Author Topic: SMF & GDPR Personally Identifiable Information  (Read 18192 times)

Offline Si6776

  • Jr. Member
  • **
  • Posts: 184
Re: SMF & GDPR Personally Identifiable Information
« Reply #120 on: May 14, 2018, 04:32:06 PM »
The law has to be 'reasonable', and if it states that a person can request to have their data removed, then we obviously would comply with that request, and all of their personal data, including IP address, would be removed from posts.  But if they don't request it, then I don't see why it should be removed, unless there is a specific timeframe legislated for 'orphaned' data removal.

Offline petb

  • Semi-Newbie
  • *
  • Posts: 98
Re: SMF & GDPR Personally Identifiable Information
« Reply #121 on: May 14, 2018, 05:17:34 PM »
So, how are dynamic IP addresses dealt with?  And how do you deal with users who, like myself, access the forum from different locations, and therefore, have different IP addresses all the time?
Yes, this makes it difficult for prosecution, so it is also not sure that the IP is always sufficient for identification and that is also a reason why it should not be saved for a post.


Quote
The law has to be 'reasonable', and if it states that a person can request to have their data removed, then we obviously would comply with that request, and all of their personal data, including IP address, would be removed from posts.  But if they don't request it, then I don't see why it should be removed, unless there is a specific timeframe legislated for 'orphaned' data removal.
If even a player as big as Telekom can not store IP addresses forever, why should a forum operator be allowed to do so?
Always provided the storage is not mandatory, e.g. at a pay system to create bills, etc. And even then the operator can be expected to make his billing so timely that the IP addresses are deleted in a reasonable time.

Initiatives against the storage of IP addresses have been illuminating the issue for years and I can not reproduce everything that they cite.
But I see that their comments by the DSGVO get more substance.

To put it bluntly, I find that all very stupid, but it is how it comes.

Offline Si6776

  • Jr. Member
  • **
  • Posts: 184
Re: SMF & GDPR Personally Identifiable Information
« Reply #122 on: May 14, 2018, 05:36:17 PM »
I'd further dispute whether an IP address can be seen in law as 'personally identifiable information'.  All it indicates is the device that the post came from.  That doesn't explicitly identify the person who operated the said device at any given time.

Offline hugbear

  • Semi-Newbie
  • *
  • Posts: 28
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #123 on: May 14, 2018, 08:15:27 PM »
IMHO the IP is NOT Personally Identifiable Information since a forum owner has no legal means to compel the user's ISP to provide the identity of the user.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,494
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #124 on: May 14, 2018, 08:20:31 PM »
and I disagree with your contention, Petb... The IP address is required information for all users. It gets stored for as long as you are a user. period. end of story....  I disagree with any contention that it should or must be deleted unless the account itself is deleted


However, hugbear and si6776 -- the GDPR does actually set out the IP as considered PII.

Just makes it more clear that the politicians are complete idiots

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Ben_S

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 11,707
  • xxx
Re: SMF & GDPR Personally Identifiable Information
« Reply #125 on: May 16, 2018, 07:53:12 AM »
Quote
I'd further dispute whether an IP address can be seen in law as 'personally identifiable information'.  All it indicates is the device that the post came from.  That doesn't explicitly identify the person who operated the said device at any given time.

You can dispute it all you like, but it doesn't change the fact it has been ruled as personal data in court - https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases.

GDPR is quite clear that an IP address should be considered as personal data.
Liverpool FC Forum with 14 million+ posts.

Offline hugbear

  • Semi-Newbie
  • *
  • Posts: 28
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #126 on: May 16, 2018, 10:48:54 AM »
Quote
[IP] has been ruled as personal data in court
That paper states quite clearly that the court has ruled that IP is PII in some cases, like when the operator has access to both the IP and the ID of the user (i.e. ISPs). On the other hand, on forum that has no way of getting both information, IP is not considered PII:
Quote
Where a piece of information (such as an IP address) does not directly identify a person, that piece of information will nevertheless be personal data in the hands of any party that can lawfully obtain sufficient additional data to link the information to a person's real world identity.
On the other hand, that same piece of information will not be personal data in the hands of a party that has no legal means of obtaining sufficient additional data to make such a link.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,494
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #127 on: May 16, 2018, 10:54:09 AM »
unless, like most people, they have used their ISP account name as their email address or even as their forum account name -- in which case, the IP, in combination with those is now PII.


So - unless you have some way to check whether a user has used their ISP account name when they signed up or for their email address, you must ASSUME that the IP is part of the PII

Offline Si6776

  • Jr. Member
  • **
  • Posts: 184
Re: SMF & GDPR Personally Identifiable Information
« Reply #128 on: May 16, 2018, 11:08:42 AM »
Essentially though, the IP is required to administer the user's forum account, so unless a user requests an account deletion, forums have a legal basis for storing IP addresses, don't they?  There doesn't seem to be anything specific about the length of time data can be stored, as yet.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,494
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #129 on: May 16, 2018, 11:24:37 AM »
exactly...

when the account is requested to be deleted, we have to remove the username, email address and IP address.
We can keep the posts.

Until the account deletion request is submitted, though, we can keep IP for as long as the forum runs. There is no hard time period and anyone who argues that we don't need the IP after X period can go pound sand.

Offline hugbear

  • Semi-Newbie
  • *
  • Posts: 28
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #130 on: May 16, 2018, 01:03:41 PM »
Quote
they have used their ISP account name as their email address or even as their forum account name
I don't quite get it. However, my „getting it” bears no relevance to this:

Say a user decides to willingly identify himself to the public by entering revealing personal info into various fields (username, profile fields, public posts etc.). In this case, the IP is clearly linked to his real-life identity, but those pieces of information are already in the open. As you pointed out, in this case the IP is required for the proper function of the forum, so - no deletion.

At some point though, this user requests that his account be deleted and points out all the personal info to be removed. After the admin conforms to his request and his account becomes anonymized,  all links between his IP(s)  and his RL ID will have been severed! Therefore, deletion of IPs becomes pointless.  :)

Offline Si6776

  • Jr. Member
  • **
  • Posts: 184
Re: SMF & GDPR Personally Identifiable Information
« Reply #131 on: May 16, 2018, 01:09:04 PM »
Quote
At some point though, this user requests that his account be deleted and points out all the personal info to be removed. After the admin conforms to his request and his account becomes anonymized,  all links between his IP(s)  and his RL ID will have been severed! Therefore, deletion of IPs becomes pointless.

In that case, so would keeping it.  :)

Offline hugbear

  • Semi-Newbie
  • *
  • Posts: 28
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #132 on: May 16, 2018, 01:21:45 PM »
Not quite. Maybe the forum owner, his helpers, members of the forum or guest can no longer ID him. But law enforcing agencies, with the proper lawful authorisation, can correlate the IP/timestamp with information from the ISP to build evidence.

However, that's beside the point. The point is that after anonymization, the IP ceases to be PII. Therefore there's no longer any reason for its deletion to be enforced.

Offline jppialasse

  • Newbie
  • *
  • Posts: 4
Re: SMF & GDPR Personally Identifiable Information
« Reply #133 on: May 16, 2018, 03:41:22 PM »
What is the time period for that intended use? I would argue at times it could be a long time if you have ever encountered a legal issue.

For IP in France this is one year according to the local regulation. The current situation makes it difficult for a person to ask for the information, and penalties were difficult to enforce and fees were small. With enforcement of GDPR, there are chances this will be more frequent, and the fees are really higher.

Driving for 10 years 50 km/h higher than the limit without being fined is not a proof you can keep on driving fast. The longer you do it wrong the higher the chances you get caught.

This is one year in France but maybe some other countries have no regulation or ask for 24 months or anything else. So this could be just an option to enforce with an amount of time to be set. So if the option is present it is up to the admin to enable it according to his local regulation.

Offline jppialasse

  • Newbie
  • *
  • Posts: 4
Re: SMF & GDPR Personally Identifiable Information
« Reply #134 on: May 16, 2018, 03:45:40 PM »
Quote
I disagree with your contention, jppialasse - and I would disagree with the removal of IP being a standard feature in SMF.

The GDPR allows the user to request the removal when the account is deleted.... other than that... nope, it stays!

You can disagree with me, but the regulation states you can not keep the IP for more than one year if you are in France. This is whether the user is still a member, or opts out. With GDPR enforced, we have to give the user all personal data we have about him, so he will know that we have IP for more than one year, again still in France. Other countries may or may not have regulation on IP conservation.

I do not speak of making deletion of IP a standard feature of SMF enforced by default, I speak about adding the option to comply with local regulation. With his GDPR add on, this could be a great opportunity.
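
The two behaviours argued over in the replies above (an opt-in IP retention period set by the admin, and erasing username, e-mail and IP on account deletion while keeping the posts), as an added example that is not part of any poster's message and is not code from SMF or the GDPR mod. The table layout, column names and function names are hypothetical and simplified, and the rows are constructed sample data.

```python
import sqlite3

DAY = 86400  # seconds

def make_db():
    # Constructed sample data in a simplified, hypothetical schema (not SMF's own).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ip TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, member_id INTEGER, poster_name TEXT,
                            poster_ip TEXT, posted_at INTEGER, body TEXT);
    """)
    now = 1_526_500_000  # fixed "current time" so the example is reproducible
    db.executemany("INSERT INTO members VALUES (?,?,?,?)", [
        (1, "alice", "alice@example.org", "192.0.2.10"),
        (2, "bob", "bob@example.org", "198.51.100.7"),
    ])
    db.executemany("INSERT INTO posts VALUES (?,?,?,?,?,?)", [
        (1, 1, "alice", "192.0.2.10", now - 400 * DAY, "old post"),
        (2, 1, "alice", "192.0.2.11", now - 30 * DAY, "recent post"),
        (3, 2, "bob", "198.51.100.7", now - 500 * DAY, "older post"),
    ])
    db.commit()
    return db, now

def purge_old_ips(db, now, retention_days):
    """Blank the stored IP on posts older than the retention period.

    retention_days <= 0 means the option is switched off and nothing changes.
    Returns the number of posts whose IP was cleared.
    """
    if retention_days <= 0:
        return 0
    cutoff = now - retention_days * DAY
    with db:  # one transaction: commit on success, roll back on error
        cur = db.execute(
            "UPDATE posts SET poster_ip = '' WHERE poster_ip <> '' AND posted_at < ?",
            (cutoff,))
    return cur.rowcount

def erase_account(db, member_id):
    """Account deletion: drop username, e-mail and IPs, keep the post bodies."""
    with db:
        db.execute(
            "UPDATE posts SET member_id = 0, poster_name = 'Deleted member', "
            "poster_ip = '' WHERE member_id = ?", (member_id,))
        db.execute("DELETE FROM members WHERE id = ?", (member_id,))

if __name__ == "__main__":
    db, now = make_db()
    print("IPs cleared by retention job:", purge_old_ips(db, now, 365))
    erase_account(db, 1)
    print(db.execute("SELECT id, poster_name, poster_ip, body FROM posts").fetchall())
```

Run on a schedule, the purge is idempotent: a second pass over the same rows clears nothing further.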

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,494
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #135 on: May 16, 2018, 04:58:30 PM »
OK, how about this: I disagree with your interpretation of the regulation...


Offline kitz

  • Jr. Member
  • **
  • Posts: 116
    • kitz.co.uk
Re: SMF & GDPR Personally Identifiable Information
« Reply #136 on: May 16, 2018, 06:19:26 PM »
@vbgamer45

Thank you so much for this mod.   I've installed it this evening and one of the first things I notice is this on the footer.   
I presume this is because I'm using a template other than the default.   

Can anyone give me guidance please on the best way to fix this please?


Offline Bigguy

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,545
  • Gender: Male
  • Be nice, or else....
    • smfbigguy on GitHub
    • Whats Ur Beef
Re: SMF & GDPR Personally Identifiable Information
« Reply #137 on: May 16, 2018, 06:39:54 PM »
Could be just a css fix. (I think)

Offline kitz

  • Jr. Member
  • **
  • Posts: 116
    • kitz.co.uk
Re: SMF & GDPR Personally Identifiable Information
« Reply #138 on: May 16, 2018, 10:15:02 PM »
Quote
Could be just a css fix. (I think)

I have tried to look into this and sort it myself but really don't know what I am doing when it comes to modifications.  My forum is based on 'Core Theme' which is (or at least used to be) extremely popular.

From what I can see it's the insertion of <br> within a list which is causing the problem.  As soon as you enter a line break it all scrambles.

Code:
<div id="footerarea" class="headerpadding topmargin clearfix">
  <ul class="reset smalltext">
    <li class="copyright"> <span class="smalltext" style="display: inline; visibility: visible; font-family: Verdana, Arial, sans-serif;"><a href="https://forum.kitz.co.uk/index.php?action=credits" title="Simple Machines Forum" target="_blank" class="new_win">SMF 2.0.15</a> | <a href="http://www.simplemachines.org/about/smf/license.php" title="License" target="_blank" class="new_win">SMF &copy; 2017</a>, <a href="http://www.simplemachines.org" title="Simple Machines" target="_blank" class="new_win">Simple Machines</a><br />
      <a href="https://forum.kitz.co.uk/index.php?action=gpdr;sa=privacypolicy">Privacy Policy</a> </span></li>
    <li><a id="button_xhtml" href="http://validator.w3.org/check?uri=referer" target="_blank" class="new_win" title="Valid XHTML 1.0!"><span>XHTML</span></a></li>
    <li><a id="button_rss" href="https://forum.kitz.co.uk/index.php?action=.xml;type=rss" class="new_win"><span>RSS</span></a></li>
    <li class="last"><a id="button_wap2" href="https://forum.kitz.co.uk/index.php?wap2" class="new_win"><span>WAP2</span></a></li>
  </ul>
</div>

Like I say, I know nothing about mod packages, but would it not be more correct for the package to insert the privacy policy as a new list item <li> rather than just inserting a <br> which can have varying behaviour depending on browser type.

Something like:
Quote
Search for 'blahblah'
Replace with <li class="copyright"><a href="https://forum.kitz.co.uk/index.php?action=gpdr;sa=privacypolicy">Privacy Policy</a></li>
may work better for all forums not just those using the Curve Theme.

Apols if I'm barking up the wrong tree...  so after I've just tried to find out what's wrong..  now I still have no clue what I should be changing in my files or rather which files I should be editing.   
My concern is if I do a manual edit then it will complicate things if there is a future update to the GDPR mod and or I need to uninstall.  :(




« Last Edit: May 16, 2018, 10:34:27 PM by kitz »

Offline Conay

  • Semi-Newbie
  • *
  • Posts: 19
Re: SMF & GDPR Personally Identifiable Information
« Reply #139 on: May 16, 2018, 10:50:18 PM »
The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). Posts can be individually deleted, and can be deleted en masse. A full deletion requires a request being sent to the email above.

Your new ToS is excellent, but there seems to be a somewhat grey area around the removal of all posts should a member wish to delete their account.  If indeed, this is not a requirement, providing the member has been fully anonymised, would it be slightly misleading to say that posts can be deleted 'en masse', as how would you distinguish 'en masse'  from 'all posts'?  I would be inclined to remove the 'en masse' part, and add something along the lines of:

Quote
... In the case of a full deletion, please note that post content is not subject to the ‘right of erasure’. All posts from a deleted account will be anonymised so no trace will be left to the post author, however, any identifiable information in posts themselves won't be deleted.

How sure are we that post content isn't subject to the rights of erasure?

Thanks for this, I much prefer that phrasing. Admittedly my initial inclination was that I didn't actually mind users deleting all their posts, but having spoken to other admins the consensus appears to be against that.

Separately I've actually updated a huge part of the ToS having looked at a number of different companies and how they've approached it. IANAL so it's been quite a challenge figuring out what needs to be said in as few words as possible.