General Data Protection Regulation (GDPR)

Overview
In May 2018, the General Data Protection Regulation (GDPR) takes effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. If you are unsure how the GDPR affects you or your organization, consult your legal counsel.

Microsoft products and services are available today to help you meet GDPR requirements. Read more about the Microsoft privacy policy at the Trust Center.

From a bot perspective, a bot developed using the Azure Bot Service may store data about its interactions with your users on your behalf. There are two classes of data to be aware of.

  • Conversation data – a record that a user participated in a conversation with your bot (excluding the content of the conversation itself). This is recorded only for the Kik, Facebook, and Direct Line channels.
  • Bot State data – information your bot stores to keep track of the state of a conversation, either indirectly through the BotBuilder SDK or directly via the Bot State service API. Depending on your implementation, it may have been stored in the Bot State Service (deprecated) or in your bot's own storage.

To help you manage your bot's users' privacy, we are providing APIs (ExportBotStateDataAsync, GetConversationsAsync, DeleteConversationMember, SetUserData, and SetPrivateConversationData) which developers can use to export, retrieve, and delete both the conversation records and the Bot State data of their users.

First, let's talk about the desired user experience for processing GDPR requests; then we'll go over the APIs and their descriptions. Finally, we'll suggest a design for a web interface that developers can provide to their users.

To allow users to request that their personal data be exported or deleted, the bot needs to implement some interaction that lets the user know what the available options are, for example through a help command or a card with options to choose from. If the user makes one of those requests, the bot should respond in a timely manner. A request might take hours to process, and the user should not have to wait for the bot to finish. One way to avoid the wait is to include in the bot's response a link to a web site where the user can check the status of their request.

Prerequisites
Your bot will need to be upgraded to version 3.15.0 of the Microsoft.Bot.Builder NuGet package to consume the APIs described in this document.

Conversation Data

The Azure Bot Service (ABS) identifies users by a unique ID provided by each channel. A user can therefore have several different IDs, one per channel they use. For example, if your user interacts with your bot via Skype, Web Chat, and Facebook, the Bot Service treats these as three different users.

Because the ABS cannot correlate IDs across channels, a user who wishes to make a GDPR request must authenticate with a channel so that the bot receives that channel's unique user ID; the bot can then handle the GDPR request directly from the user. For bots which support more than one channel, you must explain to your users that when they make a GDPR request, they also need to sign in to every other supported channel they may have used and make a GDPR request from each of those channels as well.

Currently, three channels store user participation information – Direct Line, Kik, and Facebook. Direct Line and Kik both support group conversations with many users. It is important to reiterate that the channels store only a record that a user participated in a conversation, not the message content of the conversation itself.

GetConversationsAsync uses a continuation token pattern to retrieve the conversations associated with users: call it repeatedly, passing in the continuation token returned by the previous call, until no continuation token is returned. An empty list is returned for channels which do not record user participation.

DeleteConversationMember removes the record that a specific user participated in a conversation. If the user being removed was the last participant, the conversation record itself is also deleted.

ExportBotStateDataAsync makes a client connection to a state service, whether the default Azure Bot State service or your own, and returns a list of all BotState objects associated with a user.

SetUserData – passing null to this method deletes the user data.

SetPrivateConversationData – passing null to this method deletes the private conversation data.

Bot developers using the Bot Framework should stop using the default Bot State Service. The default state service is scheduled to be deprecated on March 31, 2018.

Create a Web Server for GDPR requests to ABS

Create a web server that performs the heavy lifting of processing GDPR requests from the user. Using a separate web server allows your bot to continue running while the web server processes GDPR requests; if the bot processed the requests itself, it could become unresponsive, depending on how many conversation and user data records need to be processed. A web server also provides a convenient location for users to download their exported personal data.

Any reliable web server that can process REST calls will be sufficient. Requests from the user are processed as follows:

  1. The bot generates a GUID and makes a REST call to your web server to start processing the GDPR request, providing the channel ID, user ID, bot ID, and GUID. The URL presented to the user is protected only by this GUID: anyone who holds the URL can see the status of the request and download the exported data. The GUID must therefore be generated from a cryptographically secure random source so that it is unguessable, and it should be handed to the user only inside their own conversation with the bot. The REST call from the bot to the web server should itself be authenticated, so that only your bot can create requests.
  2. The web server responds to the bot with the status of the GDPR request and a URL serving a web UI where the user can check on the request; the bot relays this to the user.
  3. The web server processes the export or delete request using the APIs described above. To call them it needs the bot's MicrosoftAppId and MicrosoftAppPassword. These credentials authenticate the web server to the Azure Bot Service as your bot; the user and channel on whose behalf the request is made are identified by the channel ID and user ID from step 1. Treat the app password as a secret, since anyone holding it can act as your bot.
  4. When the request is complete, the web server renders the information to the user in the web UI and provides options for the user to download the export or confirm the deletion.

(Note: before the request is finished, the web UI might simply inform the user that their request is being processed)
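The following is an added example, not code from the Bot Framework SDK or from this page: it implements in Python the continuation-token sweep described under Conversation Data (GetConversationsAsync followed by DeleteConversationMember, with the last-participant rule, and SetUserData with null) and steps 1 to 4 of the web server flow above. The real bot would be C# against the ConnectorClient and state service; here FakeBotService is a constructed in-memory stand-in for one channel's records, STATUS_URL_BASE is a hypothetical host, and the sample conversations and state are constructed data.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


class FakeBotService:
    """Constructed stand-in for ONE channel's records (not the real
    ConnectorClient/StateClient) with the semantics the page describes:
    conversations are paged by continuation token, removing the last member
    deletes the conversation record, and setting user data to None deletes it.
    Real continuation tokens are opaque; this one is just a page offset."""

    PAGE_SIZE = 2  # deliberately small so the sweep must follow several tokens

    def __init__(self, conversations, user_state):
        self.conversations = {cid: set(m) for cid, m in conversations.items()}
        self.user_state = dict(user_state)  # (channel_id, user_id) -> dict

    def get_conversations(self, continuation_token=None):
        ids = sorted(self.conversations)
        start = int(continuation_token) if continuation_token else 0
        end = start + self.PAGE_SIZE
        page = [(cid, set(self.conversations[cid])) for cid in ids[start:end]]
        return page, (str(end) if end < len(ids) else None)

    def delete_conversation_member(self, conversation_id, user_id):
        members = self.conversations[conversation_id]
        members.discard(user_id)
        if not members:  # last participant gone: drop the conversation record
            del self.conversations[conversation_id]

    def export_bot_state(self, channel_id, user_id):
        return dict(self.user_state.get((channel_id, user_id), {}))

    def set_user_data(self, channel_id, user_id, data):
        if data is None:  # "passing null deletes the user data"
            self.user_state.pop((channel_id, user_id), None)
        else:
            self.user_state[(channel_id, user_id)] = dict(data)


@dataclass
class GdprRequest:
    channel_id: str
    user_id: str
    bot_id: str
    kind: str  # "export" or "delete"
    status: str = "pending"
    result: dict = field(default_factory=dict)


STATUS_URL_BASE = "https://gdpr.example.invalid/status/"  # hypothetical host


class GdprRequestService:
    """The web server's side of the flow: issue an unguessable request token,
    hand back a status URL, then run the paged sweep and the export/delete."""

    def __init__(self, service):
        self.service = service
        self.requests = {}  # sha256(token) -> GdprRequest; raw tokens not kept

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def submit(self, channel_id, user_id, bot_id, kind):
        if kind not in ("export", "delete"):
            raise ValueError("kind must be 'export' or 'delete'")
        # 256 bits from the OS CSPRNG: the token is a bearer capability for the
        # user's data, so it must be unguessable. A GUID is not guaranteed to be.
        token = secrets.token_urlsafe(32)
        self.requests[self._key(token)] = GdprRequest(channel_id, user_id, bot_id, kind)
        return token

    def status_url(self, token):
        return STATUS_URL_BASE + token

    def lookup(self, token):
        return self.requests.get(self._key(token))

    def sweep_conversations(self, user_id):
        """Follow continuation tokens until none comes back, collecting every
        conversation the user is in. Collect first, delete afterwards: deleting
        while still paging could make the service skip records."""
        found, cont = [], None
        while True:
            page, cont = self.service.get_conversations(cont)
            found.extend(cid for cid, members in page if user_id in members)
            if cont is None:
                return found

    def process(self, token):
        req = self.lookup(token)
        if req is None:
            return None  # unknown or forged token: reveal nothing
        req.status = "in_progress"
        conversations = self.sweep_conversations(req.user_id)
        if req.kind == "export":
            req.result = {"conversations": conversations,
                          "bot_state": self.service.export_bot_state(req.channel_id, req.user_id)}
        else:
            for cid in conversations:
                self.service.delete_conversation_member(cid, req.user_id)
            self.service.set_user_data(req.channel_id, req.user_id, None)
            req.result = {"conversations_removed": len(conversations)}
        req.status = "completed"
        return req


# Constructed sample records for a single channel (not real data).
SAMPLE_CONVERSATIONS = {
    "conv-a": {"u1", "u2"},
    "conv-b": {"u1"},  # u1 is the only member: deleting u1 drops the record
    "conv-c": {"u2", "u3"},
    "conv-d": {"u1", "u3"},
    "conv-e": {"u2"},
}
SAMPLE_STATE = {("directline", "u1"): {"lastOrder": 42},
                ("directline", "u2"): {"lastOrder": 7}}


def run_request(kind, user_id, channel_id="directline"):
    """Steps 1 to 4 of the flow for one user on one channel."""
    service = FakeBotService(SAMPLE_CONVERSATIONS, SAMPLE_STATE)
    gdpr = GdprRequestService(service)
    token = gdpr.submit(channel_id, user_id, "bot-1", kind)
    url = gdpr.status_url(token)  # the link the bot relays to the user
    return gdpr.process(token), service, url
```

Two points the code makes that the steps above only imply: the web server stores a hash of the token rather than the token itself, so a leaked request table does not yield working status links, and the sweep collects every matching conversation before deleting any, because deleting while still following continuation tokens can cause records to be skipped. A user with IDs on several channels needs one run_request per channel, exactly as described under Conversation Data.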

We hope that this information will help our bot developers to become GDPR compliant in a timely manner.

References
Official EU GDPR homepage
Personally identifiable information