
GDPR tooling: Erasure #820

Open
InezMc opened this issue Nov 9, 2022 · 16 comments
Labels
T-Enhancement Z-Compliance-GDPR-Erasure Compliance - Right of Erasure Art.17 Z-Compliance-PersonalData Personal data

Comments


InezMc commented Nov 9, 2022

Your use case

GDPR lists the right to deletion / erasure. We are not adequately allowing for users and customers to enact this right.

There are many places where 'deletion' of user content could be done better. Including federation of redactions.

The Admin API on account deletions https://matrix-org.github.io/synapse/develop/admin_api/user_admin_api.html#deactivate-account

The following actions are NOT performed. The list may be incomplete.

Remove mappings of SSO IDs
Delete media uploaded by user (included avatar images)
Delete sent and received messages
Remove the user's creation (registration) timestamp
Remove rate limit overrides
Remove from monthly active users
Remove user's consent information (consent version and timestamp)

Steps towards GDPR compliance

For Individuals on Matrix: Self-serve erasure tooling

  • Account deletion
  • message deletion/redaction (without account deletion)
  • Rageshake / issue submission deletion.
  • Media deletion
  • Containment for Law enforcement Requirements

Customers Tooling

  • admin able to enforce deletion (controller responsibilities) URGENT
    • Customers need this to enact their rights as controllers.
  • Delete Identifiable data. If name is used in mxID, can that be redacted?

Education Documentation

  • ensure users understand how erasure works in Matrix and technical limits.

Additional context

Currently you can deactivate an account. Deactivating an account does not free up the username, and does not delete user messages, but we do delete all other local user data: Deactivating “(…) removes active access tokens, resets the password, and deletes third-party IDs (to prevent the user requesting a password reset).

It can also mark the user as GDPR-erased. This means messages sent by the user will still be visible by anyone that was in the room when these messages were sent, but hidden from users joining the room afterwards.” (see Admin API documentation)

Are you willing to provide a PR?

No

@InezMc InezMc added T-Enhancement Z-Compliance-GDPR-Erasure Compliance - Right of Erasure Art.17 Z-Compliance-PersonalData Personal data labels Nov 9, 2022
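The "GDPR-erased" behaviour quoted above (messages from an erased user stay visible to people who were in the room when they were sent, but are hidden from anyone who joins afterwards) is easy to misread, so here is a small model of that rule. This is an added, constructed example and not Synapse's own code: the room, the users, the timeline and the "shared" history-visibility assumption are all made up for illustration. The only thing taken from the page is the admin endpoint it links to, `POST /_synapse/admin/v1/deactivate/<user_id>` with body `{"erase": true}`, which `deactivate_request` builds but does not send.

```python
"""Model of the Synapse "GDPR-erased" visibility rule described in the issue.

Constructed example, not Synapse code: a toy room timeline, a membership
lookup, and a filter that hides an erased user's messages from anyone who was
not joined to the room when the message was sent.  History visibility is
assumed to be "shared" (every current member can otherwise read all history).
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    sender: str
    kind: str                         # "m.room.member" or "m.room.message"
    content: Dict[str, str]
    state_key: Optional[str] = None   # membership events: the user whose membership changed


@dataclass
class Room:
    timeline: List[Event] = field(default_factory=list)
    erased_users: Set[str] = field(default_factory=set)

    def join(self, user: str) -> None:
        self.timeline.append(Event(user, "m.room.member", {"membership": "join"}, user))

    def send(self, user: str, body: str) -> None:
        self.timeline.append(Event(user, "m.room.message", {"body": body}))

    def erase(self, user: str) -> None:
        """Record the flag the admin API sets with {"erase": true}; events are not deleted."""
        self.erased_users.add(user)


def membership_at(timeline: List[Event], index: int, user: str) -> str:
    """Membership of `user` immediately after timeline[index] ("leave" if never joined)."""
    membership = "leave"
    for ev in timeline[: index + 1]:
        if ev.kind == "m.room.member" and ev.state_key == user:
            membership = ev.content["membership"]
    return membership


def visible_messages(room: Room, viewer: str) -> List[str]:
    """Message bodies `viewer` may see once erasure is taken into account."""
    out = []
    for i, ev in enumerate(room.timeline):
        if ev.kind != "m.room.message":
            continue
        # Erased sender: only people who were joined at send time keep the message.
        if ev.sender in room.erased_users and membership_at(room.timeline, i, viewer) != "join":
            continue
        out.append(ev.content["body"])
    return out


def deactivate_request(user_id: str, erase: bool) -> Tuple[str, str, str]:
    """Admin API call from the page: POST /_synapse/admin/v1/deactivate/<user_id> with {"erase": ...}."""
    return ("POST", f"/_synapse/admin/v1/deactivate/{user_id}", json.dumps({"erase": erase}))


def build_sample_room(erase: bool = True) -> Room:
    """Constructed timeline: alice and bob chat, carol joins later, then alice is deactivated."""
    room = Room()
    room.join("@alice:example.org")
    room.join("@bob:example.org")
    room.send("@alice:example.org", "hello bob")
    room.join("@carol:example.org")
    room.send("@alice:example.org", "hi carol")
    if erase:
        room.erase("@alice:example.org")
    room.join("@dave:example.org")   # joins after the erasure
    return room


if __name__ == "__main__":
    room = build_sample_room()
    for viewer in ("@bob:example.org", "@carol:example.org", "@dave:example.org"):
        print(viewer, visible_messages(room, viewer))
    print(deactivate_request("@alice:example.org", erase=True))
```

Running the model shows the limit the issue is concerned with: bob keeps both of alice's messages, carol keeps only the one sent after she joined, and dave, who joined after the erasure, sees none of them. Nothing is deleted from the timeline; erasure only changes who the server will serve the events to, which is why it does not on its own satisfy a deletion request.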
amilah-a commented Nov 9, 2022

element-hq/riot-meta#163 Check for completion.


amilah-a commented Nov 9, 2022

element-hq/riot-meta#164 Check for completion. What happens when someone clicks on the deactivate button. What data is actually erased and what lingers?


amilah-a commented Nov 9, 2022

element-hq/riot-meta#165 Work-in-progress here: matrix-org/synapse#4720


amilah-a commented Nov 9, 2022

element-hq/riot-meta#166 WIP (see issue)


amilah-a commented Nov 9, 2022

element-hq/riot-meta#167 Check for completion.


amilah-a commented Nov 9, 2022

element-hq/riot-meta#168 Check for completion. Seems related to several other issues.


amilah-a commented Nov 9, 2022

element-hq/riot-meta#169 Check for completion. Likely related to other issues.


amilah-a commented Nov 9, 2022

element-hq/riot-meta#171 WIP


amilah-a commented Nov 9, 2022

element-hq/riot-meta#175 Check for completion? Or possibly duplicate?


amilah-a commented Nov 9, 2022

element-hq/riot-meta#176 Check for completion.


amilah-a commented Nov 9, 2022

element-hq/riot-meta#178 Check for completion. Likely a duplicate or has overlap with another issue.


amilah-a commented Nov 9, 2022

element-hq/riot-meta#194 Check for completion.


InezMc commented Nov 11, 2022

It can also mark the user as GDPR-erased. This means messages sent by the user will still be visible by anyone that was in the room when these messages were sent, but hidden from users joining the room afterwards.” (see Admin API documentation)

  • WHY IS THIS NOT DONE BY DEFAULT on ACCOUNT DEACTIVATION?


InezMc commented Nov 11, 2022

We have been made aware that customers are requesting GDPR tooling around deletion.

  • For GDPR compliance, PII data must be removed (or anonymised) for deactivated users.
  • Requires account portability which is not available yet. (GDPR Article 20)


InezMc commented Dec 7, 2022

There is a discussion currently happening of concerns around PII linked to the MX ID and the benefit of some kind of pseudonymisation. CC @simaddis

What are the current technical limitations within Synapse around deletion? Why are these the case, and what would happen if the mxID were removed?

Would any of the new tooling, e.g. auditbots, break if the mxID is removed, pseudonymised or deleted?
