Privacy Policy #93

Open
khlr opened this issue Dec 2, 2023 · 25 comments

Comments

@khlr
Contributor

khlr commented Dec 2, 2023

The other day I took a glance at the Chrome Web Store to see if we could publish a new version of SAML-tracer anytime soon. I couldn't help but notice that the CWS now enforces the linking of a privacy policy. Without this, it is not possible to publish a new version.

Now one could certainly click through one of the numerous online generators for privacy policies. Sure, sounds easy at first. Nevertheless, it is not unlikely that you will not state things correctly and that the whole structure will become legally vulnerable as a result.

I wonder how you deal with these kinds of issues in SimpleSAMLphp? I think that privacy issues and legal matters in general are even more acute with this project than with SAML-tracer.
Is SimpleSAMLphp backed by Sikt/UNINETT in this regard? Or SURF (probably not)?
However, I couldn't find a privacy policy anywhere in the SimpleSAMLphp project or on the website. Either I'm looking too hard, or there isn't one?!

Anyway. I think with the necessary effort one could also create a (hopefully legally bulletproof) privacy policy for SAML-tracer. It would certainly also be in the users' interest if they could find out what happens to their data (namely nothing; since we don't play fast and loose with it).
However, I have concerns about article 13(1a) of the GDPR. This article requires the specific designation of a responsible person ("controller"). Who should be named here in an open source project? If SAML-tracer were the product of some company, it would certainly be a different situation.
Hence the question about Sikt/UNINETT: Would it somehow be conceivable to come under their umbrella in this respect?

What do you think about this, @tvdijen , @thijskh , @jaimeperez ?

@tvdijen
Member

tvdijen commented Dec 2, 2023

Sikt is not involved anymore and I believe the SimpleSAMLphp project to be a legal entity on its own.
This sounds like a job for our board to figure this stuff out.

@khlr
Contributor Author

khlr commented Dec 3, 2023

Oh, I didn't know that Sikt isn't involved anymore.
What form of legal entity is SimpleSAMLphp likely to be?

How can the board be 'activated' to clarify these questions? 😉

@tvdijen
Member

tvdijen commented Dec 3, 2023

Jaime is one of the board-members, so let's wait for him to respond. He can bring the topic to their monthly-or-so board-meeting.

@jaimeperez
Member

jaimeperez commented Dec 4, 2023

SimpleSAMLphp is established as a non-profit entity under the umbrella of the NLNet Foundation. This means we are free to accept donations without worrying about taxes and all sorts of administrative issues, and use that to take care of the project. Sikt and Cirrus Identity have been the only ones who have donated to the project since the new non-profit was established, but neither of them has any control or ownership capabilities.

Regarding the GDPR & Privacy Policy, as far as I understand it shouldn't affect us in general for two reasons:

  • We are not a company offering any services, and as such, we cannot be designated as controller of any personal data.
  • We are not collecting any personal data either. In fact, we are not collecting any data at all.

The only tricky part is this issue tracker and any mailing lists. In theory, people who have written here or in mailing lists that we manage could exercise their right to be forgotten under GDPR, and that would force us to delete their comments. I believe both Google Groups and Github offer an automated way to delete all your comments when you delete your account, so that leaves us with no need to do anything on our side (but we should verify this, of course).

Other than that, the Privacy Policy for SAML-tracer should be as simple as "We don't collect any data. All data made available to the SAML-tracer extension, personal or not, is under your control at all times."

@jaimeperez
Member

Hi again!

Just a quick update on this. We just discussed the topic in our board meeting and we are going to look into the legal requirements, write something that we can use as a privacy policy and find a place where we can publish it when done 😄

@khlr I'll let you know when everything is in place so that you can use it in the CWS!

@khlr
Contributor Author

khlr commented Dec 7, 2023

Thanks for the feedback and for discussing the further details in the board meeting, Jaime.

Thanks also for the info on the NLNet Foundation. However, I can't find SimpleSAMLphp anywhere on the list of supported projects. Is it listed there under a different name?

@thijskh
Member

thijskh commented Dec 7, 2023

So it's not NLNet Foundation but The Commons Conservancy. NLNet in turn delivers services to TCC.

@jaimeperez
Member

That's absolutely true, my bad. TCC is the legal instrument that hosts us, while NLNet provides most services for it. I was thinking strictly on economical terms, so I just thought about the NLNet foundation.

@khlr
Contributor Author

khlr commented Feb 17, 2024

Hi @jaimeperez!

Are there any results on this topic in the meantime? 🙂

@tvdijen
Member

tvdijen commented Feb 17, 2024

I've been checking out some other browser add-ons that have similar functionality and found this one to have a very simple privacy statement that perhaps we could re-use?

https://chromewebstore.google.com/detail/enlnbonndfjonmelmplbmgnobjffbhoj/privacy

Is there a generic email address we use?

@thijskh
Member

thijskh commented Feb 19, 2024

Since the privacy question with SAML Tracer is rather trivial, I've gone ahead and just written what it does. That seems the essential part. We do nothing with your data.

