New GDPR (General Data Protection Regulation) and phpBB

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Ideas Centre
User avatar
AmigoJack
Registered User
Posts: 5799
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

LaxSlash1993 wrote:
Sun Apr 01, 2018 3:30 am
I'll make a post here about what GDPR compliance would look like.
Sadly you haven't used any formattings I can refer to, so I'll reply per paragraph:

#2: hashing IP addresses makes them unseekable - if you manage address ranges and want to see if an address is within this range you're not able to do so with hashes anymore. Well, you could, but that would end in comparing any hash of the range with the issued hash - they're not numerals anymore where you can predict "oh, this one is too high to even fit the range at all" or "if it won't fit the next 5 then I can skip all others". Hashes can't be the answer, as those are more or less worthless to efficiently detect intruders and unwanted clients. But I wonder if it's legal to recode addresses just to my own numbering system: I could still work on that (somehow; it will still be less efficient) but it can't be considered valuable anymore to anyone in case of unauthorized access to the data.

#3: then phpBB wouldn't know anymore if a person voted or not (hint: re-voting). Not to speak about changing one's vote(s). In the case of non-consent using polls should be forbidden.

#4: e-mail addresses are already stored whenever a user changes them - just look at your log. But since e-mail addresses are not numeric in the first place storing hashes of them would be an alternative. Now tell me how to detect unwanted members who use the same e-mail account name but a different domain... (this may be approached by storing account, domain and TLD all separately in hashes, but then again recognizing "spam2" from "spam1" would still be impossible thru hashes only).

#6: if it's reversible it isn't a hash.

#8: I understand this from the view of a person who realized that any further existing of his texts will harm him. But in my experience so far users only used this as a revenge and/or to ignite chaos. How do I protect myself from inappropriate use of that?

#9: why not prune posts and account as well? The way you read it the GDPR wants to turn BBSes into chats. Ironically I think most Facebook and alike users just use the internet like a chat nowadays: in a volatile kind.

#10: here comes the funny part: I'll just quote a couple of posts and suddenly they will also appear in "my" backup. If you look at Google's format then you'll see it can't be imported anywhere; and if you indeed let users choose amongst severals formats they will surely complain why PDF and JPG is none of them.

#11: can you elaborate? I mean, why listing this point if it should be in #10 already? Additionally this will the staff starting to use codes, just like supermarket employees do today already: "143 the 203" (stuck in toilet, medium priority).

#12: just like #8 I experienced way more misuse of this (new name to irritate others and not associate bad behaviour with your old name anymore) than understandable cases.

#18: that would require the owners to know their birthday at all - how can they assure?

#19: oh great - I'll be the first one wanting to turn off Sphinx and the extension database, as nobody has my consent - let's see how this works.

#20: don't be afraid - I encountered countless "administrators" which should never put their fingers onto a database for less reasons already. I see no big impact here, unless you have responsible people that would do that for hotfixing. This is basically a rule to not provide first aid because the victim did not consent: yes, first aid can do harm, but in most cases it's still better than not doing it.

#21: session tracking is next to impoosible without cookies, it will definitly change the user's "experience". And I thought we finally learnt it the hard way in the last years that the cookie laws were too void of technical understanding. Same thing again now?

#22: can you elaborate on "that must be done automatically by the websites/forums administration" as I'm very interested on how this can be achieved (when the baord does it it's automated, when a person does it it's manual).

#25: how do I distinguish "European" data from the rest?

#26: oh great - finally all those CDNs and third party scripts will die. Finally!

#27: immediately, I guess. Including a note that they did so.

#28: thank you, I waited to see where the GDPR can be turned into money to those who invented it. I really hope nobody uses that as argument against it...
  • The worst thing about censorship is ███████████
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
User avatar
tojag
Registered User
Posts: 409
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

LaxSlash1993 wrote:
Sun Apr 01, 2018 3:30 am
I'll make a post here about what GDPR compliance would look like. I'll try and keep this all as unbiased as possible, but note that some may show through.
Most of what you have written is true but not all.

- Let's start with IP Addresses.
Can we keep old user's email addresses, old names, used IPs? I think so, until the user knows about it and as long as he has an account. We have a contract with him, in which we described what services we provide and what data we collect and why. The forum's usage history may be important to the user, so it is a good reason for the data to be kept. If user cancels his account, you must delete old emails and usernames. If you keep posts without personal information, they must be anonymised.

- Polls.
I always think that anonymous surveys are more reliable. I do not see the point of holding in the database who and how he voted. Technically, this may be needed to not allow a vote again.

- Account deletions.
GDPR talks about personal data and not about other data. If we write on this forum that phpBB is cool and GDPR is bad, then there is no personal data in this content. So if we anonymize the authors of posts, in my opinion we can keep the posts, of course, with the appropriate provisions in the Regulations. The question remains whether this is a good interpretation. I asked about it here many times and the answer is none. A lawyer would have to tell.

- Affiliates.
That's right. You can provide data but the user needs to know who and why and must agree to it. You must have a third party data entrustment agreement.

