Thomas Lant

It was drawn to our attention this afternoon that there is a bug in our GDPR data portability tooling that resulted in the data dump including some events that should not have been included.

This tooling has recently been updated (here is the new code), and the bug only affects reports generated with the updated tool. So far we have generated one report using the updated tooling.

The bug affects events which:

• were sent in rooms in which, at the point at which the message was sent, the message visibility was set to 'shared' or 'world readable', and
• were pulled in over federation from another server after the data subject left the room

As a reminder, 'shared' message visibility means anyone in the room can view the message, from the point in time at which visibility was set to 'shared' and 'world readable' means anyone can read the messages without joining the room, from the point in time at which visibility was set to 'world readable'.

Events are pulled onto a homeserver over federation when a user on that homeserver tries to access events which, for whatever reason, their homeserver does not already have a local copy. This most often happens when their homeserver is offline for any period of time, but can also happen when a user is the first user from their homeserver to join a room with active participants on other homeservers.

We're still analysing the data but so far it looks like the bug resulted in only a small number of events that were not publicly-accessible being shared (there were also publicly-accessible events mistakenly included). At this stage we have identified 19 events from 4 users across 2 rooms (the dump contained ~3.5 million events). This is not to diminish the severity of the bug - just to reassure that the scale of its impact appears to be extremely limited.

It is also worth noting that any encrypted events erroneously included in the dump will not have been decryptable (since the data subject would not have had access to the keys).

Update (2019-08-06)

In our original analysis we stated that 19 events were shared erroneously. On closer analysis we missed 5 other timeline events - the correct figure is 24 timeline events originating from 4 users over 2 rooms. However, this figure focused on timeline data and does not take into account all state events (such as user joins, parts, topic changes etc). When considering these too, a further 56 state events were erroneously shared, referencing 64 users across these 2 rooms (mainly detailing when users had joined/left the room after the requesting user themselves had left). These membership events contained avatar & display name details which may not have been public (but in practice, the vast majority appear to be public data).

Aside from the events referenced above, the full dump contained ~20,000 events that also ought not to have been included; however these events were already publicly accessible due to being part of publicly accessible rooms (eg Matrix HQ) and so we do not consider them a breach of data.

What caused the bug?

Events that are pulled in over federation are assigned a negative 'stream ordering' ID. This is designed to avoid their being sent down the sync (where they would likely be out of sequence). In normal operation (accessing your homeserver via a Matrix client) these events would be appropriately filtered, but a bug in the data dump tooling caused them to be included.

The bug was introduced as a result of two factors:

• The event filtering code assumes that the user is currently in the room - this was not intuitive, and was not called out in the documentation
• When we fetched the events from the database, we tried to limit to events sent before the user left the room. On reflection, we used the wrong ordering mechanism (stream ordering instead of topological ordering), resulting in the inclusion of events that were fetched from a remote server after the data subject had left

We are working to fix the bug, and we'll update here when it is resolved. As a reminder, please do report security bugs responsibly as per the Security Disclosure Policy so we can validate the issue and mitigate abuse.

As is standard practice for any data breach, we have notified the ICO.

As a step towards implementing Terms of Service for Sydent Identity Servers (MSC2140), we're rolling out a couple of changes to the two Identity Servers run by New Vector (running at vector.im and matrix.org):

1. We have erased all of the data where there is any chance that the data subject didn't understand how, why or with whom their data was being shared.
2. We've made a change to Sydent so that it no longer persists new associations relating to users on homeservers not run by New Vector.

The impact of these changes is that users on homeservers not run by New Vector will no longer be discoverable by their email or telephone number via the Identity Servers running at vector.im and matrix.org. As we roll out the rest of the changes for Terms of Service for Identity Servers, this functionality will again be made available for users who make an informed choice to opt in.

Registration with Email and Password Reset

In the short term, the New Vector Identity Servers will continue to support registration with email (signing up with an email address as well as a matrix username) and password reset. However, as we continue to improve Identity Server data hygiene practices, we will phase out their use in registration with email and password reset entirely. We have already made the change to Synapse to support password reset without relying on an Identity Server (though this can optionally be re-enabled).

Once Synapse can support registration with email without relying on an Identity Server we will announce a schedule for disabling registration with email and password reset in our Identity Servers entirely. After this point, homeserver administrators will have to make sure their homeservers are configured to send email to keep registration with email and password reset working. More details on this to follow - please watch this space.

