GDPR fun

  • So the GDPR is possibly an existential threat to this forum, in that it's quite costly to get all the legal advice necessary to comply and this place runs almost exclusively on donations and we couldn't afford it and if we get sued we definitely cease to exist.

    So... I have a plan.

    The plan is: Store nothing that isn't needed.

    This means:

    • No Google Analytics
    • No server log files
    • No IP addresses logged

    This might seem obvious to you and make you go "Well the GDPR works then", and largely I'd agree. However it's going to come with some downsides. Such as it being a lot harder to make any improvements because I won't have data on how the site is used. And it's going to be a lot harder to stop spam as I won't have any data there either.

    There is only one thing that I definitely know: You gave me an email address when you signed in.

    That's it. I don't know if it's your email address, if it identifies you, if it's a throwaway one... just that you gave me an email address.

    You might argue I know your username, but not really. There's no processing done on it and it's just a blob field. You could well put your passport number in there but I wouldn't know it if I saw it, and you might put a name in there but I have no idea whether this is your name... it's just a word and I have no sense of identity from it.

    The one and only thing I'll know is your email.

    I'm burning everything else that could even be argued to be data.

    If you make a GDPR request then I shall fulfil this electronically by providing you with a link to access everything I know... and it is this link (except with your user id, and if you are logged in you can see your private messages in there too):
    https://www.lfgss.com/search/?q=type:microcosm+type:conversation+type:event+type:profile+type:huddle+type:comment+authorId:47686

    The API returns everything I know, and everything else I'm burning (configuring servers to not produce logs, etc).

    You may wish to contact auth0 to obtain from them your login history, but their logs only go back 2 days and they keep no history beyond that (we are on the free tier, very limited logging), and over there is your email address, IP address (if signed in within the last 2 days), and possibly the ID within Google or Microsoft of the account ID your login is linked to. That's on the auth0 server and not my server.

    I know nothing except for your email which is required for login, notifications, and account verification.

    Feel free to ask questions... they may well be answered with "I don't know", and I do not believe that the existing T&Cs are impacted by GDPR due to the fact that we always stored virtually nothing and now explicitly store less.

  • Things I am uncertain of:

    1. Whether I can continue to embed maps (because they could cookie you without consent)
    2. Whether I need to interstitial every link to a 3rd party (because they could cookie you without consent)

    Things I should clarify:

    • I do not know if you uploaded a file. The API de-duplicates and all I know is that an attachment is linked to 1 or more comments... but this is very different from file ownership (of which I have no data).
    • Comments and other user generated content are not kept in a structured way, and the database is really only being used as a file system with textual search... there is no processing of the content other than to render it as HTML. From everything I have read I do not believe that unstructured blobs of user generated data require me to do anything other than keep them secure. The onus is actually on you to not put things in there if it's sensitive.
    • PMs are the exceptions to the above... only in that they are guaranteed to be hard deleted from the server once all parties have deleted them.
    • Everything is encrypted on the servers, this is via full disk encryption rather than item level encryption.
  • Good work boss man.

  • Also disabling all performance beacons and Cloudflare experiments that were active.

    There will be no logs at all.

  • “That's it. I don't know if it's your email address, if it identifies you, if it's a throwaway one... just that you gave me an email address.”

    Which is personal data of course. Is it stored on the lfgss server or auth0's?

    It sounds like you've got access requests covered, but have you got consent covered?

    Consent must be "clear, easily distinguishable and provided in an intelligible and accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."

    Under the GDPR there is no such thing as opt out consent and silence, inactivity, pre-ticked boxes etc. won't cut it. Consent needs to be unambiguous, which requires some clear affirmative action.

    Have you explicitly got everyone's consent to store their email? And could they easily withdraw it?

  • From what he says above, I think he'd fall into "legitimate interests" so no need for consent?

  • Email is the only thing for which consent will be required, and I'm looking to change the login form to add a consent checkbox to the auth0 form and force it to be required (you won't be able to login without providing consent).

    It will not be possible to use any of the forums I host without consent to a working email address.

    The option to withdraw consent will be achieved by destroying the email stored against your account (this isn't account deletion, it's just email destruction) and this in turn will permanently and irrevocably orphan the account (as we store nothing that identifies you, we will never be able to re-unite you to any content that was created by an account). Withdrawing consent for any forum on Microcosm will orphan the account for all forums that you access, as each unique email only has a single account across the 300+ forums.

    Withdrawing consent to store the email is very destructive and cannot be reversed. Choosing to consent again in future will create a new account and you will not have access to any of the content on a prior account, including the name associated to that account or any other content created.

    The consent withdrawal shall be via a checkbox and confirm flow available via the edit profile page.

    Scratch that...

  • So I've now read https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ and http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN (47-49) and think I'm OK to keep email (for a very long time) and not offer consent withdrawal on it.

    Consent is already asked for and given via Google and Microsoft login methods, and so I only need to add a consent notification to the email for the login code method.

    Legitimate use does cover retaining the email, as it is used for fraud detection, impersonation detection, to block trolls and abusers, etc.

    Which means I don't have to offer consent withdrawal for email at all... saves me some work, and it would have been hugely destructive to one's own account if anyone had clicked it.

  • Ah that's good. I'm in no way an expert by the way, just trying to get my head around it for work at the moment...

  • Why not continue to use GA and give people choice of opting out?

  • Are you actually responsible for embedded 3rd-party cookies?

    I mean, you're not the one adding the map links to the site, you just provide a forum for people to add content to. That's an odd one.

  • It'll mean all the youtube threads will be 'linkified' too.

  • Re removing GA, as long as you're not linking user IDs to the data itself (ie. using it for general trends, event counts etc, rather than x user did y), you should be able to keep that too, right?

  • It's not worth the risk.

  • And you're aware of this? https://panopticlick.eff.org/

    It's far too easy to de-anonymise anyone on the internet.

    I'll store nothing at all... but it will still be possible if someone could MITM my hosting (which with pinned HSTS and DNSSEC should be impossible).

  • Shift the whole site to the dark web - just to be sure?

  • Not safe enough.

    One of you feckers would hold me to ransom. Only safe thing to do... burn all the things (but not the site itself).

  • [Attachment: coppola.png]

  • That looks like a happy man who runs a forum.

  • [Attachment: images.jpg]

  • Just had a mail, of which this is an extract. Does it mean that the gdpr here is effectively my responsibility / problem? Lols!

    “...we have updated our Professional Profile Policy. In accordance with this policy, we wanted to remind you that as required by GDPR, you may use personal data made available to you through (company name) only for the purposes for which it was provided to you.”

  • Look at processor/controller responsibilities.

  • I had someone hand me a big document and ask me to sign to say I agree (and the document putting lots of the data in my control/responsibility), told them to look at how/why they are sending me such data and restructure. Not had a reply but should be errr fun.

  • Cheers @salmonchild and @Clockwise, will explore both for lols as I have no responsibility to them but am just intrigued :)
    More news presently...

Posted by Velocio (@Velocio)