- E-mail addresses.
You can keep them in the database and do not have to be encrypted although it would increase security. Only the entity specified in the user agreement can have access to this data. If I set up an account here and enter into a contract with "phpBB Team", then phpBB must be an organization with the indicated physical address, eg to send cancellations, the indicated place of data storage. If the administrators act on behalf of the "phpBB Team" with the rights resulting from, for example, a contract of employment, and the place where they process data are identifiable and specific, then of course they can have access to users' e-mails and IP.

- Usernames and user info.
Yes. GDPR preffer pseudonimization.

- Posts
As I wrote earlier - if the posts do not contain personal data and you have appropriate entries in the Regulations, I do not see the reason why they should be deleted. GDPR concerns personal data.

- Retention periods.
This is an interesting issue. I was supposed to ask about it in a separate topic - how long do you keep the data in the logs? I am releasing older than 5 years.

- Export functions for the user.
You can always use SQL to manually create information from user's profile and possibly posts and send them to an email. GDPR does not require that such a function is available from the account level. GDPR also provides for the possibility of charging or denying if the user abuses this function and asks you to do so too often. Maybe someone will make such an extension;)

- Access rights... this includes user notes, as well as any administrative and moderation logs about that user.
Yes. As I wrote only for people who have rights granted by the data controller.

- Old usernames can no longer be retained after x days in the user logs, since there's no reason to keep them after a certain point.
Yes. As my DPO wrote me - user name can be JohnWalker02041956London, we need anonymization after account deletion.

- If you integrate your forums with like Discord/Steam/etc, you must delete any and all data gathered from those platforms should a user delete their account from that platform.
You must also tell the user in advance that you will transfer his data there. You must have a contract with these entities.

- Extensions must implement these functions by default, due to the "Privacy by Design" parts of the GDPR.
Yes.

- It must be hard set that a user has to be at least 16 years old to sign up
Like COPPA in the US. The lawyer told me that the parents' consent does not have to be paper, it can be electronic. Personally, I do not know how to prove that it is real then.

- A user can request that all of his/her data from before their 18th birthday is erased, completely.
Yes

- Extensions must be individually opted into by each individual user.
No. You can write - I change the Regulations for 14 days, if someone does not agree, please close your account.

- Administrators must never be allowed to access their website database through something like phpMyAdmin
That's right. phpMyAdmin does not record actions. I've asked my hosting provider for this a long time ago. He did not have a solution for me.

if you own a website but someone else develops it for you
You can not give access to the database to an independent developer if you do not have a data transfer agreement with him.

- Users must be allowed to not opt-in to cookies/tracking/data collection/etc, and it must not effect their experience at all.
Yes. If someone uses additional cookies such as Google, how to block them independently? How to delete all cookies not only phpBB cookies?
Google propose eg https://www.civicuk.com/cookie-control/index

- If you ban a user, that user must still be allowed access to their profile settings as well as personal messages.
My suggestion, instead of banning, is to transfer users to a group without permissions to publish posts and PM

- Cookies must be off by default, and must be explicitly turned on by the end user.
Yes. Although it is generally assumed that they work according to the browser settings.

- The ACP options to select a user's options/privacy settings for them must go.
Probably yes.

- You must have a European moderator/administrator acting as your DPO. If not, all European data must be stored in Europe.
Not always.

- You can not integrate with platforms such as Steam/Discord, unless they are GDPR compliant. Same with advertisers that use targetted advertising - which also must be explicitly opted into.
I will write the same again - you must have data transfer agreements, of course they must ensure compliance with GDPR, the user must know this in advance.

- Those that don't consent will have to have all of their data removed.
If you previously acquired data illegally - Yes. If you have obtained them legally, e.g. at the time of registration with the consent of the user, you do not have to delete this data until the user wants it.

- A license to run your forum may be required to be purchased from the ICO. See https://ico.org.uk/for-organisations/re ... ssessment/ for details.
This applies to the old law (1998). GDPR does not require registration unless you collect sensitive data, e.g. health.

- For groups in phpBB capable of receiving messages...
Perhaps. I don't know.

In my opinion, the phpBB website must be quickly adapted to these requirements. Whatever it may be difficult, phpBB should give a certain pattern to the users of the script, how to use it to be lawful.
I am waiting for David63 extension.
Regards
User avatar
david63
Registered User
Posts: 18612
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

tojag wrote:
Wed Apr 04, 2018 2:36 pm
- Administrators must never be allowed to access their website database through something like phpMyAdmin
That's right. phpMyAdmin does not record actions. I've asked my hosting provider for this a long time ago. He did not have a solution for me.
If that is a fact, which I doubt, then every website in the EU will have to close.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
User avatar
tojag
Registered User
Posts: 409
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

David, I think the officials creating the law are not always aware. I guess they are not really :D
Have you noticed in the last year very high activity of MS, Oracle, IBM in the range of the offer of tools compatible with GDPR? I always say that the law is for the big to be even bigger.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22919
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

There’s a lot of bandwagon stuff going on as well. Dozens of companies offering GDPR help, preying on the weak and unknowing. I suspect some these companies may be the same ones who made billions keeping the millennium bug fallacy alive.
"The more connected we get the more alone we become" - Kyle Broflovski©
User avatar
GanstaZ
Registered User
Posts: 804
Joined: Wed Oct 11, 2017 10:29 pm
Location: Zverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

