matrix-doc/proposals/4025-local-user-erasure-req...

84 lines
5.0 KiB
Markdown

# MSC4025: Local user erasure requests
Long ago a need arose for having a user specify that they'd like to not just deactivate their account,
but also *erase* as much of their content as possible for largely GDPR purposes. This got implemented
in the matrix-js-sdk as [PR #649](https://github.com/matrix-org/matrix-js-sdk/pull/649), but never
quite made it to the spec.
Back in 2018 the proposal process was very different (technically didn't actually exist at the time
the js-sdk PR was written). A [spec omission issue](https://github.com/matrix-org/matrix-spec/issues/297)
was opened to track the missing property, however [an attempt](https://github.com/matrix-org/matrix-spec-proposals/pull/1290)[^1]
to do the documentation got blocked on having a larger GDPR-centric proposal.
Eventually, [MSC2438](https://github.com/matrix-org/matrix-spec-proposals/pull/2438) was drafted,
presumably to be that GDPR/erasure-specific MSC the prior spec PR was waiting for. Unfortunately, it
appears to have gotten stuck in various stages of drafting.
It's highly regrettable that yet another spec change from 2018 has managed to go unspecified for so
long. Theoretically, the change could go through as a spec PR (much like the one linked above) rather
than as a proposal, however there is significant interest in giving the feature a formal chance to be
*rejected* as a solution under the modern spec proposal process.
This MSC serves as that opportunity. While a more comprehensive system could be designed, such as in
MSC2438, this MSC has a very narrow and specific scope of what was implemented back in 2018. For the
spec process, this translates to accepting the feature as-is, or rejecting it and flagging the client
behaviour non-compliant.
## Proposal
A new optional boolean is added to the request body of [`POST /deactivate`](https://spec.matrix.org/v1.7/client-server-api/#post_matrixclientv3accountdeactivate):
`erase`. It defaults to `false` and signifies whether the user would like their content to be erased
as much as possible.
Erasure does *not* mean issuing redactions for all of the user's sent events, but does mean that any
users (or servers) which join the room after the erasure request are served redacted copies of those
events. Users which had visibility on the event prior to the erasure are able to see unredacted copies.
The server should additionally erase any non-event data associated with the user, such as account
data and [contact 3PIDs](https://spec.matrix.org/v1.7/client-server-api/#adding-account-administrative-contact-information).
This is in line with what Synapse does, as referenced [here](https://github.com/matrix-org/synapse/issues/8185).
This is also what is described by the [matrix.org blog post](https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix)
on GDPR compliance.
## Potential issues
Erasure requests are not sent over federation in this model, meaning servers which already have an
unredacted copy of the event will continue to serve that to their users after the erasure happened.
Servers are expected to be informed out of band of erasure requests that affect them, if they affect
them.
## Alternatives
[MSC2438](https://github.com/matrix-org/matrix-spec-proposals/pull/2438) is the leading alternative,
however as specified in the introduction for this proposal, the desired outcomes of this MSC are either
acceptance as-written or rejection. Ideally, if rejected, another MSC or idea is marked as the suitable
alternative.
Redactions could be sent for all the user's events, however this has obvious performance impact on
servers and rooms. The [matrix.org blog](https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix)
discusses how redactions and GDPR Right to Erasure interact (or rather, how they aren't the same).
## Security considerations
This feature was originally introduced primarily in response to the GDPR Right to Erasure requirement
within the European Union. The privacy benefits apply to all users of the ecosystem and there's no clear
reason to region-lock or otherwise leave this as an implementation detail for EU-operated homeservers.
There are however consequences of GDPR erasure that are not covered by this proposal, such as the
deletion of server logs, forwarding the request, etc. Server operators are encouraged to seek legal
advice on how to handle this form of erasure request (and whether it qualifies under GDPR's Right to
Erasure requirements). The general recommendation is to enforce the erasure request as much as possible
on the local homeserver, including redacting/purging server logs, appservice data, etc.
## Unstable prefix
Even more regrettably than having unspecified behaviour, this feature was implemented before unstable
namespaces existed. Implementations can use `erase` without prefix.
<!-- Footnotes below here (github draws this as a real line in the rendered view) -->
[^1]: Readers should note that the spec-proposals repo used to contain both the spec itself and proposals
to change the spec. This was later split into dedicated repos, but closed PRs and issues were not migrated.