Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privacy Policy #93

Closed
khlr opened this issue Dec 2, 2023 · 32 comments · Fixed by simplesamlphp/simplesamlphp.github.io#15
Closed

Privacy Policy #93

khlr opened this issue Dec 2, 2023 · 32 comments · Fixed by simplesamlphp/simplesamlphp.github.io#15

Comments

@khlr
Copy link
Contributor

khlr commented Dec 2, 2023

The other day I have been taking a glance at the Chrome Web Store to see if we could publish a new version of SAML-tracer anytime soon. I couldn't help but notice that the CWS now enforces the linking of a privacy policy. Without this, it is not possible to publish a new version.

Now one could certainly click through one of the numerous online generators for privacy policies. Sure, sounds easy at first. Nevertheless, it is not unlikely that you will not state things correctly and that the whole structure will become legally vulnerable as a result.

I wonder how you deal with these kind of issues in SimpleSAMLphp? I think that privacy issues and legal matters in general are even more acute with this project than with SAML-tracer.
Is SimpleSAMLphp backed by Sikt/UNINETT in this regard? Or SURF (probably not)?
However, I couldn't find a privacy policy anywhere in the SimpleSAMLphp project or on the website. Either I'm looking too hard, or there isn't one?!

Anyway. I think with the necessary effort one could also create a (hopefully legally bulletproof) privacy policy for SAML-tracer. It would certainly also be in the users' interest if they could find out what happens to their data (namely nothing; since we don't play fast and loose with it).
However, I have concerns about article 13(1a) of the GDPR. This article requires the specific designation of a responsible person ("controller"). Who should be named here in an open source project? If SAML-tracer were the product of some company, it would certainly be a different situation.
Hence the question about Sikt/UNINETT: Would it somehow be conceivable to come under their umbrella in this respect?

What do you think about this, @tvdijen , @thijskh , @jaimeperez ?

@tvdijen
Copy link
Member

tvdijen commented Dec 2, 2023

Sikt is not involved anymore and I believe the SimpleSAMLphp project to be a legal entity on it's own.
This sounds like a job for our board to figure this stuff out.

@khlr
Copy link
Contributor Author

khlr commented Dec 3, 2023

Oh, I didn't know that Sikt isn't involved anymore.
What form of legal entity is SimplesSAMLphp likely to be?

How can the board be 'activated' to clarify these questions? 😉

@tvdijen
Copy link
Member

tvdijen commented Dec 3, 2023

Jaime is one of the board-members, so let's wait for him to respond. He can bring the topic to their monthly-or-so board-meeting.

@jaimeperez
Copy link
Member

jaimeperez commented Dec 4, 2023

SimpleSAMLphp is established as a non-profit entity under the umbrella of the NLNet Foundation. This means we are free to accept donations without worrying about taxes and all sorts of administrative issues, and use that to take care of the project. Sikt and Cirrus Identity have been the only ones who have donated to the project since the new non-profit was established, but neither of them have any control or ownership capabilities.

Regarding the GDPR & Privacy Policy, as far as I understand it shouldn't affect us in general for two reasons:

  • We are not a company offering any services, and as such, we cannot be designated as controller of any personal data.
  • We are not collecting any personal data either. In fact, we are not collecting any data at all.

The only tricky part is this issue tracker and any mailing lists. In theory, people who have written here or in mailing lists that we manage could exercise their right to be forgotten under GDPR, and that would force us to delete their comments. I believe both Google Groups and Github offer an automated way to delete all your comments when you delete your account, so that leaves us with no need to do anything on our side (but we should verify this, of course).

Other than that, the Privacy Policy for SAML-tracer should be as simple as We don't collect any data. All data made available to the SAML-tracer extension, personal or not, is under your control at all times.

@jaimeperez
Copy link
Member

Hi again!

Just a quick update on this. We just discussed the topic in our board meeting and we are going to look into the legal requirements, write something that we can use as a privacy policy and find a place where we can publish it when done 😄

@khlr I'll let you know when everything is in place so that you can use it in the CWS!

