SMF & GDPR Personally Identifiable Information

Started by kitz, April 11, 2018, 01:35:54 PM


kitz

I've been watching a couple of items on BBC breakfast news over the past couple of days. Yesterday there was someone saying they weren't going to make much difference over the old DPA. That there's been confusion because many smaller firms appear to be taking the lead from very large corporations and attempting to follow suit when it may not be likely for them to do so.

There's also an interview this morning with the Information Commissioner which states that membership groups are likely exempt, as you expect to receive email notifications etc. when you join up. They (ICO) are targeting the likes of social media platforms which may have personal data such as stored photographs of you [they use facial recognition software] and large organisations which are amassing personal data. Anyhow, you can watch the interview with the IC, which was on BBC breakfast news at ~7.42 this morning, on iPlayer.

One thing that we do need to do within our privacy policy which hasn't so far been discussed is state how the data is stored. E.g. you could say information is stored on a server in a secure data centre.

Aleksi "Lex" Kilpinen

Quote from: SpacePhoenix on May 25, 2018, 02:17:36 AM
Also what about when servers collect the IP address of any user automatically (is there any country(s) that actually require sites/hosts to store IP addresses for a certain amount of time)?
Yes, legislation like that does exist in many countries - mostly aimed at the ISP, but still....
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Medo42

Quote from: kitz on May 25, 2018, 04:55:20 AM
They (ICO) are targeting the likes of social media platforms which may have personal data such as stored photographs of you  [they use facial recognition software] and large organisations which are amassing personal data.

The danger to small noncommercial forum communities is probably not so much from the regulatory authorities (who are the ones who can actually impose the big fines that have been mentioned everywhere). At least in Germany they have neither the manpower nor apparently the inclination to go after them (there were statements that you may only get a warning and some guidance at first if you're a small player and try to do the right thing). The bigger issue for small sites in Germany is probably from lawyers trying to make money from Abmahnungen (C&D letters with a fee). The cost you can expect from one of those is a lot lower than the maximum fines from the authorities (at a guess you should probably expect to pay up to 2000 Eur), but the danger of actually being the target of one is a lot higher. It has been a matter of debate though just how much of that is going to happen with the introduction of the GDPR. It's worth noting that many of the things people are only fixing now could have been served with an Abmahnung even before the GDPR, so in that sense the danger might not really be much higher now.

Quote from: SpacePhoenix on May 25, 2018, 02:17:36 AM
Just been reading through some of (hxxp:www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies [nonactive]) and had to laugh a bit:
This is just from what I pieced together myself, but here is how I understand the cookie situation:

The GDPR only mentions cookies once (hxxp:gdpr-info.eu/recitals/no-30/ [nonactive]), saying that a cookie with a unique identifier could constitute personal data since it may allow tracking a user. It is mentioned on one level with things like IP addresses.

What I take from this is that setting a session cookie should be viewed similarly to collecting an IP address.

Also, using a cookie is pretty much technically required for running a forum, at least for logged-in users. And I would guess you are not using the cookie for any purpose other than providing the forum. So from my point of view, it should be enough to just inform about it in your privacy policy as something that you do to provide the forums, just like you inform about storing the user's email address. And likewise, revoking consent is only possible through deleting your forum account, since as mentioned the cookie is technically required (people also could not keep using the forums if they revoked consent for processing their email address, right?)

The consent is thus already given by accepting the privacy policy. Separate consent, and the option of separate consent withdrawal, would only be required if the cookie was used for some other purpose that is not required for providing the forums, like website analytics.

This is the only way that I can currently make sense of the situation, but someone better informed should feel free to correct me.

Concerning cookies though: I have noticed that SMF still sets a PHPSESSID cookie for people who are not logged in. Since this should not be necessary for just viewing the forums and guests did not give free consent to this one, it is probably an issue. Does anyone know what that cookie is actually used for and whether it can be disabled? Deleting it when you are logged in does not appear to have any effect, so I've considered letting my webserver filter it out and see if anything bad happens.

Nomada_Firefox

Quote from: vbgamer45 on May 20, 2018, 09:13:08 PM
Minor update you can install over the old one.

1.0.4
!Minor language update
+Checks for SSL if not adds a warning
+Version check now includes link to download new version
Great addition. Thanks.

SpacePhoenix

Quote from: Medo42 on May 25, 2018, 05:42:04 AM
Concerning cookies though: I have noticed that SMF still sets a PHPSESSID cookie for people who are not logged in. Since this should not be necessary for just viewing the forums and guests did not give free consent to this one, it is probably an issue. Does anyone know what that cookie is actually used for and whether it can be disabled? Deleting it when you are logged in does not appear to have any effect, so I've considered letting my webserver filter it out and see if anything bad happens.

Any interactive website will set a session cookie the moment you visit the site; there can't be too many interactive sites that don't rely on sessions in some way.

feline

Quote from: SpacePhoenix on May 25, 2018, 03:16:50 PM
Any interactive website will set a session cookie the moment you visit the site; there can't be too many interactive sites that don't rely on sessions in some way.
Not true. It will work without any session cookie.
Look at our site: before you accept cookies, no cookie is set, not even a session cookie.


a10

Quote from: feline on May 25, 2018, 04:22:51 PM
Quote from: SpacePhoenix on May 25, 2018, 03:16:50 PM
Any interactive website will set a session cookie the moment you visit the site; there can't be too many interactive sites that don't rely on sessions in some way.
Not true. It will work without any session cookie.
Look at our site: before you accept cookies, no cookie is set, not even a session cookie.

What I see on my forum: no cookie for guest browsing, only when a member logs in, deleted when logging out.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

petb

Quote from: a10 on May 25, 2018, 05:01:28 PM
Quote from: feline on May 25, 2018, 04:22:51 PM
Quote from: SpacePhoenix on May 25, 2018, 03:16:50 PM
Any interactive website will set a session cookie the moment you visit the site; there can't be too many interactive sites that don't rely on sessions in some way.
Not true. It will work without any session cookie.
Look at our site: before you accept cookies, no cookie is set, not even a session cookie.

What I see on my forum: no cookie for guest browsing, only when a member logs in, deleted when logging out.
In my installation, there is always a session cookie sent to the user.

SpacePhoenix

Quote from: feline on May 25, 2018, 04:22:51 PM
Quote from: SpacePhoenix on May 25, 2018, 03:16:50 PM
Any interactive website will set a session cookie the moment you visit the site; there can't be too many interactive sites that don't rely on sessions in some way.
Not true. It will work without any session cookie.
Look at our site: before you accept cookies, no cookie is set, not even a session cookie.
Wrong! I just logged out, cleared all cookies for the SMF site, then went to the home page and checked again: 6 cookies were set.

Doug Heffernan

I have a question and I hope that someone familiar with the new privacy law can help me. Say, if a user wants me to delete his/her account and all the posts associated with that account, am I legally obliged to do that?

Aleksi "Lex" Kilpinen

Quote from: doug_ips on May 26, 2018, 01:44:34 AM
I have a question and I hope that someone familiar with the new privacy law can help me. Say, if a user wants me to delete his/her account and all the posts associated with that account, am I legally obliged to do that?
In theory if you do not have a legal interest to protect by saving the posts, yes. But I'd say a forum could easily claim legal interest in keeping the discussions intact and readable.

Doug Heffernan

Quote from: Aleksi "Lex" Kilpinen on May 26, 2018, 01:49:52 AM
Quote from: doug_ips on May 26, 2018, 01:44:34 AM
I have a question and I hope that someone familiar with the new privacy law can help me. Say, if a user wants me to delete his/her account and all the posts associated with that account, am I legally obliged to do that?
In theory if you do not have a legal interest to protect by saving the posts, yes. But I'd say a forum could easily claim legal interest in keeping the discussions intact and readable.

Thanks for the reply.

SpacePhoenix

Just been reading an article about the GDPR where it looks like banning members or deleting members who don't agree to cookies etc could equally fall foul of the GDPR regs

petb

Quote from: SpacePhoenix on May 26, 2018, 02:38:59 AM
Just been reading an article about the GDPR where it looks like banning members or deleting members who don't agree to cookies etc could equally fall foul of the GDPR regs
What?
If users do not accept the privacy policy,
then you can not lock them out?
For real?



EDIT:
Quote from: petb on May 25, 2018, 05:15:21 PM
Quote from: a10 on May 25, 2018, 05:01:28 PM
Quote from: feline on May 25, 2018, 04:22:51 PM
Quote from: SpacePhoenix on May 25, 2018, 03:16:50 PM
Any interactive website will set a session cookie the moment you visit the site; there can't be too many interactive sites that don't rely on sessions in some way.
Not true. It will work without any session cookie.
Look at our site: before you accept cookies, no cookie is set, not even a session cookie.

What I see on my forum: no cookie for guest browsing, only when a member logs in, deleted when logging out.
In my installation, there is always a session cookie sent to the user.
And I just found out that after a "guest" closes the browser and reopens it, there is still one forum cookie in the browser.
Any way to stop the cookie usage by the forum?
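The check that a10, petb and SpacePhoenix ran by hand (load the forum as a guest, see which cookies come back, and which survive closing the browser), as an added example that is not SMF code or anything posted in the thread: it parses the Set-Cookie headers from a guest page load and sorts them into session cookies, persistent cookies (Expires or Max-Age still in the future) and cookies missing the Secure/HttpOnly flags. The header values are constructed; only the PHPSESSID name comes from the thread, and the headers are assumed to have been captured beforehand (e.g. from the browser's developer tools).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
@dataclass
class CookieInfo:
    name: str
    persistent: bool   # survives closing the browser (Expires/Max-Age in the future)
    deletion: bool     # Max-Age=0 or a past Expires date: the server is removing it
    secure: bool
    http_only: bool

def parse_set_cookie(header: str, now: datetime | None = None) -> CookieInfo:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    now = now or datetime.now(timezone.utc)
    first, *rest = [part.strip() for part in header.split(";")]
    attrs: dict[str, str] = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    persistent = deletion = False
    if attrs.get("max-age", "").lstrip("-").isdigit():
        persistent = int(attrs["max-age"]) > 0  # Max-Age takes precedence over Expires
        deletion = not persistent
    elif "expires" in attrs:
        try:
            persistent = parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            persistent = True  # unparseable or zone-less date: assume the cookie sticks
        deletion = not persistent
    return CookieInfo(first.split("=", 1)[0].strip(), persistent, deletion,
                      "secure" in attrs, "httponly" in attrs)

def audit_guest_cookies(headers: list[str]) -> dict[str, list[str]]:
    """Bucket cookies from a guest page load: session, persistent, or weak flags."""
    report: dict[str, list[str]] = {"session": [], "persistent": [], "weak_flags": []}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.deletion:
            continue  # a removal header is not a new cookie
        report["persistent" if cookie.persistent else "session"].append(cookie.name)
        if not (cookie.secure and cookie.http_only):
            report["weak_flags"].append(cookie.name)
    return report

GUEST_SET_COOKIE = [  # constructed sample of a guest's first page load, not captured data
    "PHPSESSID=0123456789abcdef; path=/; HttpOnly",
    "forum_seen=1; Expires=Fri, 31 Dec 2099 23:59:59 GMT; Path=/; Secure; HttpOnly; SameSite=Lax",
    "old_tracker=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]
```

Anything in the "persistent" bucket is what petb saw surviving a browser restart; anything at all in the report is a cookie a guest received before agreeing to anything, which is the point Medo42 raised about PHPSESSID.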

Aleksi "Lex" Kilpinen

Quote from: SpacePhoenix on May 26, 2018, 02:38:59 AM
Just been reading an article about the GDPR where it looks like banning members or deleting members who don't agree to cookies etc could equally fall foul of the GDPR regs
Please do tell more, because to me this really doesn't make any sense at all, and I'm fairly sure someone has misinterpreted something here.

Aleksi "Lex" Kilpinen

Quote from: petb on May 26, 2018, 02:44:11 AM
Any way to stop the cookie usage by the forum?
Simple answer: No. The forum needs cookies to work.
Long answer: Could perhaps be done, at the expense of security and functionality.

SpacePhoenix

Quote from: Aleksi "Lex" Kilpinen on May 26, 2018, 02:57:22 AM
Quote from: SpacePhoenix on May 26, 2018, 02:38:59 AM
Just been reading an article about the GDPR where it looks like banning members or deleting members who don't agree to cookies etc could equally fall foul of the GDPR regs
Please do tell more, because to me this really doesn't make any sense at all, and I'm fairly sure someone has misinterpreted something here.
Think this is the same article (on a different computer atm) http://www.dailymail.co.uk/sciencetech/article-5770969/The-Latest-LA-Times-site-offline-EU-amid-new-data-rules.html

Aleksi "Lex" Kilpinen

OK, now... Pretty much from the top part of that
Quote:
Companies should be informing their customers about the new regulations and giving them the choice of whether to continue giving them access to their data - but still be able to use their sites if they don't.
In the case of the named examples, this would be impossible. The services can not work without access to some personal information as defined under the GDPR.
This is just someone trying to test the limits of new legislation I'd guess...

SpacePhoenix

IANAL. Realistically is it going to need x versus y in court to determine what cookies are deemed to be personal information?

Aleksi "Lex" Kilpinen

All legislation usually requires courts to actually create examples of how the law is supposed to be interpreted. Before a law has seen court, it is just text up to interpretation.