
GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**


Comments

  • Registered Users Posts: 122 ✭✭traveller0101


    Absolutely. Under GDPR when you have an active account your posts are your data and you have every right to delete them. It would be petty and vindictive of us in the extreme to want to close down your account just because you invoked your god-given (or at least GDPR-given) rights! :)

    Hopefully, even if a user decides to delete all their posts that won't stop them contributing to Boards and continuing to post in the future.

    What does active account have anything to do with it? If you tie together IP addresses, then you should be deleting all the data linked to that person.


  • Registered Users Posts: 30,123 ✭✭✭✭Star Lord


    What does active account have anything to do with it? If you tie together IP addresses, then you should be deleting all the data linked to that person.

    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their ISP, and can change at any given time.


  • Closed Accounts Posts: 21,730 ✭✭✭✭Fred Swanson


    This post has been deleted.


  • Registered Users Posts: 22,113 ✭✭✭✭Esel


    Star Lord wrote: »
    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their ISP, and can change at any given time.

    Still traceable via ISP though, no?

    Not your ornery onager



  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Star Lord wrote: »
    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their ISP, and can change at any given time.

    Sometimes it can be linked, sometimes it can't.

    But in any case to be GDPR compliant the only practical option when you log user IP addresses is to treat them as personal data.


  • Banned (with Prison Access) Posts: 2,492 ✭✭✭pleas advice


    Inactive Accounts

    Under the GDPR principle of not retaining personal data longer than is required we intend to email all inactive users (users who have not logged onto Boards for 6 years or more) to see if they still want to remain a member of Boards. Inactive users will have 30 days to log onto the site. If they do so within the 30 days we will remove them from the inactive user list. If they do not we will assume that they no longer wish to retain their Boards account and we will begin the process of closing their accounts.

    Will this be an ongoing thing, or a once-off?


  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,276 CMod ✭✭✭✭Nody


    Will this be an ongoing thing, or a once-off?
    Well to remain compliant over time I'd guess it will be done as a once a year or similar exercise as the 6 year limit is arbitrary there is no need to do it daily/weekly etc.


  • Registered Users Posts: 36,240 ✭✭✭✭LuckyLloyd


    Well to be fair, Boards have tackled this head on - fair play.

    I won't lie that I enjoy the irony that those who closed accounts in the past - i.e. those most eager to run away from their past on the site - will now not have the opportunities to benefit from or abuse the new rights that stem from GDPR.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Esel wrote: »
    Seán - say a third party gets access to a device with a logged-in account, and requests deletion? The owner would know nothing and find all their posts gone.

    Or a tired and emotional user requests deletion and later regrets doing so.

    Have you given any thought to restoration in these scenarios?
    Beasty wrote: »
    Once processed the deletion cannot be reversed and I'm sure the site would not want to be perceived to be obstructive in any way when observing such legal rights. It will all be dealt with by the office.

    The privacy policy indicates requests will be processed within 30 days, but does not indicate any "cooling off period". Maybe they could introduce an automatic "are you sure" reply, or a minimum processing period within those 30 days
    Bob24 wrote: »
    Since GDPR requires boards to permanently delete personal data upon request, it wouldn't be very reasonable to expect them to have any long term restoration process*. They could have some kind of cooling off period whereby the data is marked for deletion but only really deleted after a week and a second confirmation from the requester, but IMO it could be over engineering it a bit for a very small number of cases - and there would be a risk of some people accusing boards of dragging its feet to process requests.

    Also while I'm not saying it could never happen, since the deletion process will require to provide identification documents, the chances of someone impersonating another person are reduced.


    * it was explained that the deleted post will remain in backups for 30 days though, so I guess technically restoration would be possible within that timeframe, but TBH if it was me I don't think I would bother with selectively restoring a database for a post that someone regrets deleting (a case of mass deletion due to boards mistake might be different but I doubt it would happen very often).

    So, I think these are very fair and valuable points and based on the feedback we have now updated our procedures regarding requests to delete posts.

    As before, in order to verify identity a user should send such requests via PM. Once we have received any such request we will send out a confirmation email to the email address associated with the user's account, informing them that a request has been received to delete some or all of their posts.

    The user will then have 7 days during which they can email us back cancelling the request to delete their posts.

