Author Topic: About the GDPR  (Read 40385 times)

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 18,003
  • Gender: Male
  • Liroy van Hoewijk
    • coreisp on GitHub
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
About the GDPR
« on: June 02, 2018, 09:08:21 PM »
Dear users,


Many of you had questions about the GDPR and how to comply with this EU law about processing personal data of EU-citizens.
To make things easier for you, our next releases will include multiple features to help you with that. :)

The current list of features we are expecting to add to SMF is as follows:
- Data export, so users may (if you allow them to) export their profile data. (Profile including IP address(-history), posts (optional), personal messages (optional)). In the future, SMF might get an option to restore the basic profile of another site.
- Include unsubscribe links in newsletter emails if you set them to be marketing related (functional emails will remain being sent if someone opts out of marketing emails, depending on notification settings.)
- Opt-in checkbox for marketing emails during registration
- Force users to agree to new registration agreement, keep track of who consented and when they did, and the ability to see who have not agreed (yet).
- We are considering making it possible to show the privacy policy separate from the registration agreement during registration
- Show Privacy Policy link in the footer
- Ability to, when deleting a user/user has requested deletion of their data, check a box to remove IP-history from posts and anonymise their posts; which is to say their user/nickname is automatically changed to something other than what they registered with. Of course you still retain the ability to remove their posts as well. Even though this is not strictly required by GDPR if your policy checks out! (Note that you can already (pseudo-)anonymise their posts by first changing their nick before removing their profile, but we figured it would be nice to automate this in the future.)
- Extra prune functions, like expunging IP history for users as far as (technically) reasonably possible, to limit the amount of personal data you have on record. (Use with care.)

These functions will likely not all be introduced at once and some features will be expanded/improved with later updates.
We are aiming to get the basics introduced first (such as ability to add privacy policy, basic profile export, opt-out function for newsletters and forcing users to agree again to a (changed) registration agreement/privacy policy and log that). More features may be added later. If you think we forgot something, you may also post suggestions here - but please keep in mind that we are limited in time and resources. :) We have decided to implement these features into SMF itself rather than releasing them as a modification (mod), so when you update SMF: these features will be available to you instantly.

The features will be optional for you to enable/disable, so if you do not want to use or activate them: that is possible.
We have been working hard on this and will release it as soon as possible. Our estimate is a release around the end of this month/beginning of July, but please do not consider that a promise. Keep in mind that these tools are to help you with being/becoming GDPR-compliant, only activating them doesn't necessarily make you compliant. We advise you to read up on the laws and obtain legal advice if you are unsure whether or not you are compliant or have to be and what you should put in your privacy policy.


As for our own site, we will post a Privacy Policy soon to make it easier for you to see what we do with the very limited amount of data that you provide us with and information about what your rights are. And of course we will introduce the above features here as well as they will be included in SMF itself. :)

Last but not least, we apologize for the delay in introducing these features. Once we became aware of this new law, we wanted to get to the bottom of it and get some legal advice first. And as we are all volunteers: there are some time constraints as well. We are working very hard on it though and will release the features soon. :)

Thank you!


Kind regards, on behalf of;
- SMF Team
- Simple Machines
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Offline GigaWatt

  • The Smiley Guy
  • Support Specialist
  • SMF Hero
  • *
  • Posts: 2,187
  • Gender: Male
    • Macedonian electronics forum
Re: About the GDPR
« Reply #1 on: June 02, 2018, 09:21:00 PM »
Will this be included in the Core features section and will it be turned on or off by default?

And with the term "our next release", do you mean the next major update (the 2.1 branch) or the current stable branch (2.0.x)?
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Offline CoreISP

Re: About the GDPR
« Reply #2 on: June 02, 2018, 09:24:21 PM »
Quote
Will this be included in the Core features section and will it be turned on or off by default?

Good question on the Core features section, I'll ask the devs. :)
It will be turned off by default as we don't want to impose this on everybody, plus if you enable it you have to take extra actions such as populating your Privacy Policy.

Quote
And with the term "our next release", do you mean the next major update (the 2.1 branch) or the current stable branch (2.0.x)?

Both! :)
But SMF 2.0 gets it first as that's the current stable version and thus what most people are using.

Offline GigaWatt

Re: About the GDPR
« Reply #3 on: June 02, 2018, 10:21:09 PM »
Thank you for the prompt answer ;).

