1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Attachment System Improvements in 1.1 - Privacy concerns

Discussion in 'General XenForo Discussion and Feedback' started by jwiechers, Oct 2, 2011.

  1. jwiechers

    jwiechers Member

    Not to be a killjoy, but this function walks a very fine line if you wish to give it the benefit of the doubt, it flat out violates EU data privacy laws if you don't. You (as a service provider) are *not* at liberty to "keep up with what the users are doing in private conversations", not even attachment-wise. You are allowed to inspect things like this, under very narrowly defined circumstances, varying by country.
    A function that can be easily accessible, that would display attachments of personal conversations whenever you inspect the regular attachment list, or that would be accessible to moderators as well would be problematical, to put it very mildly.

    Unless, of course, you put it in your ToS that private conversations aren't private and are routinely beeing snooped if attachments are present... suboptimal, if you ask me.
    Ingenious, Digital Doctor and kyrgyz like this.
  2. Trekkan

    Trekkan Well-Known Member

    Not everyone lives in the EU and not all forums are public. Fair enough point you made, but let's try and stop having software limit those that don't have such restrictions and have administrators be responsible for their own actions/configurations.
  3. jwiechers

    jwiechers Member

    Well, let me put it like this: you've got to be creative to find any western country where you're allowed to do what this browser allows, even the US, which is worse than some banana republics with regard to data privacy and whose check-ups on companies who declare Safe Harbor compliance is dismal, has provisions that very likely forbid this. ;-)

    I've got nothing against the function though, if the ToS clearly state that it's there it's still not entirely fine for many countries, but you'll likely get away with it unless we're talking pretty major players.
    I just wanted to mention that this *is* a very hot topic.
  4. Alfa1

    Alfa1 Well-Known Member

    AFAIK PMs are not recognized anywhere as private data, like email and physical letters are. Could you please reference your claims that browsing PM attachments might not be legal?
    zaiger and erich37 like this.
  5. Marc

    Marc Well-Known Member

    I always thought that there were conversations that allow people to contact others directly as apposed to being private messages. Could just be me ;)
  6. Kevin

    Kevin Well-Known Member

    Or, if you live in such a country (I know Germany, for example, is pretty stringent) you could just not give your users permissions to do PM attachments while the rest of the world goes along happy with the new functionality.
  7. James

    James Well-Known Member

    The feature is named Conversations, there is no privacy implied. The only feature it allows is a one-on-one (or group) conversation.
  8. kyrgyz

    kyrgyz Well-Known Member

    I imagine Kier/Mike/Ashley did get their lawyers' advice before making attachments in personal conversations searchable by admins.

    First the definition:
    Additional thoughts:
  9. jwiechers

    jwiechers Member

    Whatever gave you that idea?
    I know this argument has been advanced previously, but never understood why people figured that it was the case.

    Depending on the jurisdiction, a forum membership is either an actual contractual relationship, semicontractual or quasicontractual, and you're considered a service provider, which comes with a lot of baggage.

    Privacy laws are formulated with a vague language in order to apply to a very wide class of scenario, irrespective of the technologies used, there generally isn't a data privacy law specifically forbidding tapping emails or faxes or private messages because there are wider provisions on wiretapping, interception of communication and other means of invasion of privacy that adequately cover the issue and courts generally let the it boil down to the very simple consideration whether the user can reasonably expect that a certain information is "private" or directed to a specific audience of his choosing. If that's the case, stuff is likely private, no matter how trivial it is for you to look at it with phpMyAdmin.

    In the US, the most likely starting point would be the Stored Communications Act, only recently invoked in a number of cases, in the EU you may look into the Data Protection Directive (95/46/EC), in the UK, the Data Protection Act of '98 is your friend.

    As a caveat, I have to say that US federal law on the matter is considerably weaker than EU or British law, even though some states have quite strong auxilliary provisions, but in general, while I am not aware of a court case actually testing this, I wouldn't bet my hat on coming out on top if I had to argue that user "private messages" are generally understood by the users to be "not private". Calling them conversations likely won't change that, because those, too, are generally assumed and understood to be conversations "among the participants".
    Yeah, it's a nice case to make money off, arguing that thing up to the high courts, but generally, you prefer not to be part of that argument as a party.

