Synapse: Removing an administrative 3PID also attempts to remove the IS 3PID mapping without user consent

Created on 1 Feb 2019  路  6Comments  路  Source: matrix-org/synapse

Synapse is currently implementing matrix-org/matrix-doc#1194 in production systems even with the MSC still under review with several privacy concerns and GDPR illegalities.

This issue represent the community request for this behaviour to be removed for the following reasons:

  1. Current C2S API is clear that [contact information] is independent of any information kept by any identity servers.
  2. Current IS API is clear that for privacy reasons access should be restricted to avoid leaking potentially sensitive data.
  3. The Identity servers are made independent from Homeservers, allowing a user to choose an Identity server across several servers if they so wish. This means they might not want a 3PID to be removed from their IS if they remove a specific 3PID from one of the HS they use. They are never given any choice on the matter.
  4. The process by which a 3PID is removed is not a mirror of the process by which a 3PID is added. Adding is done under user's consent with at least one confirmation needed from the user while removing is done in a totally invisible manner without even informing the user.
  5. The user does not give informed and unambiguous consent for their personal data to be sent to a potentially independent 3rd party service, being illegal under GDPR.

We have added a link to this issue in mxisd notification upon blocking any attempt from synapse to make our users aware of the lack of concern for privacy and GDPR user consent when dealing with personal data.

Synapse v1.0
Source
picture maxidorius
👍31 🎉1 😄1

Most helpful comment

The 5 points raised by @maxidorius are serious, which is despite the fact that synapse is rolling out an under-review proposal to production systems (and that the proposal as it stands has severe outstanding issues).

Points 1 and 2 demonstrate that synapse is breaking from the matrix protocol spec. I can't find any discussion where this deviation was justified or considered.

In NV's own post on GDPR compliance they state:

Consent requires that our users are fully informed as to exactly how their data will be used, where it will be stored, and (in our case) the specific caveats associated with a decentralised, federated communication system. They are then asked to provide their explicit approval before using (or continuing to use) the service.

The synapse implementation of revealing the personally identifiable information to the first IS clearly violates this principal of consent, particularly when the user specified their own IS when registering the 3PID in the first place. The fact that synapse has no memory of the user's chosen IS should be considered a bug, and addressed accordingly.

picture abeluck on 1 Feb 2019
👍5

All 6 comments

The 5 points raised by @maxidorius are serious, which is despite the fact that synapse is rolling out an under-review proposal to production systems (and that the proposal as it stands has severe outstanding issues).

Points 1 and 2 demonstrate that synapse is breaking from the matrix protocol spec. I can't find any discussion where this deviation was justified or considered.

In NV's own post on GDPR compliance they state:

Consent requires that our users are fully informed as to exactly how their data will be used, where it will be stored, and (in our case) the specific caveats associated with a decentralised, federated communication system. They are then asked to provide their explicit approval before using (or continuing to use) the service.

The synapse implementation of revealing the personally identifiable information to the first IS clearly violates this principal of consent, particularly when the user specified their own IS when registering the 3PID in the first place. The fact that synapse has no memory of the user's chosen IS should be considered a bug, and addressed accordingly.

abeluck picture abeluck on 1 Feb 2019
👍5

This definitely needs addressing. I don't have much to add other than:

This doesn't feel much like a decentralized, federated, and privacy respecting communications protocol if it just shoots off incredibly sensitive and very identifiable information with wanton disregard for the user.

Data leaks of such incredibly personally identifiable information should be treated as a serious security risk and addressed as soon as possible.

sparky8251 picture sparky8251 on 1 Feb 2019
👍3

For the sake of transparency, there was a closed door Jitsi meeting to re-discuss MSC1194 and solve this issue. For the record, here are the minutes which I have accepted in case those get edited: PDF.

The outcome is to fix it by following my original counter-proposal which was mentioned at several places in my original review of the MSC and remove the current behaviour of synapse.

maxidorius picture maxidorius on 4 Feb 2019

FYI such requests are now actively blocked in stable releases of mxisd, starting from v1.3.0 with a notification sent to the 3PID owner informing them about this issue.

maxidorius picture maxidorius on 10 Feb 2019

MSC1915 has now been implemented

erikjohnston picture erikjohnston on 3 Apr 2019

If I'm not wrong, it seems like not all of the 5 paragraphs are fixed in MSC1915

rubo77 picture rubo77 on 21 Jun 2019
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

matrixbot picture matrixbot  路  5Comments
ansiwen picture ansiwen  路  4Comments
brainscar picture brainscar  路  3Comments
APwhitehat picture APwhitehat  路  4Comments
AnwariasEu picture AnwariasEu  路  3Comments