New version of Joplin contacting Google servers on startup

As far as I can tell, nobody said so (or I missed it). I said (and others did too) there is a problem (small or large) which I'd like a) other users to know about and b) the devs to consider one way or the other. This is the way improving the design, the concept or the code (sometimes) works through this forum. Different opinion - sure! Talking about paranoia, panic, and all the rest without sound knowledge of the underlying risks is ... useless,

1 Like

Why just Google? Couldn't anything that causes the user to contact any third-party for a resource fall foul of this?

Obviously. Any third party connection is a potential problem. (But the German court only dealt with a very specific Google fonts case, you cannot generalise it)

But Laurent's comment is quite important. Joplin is open source. I am not sure if the GDPR applies. That's a really interesting question.

Back to the topic of Hunspell: Perhaps it is desirable for Joplin to follow the same rules that apply to companies with regard to the GDPR. At least in the long run. If external requests become a bigger problem in the future some solutions may pop up which Joplin can follow.

Actually I just looked again at one of the translations above (by Google Translate :slight_smile: ) and it has an opinion that starts:


Attorney Plutte's comment: What does the decision mean?

  1. The Munich judgment only applies to the popular Google Fonts service as an example. The principles established by the court apply to all web services originating in the USA. This does not just mean alternative offers such as Adobe Fonts or MyFonts, but literally every US service that is dynamically integrated into a website. (My emphasis)

EDIT: Removed some rubbish I wrote...

Why is there a correlation between software being open source and a legal framework?

Anybody is free to develop software, open or closed. GDPR just means a data-controller (the business/organisation responsible for the personal data processed) needs specific agreements with its data-processors (business providing a service to the data-controller), among other things information security related.

If a EU business chooses to:

  • Use Joplin personal with third party sync, the service provider offering sync must be procured with proper data-processing-agreements (DPA).
  • Use Joplin Cloud, Laurent's business provides the sync service and storage. Business must have a DPA with Laurent.
  • Use a hoster for their 'private Joplin Cloud' with Joplin Server same thing.
  • Use Joplin Server on premise, all other things GDPR apply for that business, but there doesn't need to be a DPA.

So there is no legal obligation to develop things left or right.
But if Joplin is going B2B with EU customers, then these checks will show up.

I encounter many 'handy apps' that become unprocurable, maybe no business to sign a DPA, or they themselves use subprocessors without proper DPAs.

Compared with Linux. You can't procure it from Linus Torvalds. But lots of businesses offer hosting etc.

Joel, did you just compare Laurent Cozic with Linus Torvalds?
Yes, but only as a compliment. :grin:

2 Likes

Joel, what you have written sounds completely plausible to me. However, let me add that there are three different concerns that are talked about in this thread:

  1. The original concern that there is a connection to some Google server when Joplin is started. As this is a generic request for some spellcheck dictionary, the only information that is transmitted is that some computer with some IP requests to download a dictionary. It is not related to any content of your Joplin.
  2. The recent case in Germany, where it was ruled that a website that you visit is not allowed to automatically do something that transmits your IP address to third-party servers (e.g. to download fonts from Google). Due to GDPR, the user must be able to consent (or reject) this.
  3. The topic Joel mentioned: If you sync your Joplin somewhere, the content of your notes needs to be stored on some server (that's how sync works). Due to GDPR, if the content of your notes contains any personal information about your customers or similar, you need to have a contract with the server provider that basically states that the data is handled in a certain way (security etc).

1 Like

Regarding the original topic: I suggest to generally disable features that make external connections, once they are known. Add some toggle that allows the user to enable them. State somewhere on the website that Joplin aims at minimizing its "online footprint", i.e. make little to no external connections, but that this is not guaranteed.

This would align both with the goals of privacy and with the goal to not become too entangled with chasing external connections for each release of a component that Joplin uses.

2 Likes

After reading the whole thread carefully, my understanding is that without the user's action, Google has the opportunity to collect metadata every time Joplin starts. It seems to me that this is primarily an Electron design decision, the amazing people here could provide a workaround, in my best case.

Dictionaries do not update frequently. I could understand if there is a connection once, when a new dictionary gets activated for the sake of convenience. On every start that really seems gross. Personally, I wouldn't mind to download the dictionaries myself and add them to Joplin.

It might be of value to create a wiki entry, with the instructions for the privacy aware user, to make sure no metadata leaks to big tech. I always was of the opinion that Joplin is completely offline, therefore I volunteer to contribute to that.