Offline petb

  • Jr. Member
  • **
  • Posts: 106
Re: About the GDPR
« Reply #4 on: June 04, 2018, 08:41:33 AM »
Thank you,
I appreciate that very much.

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 3,006
  • Gender: Male
  • I also speak english :D
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ La nueva era del conocimiento
Re: About the GDPR
« Reply #5 on: June 04, 2018, 07:52:51 PM »
Well, little by little, for several communities, it should be applied, although personally I do not really give much importance. Although it is really appreciated as quickly as possible, this new law was acted upon!


Regards!
Returning like a phoenix! ~ Bomber Code © 2018
Help - Contributions - Tutorials - And much more!!!


Help me via PayPal

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,641
  • Gender: Male
  • One of the french SMF translators
Re: About the GDPR
« Reply #6 on: June 10, 2018, 05:47:21 PM »
Cool news. Thanks for this effort.
One always needs someone smaller than oneself! (Small! Small!)


Think about Search function before posting.

Offline Bigguy

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,994
  • Gender: Male
  • Be nice, or else....
    • smfbigguy on GitHub
    • What's Ur Beef
Re: About the GDPR
« Reply #7 on: June 12, 2018, 06:25:42 PM »
Very nice to hear and should be well appreciated by members. :)

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,699
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: About the GDPR
« Reply #8 on: June 17, 2018, 02:31:35 AM »
Quote
Will this be included in the Core features section and will it be turned on or off by default?

Good question on the Core features section, I'll ask the devs. :)
It will be turned off by default as we don't want to impose this on everybody, plus if you enable it you have to take extra actions such as populating your Privacy Policy.

As this wasn't yet answered, I'll just mention that it would appear to be the plan for 2.0 to use the Core features section for this. :)
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline GigaWatt

Re: About the GDPR
« Reply #9 on: June 17, 2018, 03:35:22 AM »
Well, IMO that was also kind of logical, so that's why I asked ;).

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,856
    • StoryBB/StoryBB on GitHub
Re: About the GDPR
« Reply #10 on: June 17, 2018, 05:39:31 AM »
Ugh, not Core Features! It actually is a barrier to entry because people don't know it's there half the time.

(This is why it was removed in 2.1)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Aleksi "Lex" Kilpinen

Re: About the GDPR
« Reply #11 on: June 17, 2018, 05:48:04 AM »
But in context of 2.0 it is only logical to use it.

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,455
Re: About the GDPR
« Reply #12 on: June 17, 2018, 05:54:11 AM »
Quote
But in context of 2.0 it is only logical to use it.

but we don't need to continue to be logical ;) we need to make sure the users can find how to enable the feature and go from there.

Offline Aleksi "Lex" Kilpinen

Re: About the GDPR
« Reply #13 on: June 17, 2018, 05:55:22 AM »
Granted, that is true as well.

Offline Arantor

Re: About the GDPR
« Reply #14 on: June 17, 2018, 06:00:03 AM »
So... don't put it in Core Features, add a new menu to the admin panel called Privacy and put all the things in there.

In context of 2.0, burying stuff in Core Features only guarantees people having to ask where to find it.

Offline vbgamer45

  • Customizer
  • SMF Super Hero
  • *
  • Posts: 21,626
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: About the GDPR
« Reply #15 on: June 17, 2018, 08:13:37 AM »
Glad core features is going away that was always odd and agree people never really checked it.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline landyvlad

  • Sr. Member
  • ****
  • Posts: 863
  • Gender: Male
    • Michael Reed on Facebook
    • GSX1400 Owners ORG
Re: About the GDPR
« Reply #16 on: July 08, 2018, 11:17:22 PM »
Just did a search on GDPR and found this post - great to know that it's being worked on.
Please do not PM, IM or Email me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

To paraphrase Kindred: "There are no technical solutions to social problems."

No hack nor blackhats, just persistent asshats.

Offline wintstar

  • Jr. Member
  • **
  • Posts: 129
Re: About the GDPR
« Reply #17 on: August 09, 2018, 03:19:39 AM »
alberlast has implemented this well for the upcoming version 2.1. The European Data Protection Act stipulates that data protection is displayed even if the website is in maintenance mode or the website can be accessed even if there are system errors. If the forum is in maintenance mode, privacy cannot be displayed. For this, a possibility would have to be given that the data protection in maintenance mode or system error, where the forum is to be called, is given.