@khlr
Copy link
Contributor Author

khlr commented Dec 7, 2023

Thanks for the feedback and for discussing the further details in the board meeting, Jaime.

Thanks also for the info on the NLNet Foundation. However, I can't find SimpleSAMLphp anywhere on the list of supported projects. Is it listed there under a different name?

@thijskh
Copy link
Member

thijskh commented Dec 7, 2023

So it's not NLNet Foundation but The Commons Conservancy. NLNet in turn delivers services to TCC.

@jaimeperez
Copy link
Member

That's absolutely true, my bad. TCC is the legal instrument that hosts us, while NLNet provides most services for it. I was thinking strictly on economical terms, so I just thought about the NLNet foundation.

@khlr
Copy link
Contributor Author

khlr commented Feb 17, 2024

Hi @jaimeperez!

Are there any results on this topic in the meantime? 🙂

@tvdijen
Copy link
Member

tvdijen commented Feb 17, 2024

I've been checking out some other browser add-ons that similar functionality and found this one to have a very simple privacy statement that perhaps we could re-use?

https://chromewebstore.google.com/detail/enlnbonndfjonmelmplbmgnobjffbhoj/privacy

Is there a generic email address we use?

@thijskh
Copy link
Member

thijskh commented Feb 19, 2024

Since the privacy question with SAML Tracer is rather trivial, I've gone ahead and just wrote what it does. That seems the essential part. We do nothing with your data.

Please find the proposed text on simplesamlphp/simplesamlphp.github.io#11. Improvements to the text welcome, but I prefer to keep simple things simple.

We can improve on this at any later time, but I suggest not to dwell too long on theoretical legal aspects of something that is so trivial re privacy risks and go ahead with what is proposed in this one.

@tvdijen
Copy link
Member

tvdijen commented Feb 19, 2024

I think it makes more sense to add the .md file to this repository, rather than on the SSP-website.
Other than that, 👍🏻

@thijskh
Copy link
Member

thijskh commented Feb 19, 2024

How can we then link to it? Isn't the whole purpose of this issue that we provide a link to the Privacy Policy

@tvdijen
Copy link
Member

tvdijen commented Feb 19, 2024

I'd link to the raw file in the master-branch 🤷🏻‍♂️

@thijskh
Copy link
Member

thijskh commented Feb 20, 2024

This might be a matter of taste but I think it looks more reliable and official to random end users if it's part of a proper website and not some file deep in a code repository. YMMV

@tvdijen
Copy link
Member

tvdijen commented Feb 20, 2024

Right, and I do not disagree on that matter, but right now the website has no relation to (not even a mention of) SAML-tracer and vice versa.
For now, merge it so @khlr can do the release of v1.8

@thijskh
Copy link
Member

thijskh commented Feb 20, 2024

Here's the Privacy Policy: https://simplesamlphp.org/support/samltracer_privacy.html
I could not find out if this needs to be added to the Manifest or otherwise.

@khlr Is this enough for you to proceed?

@tvdijen
Copy link
Member

tvdijen commented Mar 23, 2024

@khlr ?

@khlr
Copy link
Contributor Author

khlr commented Mar 24, 2024

I apologize for still not getting back to you...
I've let the topic slide a little. I had hoped that @jaimeperez might have some feedback from the board meeting after all, as I would personally prefer to have a more legally certain result. Is something still in the works there?

Any way, I will (hopefully) continue with the current status next week. 🐌

@tvdijen
Copy link
Member

tvdijen commented Mar 24, 2024

I wouldn't get your hopes up ...

@tvdijen
Copy link
Member

tvdijen commented Apr 10, 2024

Just 🚢 it @khlr !

@tvdijen tvdijen closed this as completed Apr 10, 2024
@khlr
Copy link
Contributor Author

khlr commented Apr 11, 2024

Sorry guys. I've given this a lot of thought over the last few days. Thanks @thijskh for the generated privacy statement, but I think that's simply not enough. I just don't feel comfortable using a privacy policy that doesn't meet the necessary legal requirements (I refer here again, for example, to Article 13 (1a) of the GDPR).
Sooner or later, some warning lawyer will take notice and we'll have a problem on our hands.