    If we do not hear back from them within 7 days we will then begin the process of removing their posts from our systems.

    It is important to note that there are no additional steps or barriers introduced here when a user wishes to delete their posts. As before, all they have to do is send us a single PM requesting such. They are free to ignore the confirmation email we send them as after 7 days we will go ahead and begin removing the posts.

    However, as suggested this does introduce a confirmation step and a cooling off period in cases of malicious requests or when a user might have been feeling a bit overly tired and emotional!

    Thanks for the very helpful feedback :)


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Esel wrote: »
    By deletion, I clearly implied deletion of all posts.

    Verification of requests must be robust.

    Do the new terms say that a request for all personal data will result in an encrypted file being provided, with the key in a separate e-mail? How secure is that process?
    Patww79 wrote: »
    This post has been deleted.
    Turtwig wrote: »
    Are PM's not readable from your email though? You don't need to log onto boards to read a PM.

    The issue here is that if a user's email account is compromised then an attacker could either get access to a copy of their personal data that we store on our systems.

    This is true. But it is also the case that even before last Friday and the introduction of GDPR this was true. If an attacker compromised a user's email account and had a quick look around the logon procedure for the site, then they could access nearly all the same information.

    How? Well, they'd go to Boards and click on the Forgot Password option on the login screen. They'd enter the email address of the compromised account and get a password reset email. This would then allow them to log onto that account. The personal data we send out as a result of GDPR is data we hold in your Control Panel settings, your posts and your PM's. In the scenario I'm describing an attacker would have access to all this data once they'd logged onto the compromised account other than soft deleted posts.

    So, if a user's email account is compromised then their Boards account can also be compromised. The current solutions we have put in for GDPR have the same level of account security as we have had (and AFAIK have been happy with) for years.

    We aren't claiming that we have the highest level of security and we definitely could put in place more robust procedures, for example requiring that a much more secure level of identity verification be provided before we would process GDPR requests. But that could be seen as introducing additional barriers to people being able to reasonably access their rights to the personal data and we need to balance security with this right of reasonable access.

    In this regard, we are not different from many other sites in that illicit access to an account can be obtained by compromising the user's email account and requesting a password reset email be sent to that compromised account.

    Finally, it should be noted that we don't process any special or sensitive categories of personal data. GDPR defines special categories of personal data as data revealing "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation". We capture none of this data during registration or subsequently; services that do process these types of data may need a much higher level of security.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    What does active account have anything to do with it? If you tie together IP addresses, then you should be deleting all the data linked to that person.
    Star Lord wrote: »
    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their ISP, and can change at any given time.
    Esel wrote: »
    Still traceable via ISP though, no?
    Bob24 wrote: »
    Sometimes it can be linked, sometimes it can't.

    But in any case to be GDPR compliant the only practical option when you log user IP addresses is to treat them as personal data.

    GDPR defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

    Our advice is that IP addresses are a type of identifier which may allow for the identification of an individual, thereby turning that person into an “identifiable natural person” and bringing that information within the scope of the definition of personal data. However, online identifiers are not in all circumstances a form of personal data. They do not inevitably lead to the identification of a natural person, but are merely recited as one of the identifiers which may allow for the identification of a natural person. Often, it is the case that IP addresses become Personal Data in circumstances in which, when the IP address is combined with other information, an individual becomes identifiable.

    In the case of closed accounts all other personal data (other than the Boards username) has been deleted permanently. IP addresses are allocated regionally, and as far as we know the most accurate we can get to is the locality level. Of course, for big institutions like universities, locality may be enough in that they may be the only entity in the locality the IP address is pointing to. However, in these cases we still can't identify the individual as they typically have 100's or 1000's of people working there.

    For individuals, getting as far as a locality doesn't allow us to identify a specific individual. Their ISP could, but we can't.

    If our advice regarding our legitimate interest in retaining the IP addresses for posts for anti-spamming purposes changes and we are advised that we should not be retaining the IP addresses of closed accounts then we will update our processes accordingly and clear all post IP addresses from posts associated with those accounts.

    But in the absence of any such updates and based on the advice we have received we will continue with our current policy. Thanks


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Will this be an ongoing thing, or a once-off?
    Nody wrote: »
    Well to remain compliant over time I'd guess it will be done as a once a year or similar exercise as the 6 year limit is arbitrary there is no need to do it daily/weekly etc.