I re-read it in my 2 native languages & it's not that scary as a lot think of it. Yes, there are some new points, an owner must react to those & inform team members so they would know what, where and when as well. Main point with GDPR is responsibility and to keep up with new changes as soon as possible. I did a gdpr ready survey & got 92.5 points out of 100. About privacy, phpbb has the right info on privacy page about data storage, it can be modified with easy, same goes for a lot of things, that can be changed/modified if needed.
"When answer lies in the question,.. question becomes redundant!"
User avatar
HiFiKabin
Community Team Member
Community Team Member
Posts: 5029
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin »

GanstaZ wrote:
Wed Apr 04, 2018 4:58 pm
I re-read it in my 2 native languages & it's not that scary as a lot think of it.<snip>
AT LAST!! Someone else who has actually bothered to read the bloody thing.

Its not scary at all, unless you read the arious blogs and experts out there who would like you to employ them to do it for you.


... at a vast fee of course.


... which is increased every week/month/year


I have just had a letter from an unrelated charity to which I belong about the GDPR. The text of it (put simply) is:-

How can we contact you?

Your details will be kept for 25 years AFTER you no longer support us.

... and that is it. If the UK Charity Commissioners are happy with that, who are we to buck against it?
User avatar
tojag
Registered User
Posts: 409
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

I read the entire GDPR. That's why I had and I have questions and doubts.
It's not a problem that you keep data for 25 years. If you need it, it is reasonable and the users/customer knows it and give a consent.
The problems are consents, their acquisition and registration in phpBB. The problem is the procedures for access to data by moderators and admins. The problem is the procedures for moderating, deleting data and accounts in phpBB. And many more like these elements. This should be worked out in line with GDPR.
We do not know what procedures and systems UK Charity Commissioners have. Maybe they have been working on a GDPR compatible system for a long time? The previous law of 1998 also had quite specific requirements. Now, the difference is that GDPR predicts high fines, which were previously not. You take a chance?
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22919
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

I didn’t realise this has been going on since a first draft was leaked in November 2010.
"The more connected we get the more alone we become" - Kyle Broflovski©
User avatar
tojag
Registered User
Posts: 409
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Mick, at 1995 EU was announcement Directive 95/46/EC. Accordance to this directive EU countries created own regulations compatible with this. Eg. in UK it was at 1998 https://www.legislation.gov.uk/ukpga/1998/29/contents.
At 2017 EU was announcement GDPR as a direct regulation not a directive. It will obligatory from 26 may 2018. EU countries can aplied own law for more specify some issues but GDPR applies direct.
User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 51682
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by stevemaury »

Anyone here know what a "Charlie Foxtrot" is? Because this is one.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
User avatar
tojag
Registered User
Posts: 409
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Maybe it is foxtrot, maybe not.

"Mark Zuckerberg said today his company intends to implement Europe’s beefed-up privacy standards across its entire global network.
The move would give Americans and other Facebook users outside of the European Union access to some of the world’s toughest data protection rules, including the potential for people to revoke how data is used by the social network if they believe their digital information is being misused.
"
https://www.politico.eu/article/zuckerb ... -globally/

After FB, other big players will do it, and GDPR will basically be a global standard with small changes in some countries. Some have respected this for a long time. The biggest set standards because they have to be lawful to earn money. We will either adapt to them or die.
User avatar
KaileyT
Community Team Member
Community Team Member
Posts: 2860
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by KaileyT »

tojag wrote:
Fri Apr 06, 2018 10:19 pm
After FB, other big players will do it, and GDPR will basically be a global standard
I don't see this happening. Just because FB does something does not mean the world has to follow.
Kailey Truscott - Community Team
User avatar
3Di
Former Team Member
Posts: 16053
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milano 🇮🇹 - Frankfurt 🇩🇪
Name: Marco
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by 3Di »

Occasionally I went into my privacy's setting at bigG today, I can confirm they are already up-to-date.
To request support for our extensions you can also contact me here: phpBB Studio

Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
🚀 Looking for a specific feature or alternative option? We will rock you! 🚀
maxrpg
Registered User
Posts: 80
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg »

On the subject about anonymity and members wishing to have their accounts removed.
I am already planning on adding text to the registration agreement stating that

"...you, the user, individual, person agree when registering for membership that all topics/posts/replies/comments/files/images or any other site relevant content submitted by you under your chosen membership username shall become the property of {our website} at such time should you choose/request/demand/inform us that you wish to have your account removed."

Some mumbo-jumbo like that. By having that there I think it covers me if a member asks to be removed from the site so that I can keep the posts. I would hate to have a member who has posted thousands of topics turn around and...for whatever reason..want their account removed and then I have to delete all those topics which make up a large chunk of my sites content.

phpBB should have an option in ACP where when we go to remove/delete a users account and retain their posts, to also change those posts username to anonymous, scramble the IP logs for those posts etc.

We should be covered legally if we kept a users posts in that way as they no longer contain any personal/identifiable information?
Post Reply

Return to “phpBB Discussion”