New GDPR (General Data Protection Regulation) and phpBB

david63
Jr. Extension Validator
Posts: 13894
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 » Tue Mar 06, 2018 10:27 pm

Let's just calm down a bit.

In the UK, I don't know about other EU countries, we have had since 1984 various versions of the Data Protection Act which essentially is the same as GDPR where the storing of "personal identifiers" has been subject to controls - in fact at one point I had to register to keep that data. Furthermore these regulations cover the keeping of such data not only on a computer but also on paper.

Never in the last 34 years has anyone ever asked me for a copy of their data and if the same applies with GDPR that you can make a "reasonable" charge to provide that data then I doubt for one minute many will be requesting the data from a BB when they have to pay for it.

There is nothing new here, at least not in the UK, and as far as I am aware nobody has ever been prosecuted for holding data on a BB. These regulations are aimed at businesses/organisations/government departments that hold masses of personal data about all of us and the way in which that data is protected.

As I have said before I am not ignoring GDPR but neither am I over reacting to it. In my view there is very little if anything other than a brief note that is required for a vanilla phpBB install. If you modify your phpBB install to capture other data then that becomes your responsibility - not phpBB's and is outside of this discussion.
David

3Di
Registered User
Posts: 12365
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by 3Di » Tue Mar 06, 2018 10:38 pm

david63 wrote:
Tue Mar 06, 2018 10:27 pm
These regulations are aimed at businesses/organisations/government departments that hold masses of personal data about all of us and the way in which that data is protected.
You are correct here, I spent some time informing myself about all of this, this time I got to read the page (in this case of one of the biggest companies involved in this personal data's storage, guess .. F*a*e*ook), and I did read it line by line in my native language.

It's more, IMHO, much ado about nothing here. Being nitpickers.. yes, an extension could provide some sort of extra "insurance" but honestly, I hardly believe somebody could be issued here.

As already said, change the TOS at registration and mass-mail the already existing users about the changes, request a sort of OPT-IN like a mail-reply and you will be done.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 11:03 pm

I think that you can solve this problem with small steps. We should start with the basic things that are obvious - first and foremost, user consent.
In my forum I added an additional field in the registration form. This field is required and is described as consent to the collection and processing of data, has a link to my board regulations and the user can choose YES or NO, but if NO, he cannot register. This field is then seen as an additional field in the user's profile. Something better is needed.

David63, does your Cookie Policy not save cookies before user agreement? And what to do with external cookies, e.g. Google AdSense?

From the GDPR entries, I understand that you cannot number anonymous users, e.g. anonymous1, anonymous2, ... Because it will allow you to extract their content (posts), which can allow you to create a profile, or even identification. So everyone would have to have one name - anonymous.
I know it's a bit stupid but I did not create it.

Google, Facebook, Oracle, IBM, Microsoft are not European companies and have long since implemented compliance with GDPR. Of course, it's a big business for them.

Regards

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA » Tue Mar 06, 2018 11:29 pm

tojag wrote:
Tue Mar 06, 2018 11:03 pm
I think that you can solve this problem with small steps. We should start with the basic things that are obvious - first and foremost, user consent.
In my forum I added an additional field in the registration form. This field is required and is described as consent to the collection and processing of data, has a link to my board regulations and the user can choose YES or NO, but if NO, he cannot register. This field is then seen as an additional field in the user's profile. Something better is needed.
That is doable.
tojag wrote:
Tue Mar 06, 2018 11:03 pm
David63, does your Cookie Policy not save cookies before user agreement? And what to do with external cookies, e.g. Google AdSense?
I believe 3.2 has some cookie script by default (cookieconsent? not sure). Also phpBB doesn't set any cookies but one for your session, which can be set without consent as it is needed for the site to run. I'm pretty sure it is the case in your country as well as it is in the directive.
tojag wrote:
Tue Mar 06, 2018 11:03 pm
From the GDPR entries, I understand that you cannot number anonymous users, e.g. anonymous1, anonymous2, ... Because it will allow you to extract their content (posts), which can allow you to create a profile, or even identification. So everyone would have to have one name - anonymous.
I know it's a bit stupid but I did not create it.
I just wouldn't bother removing posts and usernames, if I were you. You could rename the user, you could replace the username in quote tags, but users could refer to each other by username in a topic (as I believe we have an example of that in this topic as well). There is no possible way for anyone to replace those, especially if one's username is a commonly used word. If you have a large forum, you just couldn't remove it, or it would take days at least.

IMO, it could be argued that a username is not even a unique identifier (anyone can use mine on another site, and it is indeed taken on many). It can be, but it is not. It also can be sensitive data, as you could use your sexual orientation, religion, political views and banking information as your username.

Regardless of these, we can create some tools to remove usernames/posts or whatever.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Wed Mar 07, 2018 8:39 am

I found info that my national Data Protection Supervisor is organizing a conference. Unfortunately there are no places :(
The topics are interesting.
I. Standards in the protection of personal data. Testing and monitoring the effectiveness of security measures:
1. The normalizing GDPR map - what we have today and what are the prospects.
2. Evaluation of the effectiveness of the use of security.
3. Analysis of the risk of personal data processing - regulatory basis.
4. Practical aspects of risk assessment in IT security.
5. Costs of incorrect risk estimation.
II. A new approach to documenting data protection processes.
1. Documentation of the processing of personal data in the institutions of the European Union.
2. Accountability in the field of data management, access rights management and preservation of access traces.
3. Data processing by advertising networks displaying advertisements on Publisher websites.
III. Practical aspects of IT security.
1. Types of services supporting the process of effective personal data protection.
2. Outsourcing in GDPR opportunities and threats.
3. How to measure the level of personal data security breach?
4. IOD tools - a practical dimension of risk assessment and data security audit in micro-companies.
5. IT security through the work of forensic experts in the field of computer science.
6. Beacons - benefits and threats to the rights and freedoms of individuals.
7. Blockchain technology selected aspects of data protection.

ad. I.2 There will probably be something about passwords, login, ssl, maybe also about 2fa and other security enhancements.
ad. II.2 Maybe something about logs. What they should contain, how long to store them, etc.
ad. II.3 It may be interesting in relation to, for example, Adsense.
ad. III.2 Not related to phpbb but interesting. Most of us use servers from service providers. Minimum contracts are required to provide data for storage on the servers of the service provider. Personally, I have such a contract.

Unfortunately, at this moment I will not be able to attend this conference.

HiFiKabin
Community Team Member
Posts: 2688
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin » Wed Mar 07, 2018 10:38 am

I totally agree with David63. (now there's a first :P :lol: )

IMHO (unless you use the data for marketing and/or sales) there is very little in the GDPR that you (as the Board's owner) need to worry about. Yes of course the GDPR still applies to you but if you clearly state what data you collect and what that data is used for, that will cover it. Editing David63's cookie policy to encompass this is easy and you can force all users (both existing and new) to accept this and you are done.

Keep the data as safe as you can (i.e. don't leave printouts in a taxi ;) ) and do not forget the 'right to archive' that is within the GDPR.

It's not scary (unless you try to read all the documentation, which I have tried to do) and who is likely to fine a no/low money making forum
Up to €20 million, or 4% annual global turnover – whichever is higher.


Well, I guess they can have 4% of my turnover :roll:

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Wed Mar 07, 2018 12:40 pm

HiFiKabin wrote:
Wed Mar 07, 2018 10:38 am
Up to €20 million, or 4% annual global turnover – whichever is higher.

Well, I guess they can have 4% of my turnover :roll:
Rather, they want 20 million Euro because it can be more :D
--
The right to archive is only for specific purposes - for example to document the breaking of the law. It is not used to store the personal data of the user against his will. Of course, this is about e-mail and IP data.
But that's why the question remains open: do I need to delete user posts when he deletes an account or not? I would prefer not to deprive the site of content. But can posts be treated as personal data?
Of course, they may contain full personal details if someone posts such a post, but I do not allow it in the rules of the forum. For this, however, I have on the list of reasons for moderation the position "post contains personal data".

I would like to have as much optimism as you do :)
I am afraid, however, that various activities of even law firms or cunning users will start, based on GDPR, to demand large compensations for any problem with the compatibility of the website with GDPR.
I hope I'm wrong.
I also hope that by May we will be able to explain a few of the most important elements related to phpBB itself, so as not to be afraid.

silenus
Registered User
Posts: 7
Joined: Tue Aug 15, 2017 4:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by silenus » Wed Mar 07, 2018 1:38 pm

david63 wrote:
Tue Mar 06, 2018 10:27 pm
In the UK, I don't know about other EU countries, we have had since 1984 various versions of the Data Protection Act which essentially is the same as GDPR where the storing of "personal identifiers" has been subject to controls - in fact at one point I had to register to keep that data. Furthermore these regulations cover the keeping of such data not only on a computer but also on paper.
As in France since 1978 (also on paper).
GDPR brings some new constraints besides: portability / export file ...
As webmaster, in relation to the 1978 laws, the most frequent requests are: delete all my data, change my personal data: actually, phpBB can do that.
Recently I did SQL queries to test anonymizing an account on another database.
It is easy for me.
This has led to questions being raised about how a phpBB webmaster who is not familiar with SQL and the phpBB database structure will meet the demand if he is not able to write SQL queries.

I agree with the comment that it is a lawyer's concern.
If the phpBB team wants to make their software GDPR compliant, they may get in touch with European Open Source associations, some of which have legal competences, to set a requirement specification.

I don't know about reprisals if there is a complaint against a website outside the EU which will not respect the RGPD: block access...

Leaving aside laws, I think this is a good practice for consumers: to keep control of their personal data, one of the main spearheads of the open source community.

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA » Wed Mar 07, 2018 2:33 pm

silenus wrote:
Wed Mar 07, 2018 1:38 pm
GDPR brings some new constraints besides: portability / export file ...
Well, if you can request the data stored about you, then that is an exporter. Although it is quite nonsensical functionality in this specific case, as where would you take your data? To another BB? Where will they insert your posts? So I wouldn't worry too much about this one. Just give the user some text dump.
silenus wrote:
Wed Mar 07, 2018 1:38 pm
This has led to questions being raised about how a phpBB webmaster who is not familiar with SQL and the phpBB database structure will meet the demand if he is not able to write SQL queries.
That's why we discussed what features we could implement to help admins out. The only thing many of us pointed out is that tools will not guarantee that you comply with GDPR, and there is no way to be compliant with GDPR out of the box.

Probably the most important thing is to have some sort of privacy policy which states what data you store and how you use it. We cannot write that for you, so it will be the job of the board admin. Also, it is very unlikely that any of GDPR will be enforced on anyone, just the same as the cookie law as GDPR is just as bad of an EU directive as that one was.
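The two requests silenus and CHItA describe above, a "text dump" of what the board holds about an account and an anonymisation that keeps the posts but strips the identifiers, look like this on a reduced phpBB-style schema. This is an added example, not phpBB's own code: the two tables are a constructed subset of phpBB's `phpbb_users` and `phpbb_posts` (an assumption, since a real board records the username in many more places, such as topic and forum last-poster columns and quote tags inside post text, which CHItA's point about irreplaceable mentions covers and this script does not touch). Posts are reassigned to the guest account (`ANONYMOUS`, user_id 1 in phpBB) rather than to a per-user pseudonym, so they are no longer linkable to each other through a numbered "anonymous1" name, which was tojag's concern earlier in the thread.

```python
"""Subject-access export and account anonymisation on a constructed
subset of the phpBB schema (assumption: real phpBB has many more tables
and columns that carry the username or IP; this only models two)."""
import json
import sqlite3

ANONYMOUS = 1  # phpBB's guest user_id; posts of deleted users are parked here

SCHEMA = """
CREATE TABLE phpbb_users (
    user_id        INTEGER PRIMARY KEY,
    username       TEXT NOT NULL,
    username_clean TEXT NOT NULL UNIQUE,
    user_email     TEXT NOT NULL,
    user_ip        TEXT NOT NULL,
    user_birthday  TEXT NOT NULL DEFAULT ''
);
CREATE TABLE phpbb_posts (
    post_id       INTEGER PRIMARY KEY,
    poster_id     INTEGER NOT NULL,
    poster_ip     TEXT NOT NULL,
    post_username TEXT NOT NULL DEFAULT '',
    post_text     TEXT NOT NULL
);
"""


def make_sample_db():
    """In-memory board with constructed sample rows (not real user data)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO phpbb_users VALUES (?,?,?,?,?,?)", [
        (2, "Gregory", "gregory", "gregory@example.invalid", "203.0.113.7", "12- 5-1980"),
        (3, "Marco", "marco", "marco@example.invalid", "198.51.100.9", ""),
    ])
    db.executemany("INSERT INTO phpbb_posts VALUES (?,?,?,?,?)", [
        (10, 2, "203.0.113.7", "", "I added a consent field to the registration form."),
        (11, 3, "198.51.100.9", "", "Change the TOS and mass-mail existing users."),
        (12, 2, "203.0.113.8", "", "Can posts be treated as personal data?"),
    ])
    return db


def export_user_data(db, user_id):
    """Everything keyed to this account: the profile row plus every post
    (with the IP recorded on it), as a JSON-serialisable dict."""
    user = db.execute("SELECT * FROM phpbb_users WHERE user_id = ?", (user_id,)).fetchone()
    if user is None:
        raise LookupError(f"no user with id {user_id}")
    posts = db.execute(
        "SELECT post_id, poster_ip, post_text FROM phpbb_posts "
        "WHERE poster_id = ? ORDER BY post_id", (user_id,)).fetchall()
    return {"account": dict(user), "posts": [dict(p) for p in posts]}


def export_user_json(db, user_id):
    """The 'text dump' handed to the requester."""
    return json.dumps(export_user_data(db, user_id), indent=2)


def anonymise_user(db, user_id):
    """Strip direct identifiers but keep the content. The profile row is
    kept (other phpBB tables reference user_id) under a placeholder name;
    the posts move to the guest account with IP and name cleared.
    Returns the number of posts reassigned."""
    if db.execute("SELECT 1 FROM phpbb_users WHERE user_id = ?", (user_id,)).fetchone() is None:
        raise LookupError(f"no user with id {user_id}")
    placeholder = f"deleted_user_{user_id}"
    with db:  # single transaction: either every step applies or none does
        cur = db.execute(
            "UPDATE phpbb_posts SET poster_id = ?, poster_ip = '', post_username = '' "
            "WHERE poster_id = ?", (ANONYMOUS, user_id))
        db.execute(
            "UPDATE phpbb_users SET username = ?, username_clean = ?, "
            "user_email = '', user_ip = '', user_birthday = '' WHERE user_id = ?",
            (placeholder, placeholder, user_id))
    return cur.rowcount


def post_text(db, post_id):
    """Content survives anonymisation; used to check nothing was lost."""
    row = db.execute("SELECT post_text FROM phpbb_posts WHERE post_id = ?", (post_id,)).fetchone()
    return None if row is None else row["post_text"]


if __name__ == "__main__":
    board = make_sample_db()
    print(export_user_json(board, 2))        # what the user receives
    print("posts reassigned:", anonymise_user(board, 2))
    print(export_user_json(board, 2))        # identifiers gone, posts de-linked
```

The export is deliberately a plain JSON dump rather than anything importable elsewhere, which matches the point that portability to another board is not meaningful for forum posts. The anonymisation runs in one transaction so that an admin who is not comfortable with hand-written SQL cannot be left with a half-scrubbed account; on a real board the same idea has to be extended to every column that stores the username.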

stevemaury
Support Team Member
Posts: 48889
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by stevemaury » Wed Mar 07, 2018 6:15 pm

When you post on a public forum accessible to Google, that is NOT "personal data".

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA » Wed Mar 07, 2018 7:25 pm

stevemaury wrote:
Wed Mar 07, 2018 6:15 pm
When you post on a public forum accessible to Google, that is NOT "personal data".
Sir, how dare you underestimate the stupidity of the regulatory bodies of the EU?

3Di
Registered User
Posts: 12365
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by 3Di » Thu Mar 08, 2018 4:52 am

CHItA wrote:
Wed Mar 07, 2018 2:33 pm
Probably the most important thing is to have some sort of privacy policy which states what data you store and how you use it. We cannot write that for you, so it will be the job of the board admin. Also, it is very unlikely that any of GDPR will be enforced on anyone, just the same as the cookie law as GDPR is just as bad of an EU directive as that one was.
Exactly, BTW that's more or less what I said here.

To add, there has been a quite exhaustive discussion about all of this already, months ago, here.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Thu Mar 08, 2018 9:37 am

Let's stop talking about the stupidity of officials. It has already happened and they will not withdraw it. Let's focus on how to meet these requirements.

In my opinion, we need one additional box of consent for the collection and processing of data for the purposes of the forum's functionality. This is to be the field required for registration. Currently I have it done as an additional custom field. But this is not technically perfect because after changing the number of fields, everything can go bad.

How to make:
1. After registration, the email notifications are turned off by default (Edit notification option: Email - all disabled)
2. Default - Users can contact me by email: No.
3. Default - Administrators can email me information: - set up on the registration form.
4. Additional field on contact form - "Yes, I agree to the collection and processing of my data contained in this form for the purpose of answering".

It would be best if these first three items were pre-set by the user during registration. It would meet the requirements of GDPR with an informed choice of individual data processing goals.

There will be a solution to the problem of whether or not to delete users' posts along with deleting the account, but this is a non-technical legal problem.
And security improvements. Really today the main direction is 2FA, which appears everywhere and I vote for it. My smartphone is my confirmation code generator. It is enough for owner and admin accounts, because they have access to users' email and IP. That would be a big plus in the GDPR risk assessment.
You could still do something like the one described in the SiteGuard extension (though it supposedly does not work well, but the idea is good), that is, users would have information about successful or unsuccessful login attempts, just like a Google account has.

Regards

Mick
Support Team Member
Posts: 18868
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick » Thu Mar 08, 2018 10:03 am

I think you (not us) need to decide exactly what you want to suit your country’s laws then either request an extension or add it as an idea. At the moment this is just going round in circles.

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA » Thu Mar 08, 2018 10:07 am

There is already an extension for 2FA. I'm not sure about the contact form, as the data is not stored. I don't think that the default settings make that much of a difference either as far as GDPR goes.
