Notes on GDPR Compliance of Matrix.org (With Data Leak Disclosure), Part 2 (github.com)
5 points by maxidorius 84 days ago | 8 comments

As always, it is worth noting that these things are being conducted by individuals who have had a falling out with the general matrix community for a number of reasons and have since worked on a generally hostile fork. It is in their best interest to make these documents as damaging for matrix and matrix.org as possible.

That won't change any facts, which I can't comment on the validity of, but it's important to keep this context in mind while reading these and any future documents.

Thank you for bringing up our "falling out", which has an impact on the Personal Data leak itself, so I really hope people will look into it.

As for "with the general matrix community", I believe the amount of projects and people we talk to, and still are in rooms with (which are public) will be the proof of that.

I hope you'll enjoy the read, since we believe this is not the first data leak of this kind and that your personal data might very well have been leaked if you're a Matrix user.

What was the point of redacting the name of the operator in Annex A "for privacy" and then linking to a blog post that clearly states the author's name saying "the same operator made this blog post while we were talking"?

Because our document could be collected and processed illegally under GDPR. That the operator makes the conscious choice to have their name listed on their own organisation's website they are from is their own choice. Their organisation is processing their data, not us. They have the right to object to that, and the right to erasure of their personal data if their name is listed.

They were not given the choice to be part of our publication and therefore, we have no lawful basis to use their name since 1) they did not give us consent and 2) they would not have understood (we didn't say) nor expect (it was a private chat) that we will use their personal data - making Legitimate Interest not possible.

The only way we could be GDPR compliant for being Accountable and not break a lawful basis was to not use their name but the name of their role under their obligations towards us, and linking to the blog post instead (Accountability of what we claim).

Still doesn't seem necessary to point out that it was the same person writing the blog post, could have just said New Vector released this blog post around the same time. Just seems underhanded, but that isn't much surprise coming from someone with a clear vendetta against NV because you want people to switch to Grid. These papers are nothing more than marketing documents for your fork.

I guess then New Vector is actually our best sponsor: they always give us those very important things to write about, like a personal data breach that has a federation-wide scope.

They certainly are generous! I'll ask them to renew our contract!


Feel free to post the same with your real account instead of a puppet one, then I'll be happy to reply to all your points.

I'm serious enough to put my name out there and own up to what I write - Are you also? Or are you ashamed?


Thank you for your input. I am not worried about any traction we are getting. People do care even if you think nobody does. For example: https://github.com/privacytoolsIO/privacytools.io/pull/1047

I'll let you do your own homework and research what else it triggered.
