Discovery data sharing and privacy policies

[oneiros]

We recognized early on that at least some FASP will need to receive PII from fediverse servers and that this will need to be as transparent as possible. As under GDPR this must become part of the fediverse server's privacy policy, we went so far as to require the specifications to include this information (see https://github.com/mastodon/fediverse_auxiliary_service_provider_specifications/blob/main/general/v0.1/provider_specifications.md#privacy-policy-information).

I fully expected the discovery provider specifications to be the first instance where this would become necessary. But then we decided on a concept that was slightly different from my initial expectation: In our current proposal fediverse servers only share URIs of content/accounts with FASP. FASP then need to fetch the actual content or account information themselves.

I am pretty confident that URIs are not PII. But that means I have absolutely no idea what to put into the specification regarding privacy policies 😦

(See also this discussion: #36 (comment))

Any ideas or help would be really appreciated.

[ThisIsMissEm]

In this case, whilst the Fediverse server isn't directly sending PII to the FASP, the FASP may be requesting it based on the URIs sent, therefore the FASP would be processing PII. At least, that's my assumption

[oneiros]

I did some googling and sometimes usernames are considered PII. I guess the subject of pseudonimity is complex, but since actor URIs often include usernames I would err on the side of caution.

I guess a sentence or two about the purpose of data sharing cannot hurt either, even if it is not strictly required.

(Note that this issue is about the requirement for the spec to include a paragraph that connected fediverse servers can put in their privacy policy, not about the FASP's privacy policy).

[jmking-iftas]

Any server using a third-party to process data should execute a data processing agreement, which should in turn inherit the privacy policy. The server should then include the FASP in its list of data processors in its privacy policy. Assuming both sides have a privacy policy, this can be pretty straight-forward click through agreements that result in the server adding recommended language from FASP along the lines of

Service Providers and Data Processors
In order to provide our Services, we depend on service providers. These providers offer critical services including cloud infrastructure and/or the safety and security of our Services. We authorize these service providers to use or disclose the Personal Data we make available to them to perform services on our behalf and comply with relevant legal obligations. We mandate these service providers to contractually commit to ensuring the security and confidentiality of the Personal Data they process on our behalf.

List of Data Processors

• Web Host
• FASP1
• FASP2

[oneiros]

that result in the server adding recommended language from FASP along the lines of

We would like to go a step further than that though and provide the server with a small paragraph that can be used to illustrate what data is shared with FASP and why. To not overcomplicate this, I think it should be limited to PII and any other data that might be deemed sensitive.

Hence the question what is possibly PII or sensitive about public URIs.

[jmking-iftas]

I see. The issue is PII is subjective and context-based. There are times username is, and time username isn't. If you want to provide guidance it should probably assume PII is being transferred as in all likelihood, it is; and the FASP should issue guidance to add something like what we're using for CCS (a possible future FASP btw) which encourages service providers to state the following under their List of Data Processors:

FASP
FASP processes content to provide CAPABILITY. This helps us provide OPERATIONAL ACTIVITY. All transfers are encrypted and secure, and FASP retains data only for as long as needed for this purpose or to meet legal requirements. Members may request information about the processing of their data by contacting us at the address below, subject to legal or moderation constraints."