Please find the proposed text on simplesamlphp/simplesamlphp.github.io#11. Improvements to the text welcome, but I prefer to keep simple things simple.

We can improve on this at any later time, but I suggest not dwelling too long on theoretical legal aspects of something that is so trivial re privacy risks, and going ahead with what is proposed in this one.

@tvdijen
Member

tvdijen commented Feb 19, 2024

I think it makes more sense to add the .md file to this repository, rather than on the SSP-website.
Other than that, 👍🏻

@thijskh
Member

thijskh commented Feb 19, 2024

How can we then link to it? Isn't the whole purpose of this issue that we provide a link to the Privacy Policy?

@tvdijen
Member

tvdijen commented Feb 19, 2024

I'd link to the raw file in the master-branch 🤷🏻‍♂️

@thijskh
Member

thijskh commented Feb 20, 2024

This might be a matter of taste but I think it looks more reliable and official to random end users if it's part of a proper website and not some file deep in a code repository. YMMV

@tvdijen
Member

tvdijen commented Feb 20, 2024

Right, and I do not disagree on that matter, but right now the website has no relation to (not even a mention of) SAML-tracer and vice versa.
For now, merge it so @khlr can do the release of v1.8

@thijskh
Member

thijskh commented Feb 20, 2024

Here's the Privacy Policy: https://simplesamlphp.org/support/samltracer_privacy.html
I could not find out if this needs to be added to the Manifest or otherwise.

@khlr Is this enough for you to proceed?

@tvdijen
Member

tvdijen commented Mar 23, 2024

@khlr ?

@khlr
Contributor Author

khlr commented Mar 24, 2024

I apologize for still not getting back to you...
I've let the topic slide a little. I had hoped that @jaimeperez might have some feedback from the board meeting after all, as I would personally prefer to have a more legally certain result. Is something still in the works there?

Anyway, I will (hopefully) continue with the current status next week. 🐌

@tvdijen
Member

tvdijen commented Mar 24, 2024

I wouldn't get your hopes up ...

@tvdijen
Member

tvdijen commented Apr 10, 2024

Just 🚢 it @khlr !

@tvdijen tvdijen closed this as completed Apr 10, 2024
@khlr
Contributor Author

khlr commented Apr 11, 2024

Sorry guys. I've given this a lot of thought over the last few days. Thanks @thijskh for the generated privacy statement, but I think that's simply not enough. I just don't feel comfortable using a privacy policy that doesn't meet the necessary legal requirements (I refer here again, for example, to Article 13 (1a) of the GDPR).
Sooner or later, some warning lawyer will take notice and we'll have a problem on our hands.

Personally, I really don't have the time, inclination or nerves for this. Since SimpleSAMLphp is fortunate enough to have an umbrella organisation in the form of the Commons Conservancy that takes care of such legal matters, I am very much in favour of not cobbling something together ourselves, but instead relying on their support.

@jaimeperez, I would really like to hear some feedback from you as a board member.

@khlr khlr reopened this Apr 11, 2024
@jaimeperez
Member

So sorry for the lack of response from my side, guys! I never got the notifications and was unaware of the discussion until Tim mentioned it to me right now.

I'm still waiting for feedback myself. Another board member (Niels) was going to involve a GÉANT lawyer to give us some proper legal text we could use, but we haven't had any news yet and we had to postpone our last board meeting.

I'll ping Niels to see if we can get something as soon as possible. I totally understand that you do not want to take any risks with this and prefer to have a lawyer look into it.

@jaimeperez
Member

By the way, I just had a quick look at the privacy statement that has been already published. I'm no legal expert myself, but I think there's little more that we can say. As described there, the SAML-tracer extension does not collect any data, and as such, there's nothing we can do about what we do with the data... because there's no data to do anything with :-)

@jaimeperez
Member

One more comment regarding Article 13 of GDPR: the entire article does not apply to us, since it is conditional to the collection of personal data. There is personal data managed by the extension indeed, but the data is not collected, and as such there is no processing and we are not a Processor as per the regulation.

The key for us is Article 2 paragraph 1:

This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

From the definitions in Article 4, point (6):

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

There is no set of personal data accessible, because we don't collect any data. Since there is no "filing system", the second condition in Article 2 does not apply to us. The first condition is the only one that applies, about the "processing" of personal data. According to the definitions again:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

This definitely applies to SAML-tracer, as the extension retrieves, consults or uses the data exchanged in the SAML flow (and/or during authentication). However, this processing is done by the legal person (according to GDPR, the controller). We are not processors, as per the definition:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

We (the SSP board, the developers, the community, whatever legal entity is behind the software) do not perform any of those activities on behalf of the controller. The controller performs the processing directly (with the help of our software), and as such we aren't even in scope of GDPR.

I'm still waiting for feedback from my board colleagues, but I hope this alleviates your concerns @khlr. I'm pretty sure the Privacy Policy suggested by Thijs is more than enough for our purposes. If it helps, have a look at OpenOffice's privacy note.
