[WIP] MSC2438: Local and Federated User Erasure Requests #2438
Conversation
anoadragon453
force-pushed
the
anoa/gpdr17
branch
from
e1167a3
to
c9eeedb
Compare
anoadragon453
changed the title
|
|
||
| At this point, the application service SHOULD try to erase as much | ||
| identifying information about this user as possible. Upon successfully | ||
| acknowledging the request, the application service should return a `200 OK` |
There was a problem hiding this comment.
What's the expected response if the application service fails to remove the user?
There was a problem hiding this comment.
Currently this MSC is designed to just fan out the request, without returning any success/failure back to the user on whether the data was actually deleted. Thus here the 200 OK is just so that the AS acknowledged the request.
| At this point, the application service SHOULD try to erase as much | ||
| identifying information about this user as possible. Upon successfully | ||
| acknowledging the request, the application service should return a `200 OK` | ||
| with an empty JSON body. |
There was a problem hiding this comment.
What's the expected response if the application service hasn't ever seen the user?
There was a problem hiding this comment.
A 200 OK, as it'd be the same result as the AS deleting all data of a known user.
| other homeserver should respond with a `403 M_FORBIDDEN`. | ||
|
|
||
| For application services, a new API endpoint will be added on the application | ||
| service: `POST /_matrix/app/v1/users/erase`. It contains a single, required |
There was a problem hiding this comment.
Ooi, why a blob of json and not /_matrix/app/v1/users/erase/@someone:example.com? It makes it marginally easier to trace in logging
There was a problem hiding this comment.
Because the point is to remove personal data, so forcing more personal data into logs is wrong.
There was a problem hiding this comment.
I'm inclined to agree with @turt2live here, but I also agree that it'd be good to have a record of which users were erased... but how you'd do that without keeping their User ID around in a database I'm not sure...
Therefore logs, which can be deleted according to a retention policy, may indeed be the best option?
| } | ||
| ``` | ||
|
|
||
| At this point, the application service SHOULD try to erase as much |
There was a problem hiding this comment.
Worth noting that this proposal send a 200 on acknowledging but not if it's successful, not successful or even possible. It would be nice if the appservice could feedback in these different cases.
There was a problem hiding this comment.
At the moment we don't plan to send feedback to the user about which application services out there couldn't process the request.
And I'm not sure what the homeserver would do in this case. It could keep retrying, but if the application service couldn't delete it the first time, why would a second request make any difference?
|
|
||
| ``` | ||
| { | ||
| "id_server_unbind_result": "success", |
There was a problem hiding this comment.
Kinda sucks that we have feedback for identity servers, but not for other services. It would be helpful if the API supported some granularity how successful erase has been.
There was a problem hiding this comment.
This field is a hack anyways. Granular responses is probably something for a different MSC, unless this MSC can somehow make it easy and not a nightmare to deal with. There's so much more UX to consider with granularity when the user probably only cares about it working or not.
There was a problem hiding this comment.
Indeed, this MSC is only concerned with getting the request out there, not getting feedback to the user. I'm still inclined to remove this field and just have the absence of an HTTP error mean success.
| * Other homeservers | ||
| * Application services | ||
| * Identity Servers | ||
| * Integration managers |
There was a problem hiding this comment.
Worth noting that the data contract for integration managers is between itself and the client, the homeserver isn't aware of the integration manager at all.
There was a problem hiding this comment.
False, the homeserver is aware of integration managers. The homeserver is also best positioned to deal with the data removal.
I'd still take integration managers out of scope of this MSC though because they don't exist at the spec level.
|
So is this erasing everything (to the point of allowing usernames to be reused)? |
This is simply ferrying erasure requests to different services, the spec deliberately leaves what is actually erased up to the implementation, as we can't actually enforce that at the protocol level. |
|
@Half-Shot What do you think about this proposal? |
|
oooooooh yes |
| * Whether we should just fail the request entirely if local user erase was | ||
| unsuccessful |
There was a problem hiding this comment.
We may need to introduce a custom error code for this then?
| Upon receiving this request, the homeserver should forward it to every | ||
| homeserver it believes could also contain that user's data. How it does so is | ||
| left as an implementation detail. Once it's decided, the request will be | ||
| communicated over a new Federation API, `/_matrix/federation/v1/user/erase`. |
There was a problem hiding this comment.
We're on v2 now:
| communicated over a new Federation API, `/_matrix/federation/v1/user/erase`. | |
| communicated over a new Federation API, `/_matrix/federation/v2/user/erase`. |
There was a problem hiding this comment.
It was my understanding that we'd start new APIs with v1, and only introduce a v2 for them if they need to be updated with breaking changes. Is this not right?
There was a problem hiding this comment.
We don't have any formal standard for this, but using the identity server as an example we added /v2 endpoints without /v1 counterparts, implying that we ratchet the whole version and not on a per-endpoint basis.
There was a problem hiding this comment.
There's also a difference here which is that in the IS spec every existing endpoint got a v2 (even those that haven't changed in the transition), which imho means vX is the version of the API, whereas in the S2S spec most existing endpoints are only v1 and we've only been bumping per endpoint when we need to change it, which imho means vX is the version of the endpoint.
Argh all this is confusing.
There was a problem hiding this comment.
I've opened #2475 to settle this.
There was a problem hiding this comment.
vX is the version of the API,
no. The API doesn't have a single version. It just sounds like we happened to bump all the IS APIs at once.
| Example request: | ||
|
|
||
| ``` | ||
| POST /_matrix/federation/v1/user/erase |
There was a problem hiding this comment.
We're on v2 now:
| POST /_matrix/federation/v1/user/erase | |
| POST /_matrix/federation/v2/user/erase |
turt2live
changed the title
turt2live
added
the
needs-implementation
| A new parameter to the | ||
| [`/account/deactivate`](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-deactivate) | ||
| Client-Server API endpoint will be added, called `erase`, which is a boolean | ||
| that specifies whether the homeserver MUST attempt to erase all personal | ||
| data pertaining to the user off of the homeserver and as much of the rest of | ||
| the federation as it can. |
There was a problem hiding this comment.
We ended up implementing erase long ago, but without the federation propagation bit. #4025 covers the history here (and may affect how this proposal operates).
Rendered