GDPR - Extension needed

[deleted]

Hi All,

There are numerous topics around GDPR on discuss - too many for me to list here, but GDPR is still very much the elephant in the room for those of us who run communities within the EU - or indeed entertain access from clients originating from the EU.

Sadly, it seems that Flarum has yet to adopt what I'd consider a critical extension in order to remain compliant in terms of GDPR. Previously, myself, @luceos, @katos embarked on a journey to see what could be accomplished here, and I'm also aware that @luceos created a base framework which was a step in the right direction. However, this project seems to have gone cold in the sense that it lost momentum. GDPR is a contentious subject, but anyone hosting a forum is in scope if they handle or process data pertaining to EU residents.

For clarity, I'm a security/privacy expert by trade, and the lack of a functional GDPR extension concerns me greatly. Flarum is fantastic, and I'm happy to support and foster it's growth (as I actively do as a backer, extension contributor, and payment for extension updates) - I also adopt several premium extensions as a means of providing financial support for the project, and it's developers.

The issue I have here is one of privacy and compliance. I'm happy to fund the initial (and probably ongoing) development of an extension for GDPR - not one that simply ticks boxes, but allows the user to perform a download of all his/her data, allows for corrections, and just about everything else which is considered a base requirement of GDPR. My take here is that Discourse has something in place, so why not Flarum? I know it's been discussed previously, but little action has been taken to actually address with a dedicated extension.

My position sadly means that without this fundamental extension, I cannot continue to use Flarum for any project where data of EU residents is in scope with no means of addressing the compliance side.

Again - I'm happy to fund extension development, and also happy to engage in discussion (probably via Discord) as to how this should work etc. A lack of a basic GDPR framework could well render Flarum's uptake in the EU dead, and this is something I personally do not want to see happen.

All devs - let's do something about this - please !

luceos

[deleted] Mark you raise a valid point. My thoughts:

The collaboration on the GDPR extension and advice received were huge, it helped shaping the extension and I think we need to guarantee having a couple of experts as a requirement.
I still want that GDPR extension to be completed (and maintained).
It now lives under Bokt, but I bet it will be either be moved to FoF or Blomstra.
I will only tolerate the extension to be open source and I think we need to vouch (as a community) that it is maintained, functional and above all compliant.
Blomstra will probably have an interest in having such an extension for clients too, so we can provide man hours for that either with @IanM or myself, but we have other priorities right now. This means we will be able to co-maintain it or start working on it later this year.

Sibert

[deleted] There are numerous topics around GDPR on discuss

I have seen nowhere mentioned in this thread, one of the major GDPR issues. It is more or less prohibited in the EU to use a server or service hosted by a "state controlled" company. Azure (amongst other) is therefore abandoned or prohibited by some countries in the EU.

Justoverclock

i can offer help with italian translation (maybe integrated into the extension), if someone need that, and as a tester of course

[deleted]

luceos Thanks for this - very comforting to know that this is still "out there" (so to speak) and there is incentive and momentum via Blomstra

I will only tolerate the extension to be open source and I think we need to vouch (as a community) that it is maintained, functional and above all compliant.

This point is pertinent, and means the most to me as a community member. I'm more than happy to contribute both in code, knowledge, and expertise in the field (as you know)

luceos we have other priorities right now. This means we will be able to co-maintain it or start working on it later this year.

Again, this is also very comforting. I fully understand the priorities, but on the flip side, Blomstra would need to be compliant in order to offer it's services 🙂

I need to reinforce that my view here isn't just "well, there's no GDPR extension, so I'm off..." - it's about the interests of Flarum as a wider project, and it's uptake in the EU, which we cannot ignore - both for project longevity and legal reasons.

[deleted]

luceos I think we need to guarantee having a couple of experts as a requirement.

I'd like to think I fit this requirement - happy to contribute 🙂

luceos

[deleted] Again, this is also very comforting. I fully understand the priorities, but on the flip side, Blomstra would need to be compliant in order to offer it's services

The communities we host might need to be compliant. But yes we are well aware of the weight of having such an extension to the validity of our services.

[deleted] I'd like to think I fit this requirement - happy to contribute

You do, I think I meant having a +1 would be helpful too just for having another set of eyes on the subject.

