Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
If we do not hit our goal we will be forced to close the site.

Current status: https://keepboardsalive.com/

Annual subs are best for most impact. If you are still undecided on going Ad Free - you can also donate using the Paypal Donate option. All contribution helps. Thank you.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.

Updated GDPR policy and new Terms of Use

1235

Comments

  • Registered Users, Registered Users 2 Posts: 26,024 ✭✭✭✭Timberrrrrrrr


    What i would expect to happen is a ton of unwanted spam emails

    Has it happend in the last 6 years you have been a member?

    Edit: on my phone so not sure but isn't there a change email address option on your account?


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    Edit: on my phone so not sure but isn't there a change email address option on your account?
    Yes there is an option to change e-mail in your Control Panel


  • Posts: 5,557 ✭✭✭ [Deleted User]


    Has it happend in the last 6 years you have been a member?

    Edit: on my phone so not sure but isn't there a change email address option on your account?

    Yes,but as i said,my email address is already out there,in hindsight,if i had of known,i would of used an alternative email address initially


  • Registered Users, Registered Users 2 Posts: 26,024 ✭✭✭✭Timberrrrrrrr


    Yes,but as i said,my email address is already out there,in hindsight,if i had of known,i would of used an alternative email address initially

    Hindsight is indeed a wonderful thing. Surely if you are that worried then you would immediately change your email address to prevent any future (possible) misuse?

    You're saying it's already "out there" but where exactly is out there? Is there a rogue admin that is noting peoples email addresses for future vigra spam ads?

    I'm sorry if this sounds like i am making light of your fears but i honestly don't gwt what you have to fear and what you expect boards.ie to do about it seeing as they are already complying with the laws.


  • Registered Users, Registered Users 2 Posts: 7,698 ✭✭✭the_pen_turner


    Hindsight is indeed a wonderful thing. Surely if you are that worried then you would immediately change your email address to prevent any future (possible) misuse?

    You're saying it's already "out there" but where exactly is out there? Is there a rogue admin that is noting peoples email addresses for future vigra spam ads?

    I'm sorry if this sounds like i am making light of your fears but i honestly don't gwt what you have to fear and what you expect boards.ie to do about it seeing as they are already complying with the laws.

    its not as simple as that. most people have their names as part of their email adddress. combine that with a few specific bits of info from posts like posting in your local town thread or what type of job you have could easily allow someone to work out who you are.


  • Advertisement
  • Technology & Internet Moderators Posts: 28,862 Mod ✭✭✭✭oscarBravo


    its not as simple as that. most people have their names as part of their email adddress. combine that with a few specific bits of info from posts like posting in your local town thread or what type of job you have could easily allow someone to work out who you are.

    Right, but to do so would be a criminal offence.

    Seriously. I don't care enough what your email address is - or what your real identity is, for that matter - to risk criminal prosecution to find it out.


  • Registered Users, Registered Users 2 Posts: 7,698 ✭✭✭the_pen_turner


    oscarBravo wrote: »
    Right, but to do so would be a criminal offence.

    Seriously. I don't care enough what your email address is - or what your real identity is, for that matter - to risk criminal prosecution to find it out.

    i understand that . im not saying any admin etc has done anything wrong .

    do criminals care about the laws they are breaking

    a lock only keeps an honest man out.

    surely there should be some kind of system in place to protect users data from someone who would chose to break the law. maybe some kind of system that requires 2 or more admins to sign offf before the data is accesable


  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,572 CMod ✭✭✭✭Nody


    surely there should be some kind of system in place to protect users data from someone who would chose to break the law. maybe some kind of system that requires 2 or more admins to sign offf before the data is accesable
    There is no system or rule you can set up that someone who wants to abuse it can't circumvent; I've worked for years on payment processes (i.e. very high risk, high direct reward if abused) and no matter how many controls are added I've yet to find a system I can't abuse if I set my mind to it. Add a second accomplice (or someone I know in the general process I can get to do me a "favor") and you've circumvented pretty much every control in any system out there and you'll only find out afterwards. This is not to say you should not make it as difficult as possible but every system can be abused if targeted and every system and control tend to have the processor in question as the weakest link.


  • Registered Users, Registered Users 2 Posts: 26,024 ✭✭✭✭Timberrrrrrrr


    its not as simple as that. most people have their names as part of their email adddress. combine that with a few specific bits of info from posts like posting in your local town thread or what type of job you have could easily allow someone to work out who you are.


    Hence I'm saying why not change email address


  • Registered Users, Registered Users 2 Posts: 7,698 ✭✭✭the_pen_turner


    Nody wrote: »
    There is no system or rule you can set up that someone who wants to abuse it can't circumvent; I've worked for years on payment processes (i.e. very high risk, high direct reward if abused) and no matter how many controls are added I've yet to find a system I can't abuse if I set my mind to it. Add a second accomplice (or someone I know in the general process I can get to do me a "favor") and you've circumvented pretty much every control in any system out there and you'll only find out afterwards. This is not to say you should not make it as difficult as possible but every system can be abused if targeted and every system and control tend to have the processor in question as the weakest link.

    i dont expect a hugly complicated system but surely there should be something that would stop someone acting alone. surely we can trust that boards wouldnt have more than one criminal on the mist(not sayng there is)


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 7,698 ✭✭✭the_pen_turner


    Hence I'm saying why not change email address

    that doesnt change the fact that your email is out there for loads of strangers to see.

    if you change it what happens to the old one. can that still be accessed


  • Registered Users, Registered Users 2 Posts: 26,024 ✭✭✭✭Timberrrrrrrr


    that doesnt change the fact that your email is out there for loads of strangers to see.

    if you change it what happens to the old one. can that still be accessed

    Thats something for admin/staff to answer i have no idea


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    if you change it what happens to the old one. can that still be accessed

    Certainly not by Admins, and I suspect not by others other than via a backup that predates the change


  • Registered Users, Registered Users 2 Posts: 9,880 ✭✭✭Canis Lupus


    What i would expect to happen is a ton of unwanted spam emails

    That's what a spam folder is for. I get zero emails into my main inbox that aren't expected. Anything spam goes to the spam folder. So basically, as far as I can see there's no impact.


