  • It means that for more than 30 days, you’ll be unable to send or receive emails that have to do with that email provider.

    I’m not sure how you arrive at that. Whether you file a GDPR Art.77 complaint is independent of how you ultimately decide to reach the other party.

    This is not what I would do but this is what most activists would do:

    1. Use a residential dynamic IP address to attempt to send an email to a recipient whose data processor (email provider) is Microsoft.
    2. Keep the logs of the MS server refusing you.
    3. File an Art.77 GDPR complaint against MS.
    4. In parallel, use a different webmail account to email your correspondent. Ideally wait a week or two after filing the GDPR complaint.

    The fact that your webmail provider can reach MS does not obviate your Art.77 complaint.

    Personally, I have indeed quit sending email. When I need to reach an MS recipient, I use fax or snail mail and I do not give them an email address, thus forcing them to respond by snail mail. Most people will not elevate ethics above convenience like that, but to each his own.

    but not being able to receive them gets really problematic.

    That’s a separate matter and it depends on what email address you supply. You can attempt to send from your own server using any email address you want, even an @gmail.com address if that’s your thing. The email address you share with the other party need not be one that associates to your mail server.

    I personally do not even share an email address with MS users, so those users can only reach me by postal mail. But of course this move requires a higher level of discipline on your part.



  • Fighting for your rights… with gdpr, yeah, I’m sometimes doing it, but the problem is, sometimes companies fail to respond … and if they take 30 days… or longer to give a response you’re really at a huge loss

    Not sure what you mean by being at a huge loss. Filing a GDPR complaint is gratis, by law. It’s indeed typical that data controllers ignore complaints. After 30 days of ignoring your request, you have a sound case for an art.77 complaint. The DPA will also likely do nothing, but you’re not at a loss for complaining. If the DPA decides to simply contact the data controller, they will dance. The case will still go nowhere, but the data controller will respond to the DPA’s inquiry, if they make one.


  • The options (1) use black box, (2) start a tech company, as you presented in the bakery case, is a false dichotomy. Managed open source is the middleground.

    It’s a false middleground. It is still taking on the burden of tech knowledge. It’s a true dichotomy, as follows:

    ① use a black box
    ② become technical

    (or trichotomy if you figure the baker can nix email)

    You still have to understand what’s going on in the FOSS box even if it’s managed – otherwise you are in the same position. The point in being managed is to perform the work you don’t understand. That managed box is still likely to use a Spamhaus gatekeeper or the like which the baker has no clue about. The baker is still unlawfully using AIDM, unwittingly, because he just saw the ad for the managed service saying “spam free” – thinks that’s good but has no idea what questions to ask or how it can go badly. He could just as well ask the relevant questions to the blackbox provider. Just the same, his business carries on uninformed about GDPR infringement.

    BTW, you’re also wrong about managed open source services giving you the needed info, even if the customer is highly technical. I use a managed service of FOSS s/w. I can see the source code that runs on the box but I cannot see how it is installed or configured. The account dashboard I get is a nannied subset of control. I can do basic tasks like create users, but I cannot see the backend configs or even an inventory of other software running on the host. There could be all kinds of snooping and shenanigans on that host and I have no way of verifying it. It could be littered with AIDM abuses, but I don’t have a root shell account on that host.

    It’s the same problem in the end. The data processors have no legal accountability for the logic that they control. At the same time, they are not even required to disclose the AIDM logic, or even the existence of it, to the data controller. Yet the controller is exclusively liable for what they potentially do not control – or even have awareness of. This is all still possible if the processor runs a managed open source service.




  • It’s a black box. You can’t know what you don’t know when the information is concealed. Blackboxes can be tested (we call it blackbox testing). But it is inferior to clearbox testing. It’s too costly and inefficient to wholly rely on. The giant processor has the resources to disclose their use of AIDM. The micro-controller (as in small data controller) does not have the resources to exhaustively simulate hundreds or thousands of demographics of people. They don’t even have the competency to be aware of all the demographics. It’s guesswork and it’s a non-starter. If the controller had that kind of resources, they would not be outsourcing in the first place. Not only is it impractical, it’s also inefficient. To have thousands of small businesses and agencies carry out duplicated tests is an extremely wasteful use of resources and manpower. It just makes no sense. The processor already knows who they discriminate against.

