Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

EU General Data Protection Regulation (GDPR) German: EU Datenschutz-Grundverordnung (DSGVO)

Dr_SommerDr_Sommer Dr. of tender Programing ;) ✭✭

Hi, as aspected, the panic begins... :lol:

Intro:
So with the new EU General Data Protection Regulation, there is a lot to do to keep the data of the users save... especially with on eye on the possible penaltys... :blush:

So I decided to start this Discussion for all possible Questions and Answers in this direction

Comments

  • Dr_SommerDr_Sommer Dr. of tender Programing ;) ✭✭
    edited May 2018

    So my first Question:

    After turning off IP logging, as RJ (Not) recommended, I proudly announced in my forum, that I`m killing it in therms of GDPR... :lol::winky:

    BUT.. a friend of mine then checked my Website and found this:

    So can somebody tell me what this thing does and is it storing Userdata?

    I just did turn it off with:

    $Configuration['Garden']['Analytics']['Enabled'] = false;

    should that be enough?

    ThX for any info on that... :+1:

  • LincLinc Detroit Admin
    edited May 2018

    First, you are allowed to log IP addresses under the GDPR. That modification does not change your compliance with it. (I think not logging IPs is a great move if you can do it, I just don't appreciate confusing GDPR with general privacy improvements.)

    Second, the analytics tick is what increments your page view data. If you removed it entirely, it would stop pages views from changing.

    Third, disabling that config setting will kill your Dashboard statistics. We do centrally store some basic site data; we do not store personally identifiable information. It's the bare minimum needed to generate the graphs and know what software versions are being used to run Vanilla (which informs decisions we make about basic requirements).

    If you want actually useful information about how the GDPR effects forums, I suggest this resource we put together: https://blog.vanillaforums.com/community-answers-to-common-questions-about-gdpr-community-forums

    There is a lot of misinformation about what GDPR means for websites. My tl;dr is this: Vanilla has always been super responsible and minimalist in its data collection, so the impact on folks running Vanilla sites is minimal (unless they've added a bunch of third-party Javascript widgets that collect more data).

  • R_JR_J Ex-Fanboy Munich Admin

    @Linc thanks for putting that online. It would be extremly helpful if your company can share experiences with the community in case you will get requests based on the GDPR, how you have reacted and if that was sufficient.

    I just wanted to add a link to give a solid foundation to some of your assumptions: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

    For user generated content ("UGC") the blog post wasn't really straight forward. The link above makes it perfectly clear:

    Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data.

    Therefore deleting a user and keeping the content is enough (with respect to the fact that the UGC may include information which sets the UGC in identifyable relation to the author).


    I think some practical advices might be helpful. One of this is how much time there is to react on any request. See Art. 12 (3) for that:

    The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. 2That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. 3The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

    Although an action should be taken immediately, there is a one month period granted without any problems. Especially for small forums it should be easily explainable that it needs more time to react appropriately which would give a three month reaction period.

    There is a list of examples given in the first link for what personal data is and based on that list and what I know about Vanillas database structure, I would say that for a default Vanilla installation those tables need to be looked at:

    The easy ones

    Possibly containing some personal data like names, IP- or email-addresses

    • GDN_User: at least IP addresses, name and mail address, perhaps location
    • GDN_UserMeta: holds PofileExtender fields
    • GDN_Invitation: contains mail addresses
    • GDN_AccessToken, GDN_UserAuthenticationToken, GDN_UserAuthenticationNonce: All related to SSO in one or the other way and potentially holding information which makes user identifyable
    • GDN_Session: holds the session id related to the cookie
    • GDN_UserMerge, GDN_UserMergeItem: if the users account is a "product" of two merged users, you would have to dig deeper and find all data connected to the old user, too
    • GDN_Ban: holds IP-Addresses (moderators are users, too)

    The tedious work

    User generated content can include personal data which has been inserted by the user (or in worst case some other user)

    • GDN_Discussion - forum entries
    • GDN_Comment - forum entries
    • GDN_Draft - "future" forum entries
    • GDN_Media - attachments can contain sensible, user related information, too
    • GDN_ActivityComment - "Wall" posts
    • GDN_Activity - contains only small snippets, but just to be a 100% sure...
    • GDN_Conversation - if you allow conversation subjects, you should have a look at that
    • GDN_ConversationMessage - the conversations of a user shall not be forgotten
    • GDN_Flag - contains user comments
    • GDN_Log - logged changes

    Four examples that show why it is quite hard to follow users wishes to be "forgotten":
    1. User has written his phone number in a comment. You would have to either delete all of his content or look through all of his content to search for things like that
    2. User has written his phone number in a comment and later on edited that comment to delete the number. It will still reside in GDN_Log!
    3. User "John Doe" has written his phone number in a comment and another user has quoted that comment. Even if you delete all content of John Doe, his name and number will still be in your forum
    4. A comment of user "John Doe" has been flagged by another user who commented on that "John Doe is never learning that he is not allowed to post things like that!" which would result in a connection between the user id in GDN_Flag and the users identity

    And that is no Vanilla specific problem, this is a "user is allowed to enter free text"-problem. But I have faith that the courts will take such problems into consideration when a forum admin tries to "forget" a user and e.g. not all quoted comments are wiped or there is some server log that still holds an IP address of that user.

