GDPR - Extension needed

matteocontrini

[deleted] You have a mechanism for users to be able to request data corrections, perform an export of their own data, and delete their own account under Flarum ?

Yes, they can send an email and I handle those requests. I receive GDPR requests weekly. It's GDPR compliant and that's what a lot of companies do. I don't see where the GDPR says there should be buttons in the UI to do this. Compliance is about your policies and practices.

[deleted]

matteocontrini Yes, that's very true, but unless you can prove that you have the ability to respond to any GDPR request in 30 days as mandated by the ICO, and have a means of performing data anonymity to remove IP addresses, email addresses, and anything else classed as personally identifiable information, then you are not fully compliant.

The real problem with GDPR and the regulation is that people read it then suddenly become overnight experts. Flarum isn't GDPR compliant out of the box and should be. If you've never had your policies and procedures independently audited, you cannot assume compliance based on self review.

matteocontrini

[deleted] my policies were written by a lawyer, I handle requests within hours, I remove IP addresses from the database and any other personal information.

I don't think it's correct to say that every Flarum community is automatically not compliant. You can say that Flarum doesn't provide tools to aid with that, but that's a different thing.

[deleted]

matteocontrini Written by an expert lawyer and independently audited and validated as in place and functional by whom ? Anyone can have a set of policies drafted. Your can copy them from the internet also.

Policies are one thing, but validation of existence and execution is another. This is why organisations have to regularly attest as part of due diligence that they are GDPR compliant.

This is how NodeBB does it
https://blog.nodebb.org/nodebb-1-9-0/

They've been fully compliant since version 1.9.0 (1.18.2 was just released) and were the first forum platform to achieve certified compliance. Note how they also targeted their EU hosted customers as a priority to ensure they were also fully compliant.

Flarum hasn't done any of this, despite the GDPR officially landing on May 25 2018. It's been classed as not a priority, which is completely the wrong approach.

matteocontrini I don't think it's correct to say that every Flarum community is automatically not compliant.

I never actually said that. I said that Flarum itself is not GDPR compliant and needs to be if blomstra as an entity is to be taken seriously in Europe.

matteocontrini

[deleted] Policies are one thing, but validation of existence and execution is another. This is why organisations have to regularly attest as part of due diligence that they are GDPR compliant.

How can Flarum help with that? In this case the organization is me and you, we are the data controllers. Flarum has no responsibility.

[deleted] They've been fully compliant since version 1.9.0 (1.18.2 was just released) and were the first forum platform to achieve certified compliance.

To be honest I only see a link to Wikipedia in that blog post... They just added some features to help forum administrators be compliant, as they say. Nice to have, but not required for a community to be compliant.

[deleted] It's been classed as not a priority, which is completely the wrong approach.

I agree with that.

[deleted] I never actually said that.

Maybe I misunderstood...

[deleted] [Flarum] communities operating within the EU [...] are not [...] compliant

[deleted]

matteocontrini How can Flarum help with that? In this case the organization is me and you, we are the data controllers

Flarum should provide the necessary tooling as part of its core. Not an extension. Data obfuscation is not the same as data portability and right to erasure by the way - they are two different things, and Flarum provides neither.

matteocontrini To be honest I only see a link to Wikipedia in that blog post... They just added some features to help forum administrators be compliant, as they say. Nice to have, but not required for a community to be compliant.

That link is just for reference to the GDPR itself. See https://nodebb.org/gdpr

matteocontrini Maybe I misunderstood...

Well, that comment is factual in the sense that data portability and right to erasure are part of the GDPR so seeing as Flarum doesn't offer this, it's not compliant, and any community using Flarum by definition won't automatically be.

askvortsov

[deleted] Flarum should provide the necessary tooling as part of its core. Not an extension

I want to emphasize again that providing or not providing some systems in core is not in any way a reflection of the importance of those systems. There are some incredibly important things (tags, private messaging, redis / caching, etc) that will probably never be in core, and Flarum will be stronger for it. It's an engineering decision that allows us to keep core streamlined and maintainable while still enabling all these useful features to exist. If you'd like to read a bit more about this philosophy, see this post.

As to the status of the GDPR extension, I agree that it's been going way slower than any of us initially hoped, but the only active developers on it are myself and @IanM, and we've both been very pressed for time. However, that extension will have all the features discussed in this thread, and I am still optimistic that we will get it done.

