GDPR - easy way for forum admin to anonymise forum username when member leaves?

Started by outdoors-stuff, November 20, 2017, 01:01:06 PM

outdoors-stuff

Hi

Trying to get my head around some of this evil data protection stuff, including the right to be forgotten.

At the moment it looks like once GDPR becomes law next year, when someone leaves an organisation with a forum (in our case, an internal one just for the membership), then the law seems to require that the forum threads get ripped to shreds. ie that the ex-member and all their data (posts) have to be deleted.

I may be wrong on this as there's limited info out there at the moment... But that's my understanding of the effect of GDPR on membership-based forums at the moment.

So to solve the issue as simply as possible - is there any way we can have an admin option to change the ex-member's forum username. That way we can make any posts of an ex-member anonymous (keeping us legal data privacy-wise once GDPR comes into force) but current members still gain benefit from the information in the forum's historical posts without its threads rapidly becoming very broken through deletion of previous members' postings.

Arantor

Definitely the account has to go. I'd rename the account before deleting (or approving deletion) which would fix that part of it. It doesn't fix the part where user email addresses are left in the database, though.

As for post contents, no one can agree whether forum posts entirely count or not. It's a complicated issue because there are grounds to argue that a forum thread is collaborative and that deletion of posts infringes on others' rights. If there isn't any data that is personally identifiable left, it's a tough argument.

outdoors-stuff

Thanks for the quick response Arantor :)

Agree, no question that the account itself gets deleted. But currently remaining posts get left with the user's original name greyed out (and I understood the username to be unchangeable once set), attributed as guest rather than member (ie no forum user record available).

Hence my request for an admin option to allow changing of the username.

Good that there are some grounds to argue that the posts can be kept though - it's going to make complete nonsense of a lot of forums if they can't be. Anonymising them seemed like the only way around it to me though?

Arantor

You can change it by editing the post if memory serves, but ideally rename the user before deletion. (And don't let users just delete accounts. You are entitled to review the deletion request and users have no grounds for auto self deletion. They make a request, you have a month to action it.)

Anonymising only counts if there's personal data to anonymise. This post on its own does not identify me, therefore there aren't really any grounds to delete it. The only issue is if you can connect it to me through other data, IP addresses.

The real test is whether or not renaming an account to something generic is then considered sufficient pseudonymisation or not, assuming IP addresses and access logs were scrubbed.

The other fun issue is what happens to IP addresses for banned users. Even a banned troublemaker can request their data be removed. But... that implies removing the ban too. However I'd argue that there is sufficient grounds to preserve bans and banned IPs on the basis of it being conditional to the service to collect them in the first place.

Reattribute posts will have to go away though, I think.

outdoors-stuff

I take it back - there is a way for admin to change the name of existing members :) (Puzzled as I know I looked for that last time a member left and it wasn't possible, but must have changed since then!)

That'll sort us as is I reckon going forwards :)

And does look as if I can edit the post to rename the user on historic posts where the username wasn't changeable before their account was deleted. That's going to be a major headache that doesn't bear thinking about though :(

(So far it's only been admin who can delete members - and we've only done that when they cease to be members. Technically it seems members can request deletion, but it requires an admin (or mod) to action it. Our issue with usernames is that being a small and closed membership organisation we do require members to use their real names as their forum username. So the username has to be changed once the member leaves if we are able to keep their former posts. (Which it really seems daft if GDPR truly means we can't - surely that'll break a lot of forums if so!))

Glad to hear your thoughts that it's not necessarily saying that is the case, but it doesn't remotely surprise me that whether posts can be kept or not is a grey area.

Arantor

It's been debated on some forums, and it's certainly been debated in other contexts where it's a platform with a forum - I've been part of the discussions about the Moodle e-learning platform too, and their position is more draconian than mine on the subject, but the law leaves a lot of room for interpretation on this.

lax.slash

Where is your forum based out of? Many US based forums, including ours, have plans to refuse compliance with this. There's no way that an EU law holds any ground on something based in and hosted in the United States, despite what the EU may say. Another forum I'm a member of is setting up a firewall to prohibit access from anywhere within the EU.

To be honest, so long as you're not in the EU, I would just carry on as normal.

On the other hand, if you are in the EU, all you can hope for is that something happens where this law gets stopped before it goes into enforcement in May.

Arantor

If only it were that simple, but it almost certainly isn't.

First of all, there's Privacy Shield. If you happen to be hosted with someone who implements Privacy Shield, they're actually potentially liable under having signed up. Which means... if someone in the EU complains and their supervisory authority agrees, the complaint will certainly land at their door along the way - and it's likely they'll just suspend or terminate the account.

GoDaddy, for example, is signed up here. As are other hosts.

If you have subscriptions or ads, again, they're *going* to have to be compliant even if you aren't, so you can likely expect those revenue streams to disappear.

As for setting up a firewall to keep out the EU, this baffles me on some levels. Sure, for local or regional forums, you wouldn't need that. But for broader matters, why exclude a target market larger than the entirety of the US? (US population ~315m, EU population ~504m)

Also, consider what it is you're actually saying: you don't care about your members' privacy? You don't want their data to be properly protected?

lax.slash

Quote from: Arantor on November 24, 2017, 11:29:35 AM
If only it were that simple, but it almost certainly isn't.

First of all, there's Privacy Shield. If you happen to be hosted with someone who implements Privacy Shield, they're actually potentially liable under having signed up. Which means... if someone in the EU complains and their supervisory authority agrees, the complaint will certainly land at their door along the way - and it's likely they'll just suspend or terminate the account.

GoDaddy, for example, is signed up here. As are other hosts.
This is interesting. I didn't know Privacy Shield was a voluntary thing. We actually self host, so we wouldn't be involved with this anyways... my understanding of privacy shield was it was something for corporations that the FTC mandated.

Quote
If you have subscriptions or ads, again, they're *going* to have to be compliant even if you aren't, so you can likely expect those revenue streams to disappear.
How so? We don't have ads, but even if we did, it's none of their business what we collect or what we keep.

Quote
As for setting up a firewall to keep out the EU, this baffles me on some levels. Sure, for local or regional forums, you wouldn't need that. But for broader matters, why exclude a target market larger than the entirety of the US? (US population ~315m, EU population ~504m)
I wasn't the one behind this decision, so I can't say for sure. My best guess is to just not have to deal with the headache of it all.

Quote
Also, consider what it is you're actually saying: you don't care about your members' privacy? You don't want their data to be properly protected?
I care more about being legally mandated by a government to delete data that's not being sold off for commercial gain. We care very much about internal data privacy, and go well above and beyond to protect the data that's internal to us. We also will redact (but keep the post) any kind of personal info (names, city, state) posted by mistake when a user asks us nicely, and it doesn't cause too much harm to the overall quality of the content. In the cases of accidentally posted highly-sensitive personal info, we always delete this stuff even if the user doesn't ask us to. However, we always retain accounts, logs, IP addresses, e-mail addresses, etc for moderation and administrative purposes. This is where we drew the line. Things that are distributed to us internally (ie, e-mail address, birthdate, age) shouldn't have been given to us in the first place if they didn't want us to have it.

Arantor

Privacy Shield is voluntary in concept. If you don't comply with it, you have no right to EU data anyway - that's on the US side, not the EU side. The EU has quite strong principles about not giving out data to areas with fewer protections in law than it does and long since declared US protections of user data inadequate. They also declared Safe Harbor inadequate.

How are ads going to have to be compliant? Because the provider is going to have to be compliant in their own right unless you're dealing with someone totally outside the EU that explicitly doesn't collect user data. Google Adsense will have to be compliant. So will PayPal.

The government puts things in place so that users' rights are covered - because a large amount of this continent knows in living memory what living in a surveillance state looks like and takes privacy very seriously. The right to deletion is simply to protect user personal data - if you can prove a suitable case for not deleting it, that's fine. For example in my day job I work with universities who are somewhat freaking out about the GDPR right now, because they're trying to reconcile right to deletion with the fact that they have to keep records of learning for years.

As for 'it shouldn't have been posted publicly in the first place', you've never done anything that you've regretted, ever, online? You've never made a mistake in your life, ever? Also, I'm guessing you've never had to deal with identity theft either on a simple level like someone just pretending to be you on a forum, or having your life turned upside down by your entire identity being compromised. THAT is why this is important.

lax.slash

Quote from: Arantor on November 24, 2017, 11:48:40 AM
Privacy Shield is voluntary in concept. If you don't comply with it, you have no right to EU data anyway - that's on the US side, not the EU side. The EU has quite strong principles about not giving out data to areas with fewer protections in law than it does and long since declared US protections of user data inadequate. They also declared Safe Harbor inadequate.
In that case, it's on the user to not use our site.

Quote
How are ads going to have to be compliant? Because the provider is going to have to be compliant in their own right unless you're dealing with someone totally outside the EU that explicitly doesn't collect user data. Google Adsense will have to be compliant. So will PayPal.
PayPal we don't really care about, since we don't store information that comes from when a user makes a donation to us. We never did. Dealing with financial things is much more of a headache than we'd like to deal with :P As far as ads go, same thing with PayPal. They can delete anything they want to on their side, but we're more concerned with our own retention. (If we ever did offer ads, we'd make this an opt-out thing, anyways).

Quote
The government puts things in place so that users' rights are covered - because a large amount of this continent knows in living memory what living in a surveillance state looks like and takes privacy very seriously. The right to deletion is simply to protect user personal data - if you can prove a suitable case for not deleting it, that's fine. For example in my day job I work with universities who are somewhat freaking out about the GDPR right now, because they're trying to reconcile right to deletion with the fact that they have to keep records of learning for years.
The question is what constitutes an acceptable right, who makes that determination, and what happens when an acceptable right to a company is declared unacceptable by the EU?

Quote
As for 'it shouldn't have been posted publicly in the first place', you've never done anything that you've regretted, ever, online? You've never made a mistake in your life, ever? Also, I'm guessing you've never had to deal with identity theft either on a simple level like someone just pretending to be you on a forum, or having your life turned upside down by your entire identity being compromised. THAT is why this is important.
I edited that part of my post because it sounded way worse than I intended it to be/completely different from what I meant.
Quote
I care more about being legally mandated by a government to delete data that's not being sold off for commercial gain. We care very much about internal data privacy, and go well above and beyond to protect the data that's internal to us. We also will redact (but keep the post) any kind of personal info (names, city, state) posted by mistake when a user asks us nicely. In the cases of accidentally posted highly-sensitive personal info, we always delete this stuff even if the user doesn't ask us to. However, we always retain accounts, logs, IP addresses, e-mail addresses, etc for moderation and administrative purposes. This is where we drew the line. Things that are distributed to us internally (ie, e-mail address, birthdate, age) shouldn't have been given to us in the first place if they didn't want us to have it.

Arantor

Quote
In that case, it's on the user to not use our site.

Good luck telling the authorities that.

Quote
The question is what constitutes an acceptable right, who makes that determination, and what happens when an acceptable right to a company is declared unacceptable by the EU?

Oh, you, assuming the EU has this figured out :P It doesn't. The law as worded basically puts the onus on data controllers to make a judgement call as to what they collect, whether they collect sufficient data to carry out their purposes or not, whether they should cut back on what they have, and what they do with it. This needs to be communicated to people so they can make an informed decision as to whether they want to use the service or not.

In terms of what is acceptable, it's a really fine line. My current thinking - and one that seems to be vaguely backed up by the authorities here, as non-committal as they always are about any of this - is that accounts and account data should all be purged if a user asks for it to be purged, but posts should not (because posts are a collaborative work)... unless that post has something in it that is personally identifiable.

The remnants of a deleted account should not include the username as originally posted with but all be reverted to a generic 'Guest' post or similar, because even that could potentially be used to identify someone (as it potentially includes the ability to glue data together, see under pseudonymisation).

The reality is that this is a nightmare of compliance, and I can fully see why you don't want to bother with it. However unfortunately some of us are stuck with it. And I don't want to let you believe you're as immune to it as you might not actually be...

The problem with the 'if they didn't want us to have it' is that people make mistakes of judgement and then it bites them later on without them realising it. Which is why this is a thing in the first place, it's all about being able to do something to try to fix a mistake you made rather than it going on forever more.

Broadly your comment there is actually reasonably in line with the intent of the law, with the part about retaining account info. You can certainly put forward the case that you retain it for moderation and administrative purposes (you'd have to give a list of what these are, but being able to prevent bans is certainly a valid case) - though having some kind of expiry on this would be a good idea because keeping the data forever on the off chance it might ever be useful is not such a valid case: they're quite big on 'once you don't need it any more, don't keep it'.

The problem is that none of this is set out in actual law, and we won't know what's truly considered acceptable until someone actually falls foul of it. But there is certainly a decent amount of precedent with existing data protection laws to have some idea of what is acceptable and the simple case of making a good faith effort goes a long way. The really big scary stuff (where the much discussed 4% of global revenue or €20M whichever is higher fine) is only really an issue if you have a data breach and/or (probably and) are wildly and flagrantly abusing the personal data you have.

If you remove data when the user asks you to - and remember, it's only for *information that could be used to identify a person* that needs to be purged, and you state what you keep and why, you're almost certainly in the clear if the terms of what you keep are 'reasonable'... whatever that means.

The guidance I have so far is that if you keep moderation type stuff (IPs, emails etc.) for 6 months for ban purposes and see no ban activity, it's probably safe to remove that, because at that point your troublemaker is unlikely to return and you've no real reason to keep the data any more. (If they kept coming back, you'd be able to demonstrate that you still need to keep the data because they broke your T&Cs etc.)

Of course, I'm not a lawyer, this is just my interpretation of it and what I plan to do for implementation going forward...
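One way to act on an erasure request along the lines this post describes, as an added example (not SMF's own code and not from the poster): it reattributes the departed member's posts to a generic guest, scrubs the per-post email and IP copies, keeps only a minimal ban record, and expires that record after the suggested six months of no ban activity. The SMF-like field names, the guest id of 0, the 'Guest' placeholder and the sample records are assumptions for illustration.

```python
import copy
from datetime import datetime, timedelta

GUEST_NAME = "Guest"                 # generic attribution for departed members
BAN_RETENTION = timedelta(days=183)  # roughly six months, as the post suggests

# Constructed sample records; field names are SMF-like but assumed, not SMF's schema.
MEMBERS = [
    {"id": 7, "name": "Jane Example", "email": "jane@example.invalid", "ip": "192.0.2.10",
     "banned": True, "last_ban_activity": datetime(2017, 11, 1)},
    {"id": 8, "name": "Bob Example", "email": "bob@example.invalid", "ip": "192.0.2.11",
     "banned": False, "last_ban_activity": None},
]
POSTS = [
    {"id": 1, "member_id": 7, "poster_name": "Jane Example", "poster_email": "jane@example.invalid",
     "poster_ip": "192.0.2.10", "body": "Which tent is best for winter camping?"},
    {"id": 2, "member_id": 8, "poster_name": "Bob Example", "poster_email": "bob@example.invalid",
     "poster_ip": "192.0.2.11", "body": "The four-season one, if you can carry it."},
]


def erase_member(members, posts, member_id):
    """Drop the account, reattribute its posts to a generic guest and scrub the
    per-post email/IP copies. Bodies stay: the thread is a collaborative work, and
    identifiable text inside a body is redacted separately. Returns the minimal
    ban record to retain for moderation (IP and last activity only), or None."""
    member = next(m for m in members if m["id"] == member_id)
    for post in posts:
        if post["member_id"] == member_id:
            post["member_id"] = 0  # 0 = guest, assumed here
            post["poster_name"] = GUEST_NAME
            post["poster_email"] = post["poster_ip"] = ""
    members.remove(member)
    if member["banned"]:
        return {"ip": member["ip"], "last_activity": member["last_ban_activity"]}
    return None


def expire_ban_records(ban_records, now):
    """Retention sweep: drop ban records with no activity inside the window."""
    return [b for b in ban_records if now - b["last_activity"] <= BAN_RETENTION]


def traces_of(members, posts, ban_records, name, email, ip):
    """Audit which records still hold a departed member's identifiers."""
    hits = [f"member:{m['id']}" for m in members
            if name == m["name"] or email == m["email"] or ip == m["ip"]]
    hits += [f"post:{p['id']}" for p in posts
             if name == p["poster_name"] or email == p["poster_email"] or ip == p["poster_ip"]]
    hits += [f"ban:{b['ip']}" for b in ban_records if ip == b["ip"]]
    return hits


def demo():
    """Erase the banned member, audit, then run the sweep seven months later."""
    members, posts = copy.deepcopy(MEMBERS), copy.deepcopy(POSTS)
    bans = [r for r in [erase_member(members, posts, 7)] if r]
    jane = ("Jane Example", "jane@example.invalid", "192.0.2.10")
    right_after = traces_of(members, posts, bans, *jane)
    bans = expire_ban_records(bans, datetime(2018, 6, 1))
    after_sweep = traces_of(members, posts, bans, *jane)
    return {"guest_name": posts[0]["poster_name"], "body_kept": posts[0]["body"],
            "right_after": right_after, "after_sweep": after_sweep}
```

Straight after erasure the audit still finds the IP in the retained ban record, which is the deliberate exception; after the retention sweep nothing identifying the member remains while the post body is untouched.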

lax.slash

Quote from: Arantor on November 24, 2017, 12:37:10 PM
Good luck telling the authorities that.
It's a matter of free-will/reading what you click on/etc/etc.

Quote
Broadly your comment there is actually reasonably in line with the intent of the law, with the part about retaining account info. You can certainly put forward the case that you retain it for moderation and administrative purposes (you'd have to give a list of what these are, but being able to prevent bans is certainly a valid case) - though having some kind of expiry on this would be a good idea because keeping the data forever on the off chance it might ever be useful is not such a valid case: they're quite big on 'once you don't need it any more, don't keep it'.
Expiry isn't something we'd do, nor have we ever done any form of expiry. We have had cases before similar to what you described, where an individual comes back a year or more later, only to cause more trouble.

Quote
The problem is that none of this is set out in actual law, and we won't know what's truly considered acceptable until someone actually falls foul of it.
That in itself presents another problem with the law, and is scary in itself. Something where a fine in the millions is threatened should be laid out more clearly.

Quote
But there is certainly a decent amount of precedent with existing data protection laws to have some idea of what is acceptable and the simple case of making a good faith effort goes a long way. The really big scary stuff (where the much discussed 4% of global revenue or €20M whichever is higher fine) is only really an issue if you have a data breach and/or (probably and) are wildly and flagrantly abusing the personal data you have.
I'm on the fence in regards to data breaches/the punishments set out by this law. If a company is breached, there's a lot more factors that should go into even determining to what extent the company should be held legally responsible, or even if at all. Ie, was it a known security issue that was irresponsibly ignored by the company, was it a breach caused by someone that's internal to the company, etc. We actually do have some similar stuff in the states here for breaches, but it's a lot more conditional than EU law seems to be.

Quote
Of course, I'm not a lawyer, this is just my interpretation of it and what I plan to do for implementation going forward...
Of course. I've seen about 500 interpretations of this law online and all across services, including some from lawyers that don't have a clue either. I'll probably see a lot more by the time this goes into effect (still maintaining hope for those that run websites in the EU that this is somewhat nerfed by then).

I did some research on Privacy Shield and what it actually is. It turns out it's a completely voluntary thing that's offered by the DOC to companies. There's no requirement/obligation to participate in it. The only legal requirement for those that don't participate in it is for those that don't to not say they do. For communities/organizations that don't fall under the DOC, or that don't participate in the privacy shield, it appears there's nothing to worry about at all with it. It's only mandated by the DOT for international air carriers and travel agencies.