Offline Aleksi "Lex" Kilpinen

Re: About the GDPR
« Reply #18 on: August 09, 2018, 03:26:50 AM »
Actually no, I really do not think the GDPR requires that, or even could require that. The whole regulation is built on clauses like "unless requiring unproportioned effort or technically impossible"...

Offline wintstar

Re: About the GDPR
« Reply #19 on: August 09, 2018, 03:32:35 AM »
Quote
Actually no, I really do not think the GDPR requires that, or even could require that. The whole regulation is built on clauses like "unless requiring unproportioned effort or technically impossible"...

That is necessary:

Sorry, it is in German.
https://www.kreativ-web-marketing.com/de/news/meldungen/dsgvo-datenschutz-weisse-webseite.php

Offline Arantor

Re: About the GDPR
« Reply #20 on: August 09, 2018, 03:47:22 AM »
So if there is a system error that means the privacy policy physically can't be displayed (maintenance mode aside), it's now a GDPR violation. In fact, in almost every single possible circumstance under that, you'd have to display the privacy notice. Even if the site is in hard maintenance where not even admins can log in, you STILL have to display it on almost every webhost ever set up because it still goes into access logs so even though the site isn't accessible, the fact it's been visited at all still counts.

Congratulations, that's the second dumbest thing I've heard yet coming out of the German interpretation of the GDPR, the first being that if patients request their healthcare data to be deleted under RTBF, electronic records must be deleted, while the paper copies (that are fundamentally incomplete, if say, you have cancer where you'll have CTs and treatment plans and all that stuff as 95% of that won't ever make it to paper and even if it did, it wouldn't be especially useful anyway) must be kept for 30 years.

Fortunately the ICO is not quite so asinine about any of this. It's getting increasingly less worth the effort to run a website the way this is going.

Offline Aleksi "Lex" Kilpinen

Re: About the GDPR
« Reply #21 on: August 09, 2018, 03:50:35 AM »
I still think that must be a misunderstanding, or very very poor local implementation because no such requirement can be seen in the actual GDPR.

EDIT:

As far as I know, this is THE point in GDPR that has been interpreted as the need of a privacy policy available:

Quote
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

In my understanding, appropriate measures does not mean it has to be available at all cost at all times, it simply means to make it public and clear where you can obtain the information if needed.

Article 13 in itself will not come into play, if the server is down - because no information is then collected, and the user does not have to be informed of that.
« Last Edit: August 09, 2018, 04:04:07 AM by Aleksi "Lex" Kilpinen »

Offline wintstar

Re: About the GDPR
« Reply #22 on: August 09, 2018, 04:18:10 AM »
Quote
...
Congratulations, that's the second dumbest thing I've heard yet coming out of the German interpretation of the GDPR, the first being that if patients request their healthcare data to be deleted under RTBF, electronic records must be deleted, while the paper copies (that are fundamentally incomplete, if say, you have cancer where you'll have CTs and treatment plans and all that stuff as 95% of that won't ever make it to paper and even if it did, it wouldn't be especially useful anyway) must be kept for 30 years.

Fortunately the ICO is not quite so asinine about any of this. It's getting increasingly less worth the effort to run a website the way this is going.

That's not German, that's European crap. And I also see it in such a way, that it is not worthwhile itself in Europe slowly privately a web page to operate.
This DSGVO is actually made to bring even more members to the social networks. The private websites will be broken. But that's not the topic here. The laws are made, then you should also see to implement them as far as possible. alberlast has already solved it.

Offline Aleksi "Lex" Kilpinen

Re: About the GDPR
« Reply #23 on: August 09, 2018, 04:32:36 AM »
The actual GDPR is EU crap, but each country will have to write it in their own legislation, so if German legislation says what you say it does, then that is German crap, not EU crap, sorry.

Offline Arantor

Re: About the GDPR
« Reply #24 on: August 09, 2018, 04:43:34 AM »
I have done this, I have spoken at great lengths with the ICO, the U.K. equivalent. And they are not so asinine about it.

Offline Aleksi "Lex" Kilpinen

Re: About the GDPR
« Reply #25 on: August 09, 2018, 04:47:51 AM »
So far I have yet to see a very extreme approach to this in Finland too, so far the local interpretation seems almost reasonable.

