
Notes on GDPR Compliance of Matrix.org (With Data Leak Disclosure), Part 2 - maxidorius
https://github.com/libremonde-org/paper-research-privacy-matrix.org/tree/master/part2
======
ATsch
As always, it is worth noting that these things are being conducted by
individuals who have had a falling out with the general matrix community for a
number of reasons and have since worked on a generally hostile fork. It is in
their best interest to make these documents as damaging for matrix and
matrix.org as possible.

That won't change any facts, which I can't comment on the validity of, but
it's important to keep this context in mind while reading these and any future
documents.

~~~
maxidorius
Thank you for bringing up our "falling out", which has an impact on the Personal
Data leak itself, so I really hope people will look into it.

As for "with the general matrix community", I believe the amount of projects
and people we talk to, and still are in rooms with (which are public) will be
the proof of that.

I hope you'll enjoy the read, since we believe this is not the first data leak
of this kind and that your personal data might very well have been leaked if
you're a Matrix user.

------
Achilles099
What was the point of redacting the name of the operator in Annex A "for
privacy" and then linking to a blog post that clearly states the author's name
saying "the same operator made this blog post while we were talking"?

~~~
maxidorius
Because our document could be collected and processed illegally under GDPR.
That the operator makes the conscious choice to have their name listed on
their own organisation's website they are from is their own choice. Their
organisation is processing their data, not us. They have the right to object
to that, and the right to erasure of their personal data if their name
is listed.

They were not given the choice to be part of our publication and therefore, we
have no lawful basis to use their name since 1) they did not give us consent
and 2) they would not have understood (we didn't say) nor expected (it was a
private chat) that we would use their personal data - making Legitimate
Interest not possible.

The only way we could be GDPR compliant for being Accountable and not break a
lawful basis was to not use their name but the name of their role under their
obligations towards us, and linking to the blog post instead (Accountability
of what we claim).

~~~
Achilles099
Still doesn't seem necessary to point out that it was the same person writing
the blog post, could have just said New Vector released this blog post around
the same time. Just seems underhanded, but that isn't much surprise coming
from someone with a clear vendetta against NV because you want people to
switch to Grid. These papers are nothing more than marketing documents for
your fork.

~~~
maxidorius
I guess then New Vector is actually our best sponsor: they always give us
those very important things to write about, like a personal data breach that
has a federation-wide scope.

They certainly are generous! I'll ask them to renew our contract!

