From 57eb67ec41baf0809585318e797b3eb36c6aea27 Mon Sep 17 00:00:00 2001 From: Kerry Archibald Date: Tue, 27 Sep 2022 16:38:52 +0200 Subject: [PATCH] matrix_client_information: opt in and security considerations --- spec/matrix_client_information.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/spec/matrix_client_information.md b/spec/matrix_client_information.md index b180e5f..4a5da13 100644 --- a/spec/matrix_client_information.md +++ b/spec/matrix_client_information.md @@ -31,6 +31,8 @@ All properties are strings. `url` property is optional. ## Client advisory +Storage of client information should be opt-in. + When starting the client after login or update: 1. Upsert an account data event with the type `io.element.matrix_client_information.` for the current device @@ -45,7 +47,9 @@ Pruning of events depends on implementation of [MSC3391: Removing account data](https://github.com/matrix-org/matrix-spec-proposals/pull/3391) ## Security considerations -N/A +Storage of client information in account_data exposes information about user sessions to server administrators. +The goal of the feature is to make session management easier, particularly identification of suspicious sessions. +For this reason client information events will not use secret storage. ## Implementations
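Review bot: In the `## Client advisory` hunk, the added line "Storage of client information should be opt-in." does not say who opts in or what the default is, and the steps right after it ("When starting the client after login or update: 1. Upsert an account data event ...") remain unconditional. Suggest making the condition part of the procedure, for example "If the user has opted in, when starting the client after login or update:", and stating what a client does with an already stored event when the user opts out, since the pruning text in this file still depends on MSC3391.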
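Review bot: In the `## Security considerations` hunk, "For this reason client information events will not use secret storage." follows from the session-management goal only implicitly. State directly which party needs to read the events in the clear, so the trade-off against "exposes information about user sessions to server administrators" is explicit. The section also presents the feature as an aid to "identification of suspicious sessions", while the Client advisory has each client upsert the event for its own device, so the values are self-reported; suggest adding a sentence that the stored information is unverified and should be treated as a hint. Minor: put `account_data` in backticks to match the other identifiers in the file.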