Offline feline

  • SMF Hero
  • ******
  • Posts: 1,638
  • Gender: Female
Re: About the GDPR
« Reply #26 on: August 09, 2018, 07:18:10 AM »
If the forum is in "Maintenance Mode", no user data is handled or saved, because the user simply cannot log in.
So I think this can simply be ignored ...

Offline Arantor

Re: About the GDPR
« Reply #27 on: August 09, 2018, 08:00:51 AM »
The user still gets entered into the access log and therefore apparently all the privacy notices have to be shown.

Offline feline

Re: About the GDPR
« Reply #28 on: August 09, 2018, 08:41:07 AM »
Quote
The user still gets entered into the access log and therefore apparently all the privacy notices have to be shown.

Well .. I just have implemented this feature ...
It's very simple to handle that  ;)

In the index.php just before this
Code:
return 'InMaintenance';
check whether the request is for the impressum or the GDPR policy  ;)

Easy to handle that ..

Offline petb

Re: About the GDPR
« Reply #29 on: November 10, 2018, 02:19:44 AM »
How far is the matter in the meantime?
Is there any progress to report?

Online d3vcho();

  • Sempiterno
  • Lead Localizer
  • SMF Hero
  • *
  • Posts: 3,945
  • Gender: Male
    • frandominguez03 on GitHub
Re: About the GDPR
« Reply #30 on: November 10, 2018, 04:09:55 AM »
Our developers are working hard to implement this feature both in 2.0.x and 2.1.x. We'll have to wait a bit more because this is something serious that needs to be discussed and properly implemented but, for everyone's relief, we're much closer than we were a few months ago.

"Greeting Death as an old friend, they departed this life as equals."

Offline live627

  • Development Contributor
  • SMF Hero
  • *
  • Posts: 5,620
  • Gender: Male
    • live627 on Facebook
    • live627 on GitHub
    • live627 on LinkedIn
    • @live627 on Twitter
    • livemods
Re: About the GDPR
« Reply #31 on: November 10, 2018, 04:34:49 AM »
Properly implementing this takes time. We want to get this right. We must also consider existing installs and how best to not disrupt them.
Try not to become a man of success, but rather try to become a man of value.
- Albert Einstein

Offline petb

Re: About the GDPR
« Reply #32 on: May 12, 2019, 01:47:10 PM »
How far is the matter in the meantime?
Is there any progress to report?

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #33 on: May 12, 2019, 04:01:47 PM »
Oh, I never saw this topic until today...  :-X

Disclaimer: IANAL, everything that follows is just AFAIK.

An important part of the German DSGVO (I don't know if it's also part of the GDPR, but I would assume so) seems to be that in your privacy policy, you need a list of all third-party sites with access to personal data (f.e. IP address, which means basically any third-party site) and information about what exact data these sites receive, and how to access their privacy policy page if you want to object/reject them from handling your data (and under the German DSGVO, as the forum host, you apparently even need to have "commissioned data processing" (German: "Auftragsdatenverarbeitung") contracts with all of these sites).

Will SMF by default contain this data for the mandatory and optional built-in services, like JQuery, reCAPTCHA, Gravatar, ...?
"Faith is what you have in things that don't exist."
--Homer Simpson

Offline Arantor

Re: About the GDPR
« Reply #34 on: May 12, 2019, 05:34:24 PM »
2.0 has none of those built in, 2.1 comes with its own copy of jQuery which doesn't need to be external (unless you set it to use CDN), and not everyone will use either reCAPTCHA or Gravatar - but I doubt it will automagically identify what combinations of settings you use, etc.

Especially with the ad management mod, that has no way to know which providers are in use - so that really should be on the site owner to deal with.

Offline m4z

Re: About the GDPR
« Reply #35 on: May 13, 2019, 02:37:44 AM »
Quote
2.1 comes with its own copy of jQuery which doesn't need to be external (unless you set it to use CDN)

That's not 100% correct, the 2.1 default (for Configuration -> Features and Options -> General -> "Source for the jQuery Library") seems to be "Auto", which, according to the docs, "[...] will use the CDN first and if not available fall back to the local source". This is what I was seeing, and this took me by surprise, because I had expected the feature to work the other way around: Try local first, and if that fails, go for CDN. (And that's why I assumed jquery was a "mandatory" feature, although I didn't specifically say that.)


Quote
and not everyone will use either reCAPTCHA or Gravatar - but I doubt it will automagically identify what combinations of settings you use, etc.

