users:

  1. "This community release of Nextcloud is unsupported and push notifications are limited." on the login screen
  2. "Push notifications might be unreliable" in the notification area with a link to contact the Nextcloud support
  3. "This community release of Nextcloud is unsupported and instant notifications are unavailable." in the user profile

While I have no problem with Nextcloud asking for a fee for a functionality which is running on their infrastructure. But there is nothing users can do about it. In the best case it is only confusing them. Most users don't even know what "unsupported" means. I also don't think that Nextcloud GmbH actually wants users of random community Nextcloud servers to contact the sales department.

For us the unsupported state is no problem at the moment, only the message is not helping everyday users. Deactivating the Notifications app is also totally viable. However, at least in the profile area the notification cannot be turned off.

In different contexts I'm also operating Nextclouds for communities with very high demands on privacy. In such cases I would nowadays deactivate the notifications app anyways. The messages in the login screen and profile would then become obsolete but is shown anyways.

Expected behavior

Only admins should see notifications about the unsupported status of a Nextcloud server. When the notifications app is disabled, the login screen and profile area should not display warnings.

Volker-K commented 1 year ago

Similar issue: https://github.com/nextcloud/server/issues/38122

devnull4242 commented 1 year ago

@solracsf @svenseeberg

> For us the unsupported state is no problem at the moment, only the message is not helping everyday users.

For me "unsupported" means that a Nextcloud release is End of Life. But this is not the fact. It is not "unsupported" it is more "unlicensed".

svenseeberg commented 1 year ago

> For me "unsupported" means that a Nextcloud release is End of Life. But this is not the fact. It is not "unsupported" it is more "unlicensed".

I agree, the wording is a bit unlucky.

solracsf commented 1 year ago

I personally see this more like a "commercial" channel for Nextcloud GmbH to get Enterprise subscriptions on big instances. A FOSS where the F means Freemium 😆

svenseeberg commented 1 year ago

> I personally see this more like a "commercial" channel for Nextcloud GmbH to get Enterprise subscriptions on big instances.

... which is totally valid in my opinion. However, @devnull4242 got a point with the phrasing. Also, the architecture seems a bit weird to me. There definitely are compliance issues with the current implementation. Organizations need to enforce compliance even on the user side (see #38122). That means an organization, even when using smaller installations, needs to be able to fully deactivate Push Notifications. Internal notifications could work w/o the existence of an external Notification Gateway. It worked for more than a decade ;-)

Volker-K commented 1 year ago

There are several wrong parts not only in those messages but in the whole topic.

Let's have a look at the one that is shown when you click on the notification bell:

"Nextcloud GmbH sponsors a free push notification gateway for private users"

That has never been communicated in this way. Push notifications are just mentioned in user's manual without any hint how they might work. Even the privacy notice on their website that is linked from within the mobile apps says:

> Our apps only communicate with your own Nextcloud server and do not sent any data to us. The Play Store version equal to or newer than 1.5.0 for Nextcloud supports push notifications which use the Google servers. However Google does not have access to the actual notification data. Only a header with a subject is sent via Google, but in encrypted form, and the rest of the content is retrieved directly from your Nextcloud server and not sent through Google. The iOS client works in a similar way.

Obviously "only communicate with your own Nextcloud server and do not sent any data to us" is completely wrong.

This is a problem for all organisations using Nextcloud, and completely independent of whether they pay for the Enterprise Edition or not! They have to fix their privacy policies asap but unless they have more than 1000 users in a Community Edition (that's the limit set in the code) they might never realize that their privacy policy does not cover the push notification server run by Nextcloud GmbH.

Furthermore, the wording "sponsors a free push notification gateway for private users" gives the false impression that the Community Edition is only intended for private users and may not legally be operated by an organisation. But that would be a violation of the GNU AGPLv3, which clearly states "This License explicitly affirms your unlimited permission to run the unmodified Program."

The whole situation is really unsatisfactory and similar situations have already led to forks in other projects, which can massively damage a project of the size and complexity of Nextcloud.

