New GDPR (General Data Protection Regulation) and phpBB

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Anti-Spam Guide
andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

maxrpg wrote: Sun Apr 22, 2018 2:21 pm That leaves us with email and IP addresses and as already discussed these can easily be erased, scrambled and anonymised to prevent them being traced back to a specific person.
I'm still trying to get my head around all this, but I think there are other issues relating to data storage which I'm still not clear about. For example, I thought that ALL personally identifiable data held in databases/etc is meant to be stored in encrypted formats only (so that if a site or server ever got hacked or stolen, nothing sensitive can get compromised anyway - in effect, security by ground-up design). This includes backups too. As far as I know, that sort of encryption only applies to the password field (hashed) in phpBB's SQL database at present.

This is a very laudable goal of course, and if everything had been done that way from the start then all these massive hacks, with huge loss of people's private data, that we hear about almost every week would have been far less serious. But trying to retro-fit that policy onto existing systems (often end-of-life legacy stuff, that otherwise works perfectly well and no-one was planning to touch again) will be next to impossible.

Andre
--- Admin of www.portorleans.org
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

The password field in phpbb is not encrypted. It is hashed.

Technically by the law, yes. It does all have to be encrypted. But again, not everyone wants to do that. Personally, I think that the encryption requirements will be one of the first to be shot down in court.

For those interested, my site is doing a temporary geoblock, a privacy policy change, and letting go our mods that are in the EU. I'll post the notification as well as privacy policy we're going to be using as a template.
User avatar
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

I don't know where you get an idea about e-mail address should be encrypted. Data that is sent with mails should be secured, not the address itself. Encrypted e-mail addresses doesn't do nothing, bots will still get you. Anyone who knows little coding can create e-mail address auto-generator for any domain and any name there is or isn't.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

GanstaZ wrote: Sun Apr 22, 2018 3:28 pm I don't know where you get an idea about e-mail address should be encrypted.
I think the logic is that anything that can be traced directly back to an individually identifiable human being who is an EU citizen - which according to the GDPR includes IP addresses and email address - should be encrypted anywhere that it is stored, and have a ton of documented privacy safeguards over who can access it. That way, if that storage location ever got hacked, no personal data can be stolen - by fundamental design rather than add-on layers of access-restriction security. But given that email addresses (and server logs of emails) are often still sent and stored as plain text across the whole internet anyway, I think that ship has already sailed.

Andre
--- Admin of www.portorleans.org
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

GanstaZ wrote: Sun Apr 22, 2018 3:28 pm I don't know where you get an idea about e-mail address should be encrypted.
Don't ask me, ask the EU.

(Actually, unless I'm thinking about the EU ePrivacy regulation that's coming out soon after? This is a fun one as well, btw...)

E: Andre, yeah, that's the "logic." But it's the same as saying your storage garage full of tools must be protected by bank vault level doors, have iris recognition, a pack of guard dogs, and a sniper guard on duty at all times.
User avatar
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

I'm from EU & i see this identification bs daily) Only minimum amount of people should have access to data (if it's not a firm, then only owner should have that access) & only need to use it when it is required. Database, server access and local storage (copy, backup) should be secured as highly as possible & that is all.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

GanstaZ wrote: Sun Apr 22, 2018 3:47 pm Only minimum amount of people should have access to data (if it's not a firm, then only owner should have that access) & only need to use it when it is required.
Disagree with only the owner having access to it. In the case of our forum, all top-level administrators currently have read access to it. Only a couple people have write access (myself and one other lead administrator). We do this for several reasons. While, yeah, you could argue in our case that we have legitamite interest, in the case of a hobby site/forum/database not dealing with actually sensitive info... it should be up to the owner to delegate who gets access. The whole logic of regulating access based on "need" is stupid too... if they own it/pay for it, they should be able to access it whether they need to or just want to. The government needs to not intervene in these sorts of things. We're not storing CC numbers, not storing SSNs, etc.
Database, server access and local storage (copy, backup) should be secured as highly as possible & that is all.
We store our database backups on Google drive as is. Not something that's going to be changing any time soon. It's easy, convenient for the lead administration team, and free. As far as database server access security - we were planning on upgrading this anyways before GDPR was even a thought (or, well, before we even heard of it), but again. I don't need government telling me what security controls I must have in place at a minimum for a forum.