That was kinda what my query was about, the SMF PP should by default include all the info for all these third-party sites (not only the enabled-by-default ones), independent of the site actually using it. This is waaaay more practical than putting documentation somewhere (that 99.9% of users won't ever bother to read) that instructs the remaining 0.1% that if they enable feature X, they would also have to adjust the PP. Also, the forum owners can't really judge (with reasonable effort) how all those features work and what kind of personal information will be available to those third parties.


Quote
Especially with the ad management mod, that has no way to know which providers are in use - so that really should be on the site owner to deal with.

I agree that SMF can't reasonably solve this problem for mods (and I didn't ask for that).

Offline Arantor

Re: About the GDPR
« Reply #36 on: May 13, 2019, 03:46:56 AM »
It is 100% correct, jQuery is mandatory but it doesn’t have to use a CDN, I have always set my 2.1 to be local and it’s been that way for the last 5 years, because I had frequent spells of not having an internet connection.

The PP should not by default include things that are not enabled by default. And good luck to you to write the translated  version of the privacy policy that patches all the bits together. Hint: other forum platforms that have had GDPR features for more than a year don’t try to solve this - at the end of the day, you are the site owner, you are responsible for it being correctly listed, not the software, and if the software has defaults there is a fair bet someone will be on the wrong side of it for assuming it is magically correct when it is not.

Offline petb

Re: About the GDPR
« Reply #37 on: May 13, 2019, 05:51:01 AM »
I did not mean that with my question about progress.
I thought to have read that there should also be a solution in the 2.0.x by SMF directly?

That also in the 2.0.X the privacy policy, as well as the terms of use, etc.
separately activate each and can view and confirm,
as well as the user can export his data and
the admin can then also delete a user DSGVO compliant, etc.?

Without the need of an extra mod?

Or did I choose the wrong topic here?

EDIT:
No, found this here:
....
Quote
And with the term "our next release", do you mean the next major update (the 2.1 branch) or the current stable branch (2.0.x)?

Both! :)
But SMF 2.0 gets it first as that's the current stable version and thus what most people are using.

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #38 on: May 13, 2019, 06:16:29 AM »
It is 100% correct, jQuery is mandatory but it doesn’t have to use a CDN[…]

The correctness was about your phrasing, it sounded like the default jQuery setting was local-only, and the admin needs to explicitly change the setting to use the CDN. (And yes, it is of course mandatory, I was just pre-coffee rambling... :-X)


The PP should not by default include things that are not enabled by default. […] Hint: other forum platforms that have had GDPR features for more than a year don’t try to solve this - at the end of the day, you are the site owner, you are responsible for it being correctly listed, not the software, and if the software has defaults there is a fair bet someone will be on the wrong side of it for assuming it is magically correct when it is not.

I disagree, I think it should include all those third parties, and maybe prefix each one with something like "If this site is configured to use the Gravatar option, your personal data (including IP address, email address, …) will be processed by them, blah blah blergh…".
Otherwise, as a site owner, you would have to test all user-configurable options to see if any of them have an effect on any specific forum page, resulting in traffic to additional third-party sites.
Being on the other "wrong side", that is, including a "this external site might be processing your data under these circumstances"-prefixed reference to a site that isn't actually used, shouldn't be a problem.


And good luck to you to write the translated version of the privacy policy that patches all the bits together.

I don't understand. I'm asking for one static policy that includes all of this. Not multiple versions, and not code-including sections based on features used.

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #39 on: May 13, 2019, 06:21:14 AM »
I did not mean that with my question about progress.
I thought to have read that there should also be a solution in the 2.0.x by SMF directly?

[…]

Or did I choose the wrong topic here?

This is the correct topic. AFAICT, the feature is not yet implemented in 2.0 or 2.1 RC2 (for the 2.1 branch, part of it is scheduled for RC3).

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,856
    • StoryBB/StoryBB on GitHub
Re: About the GDPR
« Reply #40 on: May 13, 2019, 07:28:04 AM »
Surely there’s an issue if my PP says “data goes to reCAPTCHA” if I’m not using reCAPTCHA?

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #41 on: May 13, 2019, 07:46:52 AM »
Surely there’s an issue if my PP says “data goes to reCAPTCHA” if I’m not using reCAPTCHA?

Full ACK. That's why I'm proposing to have these sections statically prefaced by "If this site is configured to use this (/the 'foo') option[…]".