    You're right, we will do it on a regular basis


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Is there any possibility of Boards providing figures on a periodic basis of how many people have requested a deletion of their posts?


  • Technology & Internet Moderators Posts: 28,793 Mod ✭✭✭✭oscarBravo


    Esel wrote: »
    Still traceable via ISP though, no?

    An ISP won't provide that information to boards.ie under any circumstances.


  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    Will GDPR affect the email notifications?

    I've noticed a few sites have stopped sending the content of a reply in the email.


  • Closed Accounts Posts: 126 ✭✭Hurling Rankings


    This post has been deleted.


  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,276 CMod ✭✭✭✭Nody


    This post has been deleted.
    Yes; it's been in the ToU for I don't know how long that boards can close an account at their discretion at any time, from section 7.
    Boards.ie Limited may at its absolute discretion refuse you access to the site and/or cancel/terminate your user privileges without prior notice for any reason and you shall not be entitled to any compensation in respect of cancellation/termination of your user privileges. If we disable your account you will not be entitled to create another account without our permission.


  • Banned (with Prison Access) Posts: 2,492 ✭✭✭pleas advice


    Does that include actually closing an account, rather than banning it? (I suppose it includes whatever Boards deems it includes)

    re. closing inactive accounts
    You're right, we will do it on a regular basis
    There's an account that posted a few times on the MMA forum about 6 years ago, be a shame to see that one closed


  • Closed Accounts Posts: 126 ✭✭Hurling Rankings


    This post has been deleted.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Permabear wrote: »
    This post had been deleted.

    I think it’s a very grey area. I.e. is the problem simply that the full content of your posts is still present (in which case deletion would be required), or that it is still associated to your username in the system (in which case breaking that relationship would be sufficient)?


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users Posts: 16,411 ✭✭✭✭Trojan


    No one is sure what is required to comply with the GDPR, and no one will be until we see courts' interpretations. But for now, each organisation has taken its own legal counsel and made a decision on what they believe to be the correct way to comply.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    Permabear wrote: »
    This post had been deleted.

    Even a legal professional's paid-for advice at this point is just going to be qualified speculation. It will all hinge on the first case that goes to court and on the judge that hears the case and their interpretation of the law. Once precedent has been set, you will find legal professionals will adjust their advice based on it.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    One way of looking at quoted posts could be:

    A post made by you is your personal information that you have left in a public place. You have every right to take it away. Just like a football in a park.

    A quote of your post is not yours but is the property of the person quoting. They are just quoting something they found in a public place, where you left it for anyone to read and respond to in all its glory and detail.

    If you get your post deleted, you cannot request someone else's post be deleted unless you can prove that it is identifying you personally (as boards has always done when users post personal details and someone else quotes them).

    To use the football analogy: you can take the ball home but you cannot force everyone who took photos in the park that day to delete all photos that contain your ball regardless of it being the focal point of the photo or just in the background.

    I'm not a practitioner of law so I am open to other interpretations but that would be my take on it. GDPR does not absolve users of responsibility for their data.

    Just did a quick read there of a German blog that describes their issue with this exact problem. In Germany they cannot transfer ownership of data apparently but other forums can use Creative Commons licensing to make the distinction between original post and posts derived from that original. The original remains the property of the poster but any post derived from it (ie: quoting) would be the property of the new poster and not the poster of the quoted content.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    I don't agree with what boards are trying to convey to users, it is not a take it or leave it situation, it is a progressive one, very much balanced in favour of the user, not the forum. The GDPR isn't here to accommodate boards in any way, it is here to accommodate users.

    My guess is boards is going to push back/obscure options, until a legal precedent is set (a good or bad one..), in an Irish court.

    I run a PHPBB board and it is very much head in the sand on their support forum, the software is currently not compliant. Everything has to be erased. The problem is, for the sake of log reporting, the nature of tables, PHPBB and similar forum fronts hold onto traces of information like hairs on a toffee apple..

    My board will probably be left like a Swiss cheese because of the GDPR, but I understand why it exists and am perfectly happy to be compliant.


This discussion has been closed.