Especially since Nextcloud GmbH offers special conditions for the Enterprise Edition for government and education, which is great. In Germany, the first federal states have banned the use of Office 365 on the web and Teams in schools and public authorities because of the well-known GDPR issues.

And that is so completely correct in my eyes. Which online shop we buy from (or whether we do so at all) is ultimately our free decision, but we can hardly influence what data the state collects. From the state, i.e. government and education, we can therefore expect particularly strict compliance with data protection regulations.

I work for a government data centre myself and am in a political party that uses Nextcloud so as not to be dependent on the Redmond company and to comply with the GDPR. In both cases, the use of the push notification server prevents us from complying with the GDPR. Period.

The Nextcloud instance is becoming mission critical for us (we actually want to have a five-figure number of students online soon) and will need a support contract for this in the medium term, but for now we would have to use a fork of the application in which we make the push notifications disengageable (as described in https://github.com/nextcloud/server/issues/38122 ).

That's pretty absurd.

andristeiner commented 1 year ago

I contacted you back when Nextcloud 23 was released in #32165 already, and we do still struggle with this as of today. We do participate in the Nextcloud provider signup program and run three installations to accommodate those users with a few thousand accounts each.

I don't consider it good practice to show warnings to those users who just signed up to try Nextcloud through an official channel. As we do provide these installations and accounts for free, I'm not willing to buy an enterprise subscription either.

Can you provide us with a license, or another workaround to get rid of those messages? Otherwise, we'll most probably withdraw from being a member of the provider signup program, which would be sad after being part of it since the beginning.

jospoortvliet commented 1 year ago

@andristeiner Please contact nextcloud gmbh for that, not the developers, volunteers and community here - this is totally the wrong place for this kind of business conversations. And indeed, your users shouldn't get this warning - so please, talk to the company about this.

For you and others here, may I propose a very simple 'rule of thumb' for the question "should I post my Nextcloud question or request on github or the community forums": if you are paid to ask the question, ask somebody who is paid to answer you, not volunteers or developers. It doesn't seem fair to ask volunteers to work for your boss for free.

If you work for a charity, Nextcloud GmbH is happy to help - and often for free.

@Volker-K and devnull4242 - I'll try and answer your inquiry about the push notifications and the GDPR before the weekend, but the same I said above evidently holds in your case, too. Our sales team is better equipped to answer such business and legal questions than software developers and volunteers, I don't really understand why you ask this here. Is our issue template not clear enough on that?

devnull4242 commented 1 year ago

@jospoortvliet Thank you for your help. My problem is the text "unsupported", the combination with the text "push notifications" and the very prominent placement at the login page e.g. https://nc.nl.tab.digital and not after login. And I think here the developers can give good suggestions that it is useful for Nextcloud GmbH and all community and commercial users.

jospoortvliet commented 1 year ago

Hi Volker, Devnull and others,

Let me first very shortly address the term 'supported'. Let me propose that most people would understand that term to mean "supported by the software vendor", meaning you can call them if you have a problem. With Nextcloud, that requires Nextcloud Enterprise. I know some read 'supported' to mean "the product still gets security updates" or "I can call my mom if something breaks and she'll fix it", but that discussion will never end. So I hope you can accept we simply use the most basic meaning: support from the vendor.

Then, to answer the GDPR question. Let me repeat what I said before: best talk to the sales team at Nextcloud GmbH about this. They are much better equipped to answer the kind of questions large businesses or government organizations like yours face.

Having said all that, I'm sure people interested in this subject would benefit from reading the documentation on the push proxy to dispel some of the confusion and incorrect information here: https://github.com/nextcloud/notifications/blob/master/docs/push-v2.md

I did add a link to that in our privacy page to make it easier to find for the future.

I would summarize it as such:
Nextcloud GmbH gets no IP or other personal data on any individual. The push proxy is designed to work with the absolute minimum amount of data being shared with us and Google to be able to work.

