Someone is scraping public rooms for user data using a bot


I really don't think this is GDPR compatible somehow?

My advice, yeet the bot. Is there a way to de-federate from that domain? I haven't actually seen that in the docs.

@kawaiipunk server-wide defederating isn't really a thing, but you could set a server acl to ban that server from a specific room. That's the only account being used tho so a ban is easier

@kawaiipunk oh and afaik just like if you kick/ban the bot after joining it won't try to rejoin your room, and remove it from the stats

@f0x yep That seems to be the case. I'm not against the project as a whole. Shame it's not opt-in though.

@kawaiipunk yeah it would be so simple for it to send an opt-in message at join and only continue when an admin responds positively..

@f0x it's a sham Matrix doesn't have better moderation tools tbh.

@f0x @kawaiipunk Hi :) while I totally get where you are coming from I actually from people I talked to beforehand that this would actually be more annoying as that would result in spam. I am planning on implementing which hopefully should improve the situation.

I can assure you however that bans will keep the room unlisted. ACL bans however may not work as my bot never sees them. This may be a bug though I am not sure if I can even see that as an appservice. I will 1/2

@spacekookie Thanks, we answered that call with some actual info. We know the dev, they‘re very open to talk and also for feedback.

How specifically is that not GDPR compatible?
Would it mot make more sense to file a complaint?

@KitKat @kawaiipunk Well s the one coding this thing I honestly wonder the grounds of a gdpr based complaint. As there is no personal data listed anywhere on the tool. Its all data you can get just by joining random rooms and waiting long enough and clicking on every room link you find. That is everything my bot is doing :) So there are no names or anything being published or worked with. I see however the point about opt in vs opt out. However I see no solution that makes both sides happy.

@KitKat @kawaiipunk Though I am totally open to finding a way to resolve this issue somehow.

@KitKat @kawaiipunk For reference thats the privacy policy as of so to my understanding of gdpr there is no personal data being collected in this. But I am not perfect so please tell me if you think that any of this is "personal data".

long reply 

@MTRNord @KitKat It's just great to have this dialogue. The cultural context you have to understand is that people regularly carry out research on decentralised networks and they usually don't give a shit about privacy or consent.

It happened on Fediverse a while back with some researchers who were scanning public content and people were super pissed off.

It just makes people not want to have public rooms and close off their spaces. The problem is that the infra that you've built looks similar to something that would be used for surveillance.

It seems that your project is built with privacy in mind. It's also a useful study to be done mapping the network on a technical basis.

But at the end of the day, sending a bot into every single room you can find without asking isn't going to make folks feel comfortable.

@MTRNord as far as I understand, it doesn't matter what data is displayed in the tool, GDPR prevents processing personal data in any way without consent.

one way of doing opt-in without tonnes of spam might be for the bot to message admins of a channel it joins, and wait for their consent before collecting any data.

@handle Well thats the point. I dont process any personal data in this. Matrix is NOT part of this tool. Thats seperate tech. I only access public available data that is accessible by anyone with a internet connection. The page is not storing or processing any data. It displays it and thats about it.

@handle and if your concern is about matrix here then I guess I will take the offer I got about letting a lawyer solve this once and forall. (as in getting a proper privacy policy)

@MTRNord what do you mean "Matrix is NOT part of this tool"? Sorry, not sure I get you.

Yes, a privacy policy sounds like a great idea 🤘

@handle well Matrix as the network and the data is saved and processed by synapse and not by serverstats. serverstats doesnt hold more than the room id and which roomid points to another. So there is no data that can get processed :) It is basically just as much a client as Element-web is. Only difference is that it is without login. So it is kind of like

And The privacy policy exists but no lawyer did look over it. It was only written by myself based on 1/2

@handle 2/2 my understanding of GDPR/DSGVO (german variant of it).

@kawaiipunk Just talk to the botmaster about the project. They‘re open about what they collect and also take up suggestions.

For example the !help command the bot responds to was suggested by @MacLemon and implemented subsequently.

It‘s not collecting any usernames, and it can only join public rooms. So it only works with explicitly public information. The GDPR does not apply to public information.

We can get you in touch with the friendly dev.

@kawaiipunk As for domain defederation: You can ban the bot from rooms and it will oblige as documented. You can ban the bot from your instance using Mjolnir.

Again, it does not collect user-data. It collects public room aliases/ids.

Sign in to participate in the conversation
Sunbeam City 🌻

Sunbeam City is a anticapitalist, antifascist solarpunk instance that is run collectively.