GDPR discussion thread

It is useful, thanks. It tells me that, as a data controller, I could (the usage of may and could throughout those quotes is interesting) keep a history of what changes I make to a policy so that if a subject requests what they specifically consented to, I can inform them of that.

My personal approach to this would be to keep a document or a thread where I document the full text of a policy by date. So if I have an initial release of my policy on 22nd May 2018, and I revise it in February 2019 and again in January 2020, then a subject who last agreed to the policy in March 2019 can be shown the text from the February 2019 version.

Not every single part of complying with these regulations requires a complex software solution.
 
It is useful, thanks. It tells me that, as a data controller, I could (the usage of may and could throughout those quotes is interesting) keep a history of what changes I make to a policy so that if a subject requests what they specifically consented to, I can inform them of that.

My personal approach to this would be to keep a document or a thread where I document the full text of a policy by date. So if I have an initial release of my policy on 22nd May 2018, and I revise it in February 2019 and again in January 2020, then a subject who last agreed to the policy in March 2019 can be shown the text from the February 2019 version.

Not every single part of complying with these regulations requires a complex software solution.

Surely a versioning/history is a much much better solution?

User X agreed to v4.1 on 1st March 2018
v4.1 consists of:
 
Just check your privacy policy wording into source control (eg Git) and make a new commit every time you change it. Makes it very easy for you to see what has changed and when (and prove it!). I've been doing this for many years already.
 
Just check your privacy policy wording into source control (eg Git) and make a new commit every time you change it. Makes it very easy for you to see what has changed and when (and prove it!). I've been doing this for many years already.

But you can't prove when someone agreed to it so don't know what they agreed to...
 
I never said you wouldn't be able to prove when someone agreed to it.

I just said we weren't going to provide a very complex software solution (for which there are many reasonable alternatives) to record what they agreed to.
 
Fair enough, I just don't get why you'd only half do it. If you're tracking when, it just makes sense to also track what.

XF has enough version/edit history stuff that I'm assuming keeping versions of policies should be trivial. If it's not then I retract this :-)
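The "track when and also track what" idea from the posts above, as an added example that is not part of the original thread and is not XenForo code: a dated policy history where each consent record stores a hash of the text in force on the day of agreement. The class, field names and policy texts are hypothetical, and the day-of-month values are constructed because the thread only gives months.

```python
import bisect
import hashlib
from datetime import date

class PolicyHistory:
    """Append-only history of policy texts, ordered by effective date."""

    def __init__(self):
        self._dates = []   # effective dates, ascending
        self._texts = []   # full policy text for each version

    def publish(self, effective, text):
        if self._dates and effective <= self._dates[-1]:
            raise ValueError("versions must be published in date order")
        self._dates.append(effective)
        self._texts.append(text)

    @staticmethod
    def digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def version_at(self, when):
        """Return (effective_date, text) in force on `when`, or None."""
        i = bisect.bisect_right(self._dates, when) - 1
        return None if i < 0 else (self._dates[i], self._texts[i])

    def record_consent(self, user, when):
        """Build the consent record: who, when, and a hash of what."""
        found = self.version_at(when)
        if found is None:
            raise LookupError("no policy was in force on that date")
        effective, text = found
        return {"user": user, "agreed_on": when,
                "policy_date": effective, "policy_sha256": self.digest(text)}

    def text_for(self, record):
        """Return the text a record refers to, checking it is unchanged."""
        found = self.version_at(record["agreed_on"])
        if found is None or self.digest(found[1]) != record["policy_sha256"]:
            raise ValueError("stored policy text does not match consent record")
        return found[1]

def demo():
    # Dates follow the thread's example; texts and exact days are constructed.
    h = PolicyHistory()
    h.publish(date(2018, 5, 22), "Policy text, initial release (constructed)")
    h.publish(date(2019, 2, 1), "Policy text, first revision (constructed)")
    h.publish(date(2020, 1, 1), "Policy text, second revision (constructed)")
    rec = h.record_consent("user_x", date(2019, 3, 15))
    return rec["policy_date"], h.text_for(rec)
```

If a stored policy text is later edited in place, `text_for` raises instead of returning wording the subject never saw.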
 
We never like to delete accounts since this also deletes posting history, IP addresses used, reports, etc. We use a lot of this information to detect possible bad members who may sign up in the future, among other reasons.

What would be wrong with changing the username of the account, setting their profile privacy options to "Nobody," and emptying all of the user's profile fields?
I think the problem people brought up in the discussion thread is that some members may have shared information that, while not directly identifiable, may be used by a digital detective to connect someone's forum username (anonymised or not) to their real name.

For instance, on a forum that I manage, before we upgraded from vB4 to XF2 (which was the best decision we ever made, btw 😄 getting rave reviews from all the active members), we had username change history public.
I received a request from a member to erase a certain username from the change log history because that username is now a username this person goes by on sites of a more personal nature. It was 45 seconds of work in the database, no big deal.

Could you argue "well just don't use that username anywhere else then, problem solved" - sure. Doesn't change the fact that the other site may not be so favourable to the idea of erasing that username from their records, whereas I was happy to help.

In short: Simply anonymising the profile itself may not be enough for everyone.

Are you within your rights to refuse a right to anonymising their posts? I believe so.
Does that mean the option shouldn't exist? Absolutely not.


Fillip
 
This is great news :)

What does XenForo recommend in regards to
  • Logging of IP addresses
    As far as I know it is currently not possible out of the box to turn off or at least limit the time for which IP addresses are being logged
  • Anti-Spam Services
    Personal identifiable data (at least IP, in some cases also E-Mail) does get transmitted to 3rd party services Google reCAPTCHA, textCAPTCHA, keyCAPTCHA, Solve Media, StopForumSpam, Project Honeypot and Akismet without being disclosed to the user and without getting prior consent
    Furthermore the IP address might get transmitted to whatismyipaddress.com even if none of those features is enabled
  • Gravatar Support
    Enabling this feature causes personal identifiable information (email hash) being publicly displayed
  • Image Hotlinking, eg. [IMG] without using image proxy
    In this case personal identifiable information (IP address, etc.) does get transmitted to 3rd parties without explicit consent provided by the viewer
  • External Resources
    Pretty much the same as [IMG] if resources like jQuery and FontAwesome do get loaded from external sources
  • Embedded Content (YouTube Videos, Twitter, etc.)
    Pretty much the same as [IMG] plus the added possibility for the media sites to run their own JavaScript tracking magic
  • Processing data of non-adults
    Article 8 GDPR seems to require prior consent from parents before processing data (IP & E-Mail-Address) from children < 16
?

Apparently WoltLab does recommend
  • To turn off for external images
  • To turn off Gravatar support
  • To turn off logging of IP addresses
  • To put information about every used media site and external resource (script, font, etc.) into the privacy policy

https://www.woltlab.com/article/105-umsetzung-der-dsgvo/

What would be wrong with changing the username of the account, setting their profile privacy options to "Nobody," and emptying all of the user's profile fields?
I am not a lawyer, but if you also make sure that no personal identifiable information (eg. IPs, email, location, etc) of the user is left in the database (userchangelog!) and serverlogs afterwards it should be fine.
If that would not be the case it would most likely not be sufficient.
 
The ironic thing is that the sheer majority probably won’t care in the slightest and more likely view things like being forced to accept policies as being an unnecessary hindrance.
Agreed. We all know how it is really.
You'd swear the world was caving in. :rolleyes:
Oh well, onwards and upwards and all that.
 
I think the problem people brought up in the discussion thread is that some members may have shared information that, while not directly identifiable, may be used by a digital detective to connect someone's forum username (anonymised or not) to their real name.

This is a reasonable point to raise on the face of it, however, a name alone is not enough to identify an individual - you would need additional information. For example, if you find out the user's real name is John Smith, how many John Smiths are out there? If you had that person's address, or something else more personally identifiable, then you could possibly find out who that person is. But by name alone, and generally in a forum it is an assumed name that may be unique to a particular site, cannot personally identify an individual.

On here I use a different name to that on other sites - someone may be able to connect the two and say you are on one two sites, three sites or more with different names, but I know you are the same person; nice detective work, but do you really know who I am? Where I live? Where I work? If I'm married or single? If I am ... just keep adding to the list.

Without other information it would not be easy to find out who I really am. So a name alone is not enough, especially an assumed name.

So to those concerned about usernames, forget it. Anonymise the user by all means, but even if they are quoted in a post, who can say who they really are. I think the XF team have come up with a reasonable assessment of what is needed and addressed concerns as far as can be expected.

;)
 
This is great news :)


  • Anti-Spam Services
    Personal identifiable data (at least IP, in some cases also E-Mail) does get transmitted to 3rd party services Google reCaptcha, StopForumSpam, Project Honeypot and Akismet without being disclosed to the user and without getting prior consent
    Furthermore the IP address might get transmitted to whatismyipaddress.com even if none of those features is enabled

Maybe the EU will get agitated on behalf of poor spammers meanly trapped in honeypots without their consent...


 
This is a reasonable point to raise on the face of it, however, a name alone is not enough to identify an individual - you would need additional information.
First of all, I believe you may have misunderstood the point I was trying to make. If you notice, I believe I explicitly stated there isn't a legal requirement to remove all post contents.

Secondly, I'm not sure you're aware of the fact that it is possible to identify someone based on their style of writing. This is the first article I found based on a quick search: https://www.schneier.com/blog/archives/2011/08/identifying_peo_2.html

Please do note that I am not talking about legal identifiers here, I am not talking about whether using this sort of semantic analysis would hold up in court. I am purely talking from the standpoint of "a determined individual such as a stalker may be able to find you across multiple usernames using this sort of tool", if that makes sense.

In other words, if I registered to a site and used a different user name, someone could in theory determine with statistically significant confidence levels that the account probably belongs to me. Unless, of course, I took steps to write in a different way to throw off the scent.

I bring this up because awareness of this type of analysis may be a reason why someone would request you delete all their posts from your site.


Fillip
 
We have no control over your Google Analytics data so, unfortunately, it’s very much a case of something you have to remove manually if that’s required for compliance.
Unfortunately, I think that it might not be "that easy":
XenForo out of the box does offer a feature for the admin to just put a Google Analytics property ID into the settings to make XenForo embed analytics JavaScript into the page.

Using this implementation, Google automatically generates a client ID which isn't linked to the user account on the forum.
Now, if a user is using multiple devices, he might (will?) get several Google Analytics client IDs assigned.

If the user requests to be deleted, the admin has no knowledge of those client IDs and hence is not even able to remove logged data from Google Analytics, even if Google does provide a feature to remove data by providing the Google Analytics client ID.
The only way would be to ask the user to provide the current Google Analytics Client IDs from all devices he ever used to access the forum.
And even if he manages to do so (which I doubt any normal user would be able to do), this still might not cover all IDs - if at any time in the past he has deleted cookies he might have gotten a new ID.

So if it is a requirement by GDPR (which I don't know if it is the case) to delete all data from Google Analytics I think that some software adjustments would be necessary, eg. to either keep track of Google Analytics Client IDs in XenForo or, which might probably be easier, to generate a unique but random Analytics User ID for each XenForo user and pass that as user id to Google Analytics.
If the latter is done, the admin could just delete data from Google Analytics by using that ID - maybe Google even offers an API for that in the future so it could be fully automated.
 
I’ll get around to answering the other points but on the subject of GA, the problem is that currently the data collected is anonymous, by default, so as soon as you start adding identifiers to this, it ceases to be so.

However, the GDPR considers IP addresses to be personal information (huge mistake IMO on multiple counts) so that will indeed be problematic. If the IP addresses were not collected, or could be anonymised, then the issue goes away.

But then it falls down to responsibility. Whose responsibility is it to anonymise that information? Ideally it would be down to Google to provide that functionality, and I think they do so we may be able to provide an option for that.

If you as an admin decide to de-anonymise the data by tracking users specifically (with user IDs etc.) then really it’s your own responsibility, to be honest.
 
First of all, I believe you may have misunderstood the point I was trying to make. If you notice, I believe I explicitly stated there isn't a legal requirement to remove all post contents.

No I didn't misunderstand - I was agreeing that some people are concerned about being able to identify someone from a username. I quoted your comment because some people do believe that you can determine who someone is from a username in the context of the GDPR, but the GDPR states that a name alone cannot be used to identify a person, there needs to be some additional information to tag onto the name. From the ICO:

An individual is 'identified' if you have distinguished that individual from other members of a group. In most cases an individual’s name together with some other information will be sufficient to identify them. A name is the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context. By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual. (Obviously, if two John Smith's, father and son, work at the same place then the name, John Smith, and company name alone will not uniquely identify one individual, more information will be required).

This is something a lot of people have raised when someone asks to be deleted as a member and whether their posts should be deleted as well because it could be considered personal data, which it isn't lol.

In other words, if I registered to a site and used a different user name, someone could in theory determine with statistically significant confidence levels that the account probably belongs to me. Unless, of course, I took steps to write in a different way to throw off the scent.

Of course this is plausible - we all have unique writing styles and little quirks that are unique to us, but all it would lead to is that Mr One is the same person as Mr Two on another site, but it would not tell them who you really are or where you lived and so on.

;)
 
However, the GDPR considers IP addresses to be personal information

Does it? There was an EU ruling last year that IP addresses are PII if there is a way for the person storing them to have legitimate access to a system that can link it to an individual (i.e. they work at an ISP).

Has GDPR superseded that?
 