[deleted] I need to reinforce that my view here isn't just "well, there's no GDPR extension, so I'm off..." - it's about the interests of Flarum as a wider project, and it's uptake in the EU, which we cannot ignore - both for project longevity and legal reasons.

I feel your personal pain. I apologize for not sharing it yet. I guess that's part of having so many responsibilities. Having a GDPR extension is in no way a responsibility of the core team as they should provide a kick-ass framework for extensions to work with. It's also not a responsibility of FoF as their goal is to guarantee existing open source extensions are maintained. It is a wishlist item for Blomstra, but we need to get things going in order to be able to invest time into this.

That is why I believe this is a responsibility of the community. The drawback is that development capacity right now is limited.

I don't want to say this isn't going to happen, I do think that someone needs to be swayed into continuing the previous efforts for something to happen within weeks. Maybe @IanM @clarkwinkelmann @askvortsov wants to give it a shot?

Reference to extension: https://github.com/Bokt/flarum-gdpr

askvortsov

luceos Sure, I'd be happy to take a look!

katos

I am happy to assist in crowd-funding this extension, and also willing to provide my legal background assistance, as well as my background in IT.

Wadera

katos I am happy to assist in crowd-funding this extension

+1 from me 😉

luceos

askvortsov let me know if you do, @IanM also had some time the coming days otherwise.

Changed the repo to https://github.com/blomstra/flarum-ext-gdpr

[deleted]

I really am flattered that this is gathering such pace so quickly. Thanks everyone !

luceos

[deleted] most developers capable of picking this up are taxed with other responsibilities right now, especially with the next release imminent. That's why there isn't that much momentum, including with calls for paid work.

Justoverclock

i'm planning to work on a GDPR extension (if no one is involved now), but i'm not sure about how this extension need to be developed.

These are my questions:

can i use localstorage instead of classic cookies?
Must be present a link to extended privacy policy and extended cookie policy? (link to a post on flarum i suppose)

what else?

[deleted]

Justoverclock You should check with with @askvortsov and @IanM as they have begun work in coordination with myself and @katos

Justoverclock

[deleted] oh ok if u guys are working on this i will stay behind the scene 🙂

Justoverclock

actually (because i've not seen any extension) i'm working on that:

for now i have mandatory cookies and google analytics cookies. If Google Analytics is not checked, google analytics code will be stopped)

google analytics code managed through admin panel.

[deleted]

Justoverclock looks great, but more cookie consent centric than actual GDPR.

Darkle

Justoverclock It looks really good, I would recommend you to include a reject button (which automatically blocks all unneeded cookies), this button is being one of the main reasons for the massive NOYB (European Center for Digital Rights) complaints that started this year.

The NOYB said that their complaints are directed at both companies like Google and Twitter as well as local sites "that have a relevant number of visitors" what? we are really putting Google on the same level as a local site? insane.

All this seems ridiculous to me, I mean cookies should be managed 100% by the browsers they should be in charge of the user's consent with the cookies of each site etc...

Hari

Justoverclock looks great, could you include a small mode too. maybe a bottom bar or small-sized card view.

not only EU but google AdWords made it mandatory to advertise in search or display network

1Dot

Justoverclock I think you can make something like that you did in Keywords extension Like at place of word take input as name for example Ramesh Script and in definition input you can take script or html used and now use the input Justoverclock here at the place of Google analytics and if the user unselect ramesh script then stop loading Ramesh Script and I have something great to share that only load script or css when user select anything you can use if condition here see the demo code below:

  if (r == true) {
          // Get HTML head element
        var head = document.getElementsByTagName('HEAD')[0]; 
        var script = document.createElement('script');
        script.src = 'RameshDadaPremiumScriptUrlForFREE'; 
        head.appendChild(script); 
}

Justoverclock

Now if u do not check google analytics, this will be not loaded (I’ve included the google analytics code)

So I do not understand the reject button….u can’t reject all cookies (mandatory cookies are blocked on “checked”), Flarum will not work properly without it.

[deleted]

Justoverclock the reject button is for anything that isn't required for Flarum to function basically. You'd need to clearly set out in your limit those committed which are mandatory and are required for the platform to run.