GDPR - Extension needed

Justoverclock

If someone would collaborate : 👀

https://github.com/justoverclockl/flarum-ext-cookieconsent/blob/main/js/src/forum/CookieConsent.js

PascalBoschma

sylv38

Hello the flarum team !

I haven't found any thread about Pusher to post this message.

I think that, regarding GDPR, it would really be nice to let the user choose if he wants to use Pusher or not. A checkbox would logically find its place to enable/disable pusher extension in confidentiality settings. To be GDPR compliant, this checkbox should be disabled by default. Would it be possible ? Of course, a setting could be added in admin panel to enable this possibility only for those who want.

Thus, I could use the cookie consent notification to explain that Pusher can be used to have realtime notifications and that it can be enabled in user settings.

[deleted]

I've chosen to leave the Flarum ecosystem based on the fact that there is no GDPR capability meaning that communities operating within the EU (or in the case of the UK, operating within Europe) are not and should not be classed as compliant. This represents a major issue for me given my professional capacity.

Frankly, I'm shocked that Blomstra is being marketed in Europe when it has no GDPR capabilities making it non compliant.

A real pity as Flarum has a brilliant ecosystem, but sadly, a complete lack of direction when it comes to GDPR. Personally, I've moved to NodeBB where this is a feature of the core and has been since the inception of GDPR.

matteocontrini

[deleted] meaning that communities operating within the EU (or in the case of the UK, operating within Europe) are not and should not be classed as compliant

What do you mean exactly? My community is GDPR-compliant, no cookie is installed without consent, explicit consent to the privacy policy is required to join the community, and I fulfil citizen rights on request, as the Regulation and my privacy policy require.

I agree it could be nice to have some additional features to let users manage their data on their own, but GDPR isn't really about having buttons in the UI.

matteocontrini

[deleted] Policies are one thing, but validation of existence and execution is another. This is why organisations have to regularly attest as part of due diligence that they are GDPR compliant.

How can Flarum help with that? In this case the organization is me and you, we are the data controllers. Flarum has no responsibility.

[deleted] They've been fully compliant since version 1.9.0 (1.18.2 was just released) and were the first forum platform to achieve certified compliance.

To be honest I only see a link to Wikipedia in that blog post... They just added some features to help forum administrators be compliant, as they say. Nice to have, but not required for a community to be compliant.

[deleted] It's been classed as not a priority, which is completely the wrong approach.

I agree with that.

[deleted] I never actually said that.

Maybe I misunderstood...

[deleted] [Flarum] communities operating within the EU [...] are not [...] compliant

Darkle

[deleted]

What @matteocontrini said is exactly what I plan to use, I think it's feasible, but it's true that with a really big community it can be something really laborious/unsustainable.

I don't know how the development of Blomstra is going with the GDPR extension, @luceos could you update us about it, are there problems or it just requires a lot of development time?

Maybe in that case, you could start a fundraiser to accelerate its development (as happened with the ad extension), I think a lot of people would be willing to help.

[deleted]

matteocontrini You have a mechanism for users to be able to request data corrections, perform an export of their own data, and delete their own account under Flarum ? I don't think you do unless you've written an extension yourself ?

Cookie compliance is an EU directive and whilst considered in line with GDPR they aren't the same thing. Flarum isn't GDPR compliant at all.

matteocontrini

[deleted] You have a mechanism for users to be able to request data corrections, perform an export of their own data, and delete their own account under Flarum ?

Yes, they can send an email and I handle those requests. I receive GDPR requests weekly. It's GDPR compliant and that's what a lot of companies do. I don't see where the GDPR says there should be buttons in the UI to do this. Compliance is about your policies and practices.

[deleted]

matteocontrini Yes, that's very true, but unless you can prove that you have the ability to respond to any GDPR request in 30 days as mandated by the ICO, and have a means of performing data anonymity to remove IP addresses, email addresses, and anything else classed as personally identifiable information, then you are not fully compliant.

The real problem with GDPR and the regulation is that people read it then suddenly become overnight experts. Flarum isn't GDPR compliant out of the box and should be. If you've never had your policies and procedures independently audited, you cannot assume compliance based on self review.

matteocontrini

[deleted] my policies were written by a lawyer, I handle requests within hours, I remove IP addresses from the database and any other personal information.

I don't think it's correct to say that every Flarum community is automatically not compliant. You can say that Flarum doesn't provide tools to aid with that, but that's a different thing.

[deleted]

matteocontrini Written by an expert lawyer and independently audited and validated as in place and functional by whom ? Anyone can have a set of policies drafted. Your can copy them from the internet also.

Policies are one thing, but validation of existence and execution is another. This is why organisations have to regularly attest as part of due diligence that they are GDPR compliant.

This is how NodeBB does it
https://blog.nodebb.org/nodebb-1-9-0/

They've been fully compliant since version 1.9.0 (1.18.2 was just released) and were the first forum platform to achieve certified compliance. Note how they also targeted their EU hosted customers as a priority to ensure they were also fully compliant.

Flarum hasn't done any of this, despite the GDPR officially landing on May 25 2018. It's been classed as not a priority, which is completely the wrong approach.

matteocontrini I don't think it's correct to say that every Flarum community is automatically not compliant.

I never actually said that. I said that Flarum itself is not GDPR compliant and needs to be if blomstra as an entity is to be taken seriously in Europe.

[deleted]

matteocontrini How can Flarum help with that? In this case the organization is me and you, we are the data controllers

Flarum should provide the necessary tooling as part of its core. Not an extension. Data obfuscation is not the same as data portability and right to erasure by the way - they are two different things, and Flarum provides neither.

matteocontrini To be honest I only see a link to Wikipedia in that blog post... They just added some features to help forum administrators be compliant, as they say. Nice to have, but not required for a community to be compliant.

