EU Privacy Law Compliance

Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

EU Privacy Law Compliance

Post by Knubbi »

Very rigid privacy policy things have to be considered beginning May 2018 (at least in Germany with its "Datenschutzgrundverordnung").

Any insight, what personal information is stored when and why? Please note, that German law considers an IP address as personal information.

Is there any PHPBB related privacy policy template that could be used?

Your feedback would be very much appreciated.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: EU Privacy Law Compliance

Post by david63 »

David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: EU Privacy Law Compliance

Post by Knubbi »

The mentioned thread is totally unhelpful if you realize the fact, that there are European PHPBB users, that have no choice but to be obliged to follow the upcoming privacy legislation.
HiFiKabin
Community Team Member
Posts: 6677
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: EU Privacy Law Compliance

Post by HiFiKabin »

If you read that topic properly you will have a greater insight into GDPR than most people (IMHO of course)

The GDPR is designed to apply to big businesses with their mailing lists and campaigns, rather than forums (assuming the forum is not used as a marketing tool)

Other than the information that a user inputs (and see my post here for my opinion on that) the only information that a phpBB forum collects is the ip address the post is made from, which while being classed as 'personable information' comes under the 'archive' designation of the GDPR (IMHO of course)

As a forum owner, you must be able to keep Email address, username and ip information for the purposes of blacklisting (should that be appropriate)

At least that will be my defence if needed.
Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: EU Privacy Law Compliance

Post by Knubbi »

I checked the SQL tables and found that the following stored information should be noted in the privacy policy:

* For each user, the IP address and email address is stored in clear text.

* For each separate posting, the poster's IP address is stored in clear text.

Please note, that the same privacy laws apply to one-man companies as well. A judge does not distinguish between a Facebook and a Onemanshow.
HiFiKabin
Community Team Member
Posts: 6677
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: EU Privacy Law Compliance

Post by HiFiKabin »

Knubbi wrote: Thu Mar 01, 2018 5:25 pm I checked the SQL tables and found that the following stored information should be noted in the privacy policy:

* For each user, the IP address and email address is stored in clear text.

* For each separate posting, the poster's IP address is stored in clear text.


Please note, that the same privacy laws apply to one-man companies as well. A judge does not distinguish between a Facebook and a Onemanshow.
Exactly as I said. I know the same laws apply no matter how big or small, I was just pointing out the 'problems one size fits all' sort of legislation poses, and what is required for the running of a forum as opposed to running a sales/marketing business.
AmigoJack
Registered User
Posts: 6113
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: EU Privacy Law Compliance

Post by AmigoJack »

There are even more/older topics discussing this: No, there is no privacy policy template available for this - you either have to do this on your own or have to consider not using phpBB.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: EU Privacy Law Compliance

Post by Knubbi »

Strange and difficult to accept that PHPBB handles COPPA well but fails to handle privacy laws.

This will certainly hit a LOT of users in the EU beginning with May 2018.
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: EU Privacy Law Compliance

Post by CHItA »

Knubbi wrote: Fri Mar 02, 2018 9:39 am Strange and difficult to accept that PHPBB handles COPPA well but fails to handle privacy laws.

This will certainly hit a LOT of users in the EU beginning with May 2018.
We will try to do our best to make it possible to comply with the GDPR directive. The problem with GDPR in comparison to COPPA is that COPPA is a federal law (thus the same rules apply in every state in the US), while GDPR is an EU directive, which means that as of now you (should) have 28 implementations of it (each EU member state will have its own laws, thus there is no common regulation).

What we have is a tool to comply with COPPA, that feature doesn't guarantee that anyone actually complies with the law. We might implement some similar tools to make it easier for system administrators to comply with GDPR, however, there is no way to provide a complete solution to administrators. For example, you could collect other personal information about users in the custom profile fields, so it would be difficult to deal with that.
Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: EU Privacy Law Compliance

Post by Knubbi »

Yes, it is true that privacy laws are tricky and we small companies/individuals are struck down with the same sledgehammer actually designed for the Goofaceapple gorillas.

Please consider the following options for PHPBB:
  • Store hash values derived from truncated IP addresses instead of plain IP addresses.
  • Store email addresses and profile fields with AES encryption.
  • Add a template to the terms of service template, mentioning what is saved and why.
This would be a good start.
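The first option Knubbi lists (a hash of a truncated IP address rather than the address itself) is shown below as an added example; it is not phpBB code and not code from any poster in this thread. The prefix lengths (/24 for IPv4, /48 for IPv6), the choice of a keyed HMAC rather than a bare hash, and the demo key are this example's own assumptions.

```python
"""
Pseudonymising client IP addresses before they are stored.

Added example, not phpBB code. Prefix lengths and the keyed HMAC are
assumptions made for this demonstration, not anything phpBB implements.
"""
import hmac
import hashlib
import ipaddress

IPV4_PREFIX = 24   # assumption: keep the first three octets of an IPv4 address
IPV6_PREFIX = 48   # assumption: keep the routing prefix, drop the interface part


def truncate_ip(ip: str) -> str:
    """Return the network part of `ip` with the host bits zeroed."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the truncated address, hex encoded.

    An unkeyed hash of an IPv4 /24 prefix is not a pseudonym: there are only
    2**24 such prefixes, so anyone holding the table can hash them all and
    reverse every entry. The secret key is what prevents that, and rotating
    the key makes older records unlinkable to newer ones.
    """
    return hmac.new(key, truncate_ip(ip).encode(), hashlib.sha256).hexdigest()


def same_network(ip_a: str, ip_b: str, key: bytes) -> bool:
    """Compare two stored tokens without ever recovering the addresses.

    This keeps a coarse version of the moderation use CHItA describes
    (two registrations from one /24 still match) while the exact address
    is no longer recoverable from the database.
    """
    return hmac.compare_digest(pseudonymise_ip(ip_a, key), pseudonymise_ip(ip_b, key))


if __name__ == "__main__":
    # Constructed demo key; a real deployment would use a random secret
    # stored outside the database so a dump alone does not reveal it.
    key = b"constructed-demo-key-replace-with-a-random-32-byte-secret"
    print(truncate_ip("198.51.100.77"))            # 198.51.100.0
    print(truncate_ip("2001:db8:abcd:1234::1"))    # 2001:db8:abcd::
    print(pseudonymise_ip("198.51.100.77", key))
    print(same_network("198.51.100.77", "198.51.100.200", key))  # True
```

Truncation alone is a privacy measure; the keyed hash on top of it is what keeps the stored column from being a lookup table in disguise. The trade-off CHItA raises in his reply still applies: once the address is pseudonymised this way, an administrator cannot look it up or ban it by exact value.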
HiFiKabin
Community Team Member
Posts: 6677
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: EU Privacy Law Compliance

Post by HiFiKabin »

What I will be doing is using David63's loginredirect extension to direct all members to a page with the privacy policy, which means that all members old and new must visit that page before proceeding further. Whether they actually bother to read it or not is up to them (for example, does anyone actually read the iTunes or Microsoft T&C before proceeding? No, of course they don't)
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: EU Privacy Law Compliance

Post by CHItA »

Knubbi wrote: Fri Mar 02, 2018 12:36 pm Please consider the following options for PHPBB:
  • Store hash values derived from truncated IP addresses instead of plain IP addresses.
  • Store email addresses and profile fields with AES encryption.
  • Add a template to the terms of service template, mentioning what is saved and why.
I strongly doubt we would do any of those, as applying these points makes no sense.

To your first point, hashing truncated IP addresses would mean that we cannot use them for what we are using them for, thus a better option would be to just allow to not collect them in some contexts (e.g. for post validation/moderation purposes).

To the second point: it just doesn't make sense. Either this data is displayed publicly anyway, or otherwise it would only be readable if your board is compromised, in which case the attacker could have access to your encryption keys as well, so you are suggesting introducing something that would require a lot of extra performance for marginal added security, which doesn't make much sense. Simply trying to do our best to keep phpBB secure against attacks seems to me sufficient protection for this kind of data. If you really want to store sensitive information about your users in custom profile fields, then you should take care of the extra security required yourself (this should never happen realistically).

And finally to your last point: terms of service is a legal document, and as such, we cannot write one which complies with any actual laws, as we know neither the law nor how one of our users handles data. Just by providing some template (which has zero actual value, as which law should we base it on?), some users might think that they have a valid "terms of service page" just by copy-pasting it.
A_Jelly_Doughnut
Former Team Member
Posts: 34459
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Re: EU Privacy Law Compliance

Post by A_Jelly_Doughnut »

Knubbi wrote: Fri Mar 02, 2018 9:39 am Strange and difficult to accept that PHPBB handles COPPA well but fails to handle privacy laws.
A couple reasons for this:
  • COPPA was enacted in the US in 2000, so it existed when phpBB was first created. phpBB's implementation goes back to 2002 when I first used phpBB
  • COPPA is relatively trivial to comply with. Web sites are obligated to provide a way to notify guardians if a user under age 13 registers. Even so, I don't believe I've ever seen a phpBB install configured to enable the COPPA feature. When I was on the Developer team years ago, we discussed removing the feature because it seemed so unused.
  • No one seems to know exactly what GDPR requires, even though we are only 70 days from its effective date. For example, one GDPR requirement is to view one's own collected data, but it certainly isn't clear to me how that affects phpBB. For example, would it be sufficient to add a page which shows you the list of IP addresses you have ever posted from?
CHItA wrote: Fri Mar 02, 2018 1:20 pm And finally to your last point: terms of service is a legal document, and as such, we cannot write one which complies with any actual laws, as we know neither the law nor how one of our users handles data. Just by providing some template (which has zero actual value, as which law should we base it on?), some users might think that they have a valid "terms of service page" just by copy-pasting it.
As far as I can tell from articles explaining to U.S. companies how to comply, GDPR is supposed to be uniformly applied across the EU. But apparently each member state will have a separate commission to enforce the regulations, which defeats the point of a uniform regulation.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: EU Privacy Law Compliance

Post by tojag »

In my opinion, a good solution would be a user's log that would be available to him. It would contain:
- IP and registration time,
- IP and change time of password / login / email,
- IP and login time, including unsuccessful login.
GDPR requires reporting incidents related to data protection. With such a log, the user can report to the admin, e.g. attempts to log into his account.

GDPR requires an analysis of the risk of unauthorized access to personal data. What I suggest in this forum is to make better protection for accounts by introducing two factor authentication (2FA), e.g. using Google Authenticator.

Another issue is whether private messages should be encrypted in the database? There are opinions that say yes.
Can e-mail communication reveal the address of the user sending the message? At the moment there is not even a warning that this will happen when we send an email.

The next elements are checkboxes to express consents for the collection and processing of data at registration and in contact forms.

This is more unfortunately...
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: EU Privacy Law Compliance

Post by CHItA »

tojag wrote: Tue Mar 06, 2018 2:46 pm In my opinion, a good solution would be a user's log that would be available to him. It would contain:
- IP and registration time,
- IP and change time of password / login / email,
- IP and login time, including unsuccessful login.
GDPR requires reporting incidents related to data protection. With such a log, the user can report to the admin, e.g. attempts to log into his account.
You could suggest a log like that in the ideas forum. Also it is rather funny that this idea comes to someone by worrying about GDPR.
tojag wrote: Tue Mar 06, 2018 2:46 pmGDPR requires an analysis of the risk of unauthorized access to personal data. What I suggest in this forum is to make better protection for accounts by introducing two factor authentication (2FA), e.g. using Google Authenticator.
There is an extension for 2FA. Not really sure whether or not you mean phpBB by "this forum" or actually the forum on .com. I think this topic is in general about phpBB's GDPR compliance.
tojag wrote: Tue Mar 06, 2018 2:46 pm Another issue is whether private messages should be encrypted in the database? There are opinions that say yes.
No way they will be by default in the near future, however, someone might create an extension one day to do so. I think if you are worried about private messages, just add a policy that no personal information can be shared in them (so you comply with GDPR).
tojag wrote: Tue Mar 06, 2018 2:46 pmCan e-mail communication reveal the address of the user sending the message? At the moment there is not even a warning that this will happen when we send an email.
Not sure what you are talking about here.