
Author Topic: SMF & GDPR Personally Identifiable Information  (Read 7631 times)

Offline petewadey

  • Jr. Member
  • **
  • Posts: 121
Re: SMF & GDPR Personally Identifiable Information
« Reply #100 on: May 12, 2018, 06:19:52 AM »
I'm very curious why this forum hasn't done anything about GDPR yet? As it holds the same personal data as mine or anyone else's Simple Machines Forum?

we are in the process of consulting a lawyer for what we need to do.

Thanks. I will wait and see the outcome.

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #101 on: May 12, 2018, 06:13:40 PM »
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?

Online Bigguy

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,510
  • Gender: Male
  • Be nice, or else....
    • smfbigguy on GitHub
    • Whats Ur Beef
Re: SMF & GDPR Personally Identifiable Information
« Reply #102 on: May 12, 2018, 10:16:45 PM »
I have over 1000 posts on my site. When I try to download my content I get this error:
Quote
More than 1000 messages in selected range please make your range smaller to export
If I make the range smaller how do I download ALL my data. ??? An error comes with this:
Code: [Select]
Invalid argument supplied for foreach()Profile.template.php Line 1473
I am sorry if this post is in the wrong place. If it needs to be moved that's cool.

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,985
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: SMF & GDPR Personally Identifiable Information
« Reply #103 on: May 12, 2018, 10:25:08 PM »
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

I have over 1000 posts on my site. When I try to download my content I get this error:
Quote
More than 1000 messages in selected range please make your range smaller to export
If I make the range smaller how do I download ALL my data. ??? An error comes with this:
Code: [Select]
Invalid argument supplied for foreach()Profile.template.php Line 1473
I am sorry if this post is in the wrong place. If it needs to be moved that's cool.
So you would do in portions with a start and end index.
If the forum has 100k messages and you posted 2000 times. I would try first a start index of 1 and end index of 50000 then repeat for the second part a start index of 50000 and end index of 100000
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Online Bigguy

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,510
  • Gender: Male
  • Be nice, or else....
    • smfbigguy on GitHub
    • Whats Ur Beef
Re: SMF & GDPR Personally Identifiable Information
« Reply #104 on: May 13, 2018, 12:04:31 AM »
I'll give that a shot, thanks. :)

Offline petewadey

  • Jr. Member
  • **
  • Posts: 121
Re: SMF & GDPR Personally Identifiable Information
« Reply #105 on: May 13, 2018, 04:00:19 AM »
Has the GDPR Helper unticked members "Allow users to email me" by default, or has that always been the case? It makes sense if it does.

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #106 on: May 13, 2018, 04:47:19 AM »
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

Sorry to be thick, but where would this record be, should we be asked for it?

Offline @rjen

  • Jr. Member
  • **
  • Posts: 236
  • Gender: Male
    • FJR-club Nederland
Re: SMF & GDPR Personally Identifiable Information
« Reply #107 on: May 13, 2018, 06:25:08 AM »
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

Sorry to be thick, but where would this record be, should we be asked for it?

See this reply: https://www.simplemachines.org/community/index.php?topic=559841.msg3970969#msg3970969

But getting at the data now requires a query in PHP admin.
It would be nice to have a list of this data present in the admin menu as well, for easy access should this be requested in future...
Running SMF 2.0 with Tinyportal 1.5.0 at www.fjr-club.nl
Testing SMF 2.1 beta 4 with Tinyportal 2.0 at http://test2.fjr-club.nl/

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #108 on: May 13, 2018, 06:45:50 AM »
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

Sorry to be thick, but where would this record be, should we be asked for it?

See this reply: https://www.simplemachines.org/community/index.php?topic=559841.msg3970969#msg3970969

But getting at the data now requires a query in PHP admin.
It would be nice to have a list of this data present in the admin menu as well, for easy access should this be requested in future...

Thanks, I missed that.  I agree, it would be good to have this available in the Admin Control Panel. 

Offline jppialasse

  • Newbie
  • *
  • Posts: 4
Re: SMF & GDPR Personally Identifiable Information
« Reply #109 on: May 14, 2018, 12:01:02 PM »
PDF, I'm not even sure if you can make a machine interpret the content normally?
In which case, I wonder if PDF is even an acceptable interchangeable format and would be more inclined to say it'd have to be something like CSV.

Yes, I saw that and it's great work. But if the member wants to stay active, I would like to be able deleting the IP on older topics. Especially on those, where the member already have been deleted.

Maybe I understand wrong, but if a member wants to stay active, that means they keep giving you their consent.
In which case, I don't think they have the right to selectively ask you to "forget" things. You can't demand to only selectively give consent for an agreement. It's an all or nothing scenario, either you give consent or you retract consent; they can't demand "I give you consent for section A to E but not for sections F to K" - that's not how it works. That means everyone could potentially get a tailored agreement, that'd be disastrous.

Moreover, collecting IP's of active users is a genuine processing case to keep track of spam and account changes...

Sorry for the late answer to this post in the thread, but an option to delete IP, from ALL posts, after a certain amount of time is a legitimate option, even before GDPR.

If you take the situation in France, you can and even have to collect IP as a provider of services and keep them up to one year. After that you have to anonymize the IP (for reference: "La loi du 21 juin 2004 pour la confiance dans l'économie numérique et le décret du 25 février 2011"). Also with the GDPR, there is an emphasis on the fact that data has to be kept for the time it is useful for its initial purpose.

So I am ok with the fact that the ip are used to fight against SPAM, but what about an IP logged 12 years ago? What is its purpose today? Knowing that the user was in Barbados in July 2006 is a little intrusive, isn't it? The geoiplookup might even not be accurate with possible changes.

In other words we do not have a legitimate reason to keep them as SMF currently do and it should be purged after X months ( have to be set depending on your local legislation)

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #110 on: May 14, 2018, 12:21:04 PM »
PDF, I'm not even sure if you can make a machine interpret the content normally?
In which case, I wonder if PDF is even an acceptable interchangeable format and would be more inclined to say it'd have to be something like CSV.

Yes, I saw that and it's great work. But if the member wants to stay active, I would like to be able deleting the IP on older topics. Especially on those, where the member already have been deleted.

Maybe I understand wrong, but if a member wants to stay active, that means they keep giving you their consent.
In which case, I don't think they have the right to selectively ask you to "forget" things. You can't demand to only selectively give consent for an agreement. It's an all or nothing scenario, either you give consent or you retract consent; they can't demand "I give you consent for section A to E but not for sections F to K" - that's not how it works. That means everyone could potentially get a tailored agreement, that'd be disastrous.

Moreover, collecting IP's of active users is a genuine processing case to keep track of spam and account changes...

Sorry for the late answer to this post in the thread, but an option to delete IP, from ALL posts, after a certain amount of time is a legitimate option, even before GDPR.

If you take the situation in France, you can and even have to collect IP as a provider of services and keep them up to one year. After that you have to anonymize the IP (for reference: "La loi du 21 juin 2004 pour la confiance dans l'économie numérique et le décret du 25 février 2011"). Also with the GDPR, there is an emphasis on the fact that data has to be kept for the time it is useful for its initial purpose.

So I am ok with the fact that the ip are used to fight against SPAM, but what about an IP logged 12 years ago? What is its purpose today? Knowing that the user was in Barbados in July 2006 is a little intrusive, isn't it? The geoiplookup might even not be accurate with possible changes.

In other words we do not have a legitimate reason to keep them as SMF currently do and it should be purged after X months ( have to be set depending on your local legislation)

Does it have any bearing that only Admins can see IPs?  Also, I've been with my ISP for 11 years, and have always had the same fixed IP address, so it's quite possible that older IPs could still be attached to a current user.  The only way around this that I can see would be to delete all users who haven't logged in for a given period of time.  But, at the moment the legislation surrounding forums is quite woolly, so I'm not about to start deleting swathes of members, until I know that I have to.

Offline jppialasse

  • Newbie
  • *
  • Posts: 4
Re: SMF & GDPR Personally Identifiable Information
« Reply #111 on: May 14, 2018, 02:39:14 PM »

Does it have any bearing that only Admins can see IPs?  Also, I've been with my ISP for 11 years, and have always had the same fixed IP address, so it's quite possible that older IPs could still be attached to a current user.  The only way around this that I can see would be to delete all users who haven't logged in for a given period of time.  But, at the moment the legislation surrounding forums is quite woolly, so I'm not about to start deleting swathes of members, until I know that I have to.
It is still an issue as you shall not keep data for longer than they are intended to be used.

The easy solution I see, is for all posts older than X months/years, replace the ip by 127.0.0.1 or another local loop IP in  smf_members and smf_messages  and for all elements also older than this amount of time   just flush the lines from  smf_log_errors smf_log_floodcontrol
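
The scrub proposed in Reply #111, written out as MySQL. This is an added example, not code from the thread or from SMF. It assumes the default `smf_` table prefix, stock SMF 2.0 column names (`poster_ip`, `poster_time`, `member_ip`, `member_ip2`, `last_login`, `date_registered`, `ip`, `log_time`) with IPs stored as text, and an illustrative 12-month retention period.

```sql
-- Added example: IP retention scrub for a stock SMF 2.0 database (MySQL).
-- Assumptions: smf_ prefix, SMF 2.0 column names, IPs stored as text,
-- timestamps stored as Unix epoch integers. Confirm with DESCRIBE before
-- running, and take a full backup: on MyISAM tables the transaction
-- below will NOT roll back.

-- Retention period is a placeholder; set it per your local legislation.
SET @cutoff := UNIX_TIMESTAMP(NOW() - INTERVAL 12 MONTH);
SET @scrubbed := '127.0.0.1';   -- loopback marker suggested in the thread

-- 1. Dry run: how many rows would each step touch?
SELECT
  (SELECT COUNT(*) FROM smf_messages
     WHERE poster_time < @cutoff AND poster_ip <> @scrubbed)  AS posts,
  (SELECT COUNT(*) FROM smf_members
     WHERE GREATEST(last_login, date_registered) < @cutoff
       AND (member_ip <> @scrubbed OR member_ip2 <> @scrubbed)) AS members,
  (SELECT COUNT(*) FROM smf_log_errors
     WHERE log_time < @cutoff)                                AS error_rows,
  (SELECT COUNT(*) FROM smf_log_floodcontrol
     WHERE log_time < @cutoff)                                AS flood_rows;

START TRANSACTION;

-- 2. Posts older than the cutoff: overwrite the stored poster IP.
UPDATE smf_messages
   SET poster_ip = @scrubbed
 WHERE poster_time < @cutoff
   AND poster_ip <> @scrubbed;

-- 3. Members with no activity since the cutoff. last_login is 0 for
--    accounts that never logged in, so fall back to date_registered.
--    Active members keep their current IP for ban and spam handling.
UPDATE smf_members
   SET member_ip = @scrubbed, member_ip2 = @scrubbed
 WHERE GREATEST(last_login, date_registered) < @cutoff
   AND (member_ip <> @scrubbed OR member_ip2 <> @scrubbed);

-- 4. Log tables: delete old rows outright rather than rewriting them.
DELETE FROM smf_log_errors       WHERE log_time < @cutoff;
DELETE FROM smf_log_floodcontrol WHERE log_time < @cutoff;

COMMIT;

-- 5. Verify: no unscrubbed post IPs should remain past the cutoff.
SELECT COUNT(*) AS remaining
  FROM smf_messages
 WHERE poster_time < @cutoff AND poster_ip <> @scrubbed;
```

Running this on a schedule (cron plus the `mysql` client) keeps the retention window rolling; mods that add their own IP columns or log tables are not covered and need their own statements.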

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,985
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: SMF & GDPR Personally Identifiable Information
« Reply #112 on: May 14, 2018, 02:43:52 PM »
What is the time period for that intended use? I would argue at times it could be a long time if you have ever encountered a legal issue.

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #113 on: May 14, 2018, 02:58:36 PM »
It would be difficult to define a period of use.  If someone joins a forum, seeing as that's what we're talking about here, it's not usually stipulated how long they will be a member for, therefore the 'period of use' can only be determined as indefinite, or until the member closes their account. 

I guess it could be argued that any members who don't re-consent could be considered no longer active members, but it's all ifs buts and maybes.  My understanding is that data does not have to be deleted unless there is a request to do so.  So, who is to decide whether and when to delete a member through inactivity?

Also, what happens in the event of a deceased member?  They obviously can't request that their account and data is deleted, so should forum owners take that decision upon themselves?

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,075
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #114 on: May 14, 2018, 03:48:21 PM »
I disagree with your contention, jppialasse - and I would disagree with the removal of IP being a standard feature in SMF.

The GDPR allows the user to request the removal when the account is deleted.... other than that... nope, it stays!
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline petb

  • Semi-Newbie
  • *
  • Posts: 67
Re: SMF & GDPR Personally Identifiable Information
« Reply #115 on: May 14, 2018, 04:04:55 PM »
........... as you shall not keep data for longer than they are intended to be used.
I agree with this point.
The EU requires the data to be deleted as soon as they are no longer needed to fulfill the service.
The EU generally says that only data may be stored which are essential for the service to be granted.
Since the IP address for the operation of the forum is not mandatory (?) It should not be stored at all.
Why does the forum need the IP?
There is no legal obligation to keep an IP.

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,985
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: SMF & GDPR Personally Identifiable Information
« Reply #116 on: May 14, 2018, 04:09:11 PM »
I disagree there is a legal need to keep an ip address if someone posts/uploads something. You  will need to turn off over some information.

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #117 on: May 14, 2018, 04:12:15 PM »
........... as you shall not keep data for longer than they are intended to be used.
I agree with this point.
The EU requires the data to be deleted as soon as they are no longer needed to fulfill the service.
The EU generally says that only data may be stored which are essential for the service to be granted.
Since the IP address for the operation of the forum is not mandatory (?) It should not be stored at all.
Why does the forum need the IP?

Every website uses an IP address to connect to the user.  IP addresses are essential on forums to manage bans, guard against spammers / hackers, and in case there is a legal request for information.

Offline petb

  • Semi-Newbie
  • *
  • Posts: 67
Re: SMF & GDPR Personally Identifiable Information
« Reply #118 on: May 14, 2018, 04:21:21 PM »
There is no obligation to collect data to make it easier for criminal authorities to identify disturbers.
Because that would put any user under criminal suspicion, which may not be synonymous.

For a long time, there have been initiatives that investigate exactly storing the IP addresses as illegal.
Why else were there e.g. the Telekom allowed only a storage time of 80 days?
Only because they were granted that they are needed for 80 days for settlements or their complaint by the participant, as proof of the settlement.

There have been many discussions that the IP is just not needed for flatrates. Etc. etc..
And the whole thing is exacerbated by the GDPR now.

........... as you shall not keep data for longer than they are intended to be used.
I agree with this point.
The EU requires the data to be deleted as soon as they are no longer needed to fulfill the service.
The EU generally says that only data may be stored which are essential for the service to be granted.
Since the IP address for the operation of the forum is not mandatory (?) It should not be stored at all.
Why does the forum need the IP?

Every website uses an IP address to connect to the user.  IP addresses are essential on forums to manage bans, guard against spammers / hackers, and in case there is a legal request for information.
If this is listed as a reason, then it is worth considering which law is rated higher.
The right to your own data or the possible defense against interferers?
Since it is clear what a judge will say, "the potential risk of possible interference weighs less"
And to ward off interferers hackers, etc., the IP may indeed be saved!
But just "not burdensome long" in a post by a user.
And that's the point here.

It is not necessary to save the IP for the post of a user.
If it interferes, the user account can be locked.
No IP storage is necessary for this.

Storing the IP detached from the user name to prevent further interference via firewalls, access lists, etc. is another matter.
The context of storage is important.

Offline Si6776

  • Jr. Member
  • **
  • Posts: 173
Re: SMF & GDPR Personally Identifiable Information
« Reply #119 on: May 14, 2018, 04:28:34 PM »
So, how are dynamic IP addresses dealt with?  And how do you deal with users who, like myself, access the forum from different locations, and therefore, have different IP addresses all the time?