Hi all,

As mentioned in our last blog post on GDPR, to make sure that everyone has read and understood the important details about how their personal data is processed by the matrix.org homeserver, users who haven't yet agreed to the privacy notice and terms and conditions will be blocked from sending new messages until they have.

Users will continue to be able to receive messages, so they won't miss out on any messages sent to them before they've agreed to the terms.

The System Alerts room has already sent every user their unique link to review and agree, and if anyone missed that message, the latest Riot.im web and mobile will display a helpful error message guiding users who are yet to agree through the agreement process.

If you have any questions or difficulties, please let us know at [email protected].

Thanks!

Tom

If you've connected to the matrix.org homeserver today, you'll have noticed some activity in support of GDPR compliance. The most obvious of these is an invite from System Alerts (aka @server:matrix.org):

We've rolled out the System Alerts feature to communicate important platform information to all of a homeserver's users. Today, we're using it to communicate the arrival of our new (and much-improved) Privacy Notice and Terms and Conditions to users on matrix.org.

The System Alerts service takes the form of an (unrejectable) invite to a room. We took this approach to support maximum compatibility with the myriad Matrix clients (since all Matrix clients can support conversations in a room ?).

When we first rolled out System Alerts, we didn't allow users leave the System Alerts room. Sorry! We got a bit overexcited - we've fixed that now (though please do provide your agreement before you leave).

What do I need to do?

At some point today the System Alerts service will provide you with unique link, directing you to review the new terms and provide your agreement.

For us to process your personal data lawfully, it's really important that we know you understand and agree to our Privacy Notice and Terms and Conditions. For that reason, we will shortly be blocking any users who haven't indicated their acceptance, so please act quickly when you receive your link.

Once the block is enabled, users who haven't accepted the terms will see an error when they try and send a message, join a room, or send an invite. This message will also include the unique link to review and accept the terms, so users who haven't seen the message from System Alerts will know what to do.

Don't worry if you're reading this some time after May 25 - accepting the terms at any time will unblock message sending on your account, and you won't have missed any messages sent to you.

If you have any thoughts or suggestions on the legal documentation, you can provide comment via github.

Press/Media Contact

You can reach us by email at [email protected], or reach Matthew or Amandine on Matrix via Riot.im (or your favourite Matrix client).

Who is Matrix.org?

Matrix.org is the world leader in decentralised encrypted communication, with project lead Matthew Hodgson a regular speaker at conferences such as FOSDEM and decentralisation/privacy summits. In Sept 2016 Matrix released the world's first ever publicly audited end-to-end encryption “Olm”, based on the Double Ratchet Algorithm.

Matrix core team is based in London (UK) and Rennes (France).

Branding Identity

Matrix logo, black on transparent background, PNG format (also available in SVG)

Matrix logo, white on transparent background, PNG format

Hi Synapsefans,

Synapse 0.22.0 has just been released! This release lands a few interesting features:

• The new User directory API which supports Matrix clients' providing a much more intuitive and effective user search capability by exposing a list of:
  • Everybody your user shares a room with, and
  • Everybody in a public room your homeserver knows about
• New support for server admins, including a Shutdown Room API (to remove a room from a local server) and a Media Quarrantine API (to render a media item inaccessible without its actually being deleted)

As always there are lots of bug fixes and performance improvements, including increasing the default cache factor size from 0.1 to 0.5 (should improve performance for those running their own homeservers).

You can get Synapse 0.22.0 from https://github.com/matrix-org/synapse or https://github.com/matrix-org/synapse/releases/tag/v0.22.0 as normal.

Changes in synapse v0.22.0 (2017-07-06)

No changes since v0.22.0-rc2

Changes in synapse v0.22.0-rc2 (2017-07-04)

Changes:

• Improve performance of storing user IPs (PR #2307, #2308)
• Slightly improve performance of verifying access tokens (PR #2320)
• Slightly improve performance of event persistence (PR #2321)
• Increase default cache factor size from 0.1 to 0.5 (PR #2330)

Bug fixes:

• Fix bug with storing registration sessions that caused frequent CPU churn (PR #2319)

Changes in synapse v0.22.0-rc1 (2017-06-26)

Features:

• Add a user directory API (PR #2252, and many more)
• Add shutdown room API to remove room from local server (PR #2291)
• Add API to quarantine media (PR #2292)
• Add new config option to not send event contents to push servers (PR #2301) Thanks to @cjdelisle!

