
Jamulus, privacy, IP addresses and GDPR/legal #576

Closed
gilgongo opened this issue Sep 6, 2020 · 22 comments

Comments

@gilgongo
Member

gilgongo commented Sep 6, 2020

If you are interested in the issues in the title of this ticket, please read this summary and discuss here if you want.

TL;DR executive summary

If the Jamulus project were to treat IP addresses as personally identifiable information (PII) under GDPR, we would need to have a feature that allowed server operators optionally to turn on a notice that said something like, “By using Jamulus your IP address will be made available to third parties”. If the user clicked “no” they would not be able to use the system.

The argument for this would seem to be ultra-cautious, since web browsers or mail server software don’t do this. But is Jamulus different?

We could also have a notice on the wiki that tells people how their IP is used by Jamulus. But it’s not clear what good that would do without also giving server operators the option of informing users and allowing them to stop using Jamulus. But we could just be nice and explain for clarity’s sake.

The very long boring version

The following are, I believe, accurate and uncontroversial points (if not, we should discuss them on this ticket):

  1. As of now, the only thing that Jamulus collects from users that in theory could be personally identifiable information (PII) is the user’s IP address. The IP address is either that of the user’s server if they are running one, or their client. Note that we assume profile “names” are not PII because if the user doesn’t want to “freely give” their real name, they don’t have to.

  2. All public server IPs are available to see on a 3rd party website (for debugging and other purposes). In the case of Jamulus client IPs, it’s harder to find out which IP addresses are connected to a given server, but it’s not impossible (Jamulus does not attempt to obscure them). (EDIT: This is not true of later versions of Jamulus.)

  3. In order for Jamulus to work, it also sends users’ IP addresses to a 3rd party (currently Google but it could be anyone).

Do we need to treat IP addresses as PII?

  1. Firstly, it’s important to note that the Jamulus project itself has no responsibility toward users to advise them on legal matters, since a) the person responsible under law is the person(s) who runs a Jamulus server and b) not all Jamulus users are bound by the GDPR and c) we are not lawyers. We can be transparent about how Jamulus works though. This compares to a project such as the Apache web server for example, which has no privacy policy about its use of IP addresses in serving web pages.

  2. However, for EU residents, the letter of the GDPR does say that IP addresses should be treated in the same way as PII (ie that consent for their collection should be “freely given”). However, ordinary people cannot normally associate an IP to the user’s PII. The current thinking is therefore that IPs are only PII under law because they can be used to associate things like names, postal addresses etc. under certain unusual circumstances. For example, if you are an ISP and the IP addresses in question are ones you are assigning to your customers. Or if you have been asked by law enforcement to hand over IP addresses so that they can obtain PII from the user’s ISP (Consider also that the chances of Jamulus being involved in a court case that might decide as yet untested issues under GDPR is vanishingly close to absolute zero).

  3. A secondary question arising from this is: do we need to have a function that server operators can turn on to inform their users about the fact that their IP address will be used and made public when they use Jamulus, and give them an option to back out? This is unlike the Apache project because Jamulus operates differently to a web application server, where Apache users can create a consent form themselves.

The ultra-cautious answer would be yes. And we almost have such a feature today in the form of the “show licence” option in the server.

It has also been suggested that we should have a “privacy policy” on the wiki, which I assume means a statement about how people’s IP addresses are used by Jamulus. This implies though that we would also need to give people the option to act on that information.

@ann0see
Member

ann0see commented Sep 6, 2020

their users about the fact that their IP address will be used and made public when they use Jamulus

  1. I think it has to be clear what and who gets the IP. As you mentioned, the client IP cannot be accessed easily by other clients. I wouldn't say that we have to do anything here (yet).

  2. I'd say that if a user connects to a server he doesn't have to agree that this server uses his IP. If it was like this, every program connecting to the internet had to ask the user if he really wants to connect to xxx.xxx.xxx.xxx.

  3. I'd suggest not to show the IP of a newly connected user in the log in the default setup, or only show e.g. 10.10.x.x. If the server admin enables a flag to log IP addresses (e.g. --logip), the behaviour should be like today. I can look into implementing this.

  4. If a server is made public, the server operator, not the users, has to agree that his IP will be made public (and that to get the external IP, Jamulus relies on an outside service (Google)).

@gilgongo
Member Author

gilgongo commented Sep 6, 2020

Sorry to be annoying, but can you number your points so I can refer to them easier? Thanks.

@ann0see
Member

ann0see commented Sep 6, 2020

@gilgongo done

@corrados
Contributor

corrados commented Sep 6, 2020

I'd suggest not to show the IP of a newly connected user in the log in the default setup, or only show e.g. 10.10.x.x. If the server admin enables a flag to log IP addresses (e.g. --logip), the behaviour should be like today

In the default setup there is no logging enabled. If a server admin wants to log, he has to enable it and specify a file name for it. Note that this file is only available for the Jamulus server operator and not for any other Jamulus user (i.e. using the Jamulus client).

If you are a Jamulus server operator and have privacy concerns with your server, you simply do not use the logging. No need to implement a "--logip".

@ann0see
Member

ann0see commented Sep 6, 2020

On my setup it sends everything to the syslog:

Sep 06 22:24:30 ** jamulus[**]: 2020-09-06 22:24:30, 10.10.11.11, connected (1)

This is because the Jamulus server automatically outputs it on stdout.

@corrados
Contributor

corrados commented Sep 6, 2020

The output is not put in the syslog if you start the server with "> /dev/null 2>&1 < /dev/null &".

@ann0see
Member

ann0see commented Sep 6, 2020

This does solve the log problem so-so. Sometimes you do want to log other actions, errors etc.
IPs are still shown in the server GUI and that's not needed for the correct function of Jamulus --> they should not be shown fully. I've updated my PR for this.

@bflamig
Contributor

bflamig commented Sep 7, 2020

I'm having a hard time seeing what the problem is of logging IP addresses in the Jamulus server and even showing them on the server dialog. If it's to prevent unscrupulous people from setting up a Jamulus server to collect IP addresses, well, not logging them in Jamulus is not going to prevent that. As far as I know, anybody who runs a server machine has access to all IP addresses that connect to it, and there's nothing Jamulus can do about it. So what's the point?

For sure don't post them on any Jamulus client dialog, that certainly is an invasion of privacy. But internally to the server? If it is a legal privacy issue there, then every website in the world has that problem, does it not?

@pljones
Collaborator

pljones commented Sep 7, 2020

A server operator is providing a service and anyone using that service is doing so through their own free will. It's a service provided over the internet, which means it exposes your IP address. By using my server, you choose to expose your IP address.

I strongly object to having IP addresses not available by default or removed.

@ann0see
Member

ann0see commented Sep 7, 2020

You can always choose to enable full IP logging. Of course, the default behavior can be changed to log the full IP but that wouldn’t be "privacy by design"

@gilgongo
Member Author

gilgongo commented Sep 7, 2020

@bflamig

I'm having a hard time seeing what the problem is of logging IP addresses in the Jamulus server

You make good points, but sadly they are irrelevant to this ticket.

Whether, how and why IP addresses could be used to do bad things is not the point, but whether, how and why Jamulus should treat IP addresses as PII and implement measures in the spirit of GDPR or other privacy enhancing policies.

@pljones
Collaborator

pljones commented Sep 7, 2020

@ann0see Exposing the IP address of a client that has chosen to connect is not a breach of privacy, or every Apache server on the internet would have been shut down by now.

@gilgongo
Member Author

gilgongo commented Sep 7, 2020

@pljones Yes, we've agreed to tick that off the list as per points 1 and 2 here I think: #576 (comment)

@storeilly

storeilly commented Sep 7, 2020 via email

@bflamig
Contributor

bflamig commented Sep 7, 2020

@gilgongo

Point 3 of ann0see in an earlier comment up the thread, and Issue #578 "Remove last digits of IP in server logging (default)", directly wants to put in code to limit the showing of IP addresses in the server logs. So that's somehow not relevant to the discussion here?

@gilgongo
Member Author

gilgongo commented Sep 7, 2020

This discussion is supposed to be about whether we want to take the stance that IP addresses are PII, as stated (albeit debated) in the GDPR. Hiding IP addresses in logs would be aligned with treating IP addresses as PII (from the point of view of the GDPR, not programmers).

Put it this way, if names and addresses were appearing in logs, we would probably want to hide those I think. Maybe not?

@gilgongo
Member Author

gilgongo commented Sep 7, 2020

@storeilly That's certainly the majority view from most discussion on this, for the reason I gave in the ticket above.

@pljones
Collaborator

pljones commented Sep 7, 2020

Yes, #578 should be withdrawn as it directly conflicts with the discussion here.

@ann0see
Member

ann0see commented Sep 7, 2020

Or should the default behavior be changed to show the IP?
So a server provider would have the choice to anonymize IPs but has to actively add a flag. Then he can decide to have a working log with IPs or a working log without full IPs. That’s my proposal, since in my opinion adding this feature as an optional flag wouldn’t harm in any way and would give the server admin the possibility to choose.
I think Apache also has a setting which anonymizes IPs.
mod_log_ipmask?
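As an added illustration of the log-masking proposal discussed in this thread (point 3 above and the mod_log_ipmask comparison here), not code from the Jamulus project: the functions below mask an address to the "10.10.x.x" form before it reaches a log line of the shape shown earlier ("<timestamp>, <ip>, connected (N)"). IPv4 keeps two octets, IPv6 keeps at most three groups; the log-line format and the "x.x.x.x" placeholder for unparsable input are assumptions.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Split a string on a single separator character, keeping empty fields
// (so "fe80::1" yields "fe80", "", "1").
static std::vector<std::string> split(const std::string& s, char sep)
{
    std::vector<std::string> parts;
    std::string part;
    std::stringstream ss(s);
    while (std::getline(ss, part, sep)) parts.push_back(part);
    return parts;
}

// Mask an address for privacy-by-design logging (illustrative, not Jamulus code):
// IPv4 "10.10.11.11" -> "10.10.x.x"; IPv6 keeps at most the first three
// 16-bit groups, e.g. "2001:db8:1:2:3:4:5:6" -> "2001:db8:1::x".
std::string anonymiseIp(const std::string& ip)
{
    if (ip.find(':') == std::string::npos) {            // IPv4
        std::vector<std::string> o = split(ip, '.');
        if (o.size() != 4) return "x.x.x.x";            // not a parsable address
        return o[0] + "." + o[1] + ".x.x";
    }
    std::vector<std::string> g = split(ip, ':');        // IPv6
    std::string out;
    // Stop at the first empty group so a leading/inner "::" is not expanded.
    for (size_t i = 0; i < g.size() && i < 3 && !g[i].empty(); ++i)
        out += std::string(i ? ":" : "") + g[i];
    return out + "::x";
}

// Rewrite one "<timestamp>, <ip>, connected (N)" log line (assumed format)
// so only the masked address is written; lines without that shape pass through.
std::string anonymiseLogLine(const std::string& line)
{
    std::vector<std::string> f = split(line, ',');
    if (f.size() < 3) return line;
    std::string ip = f[1];
    ip.erase(0, ip.find_first_not_of(' '));             // drop the space after ","
    std::string out = f[0] + ", " + anonymiseIp(ip);
    for (size_t i = 2; i < f.size(); ++i) out += "," + f[i];
    return out;
}
```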

@gilgongo
Member Author

gilgongo commented Sep 7, 2020

BTW before somebody brings it up, I forgot to mention that recording audio would in theory also need consent.

I recall though that Zoom and others simply inform participants that recording is on. We also have a recently added message to say that recording is on, so we can probably say we're OK. And of course server operators must retain and dispose of any recordings they make according to whatever laws they want to follow. Nothing to do with us.

Just thought I'd add that for completeness :-)

@atsampson
Contributor

In the case of Jamulus client IPs, it’s harder to find out which IP addresses are connected to a given server, but it’s not impossible

That shouldn't be the case in current versions - e7621af made the server send a dummy address in the client list response, and the other changes in #316 got rid of the code that used the client address as a fallback when no username is provided.

@gilgongo
Member Author

This ticket was supposed to discuss issues related to #572 so as not to confuse dislike of Google with privacy-related legal issues in general. But it turns out at least part of the resolution to that ticket (the production of a privacy statement) also effectively addresses the issues discussed here, I think.

Happily closing 👍