Hari

matteocontrini >> they can send an email

People do not read the terms and FAQs. when they want to delete their profile like people do in FB they need a delete button otherwise they start using bad words and that can be seen by others too (which causes a bad reputation). instead of all this mess, it would be nice to have a "delete profile" extension just like the change username extension.

here is an a example (a real conversation)

Darkle

[deleted]

What @matteocontrini said is exactly what I plan to use, I think it's feasible, but it's true that with a really big community it can be something really laborious/unsustainable.

I don't know how the development of Blomstra is going with the GDPR extension, @luceos could you update us about it, are there problems or it just requires a lot of development time?

Maybe in that case, you could start a fundraiser to accelerate its development (as happened with the ad extension), I think a lot of people would be willing to help.

[deleted]

Darkle Maybe in that case, you could start a fundraiser to accelerate its development (as happened with the ad extension), I think a lot of people would be willing to help.

I offered this I'm my starting post for this thread. Sadly, even that wasn't enough to steer momentum.

[deleted]

askvortsov I realised the lack of GDPR functionality in March of this year, and in several discussions prior to that. I also can't agree with the philosophy that such an important feature isn't available in the core. It just doesn't make any sense to me as a security expert, and as a result means I've jumped off the Flarum train onto NodeBB with all of my forums - 2 completed, one remaining but in a development state. Security, privacy, and GDPR all have a fundamental basis in social media platforms, so why should any forum choose to behave differently ?

On a final note, there's no option to even opt out of emails via the message itself, which is also non compliance.

I'm not here to bash Flarum in any way. I greatly respect the product, it's ecosystem, the developers, and the community as a whole - I no longer use the Flarum application, but am here in an advisory capacity to ensure the Flarum Foundation doesn't land itself in unexpected hot water if discuss was ever breached and has no controls or framework in place to notify affected users - and even worse, have no ability to determine what data exactly is in scope.

Personally, the lack of any GDPR extension at this point means little to me given my move out, but as an act of courtesy, I'm using my knowledge and experience to bring this back to the table before it's too late.

streaps

askvortsov As to the status of the GDPR extension, I agree that it's been going way slower than any of us initially hoped, but the only active developers on it are myself and @ianm, and we've both been very pressed for time. However, that extension will have all the features discussed in this thread, and I am still optimistic that we will get it done.

Don't you (the people trying to build a business around Flarum) realize how damaging this approach and communication strategy is for Flarum? It already had the image of a software that never gets finished. Now after version 1.0 has been released, after years of waiting, we see the same pattern with a central feature that should have been in v1.0. Maybe there will be a beta version soon, maybe it will take months or years or the whole business / development around Flarum implodes again. This wishy-washy communication and commitment hurts Flarum. Every day there is uncertainty about the GDPR extensions is a missed opportunity. I'm sure many people don't even consider Flarum as a viable alternative because of this. They have a look at Flarum, find nothing about the GDPR on the main site, find nothing about GDPR on the blog and then land on this thread after a search. That's all you can provide as an semi-official statement about the (future) GDPR support in Flarum – hidden between the arrogant/ignorant views of some community members. It's a complete disaster. And the fact that you don't realize how bad it looks only amplifies it.

010101

[deleted] I also can't agree with the philosophy that such an important feature isn't available in the core.

This part of the debate might also be a matter of semantics. Correct me if I’m wrong, but @[deleted] , I think it would also be just as satisfactory if it was a core, Flarum Foundation maintained, default extension. Correct? It doesn’t have to be in CORE, core. 🙂 But it should be like the Tags or Like extension and come with the default installation.

I hate doing it. Always comparing to WordPress. I’m sorry, it’s just so well-known… By default, WordPress has some GDPR features and an example privacy policy with fresh installs. And, WordPress also doesn’t often add something like that to their core. So, it must be important.

[deleted]

010101 It doesn’t have to be in CORE, core

I don't agree. It should be in the core product. For non compliance with the GDPR where it can be proven that you do not have adequate controls in place to adequately handle a beach properly, you can be fined up to €20m or four times the turnover of any parent entity.

My comment here is the Flarum should offer GDPR compliance out of the box and but truly on extensions - be those core or third party. GDPR compliance is mandatory, not optional.

010101

[deleted] GDPR compliance is mandatory, not optional.

But now we get into that fact that it really isn’t. If I have private forum for me and my friends, it’s not required. Also, it’s not required (a lot of the major rules) if you don’t track the user and do a lot of that fishy stuff social media sites do. At least, that’s what I keep reading over and over. I’d paste links but I think they are in other discussions and I personally won’t change your mind.

