GDPR: Removing Monal from the EU

As many people know, the EU’s GDPR regulations come into effect on May 25th. While Monal is privacy focused, it is also free, open source and run by a single person — me. I simply do not have the resources or the time to jump through the regulatory hoops required by the EU. While I do not live in the EU, I frequent Europe and do not want to get into legal trouble on vacation. As GDPR approaches, I get the impression that it is the end of an era for the internet. The days of someone making something, putting it on the internet and offering it to the world seem to be over. EU users can always download the source on GitHub and compile the iOS app, but they will be blocked from using push when I deploy it.

The problems below are likely not unique to me and there are many other issues. Other open source projects may want to consider their fate under GDPR as well.

Data Protection Officer

I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.  I do not have designated EU contacts.

Crashes

Tracking crashes with Crashlytics introduces new issues: crash reports are posted to Fabric from the user’s device, and the IP addresses in those logs are personally identifiable information (PII). Crashlytics itself is GDPR compliant, but the burden is on me to show regulators that I am compliant, which points back to the need for a DPO.

Push

Even though no message traffic passes through Monal’s server, registering for push does make an HTTP call which logs a user’s IP, and this requires GDPR compliance. APNS push tokens are associated with devices, which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person. However, the fact that it can be combined to identify a person makes it PII. I believe in privacy, but I do not have the resources to meet the letter of the law for compliance, especially with respect to retention and processing of these tokens.

XMPP Federation in General

Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR. EU user data is sent out of Europe constantly. GDPR is written such that a user cannot agree to a user agreement that gives up GDPR requirements; it’s not a matter of saying you agree to X by using this service. GDPR compliance is something the XSF is talking about right now.

61 thoughts on “GDPR: Removing Monal from the EU”

  1. Hey, this is very unfortunate. I was hoping to use Monal for my parents who both have iPhones. Unfortunately, without Push it will not be very useful. I’m a EU citizen, can I help you somehow with this?

    1. Tell your politicians to be aware of unexpected consequences when they make new regulations.

    2. The nice thing about it being open source with a BSD license is anyone is free to reuse/redistribute. I am simply planning on not distributing iOS binaries for Europeans so that I do not have to deal personally with regulatory issues there.

  2. I think you are over-reacting. Most of the usage you are describing falls under the case of being essential in order to maintain the service.

    As a service with no presence in the EU you’d really be fine, and don’t need a DPO.

    At the very very least I would wait a few months to see how the law is actually enforced.

    1. The fine for not complying with the loosely defined regulation is 20mil, a lot of people don’t like to tempt fate and would rather just stay away from the EU all together. He’s not overreacting, he’s being rational.

      1. It is up to 20 Mio or 4% of the revenue. However the fines should be “effective, proportionate and dissuasive.” So if a private person gets a fine, this would be only a small amount. Furthermore authorities should also give advice in such cases.

  3. Wow, what an over-reaction. The GDPR clearly mentions legitimate (business, technical) reasons in which collecting PII is okay, you only have to give the users some insight about it happening. So, Crashlytics is okay, as you mentioned yourself. In addition, you don‘t need to hire someone, that’s absolutely ridiculous. A DPO is not necessary for small businesses. The only thing you communicate with your behavior: You are not unable but unwilling to tell your users how you collect, analyse, share and monetize their data. Good luck with such an attitude.

    1. Yet the GDPR defines nowhere what the size of a “small business” is. Also the entirety of the law reads to the tune of “if we want to punish you we will” so it’s very rational to stay away from the EU entirely.

      1. If a one person outfit doesn’t count as a small business, I’d love to know what does.

  4. hi,
    I have no idea what your product does (I just clicked from HN) but I have a pretty good idea of what the GDPR may require you to do.

    After reading your conclusions, I have three remarks:
    1) Almost everything you wrote above in terms of requirements vs. implications to your service is wrong.
    2) Restricting yourself from providing your service to EU citizens is the right decision, at least for as long as you don’t resolve 1).
    3) You will probably change your mind after a good night’s sleep, which is a good reason for me to stop writing ; )

    1. Yeah, I’m sure you’ll be happy to pay his legal costs when it doesn’t turn out the way you’ve said, random internet poster.

      1. I’ve definitely noticed this pattern too, EU citizens / GDPR proponents seem quick to claim overreaction seemingly easily overlooking that 20mil fine.

  5. Monal is awesome.
    I function as an outsourced Data Protection Officer for the GDPR for multiple companies.
    If you would like please reach out to me to be your FREE DPO, and we can get started asap on your gap analysis. My company will also serve as your EU Representative.

    GDPR is meant to protect consumers from abuse, not hurt those who respect privacy. Let’s keep it that way.

      1. Unfortunately hobby projects can hurt user privacy just as much as “serious” ones, especially if hackers come and steal that data.

        I have a lot of work because of GDPR due to various projects, some of them legacy ones, but I still consider GDPR a very good thing. I also happen to think the author is wrong on all points and would only need a good disclosure text plus logrotate to be compliant, but then again I am neither them nor their lawyer.

        1. I value my time more than you it seems then. Regardless of how important the spirit of the law is, why should I take time from my current endeavors to update all of my old projects to be compliant? When a hobby takes more time than your normal job it just became a job that doesn’t pay.

  6. You don’t need a privacy officer, those are only needed if ten fully employed people have access to personal data. Also I don’t think you need an access protocol, this is for very sensitive personal information like health data. What you need is a privacy policy and a way for your users to extract their data and completely delete their account. The GDPR sounds scarier than it actually is.

    1. I’m not too familiar with the source code, but since Monal is an XMPP client, I’m guessing it doesn’t collect anything apart from (a) Crashlytics and (b) IP address for Push Notifications.

      Apart from that, Monal just acts as a frontend to whichever XMPP server you choose to use.

      Unfortunately, that also means there may not be an in-app way to completely delete your account. Will a “we’re providing this app but the server you choose is responsible for your data” suffice, do you think? I don’t know enough about GDPR to judge. That would place the burden on the XMPP servers (who, after all, are the ones actually processing your data).

      1. I thought he was writing about a server not a client. Anyway, with the client it is even simpler, he needs to pseudonymize or better remove the IP addresses from the crash logs and ask the user for their consent before sending them. The push notifications are a necessity for running the application. He could turn them off by default of course.

        It is also likely that if he writes the software alone and for free that he falls under Article 2 – 2c but how far “purely personal” goes is debatable.

        But I understand the confusion, it is a huge law which is supposed to protect people and it is hard to understand w/o proper explanation.

        My personal advice is simple, reduce the amount of personal data to a minimum and delete the rest as soon as you don’t need it anymore.

    2. Where are you getting the 10 from, the GDPR definitions page doesn’t define a “large company”

  7. I’m a SaaS owner and I did some research on this topic obviously. For businesses with less than 250 employees a data protection officer is not mandatory. As long as you have a list of where what user data goes and what third parties collect your PII you’ll be fine. For the rest try to anonymize PII where you can (data that is not necessary for running your app).

    The fact that you are thinking about the gdpr already gives you a plus, what do you think about the dentist in Poland collecting patient details in a SaaS or the mall in a small village in Germany collecting newsletter addresses? They don’t have the resources to handle gdpr, and the EU won’t go to kill off small business. They’ll go for the big entities first.

    1. Where are you getting 250 employees from? The GDPR doesn’t define a “large business”

      1. Seriously? I’ve just been through GDPR compliance with my ~30 person business, and it didn’t stress me out nearly as much as it seems to be stressing you out.

        You already know what data you collect & where it’s stored, so that’s done. You’ve put something on your website (sort of) to tell people what data you collect and why, so that’s done.

        So all you need do is share or delete people’s data if they ask for it, explain why you can’t if that’s not possible, and delete it when you don’t need it any more. Oh and name yourself as DPO. Sorted.

  8. Hi Anu,

    I’ve read the GDPR for work and your use cases seem to at least remotely involve security (arguably also in the crash logs).

    So if you need an IP to be saved in order for your service to operate: That’s fine.
    If you keep logs that can help you mitigate attacks: That’s fine.
    There’s an exception clause in the law for security purposes.

    Have a great day!

  9. “IP addresses are in the logs this is personally identifiable information (PII).”

    Not really – these don’t point to a specific person, only to the computer.
    That’s how we (large EU company, with own lawyers and GDPR specialist) interpret this and what we comply to.

    1. And will your lawyers come to his aid if you’re both found to be non-compliant? What if the computer is using a static IP and only has one user account? Now I can identify a single user using just an IP. Many mobile devices fall into this category.

    2. Wrong. Just ask your IT guys about the dhcp logs. Just ask every hacker who was trapped by the police.

      The real point is that “personal data” means “every data related to a person”, not “data allowing to identify a person”. PII is an american concept.

      Change your lawyers before you get into trouble.

  10. I think you missed the point of GDPR and how it operates, but at the end it’s your call.

    1. Everybody knows the point of the GDPR, the 20mil fine is a hard pill to swallow for a one person show

      1. You are seriously over-reacting. The 20 million that you keep quoting is for ‘serious and repeat offenders’. As another comment has already pointed out, you have already complied with the GDPR with 1 minor exception. Currently you have told people what you store – and it is irrelevant for the purposes of the GDPR – , all you have to do now is delete any PII information that you _do_ hold if requested to do so. As you don’t hold any, that shouldn’t be a difficult thing to do!

        If you hold personal information, such as addresses, telephone numbers, health details, financial details then you have to protect it from abuse. What you are doing is not even worth considering. But, if you wish to over-react, then by all means keep your software away from Europe.

        1. >>…If you hold personal information, such as addresses, telephone numbers, health details, financial details then you have to protect it from abuse

          Of course not, he doesn’t have to. In a non-socialistic world you can only get what the contract offers you, no more. Are you enjoying the use of some free service? So you have the options: trust it or go search for another one. Does someone force you to put your data into the service (I mean some abstract service, not this one)? No? Why are you doing it? This is totally childish to put some Great Valuable Data to someone whom you even do not pay and then make demands of him. Have valuable data? Keep it on the local drive, use encryption and don’t share – it really helps. Or give it to someone who offers you a special service which includes data protection and which would cost you something, you know.

  11. Yet another victim of the GDPR.

    Gravity/Warpportal have also abandoned their EU customers due to it. Flat out banning their current accounts, and region blocking the EU from their games.

    1. I’m a gdpr expert consultant, working only on this for years for the largest european corporations. This is absolutely ridiculous.
      If a business creates no risk to users, then GDPR is not a risk. But if you’re Adult Friend Finder, you’re bound to protect your users’ privacy. That’s just common sense.

  12. The DPO isn’t a new hire (a full-time post), it’s just a role given to an existing employee (usually). For example, it might be the existing CTO of the company (who’s now responsible for ensuring the company’s privacy compliance). And it’s no extra work: the CTO was _already_ responsible for the company’s compliance to their privacy policy, and how the company handled customer data! All that’s changed is that now he’s a registered individual within the company, so customers and regulators know who to email with queries.

    Unless you’re doing something unethical, GDPR shouldn’t involve significant changes in practice – and compliance should be achievable for projects of all sizes.

  13. You’re clearly being flippant, ignorant, and childish. The law states almost nothing that you’ve assumed, you do not need to hire a new person, nor are IP addresses PII. The law is there to protect users, and you’re generally not allowed to collect information that identifies a particular user without their explicit consent. Broadly speaking this includes the likes of Google Analytics / other 3rd party cookie shite that’s used to track people too, but none of that is necessary for an email product.
    You choosing to do this has nothing to do with GDPR.

    1. Ignoring the irony of the “flippant” comment and post, it has everything to do with the GDPR. Who wants to stare that 20mil fine in the face daily when writing code? One wrong move and there goes the farm. Why should I as an American give two shits about jumping through hoops to prove I’m not using your data? News flash, a GREAT majority of companies could really care less about what you’re doing online. The GDPR is overly burdensome to small business and projects. If you can’t see that then you’re the one being ignorant.

      1. You keep repeating yourself about the 20 million euros, but that’s the upper fine limit and based on business size and seriousness of your offence. No data protection officer will just fine a hobbyist project at that level and I would even assume that a simple warning letter setting a deadline would be issued before.

        I don’t know about you Americans, but the principle of proportionality is the core of our law. We also don’t have death penalties.

  14. Hi,

    As an EU user, I’m happy with GDPR. I don’t care about your shitty product, I give you a big “fuck you” if you are collecting my data.

  15. Sorry to hear about this. Hopefully it can get sorted out eventually. I assume Monal will still be available for non-EU users, right?

    Also, from what I can make out, the only PII you’re “collecting” is the crash analytics, and the users’ IP addresses for the Push Notifications. Perhaps you could publish a special edition with those two features disabled, at least till things get clearer?

    In that case you would just be providing an app, not collecting data at all, and it would be up to the XMPP servers to prove that *they* were compliant. You could have a note saying that users were responsible for the servers they connected to, or something.

    1. As am I. Considering I’ve developed and paid to keep Monal free and ad-free for a decade, I dislike not making it available to everyone.

      1. And you don’t have to, just look where you can limit the use of personal data of your users. Explain what you collect and what it is for and let the people agree to it. You should also mention how long you are keeping crash logs, and so on, and if you are really, really serious you can create a protocol which notes access, usage, and deletion of that data. It is most likely that you won’t have to worry about the GDPR at all. You don’t need a DPO for a single person, especially if you don’t even sell anything. There is a lot of confusion about the GDPR and people like Ron E. are not helpful to solve them. In short, you won’t get a bill of 20 million euros from any privacy agency in the EU.

        1. The EU is very crazy with their GDPR. Treating crash reports, usage analytics, app instance id etc as personal data is ridiculous. You just can’t use it to “identify” a person (not being the FBI or the like). The rest of the world will just block them or provide paid-only services for them.

          1. No, it is basically you as a service need to know where you store personal data. Why you do that and for how long.
            Put that on a Web page and you are basically fine.

            You should also let users edit and remove all data that you store about the user. Unless things like a rolling log, that will be cleaned out automatically.

            Especially if you are seriously concerned with private persons privacy this should be a good thing.

            And no, the EU isn’t as trigger happy as the US court system, and no, no single person organisation will be fined. At least not until after several refusals to comply by correcting things that are wrong.
            Comply when asked to change, and you are OK. If you still don’t comply, if you behave obstructively like Microsoft did, you can get a fine.

  16. Hey Anu,
    I didn’t know how to get in contact with you directly.

    The company I work for has a software that deals with consent & data rights management, therefore GDPR compliance.

    We have an affordable and comprehensive product for companies like yours that need – what is often a fairly simple – solution to GDPR and we would be happy to chat to you about it. Our software as standard also comes with a ‘DPO dashboard’, which gives you the configurability of being a DPO, however you certainly do not need to be one to operate it – it is very intuitive and built specifically for GDPR.

    Email me or get in touch via our website (www.trunomi.com) if you would like to speak further and we’d be happy to have a talk – you may find it’s more straightforward than originally thought… our DPO Dashboard will be of interest, and consent to IP addresses is something we deal with A LOT; our tech team can also discuss XMPP Federation.

    A

    1. Lol. Do you really think that Anu has to do anything about GDPR?
      You’re not demonstrating a great expertise about the text.

  17. Hi Ron,

    Many people here seem to be talking about something they have very limited knowledge of.

    Does your app involve monitoring your users’ behavior? Keep in mind that collecting the IP address (which is, as you stated, personal data) doesn’t mean that you are monitoring behavior.

    Does your app involve the offering of goods and/or services to your users?

    From what I gathered here, your app does neither of those things. If I’m correct, then, guess what? The GDPR doesn’t apply (see Article 3).

    As far as the sanctions are concerned, don’t be alarmed. We’re talking about a EU regulation, we’re not in the US. It basically never comes to fines, unless a major — and I mean major — company is voluntarily and openly non-compliant. And even then, we’re a long long way yet from the 20 mil.

    Source : Am data privacy lawyer.

    1. This is perfectly right.

      When you create no risk to your users, you are not at risk with the GDPR.

      Facebook is much more dangerous with Cambridge Analytica, or Amazon with Alexa or Rekognition.

  18. Dear Anu,

    I’m a French expert about privacy. Your application creates no harm. Your risk is zero. You need no DPO, no records, no lawyers.

    In fact I chose Monal because it is the most privacy-respecting application. All others require me to open an account AND to give them my password to access my private email server. No way. Monal is the ONLY application which enforces Privacy by Design as defined by article 25 – it is designed to minimize data collected. And, it is open source so I can verify that you can’t read my messages.

    Please stay in Europe to help us to protect our privacy!

    Fred

  19. He will not have any legal cost if he just considers what the GDPR is all about.

    1) You should know where you store information about persons. And no, it is not just data stored in computers, it is also about data stored on paper. The thing is, it is about data.

    2) You should INFORM your users WHAT data you store where. And why you store it. Using a general page on a Web site is enough for both old and new users.

    3) You should clean out the data stored about persons, remove it when it is not needed any more. A rotating log would be enough. Yes, it is ok to store bug reports while you are handling the bug. And with consent, you can store how long you like, unless asked to remove the data.

    That is needed so you can do this.

    4) If users ask to be removed, or data should be corrected, you should let them do that. Manually or on a Web page that is login protected. Unless you need the data to serve them, then you are allowed to store it longer.

    5) If you get consent, you are allowed to store more data.

    I am sure you do all this already? If not, then you think that is a good way of treating users, don’t you?
    If that is not the case, then I personally think you should not only lose EU users, but all the others too. Because that is not hard to do.
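Several commenters above (the reply under comment 6 that suggests pseudonymising or dropping IP addresses from crash logs, and the numbered list in comment 19 about retention, rotating logs and honouring removal requests) describe the same data-minimisation pattern in words. The following is an added illustration of that pattern, written for this page; it is not Monal’s code and does not reflect how Monal, Crashlytics or the push server actually store anything. The retention period, the prefix lengths, the record layout and the sample entries are all assumptions made for the example.

```python
"""Data-minimising handling of IP addresses in a push-registration or crash log.

Added example for this page, not Monal's code. Three ideas from the comments:
  * keep only a network prefix of the address (IPv4 /24, IPv6 /48, assumed policy),
  * store a keyed hash of that prefix rather than the prefix itself, so records
    stay linkable for abuse analysis but the raw address is never written,
  * purge records after a fixed retention window and honour erasure requests.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy value for the example; a real deployment sets its own.
RETENTION = timedelta(days=30)


def truncate_ip(raw: str) -> str:
    """Drop the host bits: IPv4 keeps the /24, IPv6 keeps the /48 (assumed policy)."""
    ip = ipaddress.ip_address(raw)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise_ip(raw: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the truncated address; the key never leaves the server."""
    digest = hmac.new(key, truncate_ip(raw).encode(), hashlib.sha256).hexdigest()
    return digest[:16]


@dataclass
class LogRecord:
    ip_token: str   # pseudonymised prefix, never the raw address
    event: str      # e.g. "push-register" or "crash"
    when: datetime  # timezone-aware timestamp of the event


class MinimisedLog:
    """In-memory stand-in for a log file; a real system would write to disk."""

    def __init__(self, key: bytes, retention: timedelta = RETENTION) -> None:
        self._key = key
        self._retention = retention
        self._records: list[LogRecord] = []

    def record(self, raw_ip: str, event: str, when: datetime) -> LogRecord:
        rec = LogRecord(pseudonymise_ip(raw_ip, self._key), event, when)
        self._records.append(rec)
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Rotate out everything older than the retention window; returns count removed."""
        before = len(self._records)
        self._records = [r for r in self._records if now - r.when < self._retention]
        return before - len(self._records)

    def erase_ip(self, raw_ip: str) -> int:
        """Honour a removal request: delete every record linked to this address's prefix."""
        token = pseudonymise_ip(raw_ip, self._key)
        before = len(self._records)
        self._records = [r for r in self._records if r.ip_token != token]
        return before - len(self._records)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Run the pattern over constructed sample events and return a summary."""
    key = b"example-secret-key-rotate-me"   # constructed; store a real key outside the code
    now = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)
    log = MinimisedLog(key)
    # Constructed sample events (documentation-range addresses, not real users).
    log.record("203.0.113.77", "push-register", now - timedelta(days=45))
    log.record("203.0.113.80", "crash", now - timedelta(days=2))
    log.record("198.51.100.9", "push-register", now - timedelta(days=1))
    log.record("2001:db8:abcd:1234::1", "push-register", now)
    purged = log.purge_expired(now)           # removes the 45-day-old entry
    erased = log.erase_ip("203.0.113.5")      # same /24 as the surviving crash entry
    return {"purged": purged, "erased": erased, "remaining": log.count()}


if __name__ == "__main__":
    print(demo())
```

The keyed hash is the design choice worth noting: a plain SHA-256 of an IPv4 address can be reversed by hashing all four billion candidates, so a secret key is what keeps the token from being a thin disguise for the address. Truncating first means records from the same network collapse to one token, which is usually enough for spotting abuse while making a single household or phone harder to pick out.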
