Is Mastodon ePrivacy / GDPR compliant?
I have identified an interesting non-compliance issue with the Mastodon web UI and reported it on GitHub.
Non-compliant data storage
If you go to a Mastodon server that is not your home server, i.e. it is on a different domain than the one you use, you can still follow accounts there by clicking the Follow button. However, you are then required to enter your home server domain.
Once you confirm your server, you are taken to your home server and, if you are logged in, the follow is executed automatically.
Another technical detail that happens in the background is that the original Mastodon server stores a small piece of data in your browser: the domain you entered, saved under the name mastodon_home. Traditionally this would be stored as a cookie, but since cookies are now shunned, it uses Local storage.
What is Local storage?
Local storage (part of Web storage) allows websites to store arbitrary data in your browser that they can read back later. It works in a similar fashion to cookies. MDN states that browsers offer a more intuitive API for interacting with Web storage than for cookies.
Local storage offers persistent data storage (it survives browser restarts) and moreover extends the data limit from 4 KB for cookies to around 10 MB per website (origin), though browsers can decide to extend this further.
EU requires consent before data storage
And now we are coming to the point of this blog post. The ePrivacy directive (and the GDPR indirectly) requires the user’s consent before data is stored on the user’s device (the section is titled “Cookies”, but it applies to any type of data stored).
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor’s browser is only allowed if the user is provided with “clear and comprehensive information”, in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent.
The data storage requirement is usually transposed into the Electronic Communications Acts of individual EU member states.
Are Mastodon server owners at risk?
It’s a small bug that’s putting Mastodon server owners at negligible risk from data protection authorities (if reported by users). Again, I believe this is a very small technical issue that needs to be addressed for compliance with European Union laws.
Solution
The mitigation is simple and easy. A small “Remember” checkbox can be added to the existing interface, and the home server domain is written to Local storage only when the user ticks it. The checkbox must not be pre-checked: it must be an opt-in.
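The opt-in flow described above, and the Web storage API from the earlier section, as an added example that is not Mastodon’s own code. It assumes the key name mastodon_home mentioned in this post; the in-memory storage stub, the function names and the hostname normalization are assumptions made here so the code runs outside a browser. The domain is persisted only when the checkbox value is true, an unticked box removes any earlier value, and the typed input is reduced to a bare hostname so that only a host name, not arbitrary text, ends up in storage.

```javascript
// Added example (not Mastodon's code): opt-in persistence of the home server
// domain under the key mastodon_home (the name cited in the post). The
// `storage` argument is anything with the Web Storage interface, such as
// window.localStorage in a browser or the in-memory stub below.

const HOME_SERVER_KEY = 'mastodon_home';

// Minimal stand-in for window.localStorage so the example runs under Node.
// Assumed helper for this example, not a browser API.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    get length() { return map.size; },
  };
}

// Reduce whatever the user typed ("https://Example.social/", "example.social")
// to a lowercase hostname, or return null when it is not a plain https host.
function normalizeDomain(input) {
  const trimmed = String(input).trim();
  if (trimmed === '') return null;
  let url;
  try {
    url = new URL(/^[a-z]+:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`);
  } catch {
    return null;
  }
  // Reject credentials, paths, queries and non-https schemes: only a host
  // name should ever be written to storage.
  if (url.protocol !== 'https:' || url.username || url.password) return null;
  if (url.pathname !== '/' || url.search || url.hash) return null;
  return url.hostname;
}

// Persist the domain only when `remember` (the checkbox state) is true.
// When the box is unticked, any earlier value is removed so a stale entry
// does not outlive the user's choice. Invalid input stores nothing and
// leaves existing storage untouched.
function rememberHomeServer(storage, input, remember) {
  const domain = normalizeDomain(input);
  if (domain === null) return { stored: false, domain: null };
  if (!remember) {
    storage.removeItem(HOME_SERVER_KEY);
    return { stored: false, domain };
  }
  storage.setItem(HOME_SERVER_KEY, domain);
  return { stored: true, domain };
}

// Read the remembered domain back, re-validating it in case the stored
// value was tampered with or written by an older version of the UI.
function readHomeServer(storage) {
  const value = storage.getItem(HOME_SERVER_KEY);
  return value === null ? null : normalizeDomain(value);
}

// Stand-alone demonstration with the in-memory stub.
const demoStorage = createMemoryStorage();
rememberHomeServer(demoStorage, 'https://Example.social/', false);
console.log('unticked ->', readHomeServer(demoStorage)); // null
rememberHomeServer(demoStorage, 'example.social', true);
console.log('ticked   ->', readHomeServer(demoStorage)); // example.social
```

In a real page the checkbox is read from the form and `window.localStorage` is passed in as `storage`; because the write happens only on the `remember` branch, the default (unticked) path stores nothing, which is the opt-in behaviour the section calls for.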
But… this falls under necessary data storage?!
Further discussion is possible as to whether this constitutes necessary data storage, i.e. data storage required for a website to function. Even then, at least some information should be provided regarding such storage.
It seems to me that the website will work fine even without storing this piece of data. That means it does not fit under the functionality storage type. I would guess this could be the personalization storage type.