
SMF & GDPR Personally Identifiable Information

Started by kitz, April 11, 2018, 01:35:54 PM


SpacePhoenix

What would happen under GDPR if a user (not necessarily on a site running SMF) gets banned, then requests deletion under GDPR? Would that leave them free to create a new account and make it impossible to ban people who create multiple accounts?

Aleksi "Lex" Kilpinen

One small thing I'd like to mention here - the GDPR actually has a lot of stipulations to allow completely ignoring most of the demands set out in the GDPR. Like, you can keep any data legally collected to protect a legal interest of your own as long as the data is relevant and necessary to protect that legal interest. To protect a legal interest (such as securing the forum, technically making a service possible, gaining ad revenue, etc.) you are not required to get explicit consent, because in the GDPR consent and legal interests are 2 different justifications for keeping data. You are also not required to fulfill the data portability and accessibility parts of the GDPR if it would be technically unfeasible or require a disproportionate effort. Also the whole thing mostly applies to registered business entities, not so much private forum owners.

Or this is my understanding of the GDPR at the moment, after spending some time going through material from different sources, including the original text of the GDPR.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

kitz

Quote from: kitz on May 16, 2018, 10:15:02 PM
Quote from: Bigguy on May 16, 2018, 06:39:54 PM
Could be just a css fix. (I think)

I have tried to look into this and sort it myself but really don't know what I am doing when it comes to modifications.  My forum is based on 'Core Theme' which is (or at least used to be) extremely popular.

From what I can see it's the insertion of <br> within a list which is causing the problem.  As soon as you enter a line break it all scrambles.


OK, I've played around with the CSS and found an acceptable solution which fixes this.
In index.css, on or around line 1285, amend the code as follows:

#footerarea ul li.copyright
{
display: block;
font-size: small;
line-height: 1;
padding: 0em;
}

Hopefully this will help others who are also using Core based Themes.

Louis

Let me jump on the IP and mail addresses stored with posts once more...

Do these two fields (poster_email and poster_ip) serve any special purpose within SMF? Or could they just be omitted?
I would expect all spam protection etc. to take place before storage in the smf_messages table - and thus populating the fields should no longer be necessary. Esp. as messages seem to be linked to their author via the ID_member field....
It is your mind that creates this world (Buddha)

Conay

Quote from: SpacePhoenix on May 17, 2018, 01:31:18 AM
What would happen under GDPR if a user (not necessarily on a site running SMF) gets banned, then requests deletion under GDPR? Would that leave them free to create a new account and make it impossible to ban people who create multiple accounts?

I would argue they still have the right to deletion/being anonymised on their posts, however the forum would have the right to keep a record of email address, IP address and hostnames to keep the ban. You as a forum owner have a legitimate interest in maintaining this data. I include this (partially) in my forum's PP:

Quote: We have two principal bases for processing your data:

  • Consent: You are required to agree to terms and conditions prior to registering on the forum, which gives us explicit consent to process your data. You are also required to check a box to confirm you are happy with our privacy policy and our use of cookies.
  • Legitimate interest: For some data we collect, such as IP addresses and forum posts, we have a legitimate interest in collecting such data, including:

    • Providing a safe and enjoyable user experience, and
    • Protecting our users.

Louis

Quote from: vbgamer45 on May 02, 2018, 08:03:51 AM
Yes in the database there are fields in the smf_themes table
gpdr_policydate - privacy policy date
gpdr_agreementdate - member agreement date
Why is that in the themes table? Shouldn't it be part of smf_settings? After all, GDPR is valid independently from the current theme.

Even nicer would be to have it in the individual members record, something like a last_acceptance_privacy and last_acceptance_tos, perhaps even with Y/N result. Taking that a step further would open possibilities to restrict those users (who have not accepted the most recent policies) to the "export data" area and let them delete their forum account (or request deletion from a forum admin)....

vbgamer45

In the themes data since it is user member data. And it required no edits to database tables. The settings table would not work for this.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Si6776

I'm getting lots of emails from companies basically saying "this is our new privacy policy, but you don't have to do anything to carry on as you were". One of them was from my local authority, for which I do contract work. So, the email seems to imply that previous consent is enough to continue with consent, as long as there is an obvious option to remove consent. This is for newsletters, communications, etc.

Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?

Louis

Quote from: vbgamer45 on May 17, 2018, 08:03:17 AM
In the themes data since it is user member data. And it required no edits to database tables. The settings table would not work for this.
But it still results in new acceptance after a theme change as the user options are stored per user per theme. Probably not much to worry about.....
I'll keep it in the back of my head for a future wishlist ;)


Quote from: Si6776 on May 17, 2018, 08:08:56 AM
Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?
IIRC GDPR requires explicit proof of consent (actually as a documented opt-in) in case of disputes. I'm no lawyer so I cannot judge whether these "if you don't act upon this mail we assume you're fine with the new agreements" are really GDPR compliant - I have some doubts, but time will tell...