    The blackbox testing happens to some extent regardless. But there is no incentive to do the testing before deployment. The shitshow we call /GDPR enforcement/ ensures that data controllers do their testing on the public. Which means people are harmed in the process of testing because it’s cheaper for the controller (who knows their chances are low of getting penalised by DPAs who are up to their necks in 10× the workload they can handle).


  • They should! That’s the point! They shouldn’t use bad products, regardless of if it’s home made, from a small 3rd party, or a large 3rd party.

    Yes they should, but investigative journalists are not a competent way to have that information disclosed. When the processor secretly uses AIDM and conceals that from the controller, holding the controller EXCLUSIVELY¹ responsible is reckless because the controller does not have the right to inspect the servers and code of the processor. It’s a black box. The GDPR requires processors to disclose a lot of GDPR factors in their contract with the controller. But AIDM is not one of them. It is perfectly legal for a processor to (e.g.) write an algorithm that treats black people different, and not tell the controller. Putting the responsibility on controllers to investigate and discover unlawful practice is not a smart system.

    If a restaurant buys nails and puts it in their food, it’s not the nail manufacturer that’s at fault. The argument “but it’s a large nail manufacturer” doesn’t take away one’s own responsibility.

    For this analogy to work, the nail mfr would know that the nails are being put in the food. With knowledge comes responsibility. If the nail manufacturer is aware of the misuse, the nail mfr is willfully complicit in the abuse. But also to make the analogy work, the restaurant would have to be also unaware that the nails were ending up in the food (because AIDM is undisclosed in the case that you are trying to make an analogy for).

    (update) Europe does not have the machinery to bring thousands of small mom and pop shops into court. It just makes no sense from a logistical standpoint and it’s a non-starter economically. Though I do not oppose controllers having liability. They should retain liability. But processors should also have liability, when you have one giant processor who is the cause of hundreds of thousands of people’s rights being infringed by way of thousands of controllers. To neglect the giant is to fail at data protection.

    ¹ added that word late! Controllers should be accountable, but not exclusively.


  • Depends on how you define the goal. It’s not going to work like magic, all in one motion. Indeed you are right that the DPAs are not going to take remedial action on the spot. The DPAs ignore most cases that get filed by individuals no matter how solid the law and evidence is.

    After dealing with deadbeat DPAs, I’ve lowered my expectations quite a bit. The DPA cannot legally ignore the complaint wholly. They must file it and acknowledge it. Then they will ignore it, sure. For me, it’s about getting the valid complaint on record. Then it gets reported in the stats and metrics in annual reports and the 4-year report that the EDPB prepares for the Commission. It helps add to the colossal embarrassment of DPA inaction.


  • Indeed it may very well be in vain to file an article 77 complaint. I am saying you might as well do it, if you have the urge and the time. It is gratis. Technically the DPA must accept the complaint and file it. The reality is they will do that much but then the case will rot.

    From there, I’m not sure it’s entirely useless. If you file an art.77 complaint against Google and it gets mothballed, then the DPA has another case against Google for another reason, perhaps they will add the art.22 reports into the mix.

    I also think the reports are tracked for metrics and stats. By filing a complaint, you add to the overall stats which will add to the embarrassment of GDPR inaction by the DPAs who will look bad in the face of the EU eval every 4 yrs. Perhaps it would have the effect of increasing figures that prove the DPAs need more resources. If you don’t file a complaint, they don’t even know there is a problem. So it’s about getting light on a problem not necessarily going as far as to fix it.

    Some folks are happy to take the art.78 route and directly sue. I heard a Brit say he does that. Costs him £50 or something which he does not get back, but for him it’s worth the satisfaction of getting a symbolic win.






