Cannot delete OmniChannel Contacts or disable 'Add to Contacts'
Description:
Cannot delete OmniChannel Contacts.
This is illegal under GDPR.
Cannot remove/disable the 'Add to Contacts' prompt when commencing a chat.
Steps to reproduce:
Go to OmniChannel Contacts.
omnichannel-directory/contacts
Try to delete a Contact.
Expected behavior:
You should be able to delete a Contact and their PI as per GDPR.
Actual behavior:
Cannot remove the Contact. No way to disable 'Add to Contacts'.
Server Setup Information:
- Licence type eg CE/Starter/Pro : Starter
- Number of users: various under 50
- Server hardware: VPS
- Version of Rocket.Chat Server: 7.3.x
- Operating System: CentOS/Ubuntu
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog: Yup
- NodeJS Version: As per docker install
- MongoDB Version: 7.x
As per https://rocket.chat
I’d like to work on this issue. GDPR compliance is super important, and it’s critical users can delete their data properly. Let me know if there’s anything specific I should keep in mind or if you have any suggestions.
This is a very complex issue and is with the team.
I have added this as a reference.
Please do not work on it.
ok sir
Hey everyone,
Thanks for reporting your findings - and concerns as well - Let's make sure we're all aware of existing features and potential gaps for further discussions. As context: A brand-new Contact entity came out with release 7.1, becoming the entity that represents "visitors" across multiple channels. Such a capability also introduces the ability to merge visitors into one single contact upon identity verification. That means that the old/legacy Visitor entity still exists representing a given individual within a given channel and the Contact behaves as a holistic entity across multiple channels.
That said, let's go through the "red-flags" shared above:
Cannot delete OmniChannel Contacts.
Actually you can. There is a REST API endpoint for that action: https://github.com/RocketChat/Rocket.Chat/blob/develop/apps/meteor/app/livechat/server/api/v1/visitor.ts#L154
This is illegal under GDPR.
Our Livechat widget solution provides GDPR-compliance mechanisms to handle data privacy and protection needs.
Cannot remove/disable the 'Add to Contacts' prompt when commencing a chat.
Actually you can. You just need to disable the corresponding permissions in order to get the product to behave accordingly.
What the product doesn't yet provide is the ability to remove contacts from the UI, which is something we have intentions to deliver as soon as we go through design phase and manage to get engineering capacity to address the use case.
We're open to getting insights about how to meet compliance standards under different privacy and data protection standards.
As context: A brand-new Contact entity came out with release 7.1, becoming the entity that represents "visitors" across multiple channels. Such a capability also introduces the ability to merge visitors into one single contact upon identity verification. That means that the old/legacy Visitor entity still exists representing a given individual within a given channel and the Contact behaves as a holistic entity across multiple channels.
Irrelevant to the issue. This is about data removal, not addition.
Our Livechat widget solution provides GDPR-compliance mechanisms to handle data privacy and protection needs
So first, many times people close the chat by closing a tab or going to a different site and do not delete their data. So then we have their data but we can't delete it, and the onus is on us to do so if requested.
The "Forget/Remove my data" isn't good enough because under GDPR (and I believe probably Brazilian law too) they can agree to the data processing, and subsequently ask for the data to be removed. That is 'removal of consent' and is legally binding except in a few very specific cases, and none of which would apply to us.
Actually you can. There is a REST API endpoint for that action:
We HAVE to be able to delete them, and we should NOT have to do it via an API. I don't have the time for that. It also assumes you are set up for API work, and I am not. Never use it.
If a contact is that easy to add, it should be that easy to remove.
And there should be a simple facility in Omnichannel settings to disable it, permanently. ON/Off.
So, let's try looking for how to disable it and delete a contact with the API. Should be simple........
After a lengthy search I managed to find:
You can set a contact manager for a visitor/contact using
Register or Update Omnichannel Contact
Register a guest user as a new omnichannel contact. Permission required: view-l-room
Search perms for view-l-room. Nada.
Note: This endpoint will be replaced
Joy. Let's try a link.
Register a new omnichannel contact. Permission required: create-livechat-contact
Search for create-livechat-contact. (Why isn't this capitalised like the actual settings?)
Find Create Omnichannel contacts. Uncheck various boxes.
OK, so I presume that is disabled. That was simple then. Obligatory Douglas Adams reference Finding the plans
So how do I delete?
I can Create, and I can Update and Search and get History, but I want to delete them entirely. Nothing I can see in the API for that?
So where is it exactly (and don't tell me I just have to empty the data - I want them gone completely with a simple delete _id) I presume it isn't there for the same reason there is no simple Delete function in the manager. Quite simply we can't because the code does not exist.