Personally, I really don't have the time, inclination or nerves for this. Since SimpleSAMLphp is fortunate enough to have an umbrella organisation in the form of the Commons Conservancy that takes care of such legal matters, then I am very much in favour of not cobbling something together ourselves, but instead relying on their support.

@jaimeperez, I would really like to hear some feedback from you as a board member.

@khlr khlr reopened this Apr 11, 2024
@jaimeperez
Copy link
Member

Sorry so much for the lack of response from my side guys! I never got the notifications and was unaware of the discussion until Tim mentioned it to me right now.

I'm still waiting for feedback myself. Another board member (Niels) was going to involve a GÉANT lawyer to give us some proper legal text we could use, but we haven't had any news yet and we had to postpone our last board meeting.

I'll ping Niels to see if we can get something as soon as possible. I totally understand that you do not want to take any risks with this and prefer to have a lawyer look into it.

@jaimeperez
Copy link
Member

By the way, I just had a quick look at the privacy statement that has been already published. I'm no legal expert myself, but I think there's little more that we can say. As described there, the SAML-tracer extension does not collect any data, and as such, there's nothing we can do about what we do with the data... because there's no data to do anything with :-)

@jaimeperez
Copy link
Member

One more comment regarding Article 13 of GDPR: the entire article does not apply to us, since it is conditional to the collection of personal data. There is personal data managed by the extension indeed, but the data is not collected, and as such there is no processing and we are not a Processor as per the regulation.

The key for us is Article 2 paragraph 1:

This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

From the definitions in Article 4, point (6):

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

There is no set of personal data accessible, because we don't collect any data. Since there is no "filing system", the second condition in Article 2 does not apply to us. The first condition is the only one that applies, about the "processing" of personal data. According to the definitions again:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

This definitely applies to SAML-tracer, as the extension retrieves, consults or uses the data exchanged in the SAML flow (and/or during authentication). However, this processing is done by the legal person (according to GDPR, the controller). We are not processors, as per the definition:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

We (the SSP board, the developers, the community, whoever legal entity behind the software) do not perform any of those activities on behalf of the controller. The controller performs the processing directly (with the help of our software), and as such we aren't even in scope of GDPR.

I'm still waiting for feedback from my board colleagues, but I hope this alleviates your concerns @khlr. I'm pretty sure the Privacy Policy suggested by Thijs is more than enough for our purposes. If it helps, have a look at OpenOffice's privacy note.

@thijskh
Copy link
Member

thijskh commented Jul 31, 2024

The SSP board has commissioned a law firm to make a SAML Tracer privacy policy which is now ready. I will put it online shortly for a final review.

@tvdijen
Copy link
Member

tvdijen commented Jul 31, 2024

I see the latest 1.8.0 tag is an orphaned tag.. I may have rebased something at some point.
Since it's never released I suggest moving the tag to the latest commit in master.

@thijskh
Copy link
Member

thijskh commented Aug 1, 2024

Proposed text is in simplesamlphp/simplesamlphp.github.io#15 and has been approved by the board already. If there are no objections raised I'll merge it.

@thijskh
Copy link
Member

thijskh commented Aug 1, 2024

I see the latest 1.8.0 tag is an orphaned tag.. I may have rebased something at some point. Since it's never released I suggest moving the tag to the latest commit in master.

I would just create a new tag 1.8.1 to avoid any confusions, tags do not cost anything

@khlr
Copy link
Contributor Author

khlr commented Aug 1, 2024

Doesn't it make sense to only create a new tag when the extension has actually been published?

@tvdijen
Copy link
Member

tvdijen commented Aug 1, 2024

That was my thought as well @khlr !

@thijskh
Copy link
Member

thijskh commented Aug 9, 2024

Here's the link to the current policy https://simplesamlphp.org/support/samltracer_privacy.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants