Dealing with push notifications

In this thread I would like to discuss the topic of push notifications. This was triggered by my issue 37322 about the, in my opinion, wrong text “This community release of Nextcloud is unsupported and push notifications are limited.” I interpret “unsupported” as software versions at End of Life (End of Life Releases) and not as “unlicensed”. (-> Not my theme in this thread)

For solracsf the F in FOSS in Nextcloud stands for Freemium. svenseeberg thinks my issue is totally valid.

Now Volker-K goes one step further in his post below my issue. He writes that the statements Nextcloud makes regarding push notifications are not only incorrect, but can also be dangerous for the operators of Nextcloud instances. For example, it does not correctly address the fact that push notifications go through Nextcloud’s servers. Also, they cannot be deactivated. He also writes about the GNU AGPLv3, which clearly states “This License explicitly affirms your unlimited permission to run the unmodified Program.” (-> Not my theme in this thread)

But he wrote:

I work for a government data centre myself and am in a political party that uses Nextcloud so as not to be dependent on the Redmond company and to comply with the GDPR. In both cases, the use of the push notification server prevents us from complying with the GDPR. Period.

What do you think about this? Do you also think there needs to be better information and a way to completely disable push notifications, as listed in another issue 38122, to host Nextcloud 100% on-prem? Are the push notifications in this form a problem with the GDPR?

I would be pleased about a constructive discussion.

2 Likes

Great topic, I wasn’t aware of this 500-user limit for push notifications. Also the discussion in regards to the GDPR seems to be important.

Is there any official reason, why this push proxy cannot be hosted on-prem? Is this one of those “artificial barriers” to force users to buy an Enterprise license?

4 Likes

You could say that sending more than xx messages via the NC push server is not supported. At the login page, it looks a bit as if you want to scare users and make it unusable for enterprise customers.

Yes, absolutely. It should be more transparent what is happening and why, and you should be able to know it before you run into these limitations.

For me, one very strong point of NC was that they provided the full features without the need to subscribe to enterprise support. And also without a limit where the company defines what they consider acceptable private use or not (in contrast to e.g. Seafile or ownCloud).

For enterprise subscriptions, they can help you to release dedicated desktop and mobile clients where you can use your own push server.

In theory it should be possible to encrypt the notification messages so that the push server does not see the actual message. Not sure if that is done…

4 Likes

All push notifications are encrypted (with a different key for each device), which is a recommended thing by both Apple and Google anyway, and signed on your server, so the client app can make sure the push proxy didn’t tamper with the data.

1 Like

Yes, that is what I had hoped. But it does not solve my actual question. I think it is ok for some Nextcloud hosters who want to use Google and Nextcloud GmbH for push notifications. But some Nextcloud hosters do not want to use it because of e.g. metadata, data privacy or compliance.

1 Like

Also for reference, someone managed to use their own push proxy: Deploying your own push-proxy server · Issue #82 · nextcloud/notifications · GitHub

3 Likes

Thank you for the link. @nickvergessen has last commented on (maybe written) the documentation Push notifications as a Nextcloud client device. Maybe he knows how to deactivate/change push notifications, and maybe it can be included in the Nextcloud configuration config.php, see issue 38122. But maybe I just overlooked or didn’t understand in his article how it’s already possible today without changing Nextcloud code directly.

2 Likes

I just used a search within the PHP files in the webroot in order to find all calls of getSystemValue* functions that evaluate the parameters in config.php, and I didn’t find any that affects the push notification proxy.

Regarding Art. 28 GDPR: The payload might be encrypted, but in Germany even logging of an IP address is seen as a privacy issue. The mobile device might register with push-notifications.nextcloud.com anonymously, but as far as I understand with the same ID for all NC instances connected. So it might be possible to determine the specific device. Nevertheless, our data protection officer confirmed that even when you are only routing encrypted data you must describe this in your privacy policy, both the owner of the NC instance that is using this proxy as well as NC GmbH that is running it.

1 Like

I’m aware of the discussion and all the black/white arguments of this discussion, and for this reason I didn’t want to join the discussion from the beginning… but I see it’s heading in a completely wrong direction and I would appreciate it if you understood the problem entirely before you ask for solutions to irrelevant problems…

While the issue is worth talking about from a privacy point of view, the pragmatic way is exactly what has been implemented by the “Nextcloud operated push server”.

push notifications to mobile devices

There is no good way to send push notifications to Google and Apple devices without using their infrastructure… definitely there are alternative ways like a “pull” model, but this drains the mobile device battery, adds useless load on the server and wastes resources… not a good trade-off in my eyes.

Returning to the starting point:

The wording is definitely wrong and must be improved.

Given the fact that an intermediate (proxy) server is required to send out push notifications - which results in costs - I agree with and support in general the intention of the company: they decided to burden enterprises, as the biggest consumers of this service, with these costs…

GDPR compliance

This statement is absolute nonsense!! Before you even start talking about GDPR compliance of push notifications delivered by a small EU-based company, take a look at your Google and Apple mobile devices… let’s have another talk - maybe in 2099 - once you run Google and Apple devices GDPR compliant :wink:

To summarize my point of view:

  • I would really appreciate mobile devices without big-tech surveillance and data collection
  • at the moment there is no good way to avoid centralized push infrastructure (besides nerds)
  • some “proxy” push server is required for the majority of users (bigger companies could run their own server)
  • Nextcloud must improve/correct the “unsupported” statement ASAP
  • I don’t see any advantage, but for the sake of “data privacy” reasons I would appreciate there being a “kill switch” for push notifications if admins desire…

1 Like

@wwe I think you are right.

Yes. But then it also makes no sense to use on-prem Nextcloud instead of Microsoft 365 in the cloud for GDPR reasons, because both solutions are not GDPR compliant for all companies that use mobile devices for their cloud. Maybe Nextcloud can inform their customers on Nextcloud GDPR compliance about this not quite trivial point. A good reason to use Nextcloud is more control over software and data, but not 100% GDPR compliance.

Hopefully at least that will be adjusted. Remember the open issue 37322.

I would disagree with this statement. Because there are two parts in this solution - one is the Nextcloud system, which definitely can be GDPR compliant, and the other is the mobile client app, which is not GDPR compliant because of the reasons above (> a browser on the mobile could IMHO comply with the GDPR).

The client is obviously out of the control of the server admin (and likely not even part of the system in terms of the GDPR). If you look at the push notification process as part of the mobile app living outside of the client, it’s easy to draw the border between the NC installation and a client, showing which parts you are responsible for and which are out of your control. I think the point regarding GDPR (non-)compliance relates more to the app rather than to the server - if the user doesn’t like how the notifications are delivered, she must not use the mobile app…

Again - I would really appreciate a fully independent solution for push notifications, but the only choice at the moment is to implement push notifications using the centralized solution with some drawbacks on privacy, or to completely disable push notifications.

1 Like

Yes, I agree. The GDPR problem is not a problem of the Nextcloud server but of the Nextcloud mobile apps. But it would also be nice to have a fully independent solution for push notifications. Thanks.

1 Like

I disagree. The push proxy is used by the mobile app to register there, and it is used by the instance to send messages to the app.
It would be a problem of the mobile app only in case the proxy were polling the instances for notifications, but in fact my instance contacts the proxy by itself if anyone uses the mobile app, which is something I can’t prevent - or even notice without digging in the database.
The mobile app points to the privacy statement on the Nextcloud.com homepage, where - funny enough - the proxy is mentioned since Wednesday, May 10. But the text stating that the mobile app does only interact with the instance and that servers at Google and Apple are used for notifications (which is obviously wrong) is still there, too.
Regarding my inbox at the office, there are other admins of governmental Nextcloud Enterprise instances who have read about this problem and are asking for the code to turn off the proxy.

FYI: This is the old version of the privacy statement archived on Tuesday, May 9: https://web.archive.org/web/20230509063235/https://nextcloud.com/privacy/

A little additional information: In case I block push-notifications.nextcloud.com in any way, by putting it on the proxy exception list, by redirecting it to localhost in /etc/hosts or any other way, the users that actually do something that causes push notifications to be sent to anyone else get an error if this person has a mobile device connected with their account.
The use of the push proxy is obviously an organic part of the Nextcloud Server, so it has at least to be declared within the privacy notices of each instance. If no agreement with Nextcloud GmbH is necessary (Auftragsdatenverarbeitungsvereinbarung, as we call it in Germany), Nextcloud GmbH should tell us why, so that we can discuss this with our data protection officers.

2 Likes

With this statement you hit the nail on the head! The push proxy comes into play only in case someone uses a mobile app. For this reason this proxy must be considered a part of the mobile app (which obviously needs the right privacy statement).

No, it is not, as the server does not require mobile apps. Nobody forces the user to install mobile apps. Using just a browser works as well and results in the fact that only direct connections from client to server exist, without intermediate parties.

Personal data is always about the right of the individual.
Karl and Michael are both users of my instance.
Karl uses the mobile app and subscribes to push notifications when someone shares a file with him.
Michael shares a file with him.
My instance therefore notifies Karl that Michael has shared a file with him.
So, personal data about Michael and Karl is sent through the proxy. But only Karl has agreed to the privacy policy of the mobile app. Michael cannot see that Karl is using this app, nor that data is being sent through a Nextcloud GmbH system. Nevertheless, my instance has sent data about Michael (namely: he is a user of the instance and shares file x with Karl) via the proxy.
It doesn’t matter that this data is encrypted, it is processed on my (!!!) behalf by a third party. I have to tell Michael about that in my privacy policy.

Of course, this would also be relevant if it were only the servers of Google or Apple, and it would be even more relevant there, since according to the Schrems II ruling, these US corporations are not even able to commit to the GDPR without breaking US law at the same time (compare US Cloud Act).
Therefore, I think a deactivatable push notification is really necessary.

Does my problem become clear now?

2 Likes

I completely agree that one should be able to turn off the connection to the push notification servers without it affecting the internal notifications in any way when logged in via browser.

The rest is kind of pointless to discuss though, because as soon as you put something on the web via a public link, or if you send a message to someone or share a file, it’s no longer under your control what happens to it. If you want to be 100% sure that Google, Apple or Microsoft doesn’t find out that you have sent a message or shared a file with someone, you probably can’t send any messages or share any files at all. It’s that simple, or that complicated, depending on your point of view. :wink:

Following your argument, you would require a data processing agreement for every single provider and server your communication flows through - the internet provider of your Nextcloud server, any backbone internet provider, Google/Apple, each mobile provider of the client running the mobile app…

I’m sorry, you are completely wrong - it does matter if the data is encrypted. From What is considered personal data under the EU GDPR? - GDPR.eu:

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.

Encrypted data is not “personal” as it looks like garbage without a key. Push notifications as a Nextcloud client device clearly states the Nextcloud push server (the same applies to Google/Apple) has no access to the contents of the notification:

Push proxy (push-notifications.nextcloud.com)
Knowledge:
- user public key (generated by Nextcloud server, sent by mobile device)
- device identifier (generated by Nextcloud server, sent by mobile device)
- push token (generated by mobile device)
- Google and Apple Developer certificate (generated by Nextcloud)

For this reason the server doesn’t know Michael shared a file etc… The push server just knows “one Nextcloud server sends a push message to some device of Karl’s”. No personal data is processed here.

I’m really frustrated seeing such discussions around FOSS products, keeping the “good guys” busy without a reason. At the same time more or less nobody complains about full-scale privacy breaches like chat control, giving full access to the contents of your communication to a very broad audience…
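To make the scheme discussed in this thread concrete (notifications encrypted with a per-device key and signed by the instance, as stated earlier, and the proxy’s limited knowledge quoted above), here is an added example that is not Nextcloud’s own code: the concrete algorithms (RSA-OAEP for the device key, Ed25519 for the server signature), the struct and function names and the sample payload are all my assumptions. It shows what the proxy is handed versus what the client recovers, and that a proxy altering the blob is caught by the signature check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// ProxyMessage is everything the push proxy is handed (assumed layout):
// an opaque device identifier, a ciphertext and a signature over it.
// No plaintext and no user name are visible at this hop.
type ProxyMessage struct {
	DeviceID   string
	Ciphertext []byte
	Signature  []byte
}

// ServerEncryptAndSign is the instance side (assumed scheme, not Nextcloud's
// code): encrypt the payload for one device's public key, then sign the
// ciphertext with the instance's private key.
func ServerEncryptAndSign(devPub *rsa.PublicKey, srvPriv ed25519.PrivateKey, deviceID, payload string) (ProxyMessage, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, []byte(payload), nil)
	if err != nil {
		return ProxyMessage{}, err
	}
	return ProxyMessage{DeviceID: deviceID, Ciphertext: ct, Signature: ed25519.Sign(srvPriv, ct)}, nil
}

// ClientVerifyAndDecrypt is the app side: verify the instance's signature
// first, then decrypt with the device's private key. Bytes modified by the
// proxy (or anyone between instance and app) fail the first step.
func ClientVerifyAndDecrypt(devPriv *rsa.PrivateKey, srvPub ed25519.PublicKey, m ProxyMessage) (string, error) {
	if !ed25519.Verify(srvPub, m.Ciphertext, m.Signature) {
		return "", fmt.Errorf("signature check failed: message was modified in transit")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devPriv, m.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	devPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // per-device key; in the real scheme the instance generates it
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample payload; "device-1234" is a made-up identifier.
	msg, _ := ServerEncryptAndSign(&devPriv.PublicKey, srvPriv, "device-1234", `{"subject":"Michael shared report.pdf with you"}`)
	fmt.Printf("proxy sees: device=%s blob=%s...\n", msg.DeviceID, base64.StdEncoding.EncodeToString(msg.Ciphertext)[:24])
	pt, err := ClientVerifyAndDecrypt(devPriv, srvPub, msg)
	fmt.Println("client reads:", pt, err)
	msg.Ciphertext[0] ^= 0xff // simulate tampering at the proxy hop
	_, err = ClientVerifyAndDecrypt(devPriv, srvPub, msg)
	fmt.Println("after tampering:", err)
}
```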

Thanks for the discussion. I can understand all the arguments.

Nextcloud can do so much, maybe soon even coffee brewing. Why the push notification function does not become easily configurable, I do not understand. Metadata is sent to third parties. And maybe this can be disabled in future if the hoster wants it.

You forgot the IP addresses, some consider them personal information (What is considered personal data under the EU GDPR? - GDPR.eu).

These rules apply to everybody, not just to the bad guys. Unfortunately, this means that the good guys need to make some effort.

And being transparent about the push notifications shouldn’t be difficult, especially if they advertise that you control all your data yourself. I’d expect them to set an example, so that it is easily accessible to see which of their services you have to use (and how to disable them), and what kind of information they can obtain from them (and what they do with the information).

The question is now what to do with it and how to advance the topic. Not sure what is needed, so probably:

  • documentation page with all information gathered (that can be used to be linked to)
  • admin interface: for the notifications, add an option to use the Nextcloud push server to push notifications to mobile devices (with link to docs)
  • mobile apps: option to disable notifications via the NC push server

is liked twice on this thread already…

As there is no way to have push notifications in Android/iOS otherwise, this request results in having no push notifications at all. The alternative is constant “pull” notifications, which is a waste of resources (there are good reasons for the move from the pull to the push model - see the self-explanatory numbers for Nextcloud’s high performance backend for files)

90% less load from polling

IP address is not on the list… likely Nextcloud’s push server doesn’t even know the IP of the client (only the one of the server), as it just forwards the message using the “device identifier” to Google/Apple, who in turn physically deliver the message to the client.

Yes, but my approach is to address the biggest issues first. No need to discuss a very small theoretical privacy issue when you give away all your data in another place. Somebody who uses Android/iOS and Windows doesn’t need to worry that Nextcloud knows he received a push notification from his Nextcloud server :wink: - again - according to the docs no metadata and no contents are visible to Nextcloud (not even the user account, as it is a “device identifier” - multiple Nextcloud apps and accounts running on the same device will share the device identifier…)

All the requests towards disabling push notifications are really, really counter-productive… once you disable it, every user will complain about delayed notifications, battery drain, blame the bad product and tell that Open Source is not competitive… My suggestion for this case would be a big fat notification shown to every user of the instance: “your administrator decided to disable push notifications - expect delayed and unreliable notifications for this reason. Our product performs better if the system is configured in the right way”.

Don’t get me wrong… in 2099, once we run our mobiles on a fully encrypted open source OS and Google, Apple and Microsoft have gone bankrupt, we or our kids can discuss how one can improve the privacy of Nextcloud push notifications. Let’s focus on real problems first.