SMF & GDPR Personally Identifiable Information

Started by kitz, April 11, 2018, 01:35:54 PM


vbgamer45

Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

petb

I apologize.

I have fooled myself and have looked at the "language" directory and did not remember
that I had uninstalled the mod.
So there could not be any gdpr.english-utf8.php to find... so I thought something was going wrong.  :-[ O:)

My mistake, thanks for your reference.


SeduzioneItaliana

Hi vbgamer45,
My English is terrible but I will try to explain. My best compliments on your mod, which I installed on my SMF 1.21.
All is right, but after the installation and clicking the redirect exit, the label of your mod in the admin panel disappears...
After that, it's impossible to call the pages of the app.
Can you help me please? I put a picture of the problem. Thanks a lot.

PS: we did a translation of the agreement into Italian. If you need to translate the entire text into Italian, ask me ;)



vbgamer45

You also have to translate modifications.english.php; I add text to that file too.

SeduzioneItaliana

I translated the text in english.modifications.php of your mod and pasted it in italian.modifications.php.
But I can't see the label to call the mod...  :-[
What do I have to do?

(thanks for your help)



vbgamer45

That should do it, unless your theme also has a languages folder with modifications.english.php; then you have to do the same there.

SeduzioneItaliana

GREAT vbgamer45!!

It runs. I copied the strings of english.modifications.php into the italian.modifications.php in the language folder of my personal theme.

Tomorrow (it's 3:13 o'clock here) I will post the Italian translations. This way, if you want to do a multilanguage version, you have a little bit less of the job to do. (sorry for my English)


Thanks a lot for your help!!!!!


SeduzioneItaliana

I'm testing the "localized" version, but I have some problems.
a) deleting a user, the username was not anonymized.
b) I get an error starting the mod in gpdr.php:

Messaggio8: Undefined index: admin_menu_name
File: /home/seduzion/public_html/forum/Sources/gpdr.php
Linea: 271


Can you help me please?

Thank you.

Armada

A quick question - what is the correct setting for:

Force all members to agree to the privacy policy when changed
Force all members to agree to member agreement when changed

Is it a case of balancing inconvenience and strict compliance?

The Privacy Policy as far as I can see does not take away any rights from a user, it gives rights to them, so why do they need to be forced to agree with it?

The risk is that people who log into the forum, relying on the cookie to log them in (rather than a password they may have forgotten) could find themselves unable to get back in.

Also, it would be great if the page that people are confronted with (if the "force" option is on) has a friendly introduction (which isn't part of the privacy policy).

Any thoughts at all?
--- SMF Rocks even more than YabbSE---

gloups

Quote from: hugbear on May 17, 2018, 01:27:22 PM
Technically, personal messages in SMF, while definitely not public, are not private either. The forum software does not guarantee that a controller's representative (i.e. the website admin) can't access the content of PMs. Just nit-picking...

GDPR exhorts encryption of sensitive data: "83/ In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption".
(Porting a web software to be GDPR compliant, I encrypt (aes_encrypt): email addresses, PM content (not the IP address, despite it being legally considered personal data): it is only to guard against SQL injection access... supposing the PHP file including the crypt passphrase is of course not compromised; of course the webmaster may always be intrusive and aes_decrypt the data).
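
The field-level encryption described in the post above, as an added example that is not part of the original post or of the GDPR mod: it uses PHP's openssl extension with AES-256-GCM rather than the SQL aes_encrypt function the poster mentions, so each value gets a fresh nonce and tampering is detected on decrypt. The function names, the FORUM_FIELD_KEY environment variable, the column name and the sample values are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names): encrypt personal-data columns such as
// the e-mail address or PM body in PHP before they reach the database.
const FIELD_CIPHER = 'aes-256-gcm';

// The key lives outside the database; FORUM_FIELD_KEY is an assumed variable.
function load_field_key(): string
{
    $hex = getenv('FORUM_FIELD_KEY');   // expected: 64 hex characters
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('FORUM_FIELD_KEY missing or malformed');
    }
    return hex2bin($hex);
}

// $context (table.column:row id) is authenticated, not stored or encrypted.
function encrypt_field(string $plain, string $context, string $key): string
{
    $nonce = random_bytes(12);          // fresh nonce for every value
    $tag = '';
    $ct = openssl_encrypt($plain, FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $context);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Returns null when the value was modified or copied to another row/column.
function decrypt_field(string $stored, string $context, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte nonce + 16-byte tag
        return null;
    }
    $nonce = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $plain = openssl_decrypt(substr($raw, 28), FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $context);
    return $plain === false ? null : $plain;
}

// Constructed sample data; in production the key comes from load_field_key().
$key = random_bytes(32);
$stored = encrypt_field('member@example.org', 'members.email_address:42', $key);
var_dump(decrypt_field($stored, 'members.email_address:42', $key)); // same row
var_dump(decrypt_field($stored, 'members.email_address:43', $key)); // other row
```

If aes_encrypt in the post means MySQL's AES_ENCRYPT(), that function runs in aes-128-ecb mode unless block_encryption_mode is changed, so equal plaintexts produce equal ciphertexts; the per-value nonce above avoids that.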

gloups

Quote from: kitz on May 18, 2018, 02:19:27 PM
TBF I'm not even sure if forum posts nvm PMs apply to the right to data portability.

I agree, PMs may contain personal data, ... but maybe not.

What personal data is (in the GDPR context) is explained here
hxxp:ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en [nonactive]

(I am a newbie here, I don't know if this guide for developers has been mentioned: GDPR – A Practical Guide For Developers hxxp:techblog.bozho.net/gdpr-practical-guide-developers/ [nonactive] )

Si6776

Quote from: Armada on May 24, 2018, 01:18:11 PM
A quick question - what is the correct setting for:

Force all members to agree to the privacy policy when changed
Force all members to agree to member agreement when changed

Is it a case of balancing inconvenience and strict compliance?

The Privacy Policy as far as I can see does not take away any rights from a user, it gives rights to them, so why do they need to be forced to agree with it?

The risk is that people who log into the forum, relying on the cookie to log them in (rather than a password they may have forgotten) could find themselves unable to get back in.

Also, it would be great if the page that people are confronted with (if the "force" option is on) has a friendly introduction (which isn't part of the privacy policy).

Any thoughts at all?

The mod only asks for the consents the first time a member logs in after either or both the User Agreement and Privacy Policy has been changed.  So, if you get it right the first time, they'll only need to do it once.  What I did on my forum was to send out a quick email before I made the changes, just explaining what was happening, and that it was to comply with GDPR.  I've not had any complaints.

petb

Because I have my own link there to an HTML privacy policy,
how can I remove the "privacy policy" link in the footer?

And what is the difference between the two files:
privacy_template.txt
privacypolicy.txt

It looks like only the privacypolicy.txt was changed after edit,
so the privacy_template.txt is just like a secure copy,
a simple template if someone deletes his content in privacypolicy.txt?

Armada

Quote from: Si6776 on May 24, 2018, 02:50:20 PM

The mod only asks for the consents the first time a member logs in after either or both the User Agreement and Privacy Policy has been changed.  So, if you get it right the first time, they'll only need to do it once.  What I did on my forum was to send out a quick email before I made the changes, just explaining what was happening, and that it was to comply with GDPR.  I've not had any complaints.

Thanks for that - it's good to hear how others are doing this.

I don't feel it's a good idea to send out an email to everybody on our forum, simply because there are over 200,000 of them.

Did you manage to customize the agreement page to make it look a bit friendlier?


vbgamer45

Quote from: petb on May 24, 2018, 03:14:04 PM
Because I have my own link there to an HTML privacy policy,
how can I remove the "privacy policy" link in the footer?

And what is the difference between the two files:
privacy_template.txt
privacypolicy.txt

It looks like only the privacypolicy.txt was changed after edit,
so the privacy_template.txt is just like a secure copy,
a simple template if someone deletes his content in privacypolicy.txt?

Yes, it is a template.
To delete the link you would have to remove it from Sources/QueryString.php

Si6776

Can I suggest, if you want to keep your own Privacy Policy, you could replace the one in the mod with your own.  Then you would have a link in your footer and the 'force to accept' function would still work. 

petb

Quote from: vbgamer45 on May 24, 2018, 04:13:21 PM
Quote from: petb on May 24, 2018, 03:14:04 PM
Because I have my own link there to an HTML privacy policy,
how can I remove the "privacy policy" link in the footer?

And what is the difference between the two files:
privacy_template.txt
privacypolicy.txt

It looks like only the privacypolicy.txt was changed after edit,
so the privacy_template.txt is just like a secure copy,
a simple template if someone deletes his content in privacypolicy.txt?

Yes, it is a template.
To delete the link you would have to remove it from Sources/QueryString.php

Great, thank you.
I commented out the two preg_replace lines in the install package.

Now I have to change the link here:
$txt['gpdr_txt_privacy_desc'] = 'We collect personal information when you use our online services. We use cookies to identify you and personalize your experience. For details, please see our <a href="' . $scripturl . '?action=gpdr;sa=privacypolicy" target="_blank"> Privacy Policy </a> ';

to
$txt['gpdr_txt_privacy_desc'] = 'We collect personal information when you use our online services. We use cookies to identify you and personalize your experience. For details, please see our <a href="/myownprivacy_policy_file.html" target="_blank"> Privacy Policy </a> ';

..then I should have touched everything so that my HTML privacy policy is always displayed?
Or are there other links like this somewhere?
I think I saw another place with such a link?

EDIT:
Found another one at the "<file name="$languagedir/Modifications.english.php">" section
$txt['gpdr_txt_privacy_desc'] = 'We collect personal information when you use our online services. We use cookies to identify you and to personalize your experience. For details, please see our <a href="' . $scripturl . '?action=gpdr;sa=privacypolicy" target="_blank">Privacy Policy</a>';

These parts I also have to translate and put into: $languagedir/Modifications.german-utf8.php !?

May I ask:
Can you make it possible that the privacy policy is fully shown during the installation process, instead of showing only the link to it?

And what about an input field where the user can point to his own policy?
So that it will also be shown in that stage,
I can't remember right now.... I believe it was when the user was active in the forum and was directed to accept?

So this is also shown with HTML tags, instead of only possible BBC tags?

Quote from: Si6776 on May 24, 2018, 04:28:26 PM
Can I suggest, if you want to keep your own Privacy Policy, you could replace the one in the mod with your own.  Then you would have a link in your footer and the 'force to accept' function would still work.

Yes, but I want to display an HTML version of it.
Because I get delivered everything ready, always when something has changed.
And I'm afraid that one or the other change will come over time.

And I still have placed buttons in the forum menu bar for the German needed "Impressum" and "Datenschutzerklärung".

Armada

Petb,

We display the privacy policy on a page of its own, but using the privacypolicy.txt of the mod, and don't use a link provided by the mod.

To do so, we had to modify the text file so that the square brackets [    ]  are angle brackets  <   >. This means we still get the bold bits parsed in the privacy policy.

Then the new page, we called privacy.php looks something like this:



<?php
// Page title used by the shared header include.
$pagetitle = 'Privacy Policy';
include('top.inc');
?>



                        <div id="main_content">
                        <div class="cat_bar">
                                <h3 class="catbg">Privacy Policy</h3>
                        </div>
                        <div id="help_container">
                                <div class="windowbg2">
                                        <span class="topslice"><span></span></span>
                                        <div id="helpmain">

<img src="/forum/content/a-pretty-image.jpg" />
<br />
<p>
<?php
// Output the policy file as-is (its tags are not escaped), turning newlines into <br />.
echo nl2br(implode('', file('privacypolicy.txt')));
?>


</p>

                                        </div>
                                        <span class="botslice"><span></span></span>
                                </div>
                        </div>
                        </div>
                        <div id="bottom">
                                <div id="bottom_l">
                                        <div id="bottom_r">
                                                <a class="backtop" href="#"></a>
                                        </div>
                                </div>
                        </div>

<?php
include ('bottom.inc');
?>



The top.inc and bottom.inc are the header and footer of the page that matches with the rest of the forum (the header has the SMF ssi_include or whatever it's called).


SpacePhoenix

Just been reading through some of (https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies) and had to laugh a bit:

Quote
Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn't count as consent.

Quote
'By using this site, you accept cookies' messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:

Can't think of any other way that a given site could note that someone has refused consent for cookies other than storing a cookie. Also, any site that relies on sessions will create a cookie when a user first visits a site.

Quote
It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don't give their consent, they must make them accept cookies first.

Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.

afaik the only way that could work is if the user never, ever visits the site again, with sessions creating cookies whenever anyone visits a site that uses sessions.

Also what about when servers collect the IP address of any user automatically (is there any country(s) that actually require sites/hosts to store IP addresses for a certain amount of time)?
