Fixed Moderators can access user email addresses via spam cleaner (GDPR legal issue)

[Sim]

Affected version

v1.x and v2.x

I know this is as original designed - moderators have always been able to access user email addresses via the spam cleaner, but in a post-GDPR world, I'm not sure this is the best policy anymore.

While this is kind of a suggestion, I do feel that this is serious enough to warrant a "bug report" since it has privacy and legal implications and should really have been changed in the GDPR related releases we've had recently.

I wasn't actually aware that moderators could see user email addresses - indeed I was only alerted to it when one of my mods mentioned that he had Googled the email address of a new member and was concerned about what he found.

After an extensive search of my settings to work out what I had missed - I found a post here on xenforo.com which mentioned that mods can see the email via the spam cleaner.

The fact that he knew to use the spam cleaner to find the email address shows that it is a practice that has been going on for some time - there was no spam posted by this user, so no reason for the mod to be using the spam cleaner function for anything other than finding out information about the user.

Given that my moderators are not employees of my company and yet I am potentially liable for any actions they may take by using those email addresses, this is a serious issue with potential legal implications.

I need my moderators to be able to spam ban people, so disabling access to the spam cleaner is not an option. The moderators do NOT need to be able to see the user's email address to complete the task of spam banning someone.

We go to the trouble of hiding the email address from the moderators in all other parts of the UI, why should they necessarily have access to it in the spam cleaner?

I will be making template edits to hide email addresses from moderators in the UI to fix this for now - but I strongly believe that this should be a configurable option in the moderator permissions UI, something like:



This applies to both v1.x and 2.x

 

[S Thomas]

It's not limited to that - admins with template permissions can pull all kind of data aswell.

 

[Sim]

It's not limited to that - admins with template permissions can pull all kind of data aswell.

I'm not sure there's any way to really prevent that? If you give them access to modify templates, they can pull pretty much any data they want out of the database - that's just the way it is. Template access is basically a developer function, and developers will have access to a lot of data because they are developers.

If that's a problem, only give your developers/designers access to a dev/test site and never to production data.

 

[Alpha1]

Why would it be a GDPR issue? Its not. It concerns spammer data which is required to protect your site from abuse. That data is not protected in any way. Even if it would, then your right to protect your site from abuse would overrule the GDPR.

 

[S Thomas]

If that's a problem, only give your developers/designers access to a dev/test site and never to production data.

I don't see a reason why someone who just changes styles for e.g. events (= premade styles, you just need to activate or override default) or colors ("only css" changes) should have write access to templates. Read should be more than enough for those jobs to be effective. These people are not devs / designers. They are more like super moderators. Actually, I would entrust mods with these jobs if it was possible.
Ultimately, just splitting style and template would be enough already. It's a combined permission right now.

 

[Sim]

Why would it be a GDPR issue? Its not. It concerns spammer data which is required to protect your site from abuse. That data is not protected in any way. Even if it would, then your right to protect your site from abuse would overrule the GDPR.

Whether it is a GDPR issue or not - it is still a privacy issue. Moderators are being given access to data they don't really need access to and that I didn't want them to have access to and didn't believe they had access to until just recently.

It's not just spammer data - any recently registered user's private details (email address) can be accessed, regardless of whether they are indeed a spammer. That data can then be misused by moderators without your knowledge - leaving you open to potential legal issues under various privacy laws.

Either way, this is exactly the kind of thing that GDPR is trying to get people to take note of - controlling how private data is used and by whom.

Use of the spam cleaner does not require the moderators to have access to the email address for it to function correctly - so it should simply be up to the forum operator to decide exactly who should be able to see that information.

 

[Alpha1]

I see your point. Its indeed not needed to have the email address visible to the moderator using the spam cleaner. In fact: we never even look at it.

 

[Robust]

That's an awfully specific permission you suggest implementing. Whether this is worth it or not, well, I'm not sure.

I wasn't actually aware that moderators could see user email addresses - indeed I was only alerted to it when one of my mods mentioned that he had Googled the email address of a new member and was concerned about what he found.

This sounds like a good usage of moderators seeing emails.

This is definitely a case of using personal data in normal business operations. This probably wouldn't be a GDPR violation, if it were properly disclosed in a general term, these are legitimate business interests with data visible to (presumably) vetted moderators. Don't make a user a moderator if you think they'd abuse the access they have.

 

[Sim]

That's an awfully specific permission you suggest implementing. Whether this is worth it or not, well, I'm not sure.