  • R_JR_J Ex-Fanboy Munich Admin

    Finding user related content could be easier, if there was some Facebook like feature: when writing some text, nearly every word is matched against the user names (that must cause a horrible lot of traffic!) and if a user is found, there is a connection made. Therefore it should be relativly easy to find every post that mentions another user even if the mentioning wasn't an intention but only happened "on the fly".
    But I really cannot imagine a way to do that without causing ridiculous high traffic. That might be okay for desktop users, but on mobile that would be a no-go. But there might be some magic which would make it possible and cause responsible traffic usage, too.

    At least writing mentions down to database could be a start so that those posts can be found quite easily. I've once started a plugin but never finished it. Making that an in-built would be a step to make it easier to find "user related" content and it would look nice in the users profile below "Discussions", "Comments" :wink:

  • LincLinc Detroit Admin
    edited May 2018

    @R_J My position is it is the user's responsibility to identify comments that they feel are compromising to their identify, and then moderators will take appropriate action. I'm very against 1) Putting an onus on moderators to conduct manual audits, 2) Automatically editing other users' posts, even if they quote or mention them, or 3) Blanket deletion of all content by a user.

    What one person thinks is personal info another may disagree. I think it's appropriate for the user requesting removal to make that judgement and ask the moderators directly. (That request process I think would be great for automation.)

    The only case I would edit another user's posts is if they'd quoted particularly identifiable information and it was brought to my attention. Writing a tool that auto-edits others' posts en masse is super dangerous; we usually won't even do that for migrations.

  • R_JR_J Ex-Fanboy Munich Admin

    @Linc said:
    Writing a tool that auto-edits others' posts en masse is super dangerous

    I fully agree on that!

    @Linc said:
    @R_J My position is it is the user's responsibility to identify comments that they feel are compromising to their identify

    The judges will tell us that. But here is the reason why I doubt that:

    The Euoraean Commission said:
    Personal data is any information that relates to an identified or identifiable living individual.

    That obviously includes UGC.

    Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

    Let's assume I want to be forgotten here and you leave my comments online. In more than one of those comments I have a link to one of my GitHub repos with my name. That comment is by definition personal data and as such shall not exist any more when I ask for erasure of my data.

    Article 17 (1) said:
    The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay

    A user doesn't have to specify which personal data has to be erased, he could simply demand "erase all data" and in the example above my comment with the link would be a problem


    All those information related parts of the GDPR should be no problem, but what really will cause huge efforts is a person that likes to be forgotten. I don't see a better alternative than dumping the database and do some grep-magic on it.

  • LincLinc Detroit Admin
    edited May 2018

    @R_J

    Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.


    Let's assume I want to be forgotten here and you leave my comments online. In more than one of those comments I have a link to one of my GitHub repos with my name. That comment is by definition personal data and as such shall not exist any more when I ask for erasure of my data.

    This is actually a great example, because I contend that LINK is not personal data. The personal data is that you've added your REAL NAME to your GitHub account, which is their GDPR concern, not the forum's.

    @R_J
    A user doesn't have to specify which personal data has to be erased, he could simply demand "erase all data" and in the example above my comment with the link would be a problem

    My position is that removing personal data on a forum means removing their IP & email addresses - the definitive personally identifiable information. All other modifications are up to the user to specify what they think is identifiable. No tool in the present or foreseeable future can intelligently parse thousands of comments and definitively determine if something within them is personally identifiable. What if you happen to describe the location of your house using entirely landmarks in the course of an essay? You think even a human is going to figure that out if you ask them to skim 3000 comments? It's absurd on the face of it.

  • Dr_SommerDr_Sommer Dr. of tender Programing ;) ✭✭
    edited May 2018

    @Linc: It`s just a small Forum, so if its no problem for the forumsoftware to shut down IPs and the analytics tick, its no problem for me... :mrgreen:

    Yes indeed, there is a lot of misinformation about GDPR... so I decided to not make me more crazy, as I allready am... :mrgreen:

    I just wanted a more or less clean start... an as RJ pointed out, If somebody wants something from us, we have about a month/ 3 Months to react... this should be enough... :+1:

    ThX for this discussion, it helps... :+1:

  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
    edited May 2018

    I may have over read this part in this discussion. But from what i understood regarding the GDPR... removing the last two digits of IP addresses seems to be legit for processing IPs according to GDPR rules. My hosting company did this for example. Or am I wrong?

    Vanilla has about 4 fields per user in the GDN_User that deal with IPs. Would it make sense to have a plugin that would strip the last two digits or exchange them for a "XX". What could be affected by changes like this? Core functionalities? Plugins like "StopForum SPAM"?