Here's my issue with all of this. When a house is broken into, we don't go after the homeowner. When a car is broken into, we don't go after the registrant. We go after the person that committed the crime. The criminal. Maybe if the government spent less time legislating against the site owners, and more time figuring out ways to pursue and catch cyber-criminals as opposed to letting them hide and conceal their identities better... maybe then we'd have less of these hacks and data breaches taking place.

Anyways, /rant on that portion of it.

--
tojag wrote: Sat Apr 21, 2018 10:20 pm Please try answer to my question - can I keep post on my forum when user delete account or not? But the first read my previous post carefully.
Yes, you can.

The GDPR contains six grounds for the basis of refusing the right to erasure, one of which is archiving. You could argue in your policy if you wish to comply with this whole thing, that posts that have been responded to/are past a certain point are retained for archival purposes, and that only you/the forum staff reserves the right to modify posts past that certain point. You could also consider conceivable legitamite interest in doing so. Example:
Poster A:
"I have a tube guitar amp without any speaker cabinet. Can I just turn my amp on?"

Poster B:
"Yes, you will be fine. Though don't know what you plan to achieve without any sound! :P"

Poster C:
"NO. DO NOT DO THIS. You will blow your amplifier. You need some form of load on the speaker outputs."

Poster D:
"^ this. Anyone who tells you otherwise is an idiot."
Then, a couple of years later or whatever...

Code: Select all

Poster C: "Delete my data."
The above scenario then becomes:
Poster A:
"I have a tube guitar amp without any speaker cabinet. Can I just turn my amp on?"

Poster B:
"Yes, you will be fine. Though don't know what you plan to achieve without any sound! :P"

Poster D:
"^ this. Anyone who tells you otherwise is an idiot."
And thus, anyone that does a Google search now for this and trusts it is probably now out a considerable amount of money. Those tube amps aren't always cheap, ya know. ;)

As far as checking posts manually, you could argue with the EU that it's too much of a burden. IIRC, that's something that can be considered when dealing with non-compliance cases, according to the ICO.
andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

LaxSlash1993 wrote: Sun Apr 22, 2018 4:14 pm I don't need government telling me what security controls I must have in place...
Spoken with the spirit of a true American. :) The EU on the other hand seems to think it should meddle and supervise every tiny little aspect of its citizens existence (even though perhaps with the best of intentions). That is one of the main reasons that I (a Brit) voted to leave the whole bureaucratic EU behemoth - I liked the original idea of a community of nations trading freely with each other, which we voted to join 40 years ago, but not the over-arching superstate that the EU has since become.

Andre
Last edited by andrewilley on Sun Apr 22, 2018 4:45 pm, edited 1 time in total.
--- Admin of www.portorleans.org
andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

Well I've now put together a slightly modified Terms of Use for my forums, along with a new site-wide Privacy and Cookies Policy, which I hope will suffice for now. I've deliberately kept them human-friendly (often casual in fact) as that is one of the requirements of the GDPR which I actually think is a very good thing (the less lengthy, multi-clause, "hereinafter referred to as the party of the first part" legalistic gobbledegook the better as far as I'm concerned).

If anyone is bored and wants to have a look and let me know what they think, the forum Terms of Use are HERE and the Privacy and Cookies Policy is HERE.

I also plan to enforce acceptance of the overall Privacy and Cookies Policy site-wide after 25 May for any accesses made from EU countries, otherwise the site will be blocked. Which I know is utterly stupid, as a VPN can walk all over that, but at least I can say I tried as far as technologically possible. Currently the only difference is EU visitors see some extra text in red at the top of the Policy page which the rest of the world does not.

Andre
--- Admin of www.portorleans.org
User avatar
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

I agree with those examples & i have the same point of view about gdpr & all that bs. The point of gdpr is not to help/protect, but to make as much money as possible and they do it by spreading around fear and unclarity.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
maxrpg
Registered User
Posts: 95
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg »

LaxSlash1993 wrote: Sun Apr 22, 2018 4:14 pm .....
The GDPR contains six grounds for the basis of refusing the right to erasure, one of which is archiving. You could argue in your policy if you wish to comply with this whole thing, that posts that have been responded to/are past a certain point are retained for archival purposes, and that only you/the forum staff reserves the right to modify posts past that certain point. You could also consider conceivable legitamite interest in doing so
.......
I have just looked that up and I think you may have found the holy grail there. topics/Posts could be retain for archiving purposes because erasing them could render the rest of them unusable/gibberish and as you say could contain valuable information that others may want to know "public interest".

