Review resources before approving them (XF Community)

Status
Not open for further replies.
Interesting article here, it's the FAQ for WordPress plugin developers and talks about quite a few of the processes for how it all works. It also goes into a little detail about how a developer can set up their data to display all the relevant info in the plugin directory, including cover photos, videos descriptions, standards for change logs etc.

https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/

It seems the initial submission is human reviewed and can take up to 7 days for small plugins, although there is no average. Part of the human review process is to create and correct slugs so it all works well with the plugin management system in the ACP.

It seems like a fair bit of work on the part of WordPress, but boy does it pay off in terms of user experience for site admins discovering, installing and maintaining them on their sites.

That entire plugin handbook is full of good info:

https://developer.wordpress.org/plugins/

IMO a system like this would be a great way forward for XF in the long run.
 
What do you think usernames, age, sex and emails are in GDPR?

But what does it have to do with code review here on XenForo, specifically?

Or is this another tenuous link that because we allow unaudited code in the RM, if someone's site was breached that it would fall back onto us? Now I know the EU has a pretty historic failing of understanding how the internet works, but I doubt they are that far out of touch. Though feel free to point me to the relevant section of the legislation.
 
Excellent topic.

Fundamentally as I think Chris or someone mentioned this whole discussion is moot until XF Staff express an actual interest in creating (and policing) some guidelines, QA mechanisms and associated reputational artifacts (automated or otherwise).

Legally speaking this does not imply liability (at least in NA) with well-crafted EULAs; however, it does offer many other ancillary benefits such as marketing value (customers like the idea of a regulated addon marketplace for peace of mind), risk mitigation (this is not news but some of the biggest hacks were via vulnerabilities in WordPress plugins - this could happen here on a smaller scale), growth (like it or not you need regulation to grow in any marketplace, all major social and CMS platforms now offer some degree of quality validation however basic it may be).

So XF Staff you may be pondering this on the sidelines but the TL;DR is you'll need to do it, like it or not if you want to grow the marketplace.
 
But what does it have to do with code review here on XenForo, specifically?

Or is this another tenuous link that because we allow unaudited code in the RM, if someone's site was breached that it would fall back onto us? Now I know the EU has a pretty historic failing of understanding how the internet works, but I doubt they are that far out of touch. Though feel free to point me to the relevant section of the legislation.

Because in the GDPR we the customer need to have privacy and security first in mind, we can’t adjust XF or add-ons to take that into account unless we're developers. So XF is the only protection we have as customers to be in line with GDPR. People can say, well, forums have nothing to worry about if running a forum; well, maybe, but if something happens and we have a security breach or privacy issue then I don't want to be on the other end of government fines etc. One way or another you will pay the fine.

This has nothing to do with the EU and understanding the Internet; they are aware that most companies can't be trusted with reporting breaches in security and privacy. Now they have a stick behind the door to hit companies with heavy fines. It's the same thing with the cookie law: people think it's only about the cookies, but that's only a small part of that law; the same we see with GDPR, it's a very complicated law. But even if XF would not be liable if something went wrong, you're now saying: we do not care what happens to you, our customers; we will not check anything, while we can (like WordPress and WBB) if we want to.
 
Because in the GDPR we the customer need to have privacy and security first in mind, we can’t adjust XF or add-ons to take that into account unless we're developers. So XF is the only protection we have as customers to be in line with GDPR. People can say, well, forums have nothing to worry about if running a forum; well, maybe, but if something happens and we have a security breach or privacy issue then I don't want to be on the other end of government fines etc. One way or another you will pay the fine.

This has nothing to do with the EU and understanding the Internet; they are aware that most companies can't be trusted with reporting breaches in security and privacy. Now they have a stick behind the door to hit companies with heavy fines. It's the same thing with the cookie law: people think it's only about the cookies, but that's only a small part of that law; the same we see with GDPR, it's a very complicated law. But even if XF would not be liable if something went wrong, you're now saying: we do not care what happens to you, our customers; we will not check anything, while we can (like WordPress and WBB) if we want to.
You are now pushing your own responsibilities onto XenForo.

As I've said earlier, you should work with add-on developers to ensure the code they make is up to your standards. Do all your due diligence via the methods I stated in my long post. The risk of the results is, to some extent, on you. You can't push all your homework onto XenForo and expect them to do it all.

This isn't a huge market with lots of money to be doing thorough reviewing of the thousands of add-ons on the RM. It's not economic for XF and it's too much trouble for add-on devs.

