Delete My Account


Full anonymization option

by tojag » Mon Mar 26, 2018 10:11 am

Hi BrokenCrust
Thanks for your extension!

As You wrote:
"assigns any posts to the guest user with the name Deleted User plus the users old ID (e.g. Deleted User 342)"

This behaviour makes it possible to filter users with the name Deleted User XXX, and from the context of the post text it is really possible to assign a name to this user. According to GDPR this can be treated as impermissible deanonymisation.
So, could you add an option to assign posts to the guest user with the name Deleted User without the user's old ID? This would help administrators from the EU achieve GDPR compliance in this area.
Sorry for my English. I hope you understand what I mean.
tojag
Registered User
Posts: 400
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Full anonymization option

by BrokenCrust » Mon Mar 26, 2018 9:25 pm

I don't agree. There is no way to track this person after the delete, since all you have left is the number, and that number in your system no longer contains any information about that person, since it was deleted and the posts transferred to a single anon account with no profile data. It might be possible to infer from publicly available data in the person's posts who that person was, but that is not solved by removing the number. Of course you still have this person's PII in your site's backup data and you might need to think about that, but it is not in the current system and cannot be reconstructed from the number since there is no other source. All you can say, at best, is that the posts marked with a particular number are all from the same account (and only then if you are not allowing anonymous posting anyway).

I think that the deletion process is compliant with GDPR for the (private) PII any user might have entered into their account, but there remains the question of whether you must also remove that person's (public) post data as well, or if you must edit some of them to remove posted data. It is not clear if this is your responsibility and I suppose this will depend on what the user posted about themselves in their posts (i.e. that they included PII in their own posts). The only way to be absolutely certain of total GDPR compliance is to delete all their posts with the account, or failing that review all of their posts to ensure that there is nothing personal left in them - and even then they might have been quoted in other users' posts too, or quoted on another site even, or be in RSS feed data that long since passed out of your control. It's a tricky business and you need to decide for yourself how you'll comply.

Also did you notice that you cannot search for the posts of user Deleted User 123? That user does not exist and so you cannot look up these posts with the search function in that way.

The number is useful to see that two or more deleted users were having a conversation, rather than one deleted user posting a weird thread on their own. That is all it does; it is no longer a key to a particular individual.
BrokenCrust
Registered User
Posts: 60
Joined: Mon Feb 11, 2008 8:43 pm

Re: Full anonymization option

by tojag » Tue Mar 27, 2018 7:38 pm

Unfortunately, one "SELECT * FROM phpbb_posts WHERE post_username = DeletetUserXX" is enough to extract the data of a specific deleted user and, based on the content of the posts, to build a large part of his profile.

Yes, you are right: to completely delete the data you need to delete the posts. This is also my opinion. But here on this forum I have asked about it many times and everyone always wrote that posts are not personal data. Review my topics about GDPR. Of course, admins would prefer to keep posts so as not to lose content.

As for data backups, some members of this forum are mistakenly convinced that one can keep personal data in archives without a legal basis. You cannot if the user requests to delete the data. There is then no legitimate purpose for processing these data in archives. Such a purpose would have to be determined already at the data collection stage and consent would have to be obtained. And when the user exercises the right to be forgotten, even this will not help. Remember that according to GDPR you cannot keep PII in the archives. Only in special cases can it be done.
I think that even the phpBB forum has a big problem with the implementation of GDPR. But this is a separate topic...

Back to topic...
If we acknowledge that we can leave posts, according to GDPR we need to deanonymise without the possibility of reversing it, without assigning any numbers that can extract the data of a particular user.
I think that this is a small change in your script, based solely on the option of adding or not adding an extra identifier. This option would significantly improve the extension's function for people like me, who want to do full anonymization of deleted users' names.
Sorry for my English. I hope you understand what I mean.

Re: Full anonymization option

by BrokenCrust » Wed Mar 28, 2018 5:06 pm

If we acknowledge that we can leave posts, according to GDPR we need to deanonymise without the possibility of reversing it, without assigning any numbers that can extract the data of a particular user.
If we accept that leaving the post data is OK (if it is not a location for PII) then there is no PII for the number in the table to be attached to any more. It is no longer a key, except to a related set of anonymous posts which are public domain non-PII data, so 100% not covered by GDPR (except perhaps if the username was the same as the user ID and that person was also well known as that number, but it seems unlikely).

You, even as the admin, cannot tell me the PII of a deleted user after they are deleted, even if you look at their posts with an SQL query, which most people cannot do. Of course if you can work out PII of the user from the posts, then the answer is that you must delete them too. If you delete all the posts then there is no more issue with the number, since this isn't recorded once all the posts are deleted. So I think that it is compliant.

You seem to think that you can link the person to the number somehow after the deletion. How would you do that (ignoring the post data and backup data routes)?

Re: Full anonymization option

by tojag » Thu Mar 29, 2018 9:20 am

Because GDPR allows you to keep data if it's anonymized, I want to use that. However, GDPR also requires that this anonymisation cannot be reversed.
I assume that the posts do not contain personal data. This is one of the reasons for submitting posts to moderation on my forum. But I cannot exclude that a post contains such data, or that someone quoted a post in which the old username and data appear. You can easily assign such data to one or more posts of the deleted user, and then extract all other posts of that person, creating a profile.
If I have only "deleted user", not "deleted user XX", it will not be possible to extract posts from one person. This is anonymization.
If I have "deleted user XX", it is pseudonymization.
GDPR says: "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly."

This is just my suggestion to upgrade your extension as an additional option in ACP (with user ID or not). You will do as you like. You did a good job.
Regards
Sorry for my English. I hope you understand what I mean.
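As an added illustration of the singling-out argument in this post (and of the on/off user ID option requested later in the thread), not code from the extension itself: a Python stand-in for the phpbb_posts table, with constructed rows, that relabels deleted users' posts with or without the old ID and then runs the kind of post_username query tojag describes. The column names follow phpBB; the sample posts and user ids are made up here.

```python
import sqlite3

ANONYMOUS = 1  # phpBB's built-in guest user id

# Constructed stand-in for phpbb_posts (post_id, poster_id, post_username,
# post_text); the column names follow phpBB, the rows are made up here.
SAMPLE_POSTS = [
    (1, 342, "gregory", "Anyone know a good dentist near the old town?"),
    (2, 77, "anna", "Has anyone tried the new build yet?"),
    (3, 342, "gregory", "Thanks, I'll try the one next to my office."),
    (4, 77, "anna", "Works for me now."),
    (5, 342, "gregory", "By the way, I'm Gregory, we met at the meetup."),
]


def load_sample_posts() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, "
                 "poster_id INTEGER, post_username TEXT, post_text TEXT)")
    conn.executemany("INSERT INTO phpbb_posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def deleted_user_name(user_id: int, keep_id: bool) -> str:
    """The extension's label ('Deleted User 342') or the suffix-free variant."""
    return f"Deleted User {user_id}" if keep_id else "Deleted User"


def anonymise_user(conn: sqlite3.Connection, user_id: int, keep_id: bool) -> int:
    """Move a user's posts to the guest account under the chosen label; returns rows changed."""
    cur = conn.execute(
        "UPDATE phpbb_posts SET poster_id = ?, post_username = ? WHERE poster_id = ?",
        (ANONYMOUS, deleted_user_name(user_id, keep_id), user_id),
    )
    return cur.rowcount


def posts_by_name(conn: sqlite3.Connection, name: str) -> list:
    """The query from the thread: every post still grouped under one label."""
    rows = conn.execute("SELECT post_text FROM phpbb_posts WHERE post_username = ? "
                        "ORDER BY post_id", (name,))
    return [text for (text,) in rows]


def linked_posts(keep_id: bool, target: int = 342) -> list:
    """Delete users 342 and 77, then fetch what the target's label still pulls together:
    with the suffix exactly the target's own posts, without it all deleted users' posts."""
    conn = load_sample_posts()
    for user_id in (342, 77):
        anonymise_user(conn, user_id, keep_id)
    return posts_by_name(conn, deleted_user_name(target, keep_id))
```

Dropping the suffix removes only the label-based grouping; as BrokenCrust points out, identifying details inside the post text itself are untouched by either variant.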

Re: Full anonymization option

by WelshPaul » Sat Mar 31, 2018 5:07 pm

If you want to remove the user id from the "Deleted User" username then open ucp/main_module.php and find:

    $new_name = sprintf($this->user->lang['DELETED_USER'], $this->user->data['user_id']);

Replace with:

    $new_name = $this->user->lang['DELETED_USER'];

Open language/en/info_ucp_delete_my_account.php and find:

    'DELETED_USER' => 'Deleted User %s',

Replace with:

    'DELETED_USER' => 'Deleted User',

If you want to remove the user id from the logs contained within the ACP upon account deletion too, open ucp/main_module.php and find:

    $log = sprintf($this->user->lang['LOG_USER_DELETED'], $this->user->data['username'], $this->user->data['user_id']);

Replace with:

    $log = sprintf($this->user->lang['LOG_USER_DELETED'], $this->user->data['username']);

Open language/en/info_ucp_delete_my_account.php and find:

    'LOG_USER_DELETED' => 'User %s (ID %s) has deleted their own account. ',

Replace with:

    'LOG_USER_DELETED' => 'User %s has deleted their own account. ',

You can of course just edit the language files.
WelshPaul
Registered User
Posts: 350
Joined: Tue Aug 19, 2014 2:09 pm

Re: Full anonymization option

by tojag » Tue Apr 03, 2018 4:34 pm

Thanks for the explanation. I thought about an additional option in the ACP instead, but I understand it needs more work. An "on/off user ID" option would be cool. Leave it for a future version if you want.
Regards
Sorry for my English. I hope you understand what I mean.

Re: Full anonymization option

by BrokenCrust » Thu Apr 19, 2018 5:44 pm

I will probably add this in a future release. However, to be clear, this mod does not make you 100% GDPR compliant and it can never do that.

Re: Full anonymization option

by Qudis » Sun Feb 10, 2019 8:45 am

I think posts are not personal data and you cannot determine the natural person simply because you have a set of posts. You don't have any data of the natural person except if there is some in the text of the posts.
Qudis
Registered User
Posts: 9
Joined: Tue Sep 04, 2018 5:09 pm

Re: Full anonymization option

by BrokenCrust » Tue Jul 30, 2019 7:49 pm

I'm not sure there is a definitive answer to personal data in posts, except to delete it when asked, even if it is public.