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,856
    • StoryBB/StoryBB on GitHub
Re: About the GDPR
« Reply #42 on: May 13, 2019, 08:13:54 AM »
How would the person reading the PP know that? Assume they’re reading the T&Cs before going to registration, they’re going to be presented with “if the site is using reCAPTCHA” which they realistically cannot know at that point.

And since mods cannot be done with this, why not just avoid the whole problem by making it the site owner’s responsibility in the first place, maybe by offering this information in the config screen.

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #43 on: May 13, 2019, 09:03:47 AM »
How would the person reading the PP know that? Assume they’re reading the T&Cs before going to registration, they’re going to be presented with “if the site is using reCAPTCHA” which they realistically cannot know at that point.

Does the user have to know? Sure, if "optional service x" is the straw to break the camel's back, and the user reads it might be active, then that might keep a user from registering in the forum. But I'd err to the benefit of the site owner and document everything (in the case of a static document).


And since mods cannot be done with this, why not just avoid the whole problem by making it the site owner’s responsibility in the first place, maybe by offering this information in the config screen.

That would be a possibility, too, indeed. I haven't thought of that (but I still prefer the static catch-all document, I think). I, possibly mistakenly (is this even valid English? ???), interpreted your previous replies kind-of as "this is not SMF's problem, the site owner is on his/her/* own to solve this".

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,699
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: About the GDPR
« Reply #44 on: May 13, 2019, 09:46:09 AM »
Any if statement will not work, as then you are still not telling the user what you are required to tell them, you are just saying this may happen - but not telling them if it will.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #45 on: May 20, 2019, 02:59:41 PM »
Any if statement will not work, as then you are still not telling the user what you are required to tell them, you are just saying this may happen - but not telling them if it will.

Yes, again, IANAL, but I'd naively assume it's very much less of a legal problem to say, f.e.:
Quote
If you're accessing a thread that contains a [youtube] BBC tag, your PII will be sent to YouTube, Google, and Doubleclick, and here's their Privacy Policies.

(and then be wrong about 99% of threads), than to not mention this fact to the users, which seems like an obvious disregard of the GDPR. (And, just to remind you, the GDPR doesn't apply to EU organizations and private site owners only, but to everybody worldwide that is handling PII of EU/EEA citizens.)

(I'll take the safe route for now and disable the [img] BBC in the forum I'm setting up, because it can include basically any URL (and the focus is on text anyway)...)

Offline peterbehlendorf

  • Newbie
  • *
  • Posts: 9
Re: About the GDPR
« Reply #46 on: October 01, 2019, 03:12:59 PM »
It would also be nice to have a cookie banner with the position customisable (as much as I dislike them) just to be on the safe side pointing towards the privacy policy.

Offline shadav

  • Jr. Member
  • **
  • Posts: 208
  • Gender: Female
Re: About the GDPR
« Reply #47 on: October 01, 2019, 05:07:06 PM »
It would also be nice to have a cookie banner with the position customisable (as much as I dislike them) just to be on the safe side pointing towards the privacy policy.

you mean like this: https://custom.simplemachines.org/mods/index.php?mod=3693

Offline peterbehlendorf

  • Newbie
  • *
  • Posts: 9
Re: About the GDPR
« Reply #48 on: October 01, 2019, 07:29:20 PM »
It would also be nice to have a cookie banner with the position customisable (as much as I dislike them) just to be on the safe side pointing towards the privacy policy.
you mean like this: https://custom.simplemachines.org/mods/index.php?mod=3693

Yes exactly like that! Thank you. I'm a bit new to using SMF.

I read through the posts here on this thread and didn't see anything about it.

Offline m4z

  • Localization Team Apprentice
  • Jr. Member
  • **
  • Posts: 359
Re: About the GDPR
« Reply #49 on: October 02, 2019, 01:23:37 AM »
It would also be nice to have a cookie banner with the position customisable (as much as I dislike them) just to be on the safe side pointing towards the privacy policy.
you mean like this: https://custom.simplemachines.org/mods/index.php?mod=3693

According to the mod site, it's not compatible with 2.0.15 or 2.1rc2...

Online Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,799
  • Master of BBC Abuse
Re: About the GDPR
« Reply #50 on: October 02, 2019, 01:47:00 AM »
Compatible with 2.0.10, so should work with emulation on 2.0.15. I was actually going to test it myself later, but I want to set up a fresh local site first.