Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: Yikesfactor on October 11, 2018, 02:49:35 AM

Title: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 02:49:35 AM
Under GDPR, if someone requests you delete all their posts, we are required to do so.

Yet there is no mechanism I can find which does this.

Ideally, we need an admin function where random poss are deleted automatically, and posts which begin a thread bring up the split option to save posts in the thread, before deleting the OP and whatever is left in the thread after the split.

I have 1 person demanding I do this already, and have no way of doing it. Search of mods returns nothing.

Is there any way of doing this already I'm missing?

If not, this becomes a bug which must be solved, otherwise GDPR is going to hit some board owner for 6 in the near future.

I've got the GDPR mod, but renaming posts is not enough when the user asks for their total deletion. I cant see anything in the pro version to indication deletion is included in it.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Arantor on October 11, 2018, 03:07:50 AM
Actually, you’re really not required to do so. You are required to delete personal data from posts however the majority of posts simply won’t constitute personal data.

Simplest solution: rename the account to “Anonymous” or similar, delete the account. That immediately fixes 90% of the problem, the only remaining is to fix logged IP addresses and email addresses which are stored with posts.

IPs you can even argue are necessary to prevent people requesting deletion just before they go on a rampage.

As for personal information in posts, skim through their posts and edit or delete the ones that contain personal information. (Before you delete the account, really.)
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 06:07:11 AM
The GDPR mod does the change of name on all posts when the account is deleted. This is ok for some people.

But unfortunately, my forum has people who consider every word they type to be copyrighted information, and the reason they left the last one was because the new owners considered everything on the forum theirs to do as they liked.

Hence, I'm taking GDPR very seriously, and to the point where if someone wants their posts deleted, it has to happen. While I'm not totally up to speed on GDPR limits, some of my members are. ASnd if they want a total deletion, I need to be able to accomodate them, without spending days on the one task. On the previous forum to mine, some posters had in excess of 10,000 posts. It took some of them weeks to remove just the ones they considered essential to remove, simply because the mods were instructed not to do any full deletions. So some of my members are not only fully aware of GDPR, but have just been kicked up the arse by people who are defying it, and had to manually delete thousands of posts. This SML forum had the ability for mods to request all posts deleted, (but the new admin forbade them using it after the first few were done), but I cant find a mod which does it. I suspect it was a custom change made by a previous owner who could code.

Not a good situation, and I want to be ahead of it. And as I said, I have a request for full deletion I cant action.

Going with the GDPR mod was the simple solution. But some people want more, and I feel obliged to be able to.

And my understanding of GDPR is if someone in Europe asks for a complete delete, forum owners are legally bound to do it. No ifs, buts, or half measures, legally bound to complete the request. Where the forum is located or who owns it is not relevant. To not do it, carries fines I cant meet. And that's assuming it doesn't go legal.

This is a minefield, and the simplest solution is to be able to do a full delete of a person's posts in one click.

The question is, how do we do it?

If the simplest answer is a php file we execute from a browser with the database details plugged in, I'll take that. A mod would be better.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Arantor on October 11, 2018, 06:20:15 AM
It honestly doesn’t matter what these people say. Their content is not covered by article 17 unless it contains personally identifiable information, or in some very specific cases, information that could be used to profile or identify them.

Assuming their deletion request is acceptable under 17 (1)(b) and that (c) doesn’t apply, I would then point them at 17 (3)(a), regarding that deletion isn’t required under “exercising the right of freedom of expression and infirmation”.

I would then remind them of 4 (1), what is legally defined as personal data under the GDPR: any information relating to an identified or identifiable natural person; an identifiable natural person is who one can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

So, again, change the name of the account to something not identifiable and delete it, this fixes the identifiers clause. As long as posts have no identifiable information in them, they have no legal basis to demand it.

I have confirmed this at length with the U.K. regulator, the ICO, and they confirmed this interpretation, though sadly I don’t have it in writing. I would also note that XenForo Ltd have independently come to the same conclusion.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 07:04:29 AM
Fine.

I'd still like to be able to do it.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Tonyvic on October 11, 2018, 07:19:50 AM
I thought it was built into SMF, I can delete all of a members posts and topics from the Members Profile/Actions/Delete this account section. I don't need a Mod to do it. :P ;)
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 09:05:39 AM
I thought it was built into SMF, I can delete all of a members posts and topics from the Members Profile/Actions/Delete this account section. I don't need a Mod to do it. :P ;)

I had no idea that existed.

Any idea what happens to threads when included in the delete? Does it delete everything in the thread, or just the first post?
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Illori on October 11, 2018, 09:08:48 AM
it should delete the complete topic.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 09:14:03 AM
it should delete the complete topic.

That's what I thought.

Which means one should check to see if anything should be saved before blindly deleting posts not made by the deletee.