The GDPR increases liability on forum owners, it has nothing to do with XenForo or the responsibility you think it legally has over the content in the RM. You are choosing to host that content on your website, if that means your website mishandles personal data that liability falls on you, as a data controller, for using software that allowed that to happen. I'm sure the software takes some liabilities as well, but really, I'd imagine most the risk is on you. You're trying to push it away onto XenForo and add-on developers when that's just not the case with the GDPR - it has no effect here and really we're just going off topic with the issue.

And talking about the issue, I really don't see the problem in this thread anymore. XenForo's current limited moderation of the RM seems enough to me. I don't see major issues with resources posted in that section, and hence don't understand people's complaints here.
 
That is because it's specifically written in the law. XenForo has not stated this in its terms or guidelines. Hence, there may be implied responsibility.
With the GDPR coming up with fines of millions, it's advisable to resolve this.
Most add-on developers have clauses limiting liability. IANAL, so I don't know the scope of those clauses legally, but XenForo has similar clauses too as well as most software developers in general. I don't think there is any liability on XenForo or the add-on developer if there's mishandling of personal data. The GDPR enforces unlimited liability on the data controller, which is you as a forum owner. It doesn't try to extend the scope of that to software developers, to the best of my knowledge.

But this still isn't a discussion on the GDPR and we're all throwing around nonsense here. AFAIK, nobody here is a lawyer so if you have concerns with the GDPR you should perhaps see one. It really doesn't relate to the issue of add-on reviewing on XenForo.

And honestly, the GDPR is quite the stretch in this circumstance. I'm not aware of a single case of mishandling of personal data caused by an incompetent developer and a buggy add-on. There are add-ons with flaws, but none, to my knowledge, would result in GDPR violations. Perhaps AndyB's misuse of prepared statements (documentation for developers would resolve issues like that in the future), but I don't think that was even exploited. So really, you're all over-reaching here. I think server security is a much bigger concern for potential GDPR violations and data leaks - how many of you are contacting your web hosts and bugging them to reinforce their security, or hiring professional sysadmins to do audits on your servers?
 
The GDPR explicitly forces privacy and security by design of software. I am not sure how that affects things. If at all. One thing is sure: the need for site security will become even more urgent with the GDPR multimillion fines looming over webmasters. I think this will force a change in xenforo customer attitude next year or after the first forum admin gets hit by such a fine. Especially when a non-EU forum gets fined and people realize it can affect anyone.
 
how many of you are contacting your web hosts and bugging them to reinforce their security, or hiring professional sysadmins to do audits on your servers?
I suspect that GDPR compliance will become an issue and even a selling point for hosts.
 
The GDPR explicitly forces privacy and security by design of software. I am not sure how that affects things. If at all. One thing is sure: the need for site security will become even more urgent with the GDPR multimillion fines looming over webmasters. I think this will force a change in xenforo customer attitude next year or after the first forum admin gets hit by such a fine. Especially when a non-EU forum gets fined and people realize it can affect anyone.
They're not going to fine 10% of international GDP (as someone said earlier) or even $10k to a forum owner making $40k/yr and had a leak of usernames, emails, ages and genders. That kinda stuff is leaked all the time by forums. The bigger fines are going to be towards Google, Apple, government agencies, companies like Equifax, etc. Governments are the worst for data security - they have a lot more to worry about with the GDPR than a forum owner. EU has a decent enforceability record, but almost all forums are still wayyyy too small scale to chase after for data that's barely personal. Just look at VAT MOSS, it's enforced fairly well, even against non-EU companies (ESEA was fined for an undisclosed sum last year and forced to pay VAT on behalf of all customers as well, and they're not *that* large), yet most people ignore VAT MOSS regulation. Very few businesses on this forum adhere to VAT MOSS, even large companies like Zendesk are completely ignoring it and getting away with it.

GDPR is going to require changes and as data controllers people should absolutely adhere to it, but to think any forum owner is going to be slapped with fines is still over-reaching. Also a bit strange if you only suddenly care about the security of your data after possible EU fines. The GDPR really isn't relevant to this discussion.
 
They're not going to fine 10% of international GDP

Random sidebar, but $10M or $20M or whatever the max fine is isn't anywhere close to 10% of international GDP so idk where that goofy math came from. Total international GDP is between $75 and $150 trillion depending on where you look, but international GDP is definitely above 1-2 billion (especially considering there are individual people with a net worth of more than 1-2 billion)
 
To clarify that: You are misreading it. There is no math involved. The fine is whatever is higher.
Anyhow, let's focus on code review.
 
You are now pushing your own responsibilities onto XenForo.

No, I am not; I am responsible for my own site, but it comes down to: can I MAKE someone else financially responsible if something would happen to me.