akalebic

So GDPR compliance is already implemented on many sites (non-SMF) and it is pretty much clear how it should look. I visited several bigger companies and for sure their lawyers have already swallowed the rules. So SMF is for sure non-compliant and therefore it can be very costly, especially if it is run by companies. The penalties for companies can go up to 20 million € or 4 percent of profit income, whichever is greater. So it is definitely not for joking.

vbgamer45

Quote from: akalebic on May 17, 2018, 09:28:13 AM
So GDPR compliance is already implemented on many sites (non-SMF) and it is pretty much clear how it should look. I visited several bigger companies and for sure their lawyers have already swallowed the rules. So SMF is for sure non-compliant and therefore it can be very costly, especially if it is run by companies. The penalties for companies can go up to 20 million € or 4 percent of profit income, whichever is greater. So it is definitely not for joking.
Is there anything that I am missing from my addon?

akalebic

Quote from: vbgamer45 on May 17, 2018, 09:32:44 AM
Is there anything that I am missing from my addon?

Where can I see your add-on in action?

vbgamer45


Conay

Quote from: vbgamer45 on May 17, 2018, 09:38:32 AM
Quote from: akalebic on May 17, 2018, 09:37:07 AM
Quote from: vbgamer45 on May 17, 2018, 09:32:44 AM
Is there anything that I am missing from my addon?

Where can I see your add-on in action?
https://www.smfhacks.com
Details: https://www.smfhacks.com/index.php?action=downloads;sa=view;down=207

Firstly, this is a really useful modification. I've installed it on my forum and it really seems like the final bit of work that was needed for compliance.

The only thing I'd probably recommend adding is the inclusion of known IP addresses/hostnames, etc. to the info downloaded. I don't know if PMs are included, but if not they should be. But really these are minor adjustments.

@rjen

I am still missing the custom profile fields in the download. Some of those are PII in my case..
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

Kindred

personally, I don't think that PMs should be or need to be part of the download.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

kitz

Quote from: Si6776 on May 17, 2018, 08:08:56 AM
I'm getting lots of emails from companies basically saying "this is our new privacy policy, but you don't have to do anything to carry on as you were". One of them was from my local authority, for which I do contract work. So, the email seems to imply that previous consent is enough to continue with consent, as long as there is an obvious option to remove consent. This is for newsletters, communications, etc.

Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?

Actually you have a valid point. I just looked at the emails that I've gotten from some very large organisations who would have the resources for proper legal representation, and the vast majority just say something along the lines of "We've updated our privacy policy. Please take a look at our updated Privacy Policy and Cookies Policy." or "We are committed to protecting your personal details and to giving you access to them. To find out more, please read our Viewer Promise, including our Privacy Policy and Terms & Conditions". That's it.

kitz

Quote from: Conay on May 17, 2018, 11:36:30 AM
I don't know if PMs are included, but if not they should be. But really this is minor adjustments.

Why? They're not public - they are private between person A and person B. Why would PMs ever need to be portable?
TBF I'd rather keep PMs totally private, and I have no inclination of ever wanting to see what correspondence has taken place between 2 people.
Are we now starting to go overboard?

Si6776

Quote from: kitz on May 17, 2018, 12:34:24 PM
Quote from: Si6776 on May 17, 2018, 08:08:56 AM
I'm getting lots of emails from companies basically saying "this is our new privacy policy, but you don't have to do anything to carry on as you were". One of them was from my local authority, for which I do contract work. So, the email seems to imply that previous consent is enough to continue with consent, as long as there is an obvious option to remove consent. This is for newsletters, communications, etc.

Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?

Actually you have a valid point. I just looked at the emails that I've gotten from some very large organisations who would have the resources for proper legal representation, and the vast majority just say something along the lines of "We've updated our privacy policy. Please take a look at our updated Privacy Policy and Cookies Policy." or "We are committed to protecting your personal details and to giving you access to them. To find out more, please read our Viewer Promise, including our Privacy Policy and Terms & Conditions". That's it.

Exactly. And large organisations are probably more at risk of heavy fines for non-compliance than a small tin-pot forum, so they're not likely to try to circumvent any legal requirements.

I'm fairly sure that these new regulations are being implemented so as to give the EU a big stick with which to beat the likes of Google, Facebook, etc.  In my opinion, the risks of them sending expensive lawyers to chase after individuals and small concerns are pretty low, so whilst we need to be compliant, and not complacent, I don't think we need to make hard work of it.  Providing we have basic compliance in place by the 25th May, anything else can be looked at on an ongoing basis.

kitz

Quote from: Kindred on May 17, 2018, 12:25:43 PM
personally, I don't think that PMs should be or need to be part of the download.

I would tend to agree. See
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

  • The right to data portability gives individuals the right to receive personal data they have provided to a controller
  • Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you.
  • If the requested information includes information about others (eg third party data) you need to consider whether transmitting that data would adversely affect the rights and freedoms of those third parties.

IMHO PMs aren't portable because how could you possibly port them elsewhere. As per the guidelines, data portability is for, say, transferring wedding gift lists, tracking lists, or personal data resulting from observation of an individual's activities (eg where using a device or service).
