• fsxNet Feedback ("Privacy")

    From Oli@21:3/102 to Avon on Friday, May 14, 2021 08:05:23
    Avon wrote (2021-05-14):

    > Security / Privacy
    > ==================
    >
    > Binkp secure encryption for all hubs.
    >
    > Better privacy.
    >
    > SSH officially supported.
    >
    > SSH for specific echos.
    >
    > # More discussion needed around these points. It's only as strong as the weakest link, and echomail may not have been designed with privacy in
    > mind. How best to enforce an echomail area only available via SSH?

    What nobody mentioned was privacy regarding privacy laws and metadata. I know many (especially people from countries that don't have strict privacy regulations) argue that BBSes are all private and stuff, or that privacy laws don't apply. Unfortunately or fortunately (depends on your point of view), this is not the case.

    There are several aspects where the current practice in fsxNet and the BBSs connected to it are not compatible with the GDPR in the EU (General Data Protection Regulation) (I guess there are other countries with strict privacy laws that might apply too).

    I see three ways to address it:

    1) ignore it
    2) refuse service to users from the EU (nodes, points, BBS users)
    3) make fsxNet and BBSs adhere to the GDPR


    Now we can jump directly to the discussion why BBSs are different and why there is no need to care about GDPR and stuff ... ;)



    Regarding security and transport encryption (CRYPT / TLS / SSH): I wouldn't trust collaborative security measures that only try to encrypt the traffic. If you want private conversations that don't leak, you can always set up private feeds between nodes and points and crash netmail. Or use some kind of e2e encryption. Some sysop / BBS / web echomail will offer it unencrypted or feed it to the Google at some point. Encrypting everything (TLS / SSH) is still good practice.



    > # We could choose to 'secure' the network using something like ZeroTier

    I used ZeroTier and it's quite easy to set up and works, but I dislike the idea of using a commercial provider for the basic infrastructure. FTN is DIY.



    > # We can offer echos and netmail but not privacy

    In some countries you are not allowed to offer anything then.

    ---
    * Origin: . (21:3/102)
  • From apam@21:1/182 to Oli on Friday, May 14, 2021 17:19:21
    > There are several aspects where the current practice in fsxNet and the
    > BBSs connected to it are not compatible with the GDPR in the EU
    > (General Data Protection Regulation) (I guess there are other
    > countries with strict privacy laws that might apply too).

    I don't really understand how European laws are enforceable in
    non-European nations? If the BBS was in Europe, sure, they must comply with European laws, but if a BBS is in another country.. do we have
    international agreements to honour GDPR laws? Am I going to get
    extradited from Australia if a European user logs into my BBS?

    I don't see any need to block Europeans from fsxnet / BBSing, it's up to
    them to comply with their own laws. What's to stop a European from
    logging into a BBS via a proxy even if we did block them all out?

    Ok, now say we care about the GDPR, how do we comply? Is it simply a
    matter of having a privacy policy?

    Personally, I don't care. I'm not in Europe, I'm never going to Europe,
    and I'm kind of offended that Europeans think they can enforce their
    moronic laws on the entire world?

    Andrew

    --
    Andrew Pamment (apam)
    HappyLand v2.0!


    --- Talisman v0.21-dev (Linux/x86_64)
    * Origin: HappyLand v2.0 - telnet://happylandbbs.com:11892/ (21:1/182)
  • From deon@21:2/116 to Oli on Friday, May 14, 2021 18:13:05
    Re: fsxNet Feedback ("Privacy")
    By: Oli to Avon on Fri May 14 2021 08:05 am

    >> # We could choose to 'secure' the network using something like ZeroTier
    > I used ZeroTier and it's quite easy to set up and works, but I dislike the idea of using a commercial provider for the basic infrastructure. FTN is DIY.

    You don't have to use "a provider" with ZeroTier.

    I run a ZeroTier network that is independent of "zerotier" (the provider) itself.

    While you may argue that you "find" me through their root server (which is the default), it doesn't "have" to operate that way. I can populate a "moon" that you "orbit" around (their terms, not mine) so that zerotier can be turned off and our connection still works.

    I know ZeroTier were working on personal "roots" so that this moon thing has less value (and they are no longer a pseudo-dependency). (I haven't kept up with it recently though.)

    The other good thing with ZeroTier: you don't necessarily allow anybody on the network (who needs to be authorised, if it is configured to do so) to see everything on all ports. You can firewall it to a certain extent (at the network layer), such that only specific ports are permitted on the network. (I did set up the FSX zerotier network this way.) (You could also have your own running firewall as well if you wanted.)

    ...deon

    ... MONEY TALKS...but all mine ever says is GOODBYE!
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
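    The per-port restriction deon describes, written out in ZeroTier's flow-rules language as an added illustration. This is not the rule set of the actual FSX ZeroTier network and is not taken from the original post; the only port it admits is TCP 24554, binkp's registered port, and the network ID, member list and any telnet/SSH ports are deliberately left out because the thread does not state them.

```text
# Added example ZeroTier flow rules: a binkp-only overlay.
# Rules are evaluated top to bottom; the first matching action wins.

# Only carry IPv4, ARP and IPv6 frames; anything else (e.g. raw
# Ethernet protocols) is dropped before it reaches a member.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Drop frames whose source IP was not assigned by the network
# controller. This blocks IP spoofing between members.
drop
  not chr ipauth
;

# binkp: TCP 24554 (assumption: the port the mailers listen on).
# The rules engine is stateless, so both directions must be allowed
# explicitly: client -> hub has dport 24554, hub -> client has sport 24554.
accept
  ipprotocol tcp
  and dport 24554
;
accept
  ipprotocol tcp
  and sport 24554
;

# Allow ping so members can troubleshoot reachability.
accept
  ipprotocol icmp4
;
accept
  ipprotocol icmp6
;

# Everything else on the overlay is dropped. This is also the implicit
# default when no rule matches, but it is spelled out here for clarity.
drop;
```

    Two caveats when using rules like these. First, ZeroTier enforces flow rules at both the sending and the receiving member, so a single misconfigured rule (forgetting the `sport` half, for instance) shows up as connections that open and then hang rather than as a clean refusal. Second, the rules only govern what crosses the overlay interface; the mailer and BBS are still reachable over whatever other interfaces the host exposes, which is why deon's remark about also running your own host firewall matters.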
  • From deon@21:2/116 to apam on Friday, May 14, 2021 18:16:41
    Re: fsxNet Feedback ("Privacy")
    By: apam to Oli on Fri May 14 2021 05:19 pm

    > I don't really understand how european laws are enforcable in
    > non-european nations? If the BBS was in europe, sure, they must comply to european laws, but if a BBS is in another country.. do we have
    > international agreements to honour GDPR laws? Am I going to get
    > extradited from Australia if a European user logs into my BBS?

    Well, "technically" the GDPR applies to any system that has a European who uses it, including those outside of Europe. But your point is valid: are they going to come after you, apam, and fine you because your "BBS" has Europeans on it and you are not following the law?

    I personally don't care too much about it, European or not. If we in Australia had such a thing, I don't think I would behave differently.

    My response would be, "you have the choice to login or not - you have no rights here (but I'll do my best to respect you, if you do too)."

    ...deon

    ... The purpose of computing is insight, not numbers.
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to apam on Friday, May 14, 2021 10:20:27
    apam wrote (2021-05-14):

    >> There are several aspects where the current practice in fsxNet and the
    >> BBSs connected to it are not compatible with the GDPR in the EU
    >> (General Data Protection Regulation) (I guess there are other
    >> countries with strict privacy laws that might apply too).

    > I don't really understand how european laws are enforcable in
    > non-european nations? If the BBS was in europe, sure, they must comply to european laws, but if a BBS is in another country.. do we have international agreements to honour GDPR laws? Am I going to get
    > extradited from Australia if a European user logs into my BBS?

    You are free to give a shit. I also don't see that it is enforceable (in the case of a BBS operating outside of the EU). It also will get more confusing when other countries introduce similar, but slightly different, regulations and laws. I'm not sure how individuals and small organizations will be able to handle it (it's already a problem).

    > I don't see any need to block europeans from fsxnet / BBSing, it's up to them to comply with their own laws. What's to stop a european from
    > logging into a BBS via a proxy even if we did block them all out?

    You are still violating the GDPR if you don't comply (without any consequences for you). But for sysops / nodes / hubs / BBSs who are operating in the EU, it might be a problem.

    > Ok, now say we care about the GDPR, how do we comply? is it simply a
    > matter of having a privacy policy?
    >
    > Personally, I don't care. I'm not in europe, I'm never going to europe,
    > and I'm kind of offended that europeans think they can enforce their moronic laws on the entire world?

    So you don't know the GDPR, but you know it is a moronic law? I wonder what a non-moronic law would look like and how it would work.


    The basic rules are:

    - don't store and process personal data that are not technically essential
    - get informed consent for the storage and processing of personal data in advance
    - don't make optional (non-essential) personal data a condition (as in non-optional) for using the service
    - don't leak / transmit personal data to third parties (without informed consent)

    or something like this.

    A privacy policy that says "agree to everything or leave" is most likely not sufficient (and harmful to the idea of data protection). On the other hand, I would find it acceptable to read the message: this is a private BBS. I'm unable to become an expert in every fucking data protection law in every country in my limited free time. If you're not from Australia, disconnect or live with the consequences ... ;).

    ---
    * Origin: . (21:3/102)
  • From apam@21:1/182 to Oli on Friday, May 14, 2021 19:48:26
    > So you don't know the GDPR, but you know it is a moronic law? I wonder
    > how a non-moronic law would look like and work.

    Hmm, I'm not a lawyer (are you?), so no, I don't know all about it... I
    know its effects though, in that we're even having this conversation
    about blocking people in Europe from a BBS because "privacy" ....

    > - don't store and process personal data that are not technical
    > essential

    So no wishing users happy birthday? No last-10-callers list that includes a "location"? No real names? All these things are easily faked by anyone who
    is concerned about their privacy.. the only thing technically essential
    is a username and password.. and I'm not sure that is personal?

    > - get informed consent for the storage and processing of personal data
    > in advance

    Ok, so privacy policy... here is some legal mumbo jumbo for you to say yes
    to if you want to access the service... who reads those? And those who
    don't read them, can they complain they are uninformed?

    > - don't make optional (non-essential) personal data a condition (as in non-optional) for using the service

    Ok. But it's my service, not yours. If you want to access my service, why
    do you get to dictate the rules?

    > - don't leak / transmit personal data to third parties (without
    > informed consent)

    This one is good, I like this one.

    Andrew
    --
    Andrew Pamment (apam)
    HappyLand v2.0!


    --- Talisman v0.21-dev (Linux/x86_64)
    * Origin: HappyLand v2.0 - telnet://happylandbbs.com:11892/ (21:1/182)