This sounds like a good usage of moderators seeing emails.

This is definitely a case of using personal data in normal business operations. This probably wouldn't be a GDPR violation, if it were properly disclosed in a general term, these are legitimate business interests with data visible to (presumably) vetted moderators. Don't make a user a moderator if you think they'd abuse the access they have.

This is why I suggested a setting rather than simply hard-coding it to hide the value from moderators. Some people won't mind moderators accessing email addresses. Others don't want them to. I am firmly in the latter camp. Adding this permission solves the issue for everyone - you are either happy for them to see it of you aren't, and the system will be able to cater to both.

You'll notice that there is nowhere else in the UI where moderators can access the email address of users - so presumably, the devs thought it was something they didn't need to see in the ordinary course of their duties. That's why I highlighted it as a bug rather than a suggestion - the incongruous nature of the visibility in the spam cleaner compared to other parts of the UI makes it seem like an oversight rather than a feature. (Yes, I get why the email address is shown there - but the world has changed since that was developed, and it is not actually required!).

Indeed, in a pre-GDPR world, we didn't tend to think much about these things - the likelihood of misuse is generally low. But it is not zero, and combined with the fact that moderators can be as anonymous as the users themselves, you could conceivably end up in legal trouble through their actions which is an entirely preventable outcome.

Similarly, the fix is rather trivial - I've already fixed it on my sites by implementing the following template modification. It's a rather crude fix in that it's tied to an entire usergroup (email in spam cleaner is only shown to Administrators), while my proposed solution for the core will allow us to set this on a user-by-user basis using moderator permissions which gives much more flexibility.

XF1.5 - Find in template spam_cleaner:

<dt>{xen:phrase email}:</dt>
                    <dd>{$user.email}</dd>

Replace (my Administrator group has a usergroup id of 3):

<xen:if is="{xen:helper ismemberof, $visitor, 3}">
                    <dt>{xen:phrase email}:</dt>
                        <dd>{$user.email}</dd>
                </xen:if>

 

[Chris D]

Although I fundamentally disagree that this is a GDPR concern, we've gone ahead and removed the email address in both XF1 and XF2 anyway. This place is the only place that a user's email address is "leaked" to a moderator, so at best it seems inconsistent.

 

[Mr Lucky]

Although I fundamentally disagree that this is a GDPR concern, we've gone ahead and removed the email address in both XF1 and XF2 anyway. This place is the only place that a user's email address is "leaked" to a moderator, so at best it seems inconsistent.

Thanks Chris, I think that is a good move. A related issue for me is administrators with permissions to administrate users have the ability to generate a complete list of email addresses, which I think is something that is not usually needed and quite risky.

Granted all admin should be trustworthy, but imagine a disgruntled admin who could leave with the entire list of emails. It would make sense to me that they can do expected user admin stuff without this ability to create and download such a list of sensitive personal addresses that has value on the dodgy spammer market.

Emailing the entire membership and /or generating the email list is something IMO only Superadmins should be able to view.

 

[Sim]

Although I fundamentally disagree that this is a GDPR concern

Yeah, fair enough - I acknowledge it is a fairly low risk of being subject to wide-scale abuse, given that typical spam cleaner settings limit the potential exposure (eg spam cleaner is generally only usable on newly registered users). It's not as if a mod could easily generate a list of forum all email addresses by trivial means through exploiting this UI inconsistency.

Thanks for following up.

 

[Paul B]

This change is hugely irritating.

Having to access the ACP to check an email address which was previously available via the front end is just annoying additional work.

Perhaps it would have been useful to retain the email address for administrators with permission to manage users.

 

[Sim]

This change is hugely irritating.

Having to access the ACP to check an email address which was previously available via the front end is just annoying additional work.

Perhaps it would have been useful to retain the email address for administrators with permission to manage users.

Having to use the spam cleaner to access that information is rather incongruous with the intention though.

I think having some admin-only information displayed directly on the user's profile in the front end (eg email address, user status, etc) would be useful and would solve your issue.

 

[S Thomas]

Having to use the spam cleaner to access that information is rather incongruous with the intention though.

Not really, it is actually a valid case. If the email is in no spam list, a moderator would need to manually check the email, which is not possible anymore.

 

[Chris D]

This change is hugely irritating.

Having to access the ACP to check an email address which was previously available via the front end is just annoying additional work.

Perhaps it would have been useful to retain the email address for administrators with permission to manage users.

The email address will now still be visible if the visitor is an admin with the "user" permission (in both XF1 and XF2).