Still, most of a facility is better than none.  :)
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Kindred on October 11, 2018, 04:35:30 PM
you can NEVER delete the first post in a thread and leave the rest of the thread...   

so, there is no way to do what you are suggesting.

It's an all or nothing sort of thing.

Delete user account
Choose to delete all posts (aka delete responses but leave threads)
or
Choose to delete all posts and threads (delete all individual responses and delete any thread which the user started)
or
Choose to leave the posts and threads by this user and display the original login name for the account. (hence the suggestion to change the account name to "anonymous" before doing the account delete)

there is not and never will be an option to "select which posts to delete"
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 08:27:57 PM
To delete the first post, you split off the rest of the rest, leaving it as a single post, then delete thread.

The second post becomes the new first post on what is left.

I dont see why this would be hard to automate. The existing split code just needs to be popped up for each time a first post needs to be deleted.

This kind of split happens periodically when the second post is a hijack and the rest of the thread follows the hijack. Split at post 2, leaving post 1 intact. Only in this case it's the opposite, so post one is being split off, and then deleted.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Kindred on October 11, 2018, 09:43:34 PM
But that makes no logical sense...

Post 1 —-   I think that xyz is the best combination of letters
Post 2 —-   No, you are wrong
do things the way you suggest,
new post 1—-  no, you are wrong

 

It makes no sense.
Honestly, allowing people to delete content even out of the middle of a conversation makes no sense, since the post is required to have the conversation make sense... and you are not required to do it, by gdpr rules.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 10:03:31 PM
Post 1 - This topic is for XXXXXXX.

Post 2 - Why do we even need this topic? I dont even what anyone talking about this topic so I'm going to hijack it and make everyone discuss if we should have this topic or not.

Split.

Topic 1 - This is for XXXXXXX.

Topic 2 - Split from topic 1. Renamed as Do we need need topic 1 discussion?

Topic 2 is cast off into the off-topic area. Topic 1 begins again.

This has happened 3 times already in a less than a month old forum. The off topic area contains a people-behaving-badly zone, into which such thread hijacks get put. (Among other things).

And before anyone asks, yes. The forum has certain topics which a lot of people want shut down, or confused to the point of uselessness.

And while sometimes a first poster wants out, the remainder of the thread remains relevant. The second post might seem strange as a starter to the casual reader after the split, but that's what Moderator comments at the beginning are for. I wouldn't mind admin being able to take control of such a first post, and turn the original post content into a not-attributed quote, with anything specific to the poster removed. This allows the thread to continue without the original poster at all, but retaining the essence of the first post. This happens if someone deletes their account, without deleting posts first, as they get re-named to guest-###. I have a very active example of this. Would be better if the thread was owned by admin now, rather than have no actual ownership anymore.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Kindred on October 11, 2018, 10:21:16 PM
If you have to enter a moderator comment at the start, then you have to do it manually anyway, so an automatic split and delete would be useless anyway.

In other words, what you are asking for might seem good for your forum, but would be mostly useless for 99.9% of the other sites out there.
Also, in 25+ years of having run forums, I have literally never done what you said...

So no.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 11, 2018, 10:39:58 PM
Also, in 25+ years of having run forums, I have literally never done what you said...

I'm renown for doing things no-one ever thought of before.  ;)

Or should I say, they happen to me all the time.  ;D
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Kindred on October 12, 2018, 12:27:17 AM
It’s not that it hasn’t been though of....  its that I have never seen a forum where it has been needed or done.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Yikesfactor on October 12, 2018, 12:38:40 AM
It’s not that it hasn’t been though of....  its that I have never seen a forum where it has been needed or done.

<<<<<chalks up another first.  ;D

Here's the scenario.

The pool of people from which members come from includes a black hat type sub-set. These people do anything they can to stop themselves from being outed, including hiring trolls to derail forum and FB threads. At all costs, they want discussion about them stopped, including behavior designed to get a thread locked or deleted.

People get hurt in the process, and decide to remove themselves from the forum/group, and in doing so, they want everything they posted removed. In some cases, these people started key threads. Without them, the thread continues, but sometimes I need to be able to delete the first post in the thread to let them go.

But the one thing I dont want is to let these people shut down discussion. And freaking the thread starter into leaving and getting the whole thread deleted is a tactic I want to be able to stop from working.
Title: Re: Missing delete all posts option needed for GDPR.
Post by: Kindred on October 12, 2018, 09:04:07 AM
So, don't delete the thread.... and don't delete the first post either.

plain and simple.

ban the trouble makers and delete their posts.

plain and simple.

Seriously, you are overthinking the problem as well as addressing the symptom and not the actual issue.
If the issue is troublemakers posting -- then remove and prevent the troublmakers