  • Can you give more context? Why not simply choose other 3rd parties?

    I’m not sure what you mean. Do you mean the data subject should choose a different controller, or that the controller should choose a different processor? Both such cases are consumer actions, which everyone in the world can do without a GDPR. But this does not make the GDPR redundant. The GDPR /theoretically/ ensures all market choices are up to a certain standard so we are not forced into a marketplace of all shit choices.

    The insidious problem with AIDM is you often do not even know it’s in play. You don’t necessarily know that an adverse decision to deny you service was due to a robotic algorithm. Denials can do damage, after which point it may be too late to choose not to approach a controller. You don’t have all year to do trial and error with different suppliers.

    We also have no other choice in some cases because monopolies exist. E.g. there may be only one credit bureau in a consumer’s country and it may be governmental (like a national bank). If that bank uses Cloudflare for their website, then Cloudflare’s AIDM denies some consumers web access to their credit worthiness records. The national bank may not even be aware of CF’s use of AIDM. But in any case, you cannot just choose a different supplier because it’s a monopoly.

    Or if an important email to gov agency X is blocked because they use Microsoft and MS uses AIDM, you cannot simply change governments.









  • no, the government doesn’t serve the people it serves power.

    First of all, you’re wrong, unless you have limited your comment to a particular gov where votes in an election don’t count – which is not the situation I am in. I’m in a jurisdiction where not only is there a decent voting system, the reps in gov also take public surveys and sentiment into account for operational design. I’m also in a jurisdiction where civil disobedience has effect. E.g. so many cyclists were unlawfully turning right on red that they decided to scrap the prohibition for cyclists.

    You also seem to misunderstand the fact that my drop-in-the-ocean action need not change anything, just as my drop-in-the-ocean election vote is never the one vote that makes a difference.

    Unless power thinks you as a group are worth the effort, they will ignore your mailed documents, state you failed to file paper work and you now have to deal with (problems incurred due to not having completed the paper work).

    This assumes a scenario where I not only have an obligation to submit something but I also have an obligation to supply an email address. Obviously my form of submission accounts for these factors. The inquiry in the OP does not inherently cover such scenarios, and that’s deliberate.

    Paper processes are going away.

    Only in regions that are largely populated by pushovers and digital zombies, without a right to be analog movement (or the rights to have a movement).

    But the point was, there are no good XMPP libraries that would enable a willing government to easily onboard that support. If there were, it would be a very different discussion.

    Keyword there is /easily/. It was not easy for Munich to replace all their Windows PCs with linux, but difficulty of deployment was not a show-stopper.

    The question is essentially: if e-mail is scrapped, what is the next most qualifying replacement for the given requirements? If XMPP is not the answer, what is?


  • The gov can /want/ all they want. It is the gov who serves the people, not the other way around. And we (the people) have some control. That is, if you object to the gov’s email policy or hosting company, you can simply withhold your email address. You can send them snail mail. Then they have to pay someone to scan it and react. This is in fact what I do.

    I include an XMPP address along with OMEMO fingerprints in the letterhead. It’s mostly symbolic. No one actually uses it. Exceptionally, some attempt to use my XMPP address as an email address. So now I write “note: xmpp is not email” next to the xmpp address.




  • I find XMPP to be /more/ reliable than email, which is largely due to anti-spam zealots like #SpamHaus who block or blackhole email on the basis of IP address, along with countless other anti-spam techniques that cause collateral damage to legit email. I actually cannot send email to Google or MS users because of this crazed zealotry that has lost sight of the purpose of security: availability.

    XMPP is certainly glitchy and has a variety of issues, but at least it has not yet been sabotaged by anti-spam zealots, and large corps using anti-spam measures as an excuse to break the platform for those not patronising a large corp.

    The other alternative is they provide a website

    That’s for person→gov msgs. It is not something I can put in my letterhead as a way for them to reach me. Also, the webforms likely just result in an email transmission that traverses MS servers in-the-clear anyway.