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • R_JR_J Ex-Fanboy Munich Admin

    A good read (in German) with links to some examples you might need for your page can be found here: https://www.heise-regioconcept.de/online-marketing/dsgvo-fuer-website-betreiber

    The main action item for you is to inform your users. And you have to do that, no matter what other actions you take.

    If you have stored your data securely before, you do not need to change anything. You must inform how you ensure the security of the data.


    It doesn't make sense to snip some numbers from the IP address. Your hosting company might do this to reduce the personal data that they store, but they have a lot more information available which is far more sensible than your IP address e.g. your bank account.
    And the same goes for your forum. If you allow signing in with Facebook, you store your users Facebook identity in your database and make it visible to others, too. For me as a user that would be far more interesting than the fact that the forum own knows the IP address.

  • Dr_SommerDr_Sommer Dr. of tender Programing ;) ✭✭

    @RJ:
    But I think, if you anonymize the IPs, GDPR isn`t aplyable any more...

    Der Prozess der Anonymisierung bietet die Möglichkeit, IP-Adressen so zu verarbeiten, dass das Datenschutzrecht gar keine Anwendung mehr findet. Denn schutzbedürftig sind nur diejenigen Informationen, die sich auf eine identifizierte oder identifizierbare natürliche Person beziehen.

    Source

  • R_JR_J Ex-Fanboy Munich Admin

    @Dr_Sommer said:
    @RJ:
    But I think, if you anonymize the IPs, GDPR isn`t aplyable any more...

    Der Prozess der Anonymisierung bietet die Möglichkeit, IP-Adressen so zu verarbeiten, dass das Datenschutzrecht gar keine Anwendung mehr findet. Denn schutzbedürftig sind nur diejenigen Informationen, die sich auf eine identifizierte oder identifizierbare natürliche Person beziehen.

    Source

    Where's the sense in masking IP addresses when you still have to store users mail addresses?


    If you manage to anonymize each and every user data, you would still have to inform the users about that. That's GDPR.
    But I think the rest of the DSGVO wouldn't apply to you (and all your users would be called "Anonymous")

  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

    @R_J: I‘m with you on this. I thought that for example using Vanilla statistics could then be left out of the inform your users part as personal info would then not be traceable to a person anymore.

    Also one can say that it is interesting to offer anonymization to users where possible and it‘s a good move if you can tell your users we anonymize yor data where possible > IPs.

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • R_JR_J Ex-Fanboy Munich Admin

    I still think that masking IP addresses should not be done on the script side but on the server side.

    I've done a little research and it seems as if you would need additional modules for Apache to do so. I think that might be a reason why this no way for people using shared hosting services.

    If for some reason you want to alter the IP address, you can do so by adding something to the /conf/bootstrap.before.php which is better than my previous "advise", to alter class.request.php
    Quite often I use different browsers/private mode to open my test forum the same time as admin, a normal user and a guest. There is no problem with that although all three browser sessions have the same IP which makes sense since Vanilla identifies users by the browsers cookie.

    You can exchange the users IP with some fake IP like that.

    $originalIP = $_SERVER['REMOTE_ADDR'];
    $fakeIP = '8.8.8.8';
    foreach ($_SERVER as $key => $value) {
        if ($value == $originalIP) {
            $_SERVER[$key] = $fakeIP;
        }
    }
    

    "8.8.8.8" is the IP of a public DNS server iirc, but who cares since your users will not see this address.

    I do not see any advantage to store crippled IPs over the above approach since wrong information is wrong information, but if you like to, you can do it like that:

    $originalIP = $_SERVER['REMOTE_ADDR'];
    $ipParts = explode('.', $originalIP);
    $ipParts[3] = 0;
    $fakeIP = implode('.', $ipParts);
    foreach ($_SERVER as $key => $value) {
        if ($value == $originalIP) {
            $_SERVER[$key] = $fakeIP;
        }
    }
    

    Some servers might add additional headers with the users IP and therefore I would not only alter the REMOTE_ADDR but also look for other appearances of the IP address.

    Preventing Vanilla from "knowing" the IP address will keep you from looking through each and every table.

  • Dr_SommerDr_Sommer Dr. of tender Programing ;) ✭✭

    @R_J said:

    @Dr_Sommer said:
    @RJ:
    But I think, if you anonymize the IPs, GDPR isn`t aplyable any more...

    Der Prozess der Anonymisierung...........

    Where's the sense in masking IP addresses when you still have to store users mail addresses?


    If you manage to anonymize each and every user data, you would still have to inform the users about that. That's GDPR.
    But I think the rest of the DSGVO wouldn't apply to you (and all your users would be called "Anonymous")

    Correct me if I`m wrong, but I have 2 Kind of Users:

    1. Anonymous Guests
    2. Registered Forumusers

    So the masking of the IP is for the Anonymous Users, that come to visit my Site..

    The registered Users or new Users, that want to register have to read the "Therms of use" and the "data protection specifications" for my Site an have to confirm it! :+1:
    For them I could store personal information, IP, etc..

  • R_JR_J Ex-Fanboy Munich Admin

    As far as I know, Vanilla doesn't store guests IP addresses.

Sign In or Register to comment.