What the product doesn't yet provide is the ability to remove contacts from the UI, which is something we have intentions to deliver as soon as we go through design phase and manage to get engineering capacity to address the use case.
As above, I'm not sure you can even do it via the API.
But this should have been done at the outset, and I understand that it will not be simple, which means it will take a long time, during which I can get sued. As can anyone else in the EU. It only takes ONE complaint.
We're open to getting insights about how to meet compliance standards under different privacy and data protection standards.
This is not the first time I have raised issues with GDPR. It is well known. Rocket claim to be compliant, but clearly not.
Knowing that it should have been implemented in initial design phase (I believe it was considered, but I understand it was too difficult ?), not as some after thought.
Right now we'll probably have to disable our LiveChat because it is no longer compliant as I cannot delete the Contact record, which is the reason I started using RocketChat in the first place. That will cost us money, though not as much as if we got sued.
Note I am not the only one. And I suspect that there will be more in time as they realise what has gone on - as an admin I don't usually see this sort of thing and I only stumbled over it because of this:
https://open.rocket.chat/channel/support?msg=w4s2d7qLNL7DSN6xW
So ultimately, how long until this is fixed and my legal liability relieved?
All I hear is a lot of crickets.........
@reetp i can work on this
@reetp i can work on this
See my earlier response (you must read and understand all the comments first).
https://github.com/RocketChat/Rocket.Chat/issues/35399#issuecomment-2700236943
This is highly complex and will need to be resolved internally.
Renato did advise this:
What the product doesn't yet provide is the ability to remove contacts from the UI, which is something we have intentions to deliver as soon as we go through design phase and manage to get engineering capacity to address the use case.
This should have been done at the outset and I have no idea what they were thinking.
I am not sure how long this will take - I suspect a long time.
I also note that the current attitude seems to be that they would prefer to sell you new features than fix existing urgent compliance issues - see the response here:
https://open.rocket.chat/channel/support?msg=w4s2d7qLNL7DSN6xW
For us we are now investigating alternative compliant systems as we cannot afford the legal risks involved with Rocket.
We recognize the feedback regarding GDPR capabilities and the need for stronger data privacy controls. While we may not be implementing every request exactly as suggested, we are committed to meaningful, scalable improvements that address the core challenges of data compliance within Rocket.Chat.
Our focus now is on enhancing the Data Retention Policy mechanism, ensuring it covers Omnichannel conversations and allows for automated lifecycle management of chat data. This will enable organizations to define and enforce retention policies more effectively while also providing automation to support the right to be forgotten.
Rather than making isolated changes, we are taking a comprehensive approach to improve GDPR-related capabilities in a way that benefits the entire community. We appreciate your input and look forward to delivering enhancements that strengthen data privacy across the platform.
We intend to release major improvements with version 7.6 (Late April, 25).
I 100% agree that we should have an easier way to delete Omnichannel contacts. I was talking to a few engineers and our DPO a couple of days ago about this one and it seems to be the general understanding. Even if we have an API that allows us to delete contacts, we should still have a way to do it on Rocket.Chat's interface.
Renato,
you should know by now you are picking an argument with the wrong person so I will treat your corporate nonsense response with the contempt it deserves. It might fool a few corporate suits, but ordinary people can see the simple facts.
Julio,
Even if we have an API that allows us to delete contacts,
See my previous.
You don't even have that. I've documented it.
Knowing Rocket's claims to be GDPR compliant, this tells us it was incompetence or laziness at the design stage,
I'll let you choose which.
I am here, as I am trying to figure out how to delete my test-livechats from 2022, that I am not able to delete. I get this error message instead: "Error removing inquiry"
I am really annoyed, that you publish something, that creates more issues to users than help. It's called enshittification and I hoped this does not happen with OpenSource software. But here we are, being forced into the "starter" license #33989 and not able to delete without using the API.
Please don't conflate issues.
This has absolutely nothing to do with which licence you use, or open source.
Take your grievances elsewhere.
@reetp is this open to work?
is this open to work?
Please don't @ me.
You will help yourself a lot if you actually read ALL the comments. Answered above.
https://github.com/RocketChat/Rocket.Chat/issues/35399#issuecomment-2700236943
Alright would take care of it
Alright would take care of it
Unlikely. You probably ought to read the code first.
It is hugely complex to the point they never included it because it was too difficult.
It should be fixed urgently as it makes Rocket GDPR 'non compliant' as we cannot remove PI, but they are more interested in selling you shiny things than fixing huge issues like this.
Find something easier.
Am I right in thinking this is a fix?
https://github.com/RocketChat/Rocket.Chat/pull/36228
Also https://github.com/RocketChat/Rocket.Chat/pull/36589
Think this appears to be fixed in 7.11.0
I added a test contact and was able to delete them as well.
Closing.