Changes:

• Various performance fixes (PR #2177, #2233, #2230, #2238, #2248, #2256, #2274)
• Deduplicate sync filters (PR #2219) Thanks to @krombel!
• Correct a typo in UPGRADE.rst (PR #2231) Thanks to @aaronraimist!
• Add count of one time keys to sync stream (PR #2237)
• Only store event_auth for state events (PR #2247)
• Store URL cache preview downloads separately (PR #2299)

Bug fixes:

• Fix users not getting notifications when AS listened to that user_id (PR #2216) Thanks to @slipeer!
• Fix users without push set up not getting notifications after joining rooms (PR #2236)
• Fix preview url API to trim long descriptions (PR #2243)
• Fix bug where we used cached but unpersisted state group as prev group, resulting in broken state of restart (PR #2263)
• Fix removing of pushers when using workers (PR #2267)
• Fix CORS headers to allow Authorization header (PR #2285) Thanks to @krombel!

Hi all,

Synapse 0.21.0 was released a moment ago. This release lands a number of performance improvements and stability fixes, plus a couple of small features.

For those of you upgrading https://github.com/matrix-org/synapse has the details as usual.  Full changelog follows:

Changes in synapse v0.21.0 (2017-05-17)

Features:

• Add per user rate-limiting overrides (PR #2208)
• Add config option to limit maximum number of events requested by /sync and /messages (PR #2221) Thanks to @psaavedra!

Changes:

• Various small performance fixes (PR #2201, #2202, #2224, #2226, #2227, #2228, #2229)
• Update username availability checker API (PR #2209, #2213)
• When purging, don't de-delta state groups we're about to delete (PR #2214)
• Documentation to check synapse version (PR #2215) Thanks to @hamber-dick!
• Add an index to event_search to speed up purge history API (PR #2218)

Bug fixes:

• Fix API to allow clients to upload one-time-keys with new sigs (PR #2206)

Changes in synapse v0.21.0-rc2 (2017-05-08)

Changes:

• Always mark remotes as up if we receive a signed request from them (PR #2190)

Bug fixes:

• Fix bug where users got pushed for rooms they had muted (PR #2200)

Changes in synapse v0.21.0-rc1 (2017-05-08)

Features:

• Add username availability checker API (PR #2183)
• Add read marker API (PR #2120)

Changes:

• Enable guest access for the 3pl/3pid APIs (PR #1986)
• Add setting to support TURN for guests (PR #2011)
• Various performance improvements (PR #2075, #2076, #2080, #2083, #2108, #2158, #2176, #2185)
• Make synctl a bit more user friendly (PR #2078, #2127) Thanks @APwhitehat!
• Replace HTTP replication with TCP replication (PR #2082, #2097, #2098, #2099, #2103, #2014, #2016, #2115, #2116, #2117)
• Support authenticated SMTP (PR #2102) Thanks @DanielDent!
• Add a counter metric for successfully-sent transactions (PR #2121)
• Propagate errors sensibly from proxied IS requests (PR #2147)
• Add more granular event send metrics (PR #2178)

Bug fixes:

• Fix nuke-room script to work with current schema (PR #1927) Thanks @zuckschwerdt!
• Fix db port script to not assume postgres tables are in the public schema (PR #2024) Thanks @jerrykan!
• Fix getting latest device IP for user with no devices (PR #2118)
• Fix rejection of invites to unreachable servers (PR #2145)
• Fix code for reporting old verify keys in synapse (PR #2156)
• Fix invite state to always include all events (PR #2163)
• Fix bug where synapse would always fetch state for any missing event (PR #2170)
• Fix a leak with timed out HTTP connections (PR #2180)
• Fix bug where we didn't time out HTTP requests to ASes (PR #2192)

Docs:

• Clarify doc for SQLite to PostgreSQL port (PR #1961) Thanks @benhylau!
• Fix typo in synctl help (PR #2107) Thanks @HarHarLinks!
• web_client_location documentation fix (PR #2131) Thanks @matthewjwolff!
• Update README.rst with FreeBSD changes (PR #2132) Thanks @feld!
• Clarify setting up metrics (PR #2149) Thanks @encks!