    Then again, Vitamin Water got away with the "Our customers are idiots if they assume our stuff is healthy"-defense in the US...

    /edit Thank you kyrgyz for already posting the SCA and auxilliary materials. :)
    kyrgyz likes this.
  10. kyrgyz

    kyrgyz Well-Known Member

    In any case, if XenForo is even slightly or vaguely in the wrong, they should watch out. IB might use it against XenForo to drain them financially by stealthily being behind a possible lawsuit.
  11. James

    James Well-Known Member

    jwiechers, have you seen an official reference to conversations being private anywhere on the XenForo software (excluding threads/posts)?
  12. Marcus

    Marcus Well-Known Member

    The discussion regarding the private messages is very interesting. Someone could open up a thread and the posts from this topic could be moved into it.

    Coming back to topic, I'd love to see that some attachment types would need the admins approvement, while others don't.
  13. kyrgyz

    kyrgyz Well-Known Member

    I think this kind of argument won't fly well in the courtroom.

    From Legalese:
    Take for example contracts:
  14. James

    James Well-Known Member

    Have XenForo implied that conversations are private? As far as the software goes, they're merely conversations used for one-to-one or group conversation purposes that aren't fit for a thread.
  15. Kier

    Kier XenForo Developer Staff Member

    We don't use the term 'private' anywhere.
  16. erich37

    erich37 Well-Known Member

    on the other hand a webmaster is responsible of what happens on his website. so there needs to be a tool to check what is going on.
  17. Slavik

    Slavik XenForo Moderator Staff Member

    Your undertstanding of the law is just plain wrong.

    What xenforo has added in is ENTIRELY legal and not even open to debate unless your forum specifically states otherwise that personal conversations are confidential.
  18. jwiechers

    jwiechers Member

    I hope nothing I wrote came across as confrontational, it wasn't meant like that, it's just that these things are rather annoyingly complex and I've had my fair share of intra- and inter-corporate as well as private battling over the topic and so I'm sensitized with regard to the issue.

    Obviously, I cannot tell what courts would decide, especially since far too many variables come into this, but whether something is explicitly called "private" likely doesn't play such a big role. As kyrgyz pointed out as well, the primary question to resolve in those cases is what the "reasonable", "typical" user will expect from a certain function and how the users rights for privacy relate to the justifiable rights of the service provider to curtail those in order to provide his services. A "Conversation" feature that allows someone to have a "conversation" with a single person or a specified group of people would (I'd think) likely fall under this as well.

    As said, I'm just sensitized, and while I am not aware of court cases involving forum software and private messages/conversations specifically, I'd find it a tough sell to argue they are different, or, more precisely, that the user can reasonably expect them to be open to the administrators of a website if he is able to specifically address them to certain people. That is, unless there is a clear and justifiable reason for doing so that *exceeds* the users generally pretty highly valued right for privacy: e.g. if user X accuses user Y of threatening behavior (and certain conditions are met), a service provider *is* allowed and may even be compelled to provide otherwise private information to relevant authorities. What constitutes such private information, well, that depends on who you ask ... but there have been court cases over forwarded emails and other internet messages which have swung either way depending on jurisdiction and specific content.

    Disclaimer: I'm not a lawyer, but I've served as liaison between management and lawyers in a couple of data privacy matters more than once in differing forms of organizations and/or companies, specifically with regard to data privacy harmonization and internet privacy concerns. I didn't mean to be confrontational in anything, but wanted to voice this because issues surrounding these things (particularly the privacy of any form of electronic messages) flare up *very* regularly. I realize my initial post was written a bit too bluntly. I'm sorry for that.

    /edit A clarification added to the end ("That is...")
    /edit2 Another bit.
    Ingenious likes this.
  19. kyrgyz

    kyrgyz Well-Known Member

    Judge for yourself.

    About importing vB Private Messages:
    Personal = of or relating to the private aspects of a person's life: personal letters a personal question
  20. ibnesayeed

    ibnesayeed Well-Known Member

    This means, all email services are allowed to peep inside your data? :)

Share This Page