New GDPR (General Data Protection Regulation) and phpBB

tojag
Registered User
Posts: 408
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

:twisted:
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by 2600 »

tojag wrote:
Fri Jan 31, 2020 8:55 pm
Hello
As the founder of this topic, I want to say that for 2-3 years nothing has changed in the phpBB group's approach to the GDPR directive...
I talked to some lawyers at the freeadvice website and they told me that if you reside in the U.S. you don't have to comply with Europe's GDPR requirements.

However, I have made a bit of an effort on the GDPR crap anyway. I have a brief privacy policy that states there is the use of cookies and what not and I allow any member to delete their account and/or delete their posts. I do this even though I'm an American and the server is in the U.S. Even my host is in the U.S.

I wonder. Do Europeans have to comply with COPPA? That is in fact a U.S. law of 15 U.S.C. §§ 6501–6506 and has no merit in the EU whatsoever. Unless of course the EU has their own version and if so should be coded into the phpBB core for its use.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
Lumpy Burgertushie
Registered User
Posts: 68179
Joined: Mon May 02, 2005 3:11 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Lumpy Burgertushie »

and, if you read the COPPA law, it only applies to a very limited number of sites and only in certain circumstances.
gee, kind of like the GDPR law....
robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

If nobody is in the forest, does a tree really fall?
KaileyT
Community Team Member
Posts: 2845
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by KaileyT »

John connor wrote:
Fri Jan 31, 2020 10:18 pm
COPPA [snip] That is in fact a U.S law of 15 U.S.C. §§ 6501–6506
Personally, I would like to see COPPA made into an extension and removed from the core, but then again I feel the same way about birthdays too. :cry:
Kailey Truscott - Community Team
Talk19Zehn
Registered User
Posts: 567
Joined: Tue Aug 09, 2011 1:10 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Talk19Zehn »

Hi, @apollodriver
[RC] Privacy protection (DSGVO) please test perhaps that approach: https://www.phpbb.de/community/viewtopi ... 2#p1400122
Note the following information: https://www.phpbb.de/community/viewtopi ... 4#p1400124
kinerity wrote:
Fri Jan 31, 2020 10:58 pm
...[...]...
Personally, I would like to see COPPA made into an extension and removed from the core, but then again I feel the same way about birthdays too.
Yeah, I agree because I believe these requirements are underestimated. :(

Regards
heinrich_k
Registered User
Posts: 221
Joined: Fri Jul 17, 2009 11:40 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by heinrich_k »

david63 wrote:
Fri Jan 31, 2020 6:48 pm
The bottom line here is that it is the board owner who is responsible for complying with the law that appertains to the country that they are in and/or operate in.
Yet, any software offered to board owners, like phpBB, should provide the means to do so, or else the offering is only worth as much as the ability of the board owner to modify said software.

If one has to modify or extend the software in question, one pretty soon comes into areas, where one can't guarantee that the whole construct will work as intended.
John connor wrote:
Fri Jan 31, 2020 10:18 pm
I wonder. Do Europeans have to comply with COPPA?
As of Wikipedia, COPPA only affects persons and legal entities who are under U.S. jurisdiction, and it is a law posing restrictions on the.
GDPR, by design, is a law that grants rights to EU citizens and imposes restrictions. These rights EU citizens get shall be upheld by everyone who offers their service in the EU (or even EU citizens living abroad). If one wouldn't want to comply with those laws, by merit of not being under EU jurisdiction, one should find means to exclude EU citizens from their service. Which of course is technically difficult, for geo-blocking IPs would hinder non-EU users currently residing in the EU (or using an EU-based ISP) while proxy servers provide means for EU citizens to circumvent a geo-block...


In any case, the base functions of phpBB, like creating logs with IP addresses, should undergo some reevaluation. What is the merit of logging the IPs in question, indefinitely?

Should an anonymisation of IP addresses be a core functionality and turned on by default - just so that people who use the board out of the box aren't liable? I mean, if someone wants it, and understands it, it can be turned on, but a fairly high number of people probably wouldn't care if the IPs were in the logs or not.

And, I'd like to point out, that the "privacy policy" that phpBB ships with the board becomes invalid, if certain extensions or even styles are included into the board. Those extensions and styles aren't marked and a phpBB owner isn't warned, that styles may load jQuery, fonts or stuff like that from Google, or wherever. Well, if you have HSTS activated on your server, you probably realise soon that your board doesn't work properly...

As I pointed out in a similar topic a few months back, even this very board "phpBB.com" is in breach of its own Privacy Policy, or at least was when I last checked. Because, I'm guaranteed that no information is given to third parties, yet once I load the board, my IP, time of access and other information is given to Google Analytics.
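
The IP anonymisation raised in the post above can be done by truncating an address before it is written to a log. This is an added example, not phpBB code and not from any poster in this thread; the function name `anonymize_ip` and the /24 (IPv4) and /48 (IPv6) prefix lengths are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: truncate an IP address before it reaches a log table.
// The prefix lengths below are assumptions, not phpBB settings.
const KEEP_BITS_V4 = 24;  // keep the first three octets, zero the last
const KEEP_BITS_V6 = 48;  // keep the site prefix, zero subnet and interface ID

function anonymize_ip(string $ip): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null;  // not an IP address: store nothing rather than the raw value
    }

    // An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 address.
    // Masking it as IPv6 would leave the embedded address fully readable.
    $mapped_prefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mapped_prefix) {
        $packed = substr($packed, 12);
    }

    // Build a byte mask with the first $keep bits set, then AND it bytewise.
    $keep = strlen($packed) === 4 ? KEEP_BITS_V4 : KEEP_BITS_V6;
    $mask = '';
    for ($i = 0; $i < strlen($packed); $i++) {
        $bits = max(0, min(8, $keep - 8 * $i));
        $mask .= chr((0xFF << (8 - $bits)) & 0xFF);
    }

    return inet_ntop($packed & $mask);
}

// Constructed sample addresses (documentation ranges), not real log data.
$samples = ['203.0.113.77', '2001:db8:1234:5678::1', '::ffff:198.51.100.23', 'not-an-ip'];
foreach ($samples as $raw) {
    printf("%-24s -> %s\n", $raw, anonymize_ip($raw) ?? '(dropped)');
}
```

Truncation keeps enough of the address for coarse abuse handling such as range bans while no longer singling out one connection.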
david63
Registered User
Posts: 18441
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

heinrich_k wrote:
Sat Feb 01, 2020 8:24 am
david63 wrote: ↑
Yesterday, 18:48
The bottom line here is that it is the board owner who is responsible for complying with the law that appertains to the country that they are in and/or operate in.

Yet, any software offered to board owners, like phpBB, should provide the means to do so, or else the offering is only worth as much as the ability of the board owner to modify said software.
I reiterate the point - it is the board owner's responsibility and if a particular software package does not meet their requirements then do not use it and find one that does. It really is that simple.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
KYPREO
Registered User
Posts: 392
Joined: Fri Feb 02, 2018 9:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by KYPREO »

heinrich_k wrote:
Sat Feb 01, 2020 8:24 am
As I pointed out in a similar topic a few months back, even this very board "phpBB.com" is in breach of its own Privacy Policy, or at least was when I last checked. Because, I'm guaranteed that no information is given to third parties, yet once I load the board, my IP, time of access and other information is given to Google Analytics.
Strictly speaking, with the way Google Analytics works, no information is actually handled by the board or "given" to Google.

The JavaScript for Google Analytics is downloaded by the user directly from Google (not from the origin webhost) and then the script is executed by the user's browser, with the resultant being sent directly to Google.

When the board administrator accesses their Google Analytics account they can only see an interpretation of the data collected by Google directly from the user. In accordance with Google's terms of service, this data is anonymised. You cannot retrieve user IP addresses. Any record of browser, location, etc is just a number and not attributable to any personally identifiable information, be that IP address, email etc. ;)
phpBB user since 2002
www.AusRotary.com
Mick
Support Team Member
Posts: 22834
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

I still don’t understand why people are so concerned about IP addresses, no really useful ‘personal’ information, addresses and such, is available from them. I’d be more concerned about CCTV, Traffic cams and webcams.
"The more connected we get the more alone we become" - Kyle Broflovski©
david63
Registered User
Posts: 18441
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

Mick wrote:
Sat Feb 01, 2020 9:17 am
I still don’t understand why people are so concerned about IP addresses, no really useful ‘personal’ information is available from them.
It can be if you have a fixed IP address and certainly will be if IPv6 ever gets rolled out.
David
Mick
Support Team Member
Posts: 22834
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

Maybe but are static IPs going in to households? My host has implemented IPv6 now where possible.
david63
Registered User
Posts: 18441
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

Mick wrote:
Sat Feb 01, 2020 9:25 am
are static IPs going in to households?
Not many - but could be if you run a business from home.
Mick wrote:
Sat Feb 01, 2020 9:25 am
My host has implemented IPv6 now where possible.
But how many ISPs have?
David
Mick
Support Team Member
Posts: 22834
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

Points taken but I still think people are panicking for nothing.
david63
Registered User
Posts: 18441
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

Mick wrote:
Sat Feb 01, 2020 9:35 am
Points taken but I still think people are panicking for nothing.
Agreed👍
David
KYPREO
Registered User
Posts: 392
Joined: Fri Feb 02, 2018 9:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by KYPREO »

Mick wrote:
Sat Feb 01, 2020 9:17 am
I still don’t understand why people are so concerned about IP addresses, no really useful ‘personal’ information, addresses and such, is available from them. I’d be more concerned about CCTV, Traffic cams and webcams.
An IP is not "personal information" but it is definitely "personally identifiable information". This, when combined with another data source, can reveal the identity or other personal information about a user. This might be doing a WHOIS search and finding out the user's place of work or the university where they study.

Or, the more likely scenario and the most concerning one, the IP address can be used to cross reference against other data collected from that user through other browsing/app activity. Say, for example, a board administrator sold user data to a data analytics company that compiles data from multiple sources then sells consumer data to advertisers, businesses etc. Armed with the IP address used at a specific time and date, you could build a dossier of the user from the forum data (email address, birthday, political beliefs, hobbies etc) combined with other data sources where the user may have disclosed their name, residential address, job, credit card number etc.

If you don't appreciate that this is actually happening, I suggest you educate yourself on Big Data and privacy principles in general.

Moreover, GDPR compliance is a real issue for administrators within the jurisdiction of the EU. Your opinion on the merits of GDPR or the value of an IP address is frankly irrelevant to the real question of whether this affects GDPR compliance. To trivialise and dismiss genuinely held concerns about GDPR compliance is somewhat unfair, to say the least.