For you and others worried about the GDPR situation, while I’m no lawyer and wouldn’t give legal advice on a developer forum if I was, my reading of the situation is:

Once more, neither github, nor our community forums, are the place for legal discussions only relevant for enterprise deployments. With regards to such business questions, let me repeat my ground rule: if you get paid to look for answers by your boss, try to talk to somebody who gets paid to answer. It's not really fair to ask volunteers to work for your boss for free. Our account managers are happy to help.

We are likely to close such discussions, especially those with mis-information or (re)created by sock puppet accounts.

Still, I hope this helps. And again, if you have serious worries, talk to our team. We are happy to explore the details - together. The GDPR is not simple, and it requires a deep look at what is really happening to know what to do. We don't want to dodge the question, on the contrary, but this isn't the place or way.

I hope nobody finds it too crazy for me to close this issue. The wording won't change - though I suggest tab.digital to reach out to Nc GmbH. I am sure we can work something out. Same for others. As said on our FAQ, our goal is a win-win for everyone, from home to business users.

svenseeberg commented 1 year ago

> I would summarize it as such: Nextcloud GmbH gets no IP or other personal data on any individual.

AFAICT this is not correct. To reach a target device, a notification needs a device ID. This ID definitely is personalized.

https://gdpr.eu/eu-gdpr-personal-data/ states:

> Looking back at the GDPR’s definition, we have a list of different types of identifiers: “a name, an identification number, location data, an online identifier.” ... These identifiers refer to information that is related to an individual’s tools, applications, or devices, like their computer or smartphone. The above is by no means an exhaustive list. Any information that could identify a specific device, like its digital fingerprint, are identifiers.

And just one more thing that surprises me a little:

> Then, to answer the GDPR question. Let me repeat https://github.com/nextcloud/server/issues/37322#issuecomment-1545563756: best talk to the sales team at Nextcloud GmbH about this.

As this is an open source project I think this is exactly the right place to talk about features and functions. That the Nextcloud notifications app has no built in setting to disable the notifications sent via Nextcloud GmbH is definitely a software design decision. But I can understand that developers at Nextcloud GmbH can probably not decide this ;-)

Volker-K commented 1 year ago

> For you and others worried about the GDPR situation, while I’m no lawyer and wouldn’t give legal advice on a developer forum if I was, my reading of the situation is:

Our data protection officer is a lawyer and she says that we in fact need such an Auftragsdatenverarbeitungsvereinbarung with Nextcloud GmbH if we use the push proxy - unless Nextcloud GmbH can tell us based on GDPR why we don't need one.

At least we will have to add the use of this proxy to our privacy policy, but until last week it wasn't even mentioned in the privacy policy of Nextcloud GmbH.

And there are still contradictory statements there: It has been mentioned since 10 May that the proxy exists, but a little further down it is still stated that the mobile apps talk directly to our servers and that no Nextcloud GmbH system is involved.

In Germany, the integration of the Google Fonts servers already led to problems. In the current situation, the proxy leads to risks for all those who operate public clouds based on Nextcloud. The inevitably incorrect privacy policy alone can lead to fines.

Volker-K commented 1 year ago

> Can you provide us with a license, or another workaround to get rid of those messages?

Have a look at this enhancement request: https://github.com/nextcloud/server/issues/38122

jospoortvliet commented 1 year ago

> > Can you provide us with a license, or another workaround to get rid of those messages?
>
> Have a look at this enhancement request: #38122

To quote your earlier comment:

> Our data protection officer is a lawyer and she says that we in fact need such an Auftragsdatenverarbeitungsvereinbarung with Nextcloud GmbH if we use the push proxy - unless Nextcloud GmbH can tell us based on GDPR why we don't need one.

So I suggest you do what your lawyer suggests - reach out to Nextcloud GmbH and figure out a contractual solution. From what I can tell our software works as intended, and if it doesn't that has to be figured out by lawyers, not engineers - this is the WRONG place for this discussion and we'll be closing any further attempts at re-discussing it.