New GDPR (General Data Protection Regulation) and phpBB

tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

As you know for the year in the EU will be the GPDR (20.05.2018).
https://en.wikipedia.org/wiki/General_D ... Regulation

Is phpBB fully compatible with GDPR? For example, the protection of correspondence of PM.
Is it sufficient to secure the site by ssl?
Will it be able to keep posts after user opt out of the forum?
Will it be able to show publicly the time of posting posts or user logins?
etc.
Regards


[edit]
I corrected the shortcut ;)
Last edited by tojag on Tue Mar 06, 2018 1:46 pm, edited 2 times in total.
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

tojag wrote (Sat Apr 22, 2017 8:20 pm): "GPDR"
You seem to mean GDPR.
For years I have already seen BDSG being misspelled, too.
tojag wrote (Sat Apr 22, 2017 8:20 pm): "Is phpBB fully compatible with GPDR?"
Except for being able to import user data: yes.
tojag wrote (Sat Apr 22, 2017 8:20 pm): "protection of correspondence of PM"
Yes: by design phpBB will show PMs only to its senders and recipients, never to unrelated users.
tojag wrote (Sat Apr 22, 2017 8:20 pm): "Is it sufficient to secure the site by ssl?"
If by that you mean HTTPS: no, never - securing the network transport is unbound to securing a software.
tojag wrote (Sat Apr 22, 2017 8:20 pm): "Will it be able to keep posts after user opt out of the forum?"
phpBB has this option already, as well as having the option to erase all posts related to an account. See the manual 3.5.7.5: Prune users.
tojag wrote (Sat Apr 22, 2017 8:20 pm): "Will it be able to show publicly the time of posting posts or user logins?"
phpBB never did this to guests, but members can always see other members' posts, their post count and their last activity time - like yours.
tojag wrote (Sat Apr 22, 2017 8:20 pm): "etc."
GDPR is aimed at helping consumers or named people, whereas bulletin boards like phpBB nowhere store names, only pseudonyms. Those few installations which aggregate all the data for further purposes can only do this based on IP addresses and e-mail addresses. Effectively encrypting posts would result in not being able to search the board anymore. Exporting your own data is easy - just search your own posts.

After all, GDPR can only target legal persons using a software, not the software or its developers themselves.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag »

Thanks for your reply.
tojag wrote (Sat Apr 22, 2017 9:20 pm): "Will it be able to keep posts after user opt out of the forum?"
AmigoJack wrote: "phpBB has this option already, as well as having the option to erase all posts related to an account. See the manual 3.5.7.5: Prune users."
Yes, I know it, but can I keep these posts in data base or have to erase it together with user account? What is GDPR compatible?
AmigoJack wrote: "GDPR is aimed at helping consumers or named people, whereas bulletin boards like phpBB nowhere store names, only pseudonyms."
GDPR requires that you do not use the nickname/pseudonym of the user who closed the account. I would like to change the authors of such posts to "Anonymous". I think I have thousands of posts from closed accounts (my forum has over 500 000 posts), where the user name has remained unchanged. Do I have to use SQL commands directly in the database? How do I find out there posts unrelated to any active account?

Regards

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

tojag wrote (Fri May 12, 2017 8:21 am): "can I keep these posts in data base or have to erase it together with user account?"
Yes. No. Read again: those are options, both is possible.
tojag wrote (Fri May 12, 2017 8:21 am): "What is GDPR compatible?"
Both, as the user can choose.
tojag wrote (Fri May 12, 2017 8:21 am): "change the authors of such posts to 'Anonymous'"
That's not yet possible - you could delete an account and retain the posts, which means the posts will only have a textual username and no author ID anymore - afterwards you'd have to do i.e. this:

Code:

UPDATE phpbb_posts
   SET post_username = ''
 WHERE post_username = 'name of deleted account';

tojag wrote (Fri May 12, 2017 8:21 am): "How do I find out there posts unrelated to any active account?"
If by that you mean to find all posts that are not associated to any account (anymore), then run:

Code:

SELECT post_id, poster_id, post_username
  FROM phpbb_posts
 WHERE poster_id = 1 OR post_username <> '';
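
An added example, not part of AmigoJack's post and not phpBB's own code: the per-account UPDATE from the post above, run inside a transaction with a preview count and extended to the poster-name columns that phpBB caches in the topics and forums tables. It assumes MySQL/MariaDB with InnoDB tables and the default `phpbb_` table prefix; 'name of deleted account' is the placeholder used in the post.

```sql
-- Added example. Assumptions: MySQL/MariaDB, InnoDB tables, default "phpbb_" prefix.
-- Replace 'name of deleted account' (placeholder from the post) before running.
START TRANSACTION;

-- 1. Preview: posts that kept the textual name after the account was deleted
--    with "retain posts". poster_id = 1 is the guest/anonymous account, as in
--    the SELECT from the post above.
SELECT COUNT(*) AS posts_to_change
  FROM phpbb_posts
 WHERE poster_id = 1
   AND post_username = 'name of deleted account';

-- 2. Clear the textual author on those posts only. The poster_id condition
--    keeps posts that belong to an existing account untouched.
UPDATE phpbb_posts
   SET post_username = ''
 WHERE poster_id = 1
   AND post_username = 'name of deleted account';

-- 3. The same name is cached as "first poster" / "last poster" on topics
--    and as "last poster" on forums; clear it there as well.
UPDATE phpbb_topics
   SET topic_first_poster_name = ''
 WHERE topic_poster = 1
   AND topic_first_poster_name = 'name of deleted account';

UPDATE phpbb_topics
   SET topic_last_poster_name = ''
 WHERE topic_last_poster_id = 1
   AND topic_last_poster_name = 'name of deleted account';

UPDATE phpbb_forums
   SET forum_last_poster_name = ''
 WHERE forum_last_poster_id = 1
   AND forum_last_poster_name = 'name of deleted account';

-- 4. Check that no post still carries the name; a non-zero count here means
--    the name is still attached to a row the statements above did not match.
SELECT COUNT(*) AS posts_left
  FROM phpbb_posts
 WHERE post_username = 'name of deleted account';

-- COMMIT if the counts are as expected, otherwise issue ROLLBACK instead.
COMMIT;
```

Names that appear inside post bodies, for example in `[quote="..."]` tags stored in `post_text`, are not changed by these statements and need a separate review.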

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag »

Thanks for the answer. It's very useful.

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

Which one?

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag »

Code to change user name. I'm not a phpbb specialist. Thanks.
Jacob23
Registered User
Posts: 10
Joined: Fri Nov 18, 2011 4:58 am

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by Jacob23 »

AmigoJack wrote (Fri May 12, 2017 8:50 am):
  tojag wrote (Fri May 12, 2017 8:21 am): "change the authors of such posts to 'Anonymous'"
  "That's not yet possible - you could delete an account and retain the posts, which means the posts will only have a textual username and no author ID anymore"
You can change the username to "JamesBond006" and then delete the account. The next one would be 007, of course. And so on.
silenus
Registered User
Posts: 11
Joined: Tue Aug 15, 2017 4:56 am

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by silenus »

tojag wrote (Sat Apr 22, 2017 8:20 pm): "GDPR is aimed at helping consumers or named people, whereas bulletin boards like phpBB nowhere store names, only pseudonyms."
Hi

Not only names are regarded as personal data.
In France, the laws actually consider, and this will still be valid with GDPR, an IP address to be personal data (because with an IP address you can deduce a name).
The same goes for a pseudonym, or any data from which you can deduce a name (from a pseudonym you can deduce an IP address, from which you can deduce a name). (You can read more here in English: https://www.cnil.fr/en/personal-data-definition )

GDPR requires encrypting personal data. Actually phpBB encrypts only passwords.
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption."
http://eur-lex.europa.eu/legal-content/ ... 79&from=FR

These laws apply to most phpBB webmasters ("(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity").

If you are a US webmaster and want to collect personal data from EU users, even if your datacenter is not located in Europe, you must be GDPR compliant.

So, I think phpBB is in question about software implementation, not only an organizing process.
Mick
Support Team Member
Posts: 26504
Joined: Fri Aug 29, 2008 9:49 am

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by Mick »

silenus wrote (Tue Mar 06, 2018 9:50 am): "with an IP address you can deduce a name"
I’m not sure that’s true but you can certainly find information via Windows command line, does that mean all the OS’s will need re-writing? How about components (hardware) that have IP addresses?
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by CHItA »

silenus wrote (Tue Mar 06, 2018 9:50 am): "GDPR requires encrypting personal data. Actually phpBB encrypts only passwords. '(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.'"
I don't really see how this sentence requires anyone to do anything. It mentions encryption as one of the possible solutions, at least that is my understanding.

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

Resolving an IP address to a name only means you have the internet access owner, not necessarily the person having used said address. Several lawsuits found out about this obviousness.

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag »

Hi Silenus, you are quoting AmigoJack. These are not my words.
Hi Chita, you are quoting Silenus. These are not my words.
Is there a problem with quoting or is it a mistake?


I think the phpBB team has no lawyer in this area. I wrote about this in 2014 when I asked how to enforce periodical password change for a group of administrators. Polish law required this a long time ago.
IP has been treated in some countries for a long time as data that, in combination with others, can identify a specific natural person. Now it is valid throughout the EU.
At present, GDPR requires planning and risk assessment as early as at the stage of creating the system. If someone wants to use phpbb then he must know if he will meet the requirements of GDPR.
GDPR has many different technical requirements (or refer to strict national rules), e.g. it requires that the user explicitly consent to the processing of data, not via a next button but via the check box. On my forum I did it using a checkbox but it is not perfect. Of course, ssl is the minimum necessary on login pages.
This is a very difficult topic and a lawyer from this area would be helpful.
Regards

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by tojag »

AmigoJack wrote (Tue Mar 06, 2018 11:08 am): "Resolving an IP address to a name only means you have the internet access owner, not necessarily the person having used said address. Several lawsuits found out about this obviousness."
GDPR wrote: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Re: New GPDR (General Data Protection Regulation) and phpBB

Post by CHItA »

Yeah, sorry, I wasn't editing the quote tag correctly.