As I've said earlier, you should work with add-on developers to ensure the code they make is up to your standards. Do all your due diligence via the methods I stated in my long post. The risk of the results is, to some extent, on you. You can't push all your homework onto XenForo and expect them to do it all.

And how would I do that? If I need an add-on, I first see if it's made already. Due diligence for me is to read the reviews of that add-on, and then you get into the next snag that developers here start complaining if they get a bad review, which I have been told happened a few times.

This isn't a huge market with lots of money to be doing thorough reviewing of the thousands of add-ons on the RM. It's not economic for XF and it's too much trouble for add-on devs.

But yet WordPress and WBB can do a first scan of add-ons; they are an open-source company and a very small company. The trouble for add-on developers would only be to deliver better or standard quality of code. Can it be that you as a developer have issues with getting that quality or maintaining it?

The GDPR increases liability on forum owners, it has nothing to do with XenForo or the responsibility you think it legally has over the content in the RM. You are choosing to host that content on your website, if that means your website mishandles personal data that liability falls on you, as a data controller, for using software that allowed that to happen. I'm sure the software takes some liabilities as well, but really, I'd imagine most the risk is on you. You're trying to push it away onto XenForo and add-on developers when that's just not the case with the GDPR - it has no effect here and really we're just going off topic with the issue.

And talking about the issue, I really don't see the problem in this thread anymore. XenForo's current limited moderation of the RM seems enough to me. I don't see major issues with resources posted in that section, and hence don't understand people's complaints here.

Yes, liability is for the owner of the site, but XF can help the site owner to lessen the impact of security and privacy issues. It's to protect your own customers from exploits and fines. What do you think is going to happen with a company that has been told that security and privacy need to come first, whether it is companies that make ERP, CMS or forums for that matter? The company that gets fined is going to blame those companies that delivered the software or allowed 3rd-party developers to give away or sell their software. Whether the software company is liable or not does not matter; think of the bad PR it gets or other owners of the software that demand action to be taken, that's going to cost more. You're not going to be fined like the owner of the site, but you're going to pay with bad PR and people demanding that you take action, and that will cost more than doing it slowly.

The current moderation of the RM is after something goes wrong, so it's always a little too late. You don't see major issues? Do you have AndyB on ignore? He needed to tell people that add-ons were not safe before a specific date, not one add-on or two but like almost 20. I heard enough stories that XF stepped in and revoked add-ons because there were issues, but the developer did not care. Thumbs up for XF for that, but it's still after the effect.
 
But yet WordPress and WBB can do a first scan of add-ons; they are an open-source company and a very small company.

WordPress’ primary contributor Automattic has over 600 employees, has raised over $300M and is valued at over $1B.

So even though the software is open source there's a lot of funding behind it. A huge part of the reason WordPress is so popular, so widely used and has grown so large though, is because of their rich, well designed and maintained plugin and developer ecosystem.
 
I guess XF is a UK company, and I can't speak to laws there, but in the US simply hanging a sign does not remove all responsibility. XF's best defense is they take action when problem mods are discovered.
 
I guess XF is a UK company, and I can't speak to laws there, but in the US simply hanging a sign does not remove all responsibility. XF's best defense is they take action when problem mods are discovered.

Works the same way here. B2B it's no problem to lessen responsibility, you can do a lot, but for B2C it's another issue. Consumers have very good protection in the EU.
 
Just so we are clear how WordPress manages the reviews, the fact of the matter is they don't, not directly at least. There is a core team of volunteers that handles it. WordPress simply provides the means and the space where it is managed from, but it is a team of unpaid supporters that does all the work.
 
Just so we are clear how WordPress manages the reviews, the fact of the matter is they don't, not directly at least. There is a core team of volunteers that handles it. WordPress simply provides the means and the space where it is managed from, but it is a team of unpaid supporters that does all the work.
WordPress is a much, much bigger community than XenForo. We have < 20 active XenForo add-on developers that publish somewhat regularly here, and 20 is perhaps still being kind, it's probably around 15.

Sites quote things like:
oDesk, one of the most popular outsourcing sites in the world, lists WordPress development as the fifth most-requested skill. Freelancer.com, a similar website, has thus far recorded over $3.5M in revenue for WordPress developers.

It's a market with competition, lots of demand, plenty of developers and hence manpower and requirement for staffing and review.

Let's not compare against something on a very different scale. Strict regulation being applied is *not* going to attract more developers into this community and that should be what customers want above anything else. I'd start with clear documentation and a clear list of guidelines that resources should meet (again, lightly enforced as it is now) and see where that gets us. That should be the first priority for XenForo before certifications or any of the other suggestions in this thread.

Again, there isn't really a big issue with the RM.
 