[deleted]

010101 This isn't factual I'm afraid. The GDPR is there to protect any members that are EU residents ( or based in Europe if from the UK). If your forum is completely private, this is irrelevant if it gets breached and you spill data that can identify an EU resident or be classed as personally identifying in nature. It doesn't matter if you host your forum on US soil either. As soon as you have one member from the EU, your forum and you are automatically in scope.

Hari

[deleted] Ok, since it's related to users privacy I want to clarify a small doubt here.

What if one user visits my site from EU and using google or facebook remarketing tag if target him (show ads to him) will that violates GDPR rules? If yes will my website will be banned in Europe?

010101

[deleted] Ok, challenge accepted! I’ll look for all the links later and post them here. But, the problem we’ll have in the end is neither of us are lawyers.

[deleted]

Hari You can target existing users under legitimate interest, but not new users. If he or she visits the forum but doesn't create an account, you have no data to hold about them, so you won't be in scope.

Your website won't be banned in Europe. Some US based firms use geo blocking to restrict access to EU residents as a way of being "compliant". Given the usage of a VPN to bypass that, it's not a reliable mechanism at all.

[deleted]

010101 But, the problem we’ll have in the end is neither of us are lawyers.

I work with lawyers, compliance, human resources, client services etc in my daily job where GDPR has a huge focus, so I can assure you that that GDPR isn't solely attributed to Europe. It's about users and where they are domiciled that makes the difference. GDPR can cross borders and it's recognisable as applicable law in virtually all jurisdictions.

010101

[deleted] Here you go:

First, I 80 to 90% agree with you on this topic so don’t get me wrong. But, you are sticking to saying all forums need this. And, the law just isn’t clear enough to 100% determine that. Especially if you are an individual, outside of Europe, who doesn’t bring in revenue or track users. I too work at a company that has to comply with GDPR. That doesn’t make me an expert.

Here’s support for my part of this spirited, and great debate:

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

This seems like an official European site?

They list various reasons you may not have to comply or may not have to comply fully.

The GDPR applies to:

1) a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or

2) a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

My forum falls into #2. I do not monitor the behavior of users. And point #2 states “company.” “Entity” which could make it apply to me isn’t listed in #2. I’m not a company. Point #1 does mention ANY entity, but, I don’t fall into point #1.

This site goes on to say, from what I understand, that small companies are low risk. So more good news for small businesses. But once again, I’m not a company. So, to me, that’s zero risk or close to zero risk.

I also read statements like this all the time (this one from a Vanilla Forums page):

If your community has a global reach (it probably does) and you want to do business in the EU, you should comply. Protecting your customers’ data privacy, no matter where they are, is probably a good idea anyway. And, by the way, the law imposes hefty fines up to 4% of your annual revenue!

Well, once again, I’m not a company, I don’t run ads, I don’t make revenue. So… 🤷‍♂️

I also notice a lot of fear mongering unfortunately when it comes to GDPR. Any service that makes money off of this law (lawyer or those privacy policy generator sites), they scare the crap out of you so you pay them. Go figure. Those sites, like Termly, say what you’re saying. In short: better do this or pay tons of money and get sued. I don’t think so.

In conclusion, is it important for every single forum owner? It doesn’t seem like it. Therefore is it required in core? It doesn’t seem like it. Is it important if you are a business or organization? Yes. So, you are right to be concerned about “Flarum Foundation”… possibly. But Flarum Foundation should consult a lawyer.

For my small forum(s) I’m not worried about it.

Super personal opinion:

EU needs to make the law less broad and more specific if they want the majority of website owners to follow it. Data privacy is important. I too want my data safe. But, the law causes (sometimes) unessessary cookie notices, and promotes propaganda and fear mongering. All because they must have been too afraid to be a little bit specific. And sure, the individual is well protected. But, what about the small, non-revenue generating niche website? The law doesn’t protect them. Again I want companies to treat my data well too… but it’s a bad law. It needs some amendments. #1 amendment should be: we won’t mess with small niche website owners.

MikeJones

010101 EU needs to make the law less broad and more specific if they want the majority of website owners to follow it.

Agreed, I think its anti small business as well, it's definitely a barrier that will keep people from trying to start up a website. Might not be worth it for the small guys...

« Previous Page Next Page »