New GDPR (General Data Protection Regulation) and phpBB

tojag
Registered User
Posts: 242
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Sat Apr 22, 2017 8:20 pm

As you know, in a year the EU will have the GDPR (20.05.2018).
https://en.wikipedia.org/wiki/General_D ... Regulation

Is phpBB fully compatible with GDPR? For example, the protection of correspondence of PM.
Is it sufficient to secure the site by ssl?
Will it be able to keep posts after user opt out of the forum?
Will it be able to show publicly the time of posting posts or user logins?
etc.
Regards


[edit]
I corrected the shortcut ;)
Last edited by tojag on Tue Mar 06, 2018 1:46 pm, edited 2 times in total.

AmigoJack
Registered User
Posts: 5155
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack » Mon Apr 24, 2017 8:35 am

tojag wrote:
Sat Apr 22, 2017 8:20 pm
GPDR
You seem to mean GDPR.
For years I have already seen BDSG being misspelled, too.
tojag wrote:
Sat Apr 22, 2017 8:20 pm
Is phpBB fully compatible with GPDR?
Except for being able to import user data: yes.
tojag wrote:
Sat Apr 22, 2017 8:20 pm
protection of correspondence of PM
Yes: by design phpBB will show PMs only to its senders and recipients, never to unrelated users.
tojag wrote:
Sat Apr 22, 2017 8:20 pm
Is it sufficient to secure the site by ssl?
If by that you mean HTTPS: no, never - securing the network transport is unbound to securing a software.
tojag wrote:
Sat Apr 22, 2017 8:20 pm
Will it be able to keep posts after user opt out of the forum?
phpBB has this option already, as well as having the option to erase all posts related to an account. See the manual 3.5.7.5: Prune users.
tojag wrote:
Sat Apr 22, 2017 8:20 pm
Will it be able to show publicly the time of posting posts or user logins?
phpBB never did this to guests, but members can always see other members' posts, their post count and their last activity time - like yours.
tojag wrote:
Sat Apr 22, 2017 8:20 pm
etc.
GDPR is aimed at helping consumers or named people, whereas bulletin boards like phpBB nowhere store names, only pseudonyms. Those few installations which aggregate all the data for further purposes can only do this based on IP addresses and e-mail addresses. Effectively encrypting posts would result in not being able to search the board anymore. Exporting your own data is easy - just search your own posts.

After all, GDPR can only target legal persons using a software, not the software or its developers themselves.
The worst thing about censorship is ███████████

tojag
Registered User
Posts: 242
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag » Fri May 12, 2017 8:21 am

Thanks for your reply.
tojag wrote:
Sat Apr 22, 2017 9:20 pm
Will it be able to keep posts after user opt out of the forum?
AmigoJack wrote: phpBB has this option already, as well as having the option to erase all posts related to an account. See the manual 3.5.7.5: Prune users.
Yes, I know it, but can I keep these posts in the database or do I have to erase them together with the user account? What is GDPR compatible?
AmigoJack wrote: GDPR is aimed at helping consumers or named people, whereas bulletin boards like phpBB nowhere store names, only pseudonyms.
GDPR requires that you do not use the nickname/pseudonym of the user who closed the account. I would like to change the authors of such posts to "Anonymous". I think I have thousands of posts from closed accounts (my forum has over 500 000 posts), where the user name has remained unchanged. Do I have to use SQL commands directly in the database? How do I find there the posts unrelated to any active account?

Regards

AmigoJack
Registered User
Posts: 5155
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack » Fri May 12, 2017 8:50 am

tojag wrote:
Fri May 12, 2017 8:21 am
can I keep these posts in data base or have to erase it thogether with user account?
Yes. No. Read again: those are options, both are possible.
tojag wrote:
Fri May 12, 2017 8:21 am
What is GPDR compatible?
Both, as the user can choose.
tojag wrote:
Fri May 12, 2017 8:21 am
change the authors of such posts to "Anonymous"
That's not yet possible - you could delete an account and retain the posts, which means the posts will only have a textual username and no author ID anymore - afterwards you'd have to do i.e. this:

UPDATE phpbb_posts 
   SET post_username= '' 
 WHERE post_username='name of deleted account';
tojag wrote:
Fri May 12, 2017 8:21 am
How do I find out there posts unrelated to any active account?
If by that you mean to find all posts that are not associated to any account (anymore), then run:

SELECT post_id, poster_id, post_username 
  FROM phpbb_posts 
 WHERE poster_id= 1 OR post_username<> '';
The worst thing about censorship is ███████████
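
Added example, not part of AmigoJack's post: the two queries above combined into a dry run followed by a guarded update, run against a constructed in-memory SQLite stand-in for phpbb_posts. The sample rows, the function names and the use of SQLite are assumptions; the table and column names and the guest id 1 are the ones used in the post.

```python
import sqlite3

ANONYMOUS = 1  # phpBB's guest user id, the "poster_id = 1" in the query above

def build_sample_db():
    """Constructed stand-in for phpbb_posts, limited to the three columns used above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, "
               "poster_id INTEGER NOT NULL, post_username TEXT NOT NULL DEFAULT '')")
    db.executemany("INSERT INTO phpbb_posts VALUES (?, ?, ?)", [
        (1, 2, ""),         # post by an existing account
        (2, 1, "olduser"),  # account deleted, posts retained, name still stored
        (3, 1, "olduser"),
        (4, 1, ""),         # already without a name
        (5, 1, "o'brien"),  # the quote would break a hand-built SQL string
    ])
    db.commit()
    return db

def leftover_names(db):
    """Dry run: names still stored on posts that belong to no account."""
    rows = db.execute(
        "SELECT post_username, COUNT(*) FROM phpbb_posts "
        "WHERE poster_id = ? AND post_username <> '' "
        "GROUP BY post_username", (ANONYMOUS,))
    return dict(rows.fetchall())

def blank_name(db, username, expected):
    """Blank one name; roll back unless exactly `expected` rows were changed."""
    with db:  # commits on success, rolls back when an exception escapes
        cur = db.execute(
            "UPDATE phpbb_posts SET post_username = '' "
            "WHERE poster_id = ? AND post_username = ?", (ANONYMOUS, username))
        if cur.rowcount != expected:
            raise RuntimeError(f"expected {expected} rows, touched {cur.rowcount}")
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    todo = leftover_names(db)
    print("dry run:", todo)
    for name, count in todo.items():
        print(name, "->", blank_name(db, name, count))
    print("remaining:", leftover_names(db))
```

Binding the username as a parameter keeps names containing quotes from altering the statement. The same name can also be stored in phpbb_topics (topic_first_poster_name, topic_last_poster_name) and phpbb_forums (forum_last_poster_name), which this example does not touch.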

tojag
Registered User
Posts: 242
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag » Fri Aug 18, 2017 12:05 pm

Thanks for the answer. It's very useful.

AmigoJack
Registered User
Posts: 5155
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack » Mon Aug 21, 2017 6:52 am

Which one?
The worst thing about censorship is ███████████

tojag
Registered User
Posts: 242
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag » Mon Aug 21, 2017 7:40 pm

Code to change user name. I'm not a phpbb specialist. Thanks.

Jacob23
Registered User
Posts: 10
Joined: Fri Nov 18, 2011 4:58 am

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by Jacob23 » Tue Aug 22, 2017 1:15 am

AmigoJack wrote:
Fri May 12, 2017 8:50 am
tojag wrote:
Fri May 12, 2017 8:21 am
change the authors of such posts to "Anonymous"
That's not yet possible - you could delete an account and retain the posts, which means the posts will only have a textual username and no author ID anymore
You can change the username to "JamesBond006" and then delete the account. The next one would be 007, of course. And so on.

silenus
Registered User
Posts: 7
Joined: Tue Aug 15, 2017 4:56 am

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by silenus » Tue Mar 06, 2018 9:50 am

tojag wrote:
Sat Apr 22, 2017 8:20 pm
GDPR is aimed at helping consumers or named people, whereas bulletin boards like phpBB nowhere store names, only pseudonyms.
Hi

Not only names are regarded as personal data.
In France, the current laws consider (and this will still hold with GDPR) that an IP address is personal data (because with an IP address you can deduce a name).
The same goes for a pseudonym, or any data from which you can deduce a name (from a pseudonym you can deduce an IP address, from which you can deduce a name). (You can read more here, in English: https://www.cnil.fr/en/personal-data-definition )

GDPR requires encrypting personal data. Actually, phpBB encrypts only passwords.
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption."
http://eur-lex.europa.eu/legal-content/ ... 79&from=FR

These laws apply to most phpBB webmasters ("(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity").

If you are a US webmaster and want to collect personal data from EU users, even if your datacenter is not located in Europe, you must be GDPR compliant.

So, I think phpBB is in question about software implementation, not only an organizing process.

Mick
Support Team Member
Posts: 18889
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by Mick » Tue Mar 06, 2018 10:03 am

silenus wrote:
Tue Mar 06, 2018 9:50 am
with an IP address you can deduce a name
I’m not sure that’s true but you can certainly find information via Windows command line, does that mean all the OS’s will need re-writing? How about components (hardware) that have IP addresses?
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by CHItA » Tue Mar 06, 2018 10:25 am

silenus wrote:
Tue Mar 06, 2018 9:50 am
GDPR requires encrypting personal data. Actually, phpBB encrypts only passwords.
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption."
I don't really see how this sentence requires anyone to do anything. It mentions encryption as one of the possible solutions, at least that is my understanding.

AmigoJack
Registered User
Posts: 5155
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack » Tue Mar 06, 2018 11:08 am

Resolving an IP address to a name only means you have the internet access owner, not necessarily the person having used said address. Several lawsuits found out about this obviousness.
The worst thing about censorship is ███████████

tojag
Registered User
Posts: 242
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 11:08 am

Hi Silenus, you are quoting AmigoJack. Those are not my words.
Hi Chita, you are quoting Silenus. Those are not my words.
Is there a problem with quoting or is it a mistake?


I think the phpBB team has no lawyer in this area. I wrote about this in 2014, when I asked how to enforce periodical password change for a group of administrators. Polish law required this a long time ago.
IP has been treated in some countries for a long time as data that, in combination with others, can identify a specific natural person. Now it is valid throughout the EU.
At present, GDPR requires planning and risk assessment as early as at the stage of creating the system. If someone wants to use phpbb then he must know if he will meet the requirements of GDPR.
GDPR has many different technical requirements (or refer to strict national rules), e.g. it requires that the user explicitly consent to the processing of data, not via a next button but via the check box. On my forum I did it using a checkbox but it is not perfect. Of course, ssl is the minimum necessary on login pages.
This is a very difficult topic and a lawyer from this area would be helpful.
Regards

tojag
Registered User
Posts: 242
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 11:23 am

AmigoJack wrote:
Tue Mar 06, 2018 11:08 am
Resolving an IP address to a name only means you have the internet access owner, not necessarily the person having used said address. Several lawsuits found out about this obviousness.
GDPR wrote: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by CHItA » Tue Mar 06, 2018 11:23 am

Yeah, sorry, I wasn't editing the quote tag correctly.
