name: intro layout: true class: center, middle, inverse — # OpenAppStack Take back control over your data! .footnote[Project site: [openappstack.net](https://openappstack.net)] — layout: false # Contents of this talk – Problem – Alternatives – OpenAppStack — # The problem (1/3) Question 1: – How many different companies did you interact with for RightsCon attendance? ??? Leaving out – airline companies – hotels, etc. Just the companies that got some of your personal information leading up to this event — ## 3-5 companies *directly* – Eventbrite – Sched – Engaging networks (e-activists) – OpenWater – Visa application – Travel support – Session proposals – Google (mostly for speakers) – Preliminary program – Session Organizer’s Guide – Moderator Training RSVP ??? – Eventbrite — attendance – Sched — program – Engaging networks (e-activists) — mailing – If you’re a speaker: – Google — training, program and guide – Preliminary program – Session Organizer’s Guide – Moderator Training RSVP – OpenWater — submitting proposals — ## Privacy policies Now let’s take a look at some of the privacy policies of these applications. ??? Eventbrite, (and everything actually) – Scroll down to footer – Scroll down some more Note: RightsCon’s data usage policy links to them directly (although does not mention OpenWater) **Luckily, they make it easy for you with an overview** — ### Eventbrite ![eventbrite-privacy-overview](/assets/2019-06-12-rightscon-presentation/eventbrite-privacy-overview.png) — ### Eventbrite *"We may store Personal Data itself or such information may be stored by third parties to whom we have transferred it in accordance with this Privacy Policy. We take what we believe to be reasonable steps to protect the Personal Data collected via the Services from loss, misuse, unauthorized use, access, inadvertent disclosure, alteration and destruction. However, no network, server, database or Internet or e-mail transmission is ever fully secure or error free. Therefore, you should take special care in deciding what information you send to us electronically. Please keep this in mind when disclosing any Personal Data."* ??? Note: third parties are not named in the privacy policy. Also note — ### Eventbrite *"We may store Personal Data itself or such information may be stored by third parties to whom we have transferred it in accordance with this Privacy Policy. We take what we believe to be reasonable steps to protect the Personal Data collected via the Services from loss, misuse, unauthorized use, access, inadvertent disclosure, alteration and destruction. However, no network, server, database or Internet or e-mail transmission is ever fully secure or error free. **Therefore, you should take special care in deciding what information you send to us electronically. Please keep this in mind when disclosing any Personal Data.**"* ??? *take special care in deciding* But they ask for — ### Eventbrite ![eventbrite-information](/assets/2019-06-12-rightscon-presentation/eventbrite-information.png) ??? Sometimes not really giving you an option — ### OpenWater ??? Now let’s take a look at "OpenWater", – Visa applications – Travel support – Session proposals Try to find the privacy policy on this page. I’ll make it a bit bigger — ### OpenWater ![openwater-privacy-policy-zoomed](/assets/2019-06-12-rightscon-presentation/openwater-privacy-policy-zoomed.png) ??? 1. Used to be very limited 2. Got a GDPR appendix, tells us: — ### Openwater Direct access to data: – Certain OpenWater staff Access to some data – File storage: AWS (Amazon) – Web/DB servers: Azure (Microsoft) – Cloudflare – Google Analytics ??? Actually the privacy policy itself is read from an AWS link — ### Sched: Infrastructure providers alone: – AWS – Cloudflare – Eventbrite – Google (for internal communication) – New relic – Recurly – Mailchimp ??? Under other parts of the privacy policy: – Facebook (friend finder) – Slack (support) – Google and two other analytics companies — ## Conclusion – 3-5 companies with direct access to your data for RightsCon alone: – 6 additional companies with indirect access to (meta)data. **NOTE**: Not all these companies get access to all the data! ??? Direct access: – Eventbrite – Sched – Engaging networks (e-activists) – OpenWater – Google (mostly for speakers) Indirect access: – Amazon AWS – Microoft Azure – Cloudflare – New relic – Recurly – Mailchimp **NOTE**: Not all these companies get access to all the data! — # The problem (2/3) Question: – How does that make you feel? ??? – How does that make you feel? — temperature check — # The problem (3/3) This is not different for: – NGO’s – A lot of journalists – Activists ??? – Small companies – Not a lot of money – Convenience > data privacy – Bigger NGOs – Also convenience > data privacy – Free applications don’t require a tender! – Journalists & activists: – Everybody already has account – Everybody is familiar with the software – Don’t want to familiarise with 1 of the many alternatives — # Alternatives (1/2) – Open source – Self hosted ??? The rest of this talk is not about conference organising, but small organisations, journalists and activist groups. – Open Source – Also free (in terms of money) – Shared responsibility over application security – Adaptable – Self hosted – *You* decide which infrastructure/platform provider to trust – Moving is relatively easy – You have ownership over the data — # Alternatives (2/2) – Nextcloud – Collabora – Matrix and Riot Goals: – File sharing – Document editing – Communication — ## Nextcloud Replaces: – Dropbox – Google Drive – Microsoft office 365 file storage Adds: – Encryption – Federation – Choose file storage location – Extra apps – Linux desktop app (missing for Google Drive) – Windows phone app ??? Extra apps include simple audio/video chat service and many other options — ## Collabora CODE Replaces: – Google docs – Microsoft office 365 document editing Adds: – Save documents to NextCloud ??? Saving to NC gives you all the advantages of NC Collabora CODE can basically do what the others do too: – save documents in odt or doc(x) formats – edit documents collaboratively – however: limited use in unpaid version – max 10 documents open – max 20 connections open — ## Matrix Replaces: – Signal/WhatsApp/Telegram – Slack/Hangouts/Discord Adds: – Federated – Anonymity – Several choices in chat client – Replaces different phone and desktop protocols with one centralised chat for the organisation. ??? – Federated – You can run your own server, but servers can communicate with each other, like email – Combine phone apps w/ desktop apps: – Replaces both Signal, WhatsApp and Telegram as well as more team driven communication tools like Slack or Hangouts – Anonymity (no phone number or google account required, depending on the server, though) – **NOTE**: We’re not certain yet if we are going to use Matrix specifically, we need your input. — # The problem (4/3) Maintenance. – System administrators are expensive – Updates – Security ??? OK we might have held back 1 problem. — ## OpenAppStack – Open Source – Self updating – Easy to deploy – Integrated ??? – Open Source – Deploys the previously described open source applications – Is itself open source too – Self updating – Automatically updates after the OAS team confirms updates don’t break the system – Easy to deploy – Ideally deployed with the click of 1 button, or by running 1 script if you want to run it on your own infrastructure – Integrated – 1 account for all the included application – SSO — # User input We need your input, come talk to me after!