So based on that I wonder if it would be a good idea to create a modification..

If a user makes a topic and that topic doesn't get any replies within say 30/60/90 days then with the topic being inactive it could be automatically archived for future reference. A modification could be used to detect inactive topics and after X number of days lock it and prevent user deletion. Could also have something in the t&c's stating that users have X number of days from topic creation to delete the topic after which time it will be archived.
My go to phpBB based site and hangout is Codenstuff
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by thecoalman »

maxrpg wrote: Sat Apr 07, 2018 4:44 pm "...you, the user, individual, person agree when registering for membership that all topics/posts/replies/comments/files/images or any other site relevant content submitted by you under your chosen membership username shall become the property of {our website} at such time should you choose/request/demand/inform us that you wish to have your account removed."
You cannot claim their content as your property and that has nothing to do with these regulations, you do not own the copyright to the text and files someone posts on your forum. What you can claim is a license to use it and how that fits into these regulations I don't know.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

thecoalman wrote: Sun Apr 22, 2018 11:33 pm
maxrpg wrote: Sat Apr 07, 2018 4:44 pm "...you, the user, individual, person agree when registering for membership that all topics/posts/replies/comments/files/images or any other site relevant content submitted by you under your chosen membership username shall become the property of {our website} at such time should you choose/request/demand/inform us that you wish to have your account removed."
You cannot claim their content as your property and that has nothing to do with these regulations, you do not own the copyright to the text and files someone posts on your forum. What you can claim is a license to use it and how that fits into these regulations I don't know.
You own that copy of the content. You can't claim that you made that content. Same thing with music CDs and music downloads. Can an artist demand that you delete their music file/destroy their CD? No.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by thecoalman »

LaxSlash1993 wrote: Mon Apr 23, 2018 12:08 am You own that copy of the content. You can't claim that you made that content. Same thing with music CDs and music downloads. Can an artist demand that you delete their music file/destroy their CD? No.
I'm not a lawyer but did have the privilege of belonging to a video/audio forum that had a copyright lawyer as a memeber who covered many of these topics in depth.

Splitting hairs but "Own" is the wrong terminology, only one person or entity can own a copyright and that is granted instantly to the person who created it. One exception to that is when the person doing the creating is under legal contract in which case the copyright is granted to their employer. For you to obtain it requires a legal transfer that goes beyond what you can do with a registration form.

When you purchase a CD what you own is a plastic disc. You do not own the content but do have a license to use it for personal use. You would not be able to play that disc in a bar you own as one example because the license does not cover that. You would not even be able to make legal copies (MP3's) of it for your own personal within the US if not for a special provision carved out of copyright law called "The Home Recording Act". Nobody would be able to demand you delete those files because you are legally entitled to them within the scope of the license and the law. If you sold the disc the license is tied to the disc and you would be legally obligated to delete any files you created.

Getting back to phpBB and the registration agreement you can include a permanent licensing agreement, you can even have an exclusivity provision. Since most of us can't afford a $400 an hour lawyer the best thing to do is view the TOS of major providers like Youtube to see how they have worded worded it.

This is US law but copyright laws are pretty common. As I already noted I do not know how this fits into the privacy regulations.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Right to archive.
thecoalman you're right. The content can be licensed and so I have in my regulations.
The right of archiving applies only to public goods strictly defined in GDPR, for example a medical clinic can archive patient cards. Your forum is your private business and you have no right to archiving for pubic goods.

Allowing for posts editing.
If I could edit my posts and know that the forum owner does not delete them, I would edit them all by typing 'bla bla'. it's the same as deleting them before deleting the account. In addition, it makes moderation difficult.
Anyway, users do not remember what they wrote and it's about the data they forgot about, including photos with faces, and after some time someone can hit them accusing me. So alowing to edit post does not resolve problem.
Post Reply

Return to “phpBB Discussion”