That link is just for reference to the GDPR itself. See https://nodebb.org/gdpr

matteocontrini Maybe I misunderstood...

Well, that comment is factual in the sense that data portability and right to erasure are part of the GDPR so seeing as Flarum doesn't offer this, it's not compliant, and any community using Flarum by definition won't automatically be.

askvortsov

[deleted] Flarum should provide the necessary tooling as part of its core. Not an extension

I want to emphasize again that providing or not providing some systems in core is not in any way a reflection of the importance of those systems. There are some incredibly important things (tags, private messaging, redis / caching, etc) that will probably never be in core, and Flarum will be stronger for it. It's an engineering decision that allows us to keep core streamlined and maintainable while still enabling all these useful features to exist. If you'd like to read a bit more about this philosophy, see this post.

As to the status of the GDPR extension, I agree that it's been going way slower than any of us initially hoped, but the only active developers on it are myself and @IanM, and we've both been very pressed for time. However, that extension will have all the features discussed in this thread, and I am still optimistic that we will get it done.

Hari

matteocontrini >> they can send an email

People do not read the terms and FAQs. when they want to delete their profile like people do in FB they need a delete button otherwise they start using bad words and that can be seen by others too (which causes a bad reputation). instead of all this mess, it would be nice to have a "delete profile" extension just like the change username extension.

here is an a example (a real conversation)

[deleted]

Darkle Maybe in that case, you could start a fundraiser to accelerate its development (as happened with the ad extension), I think a lot of people would be willing to help.

I offered this I'm my starting post for this thread. Sadly, even that wasn't enough to steer momentum.

[deleted]

askvortsov I realised the lack of GDPR functionality in March of this year, and in several discussions prior to that. I also can't agree with the philosophy that such an important feature isn't available in the core. It just doesn't make any sense to me as a security expert, and as a result means I've jumped off the Flarum train onto NodeBB with all of my forums - 2 completed, one remaining but in a development state. Security, privacy, and GDPR all have a fundamental basis in social media platforms, so why should any forum choose to behave differently ?

On a final note, there's no option to even opt out of emails via the message itself, which is also non compliance.

I'm not here to bash Flarum in any way. I greatly respect the product, it's ecosystem, the developers, and the community as a whole - I no longer use the Flarum application, but am here in an advisory capacity to ensure the Flarum Foundation doesn't land itself in unexpected hot water if discuss was ever breached and has no controls or framework in place to notify affected users - and even worse, have no ability to determine what data exactly is in scope.

Personally, the lack of any GDPR extension at this point means little to me given my move out, but as an act of courtesy, I'm using my knowledge and experience to bring this back to the table before it's too late.

streaps

askvortsov As to the status of the GDPR extension, I agree that it's been going way slower than any of us initially hoped, but the only active developers on it are myself and @ianm, and we've both been very pressed for time. However, that extension will have all the features discussed in this thread, and I am still optimistic that we will get it done.

Don't you (the people trying to build a business around Flarum) realize how damaging this approach and communication strategy is for Flarum? It already had the image of a software that never gets finished. Now after version 1.0 has been released, after years of waiting, we see the same pattern with a central feature that should have been in v1.0. Maybe there will be a beta version soon, maybe it will take months or years or the whole business / development around Flarum implodes again. This wishy-washy communication and commitment hurts Flarum. Every day there is uncertainty about the GDPR extensions is a missed opportunity. I'm sure many people don't even consider Flarum as a viable alternative because of this. They have a look at Flarum, find nothing about the GDPR on the main site, find nothing about GDPR on the blog and then land on this thread after a search. That's all you can provide as an semi-official statement about the (future) GDPR support in Flarum – hidden between the arrogant/ignorant views of some community members. It's a complete disaster. And the fact that you don't realize how bad it looks only amplifies it.

010101

[deleted] I also can't agree with the philosophy that such an important feature isn't available in the core.

This part of the debate might also be a matter of semantics. Correct me if I’m wrong, but @[deleted] , I think it would also be just as satisfactory if it was a core, Flarum Foundation maintained, default extension. Correct? It doesn’t have to be in CORE, core. 🙂 But it should be like the Tags or Like extension and come with the default installation.

I hate doing it. Always comparing to WordPress. I’m sorry, it’s just so well-known… By default, WordPress has some GDPR features and an example privacy policy with fresh installs. And, WordPress also doesn’t often add something like that to their core. So, it must be important.

[deleted]

010101 It doesn’t have to be in CORE, core

I don't agree. It should be in the core product. For non compliance with the GDPR where it can be proven that you do not have adequate controls in place to adequately handle a beach properly, you can be fined up to €20m or four times the turnover of any parent entity.

My comment here is the Flarum should offer GDPR compliance out of the box and but truly on extensions - be those core or third party. GDPR compliance is mandatory, not optional.

010101

[deleted] GDPR compliance is mandatory, not optional.

But now we get into that fact that it really isn’t. If I have private forum for me and my friends, it’s not required. Also, it’s not required (a lot of the major rules) if you don’t track the user and do a lot of that fishy stuff social media sites do. At least, that’s what I keep reading over and over. I’d paste links but I think they are in other discussions and I personally won’t change your mind.

[deleted]

010101 This isn't factual I'm afraid. The GDPR is there to protect any members that are EU residents ( or based in Europe if from the UK). If your forum is completely private, this is irrelevant if it gets breached and you spill data that can identify an EU resident or be classed as personally identifying in nature. It doesn't matter if you host your forum on US soil either. As soon as you have one member from the EU, your forum and you are automatically in scope.

« Previous Page Next Page »