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    Nody wrote: »
    surely there should be some kind of system in place to protect users data from someone who would chose to break the law. maybe some kind of system that requires 2 or more admins to sign offf before the data is accesable
    There is no system or rule you can set up that someone who wants to abuse it can't circumvent; I've worked for years on payment processes (i.e. very high risk, high direct reward if abused) and no matter how many controls are added I've yet to find a system I can't abuse if I set my mind to it. Add a second accomplice (or someone I know in the general process I can get to do me a "favor") and you've circumvented pretty much every control in any system out there and you'll only find out afterwards. This is not to say you should not make it as difficult as possible but every system can be abused if targeted and every system and control tend to have the processor in question as the weakest link.
    One very strong system to deter abuse is very simple - that all accesses of email addresses is logged and recorded.

    But more importantly, why do admins NEED access to email addresses?


  • Closed Accounts Posts: 8,474 ✭✭✭Obvious Desperate Breakfasts


    its not as simple as that. most people have their names as part of their email adddress. combine that with a few specific bits of info from posts like posting in your local town thread or what type of job you have could easily allow someone to work out who you are.

    I’m gobsmacked that people sign up to sites like boards.ie using their everyday emails. Dummy email addresses all the way. I’ve been doing that for years.


  • Registered Users, Registered Users 2 Posts: 7,698 ✭✭✭the_pen_turner


    I’m gobsmacked that people sign up to sites like boards.ie using their everyday emails. Dummy email addresses all the way. I’ve been doing that for years.

    hind sight is always 20 20


  • Boards.ie Employee, Boards Employee 2, Boards Employee 3 Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    Do you have written contracts with your Admins (those that are not employees) where this is clearly stated?
    No we don't, only people employed by the company have a contract. Admins are volunteers.
    It also doesn't mean that your admin has never looked at my email address for any reason.

    One obvious concern with this is the possibility of exposing the identity of otherwise anonymous posters. The question should be "why do admins need this information?".

    Do you track and audit admin access to email addresses?

    Admins need access to certain user information to operate in their role as Admins and to maintain the security of the site when needed. We do not track or audit Admin access to email addresses.
    its not as simple as that. most people have their names as part of their email adddress. combine that with a few specific bits of info from posts like posting in your local town thread or what type of job you have could easily allow someone to work out who you are.
    Yes they could but are not allowed to do so. GDPR allows you to withdraw your personal data, in this case email address if you feel that this is an issue.
    i understand that . im not saying any admin etc has done anything wrong .

    do criminals care about the laws they are breaking

    a lock only keeps an honest man out.

    surely there should be some kind of system in place to protect users data from someone who would chose to break the law. maybe some kind of system that requires 2 or more admins to sign offf before the data is accesable

    Users data is only accessible to a very small number of people to facilitate the smooth running of the site. Two Admins signing off on anything would be not be feasible. Admins are in different locations and in some cases different time zones. Often when they have to act on a spammer, for example, it is time sensitive and waiting for another Admin to be around before they can access the user profile would hamper them in their role.
    that doesnt change the fact that your email is out there for loads of strangers to see.

    if you change it what happens to the old one. can that still be accessed
    If you change your email address the old one is essentially overwritten by the new one. It is no longer saved or visible anywhere once you have saved the new email address.
    One very strong system to deter abuse is very simple - that all accesses of email addresses is logged and recorded.

    But more importantly, why do admins NEED access to email addresses?
    As above, they need it to fulfil their roles as Admins and to facilitate the smooth running of the site.


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    Admins need access to certain user information to operate in their role as Admins and to maintain the security of the site when needed.

    With due respect, that's a 'nothing' answer. It says nothing.

    It doesn't see how or why admins need email addresses, over and above usernames.
    We do not track or audit Admin access to email addresses.
    Thanks for clarifying, but that's a substantial concern, and an exposure for your organisation.


  • Boards.ie Employee, Boards Employee 2, Boards Employee 3 Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    With due respect, that's a 'nothing' answer. It says nothing.

    It doesn't see how or why admins need email addresses, over and above usernames.
    I appreciate it's not as much detail as you are looking for but it's as much detail as I'm willing to give without compromising how we function and exposing some of our site security procedures.

    From our Terms of Use:
    Moderators and Administrators
    In order to allow for the proper administration of boards.ie we make use of third party moderators and administrators. And in order for them to properly carry out their functions as moderators and administrators they require access to personal information concerning you, your boards.ie account and your activity on the site. Such data is only permitted to be used by our third party moderators and administrators for the purposes of administering the site and cannot be used by them for any other purpose.

    Thanks for clarifying, but that's a substantial concern, and an exposure for your organisation.
    As far as I am aware, we are not obliged to do so but I will pass the concern on, thank you.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    I appreciate it's not as much detail as you are looking for but it's as much detail as I'm willing to give without compromising how we function and exposing some of our site security procedures.
    Security through obscurity is not generally respected

    https://en.wikipedia.org/wiki/Security_through_obscurity


    As far as I am aware, we are not obliged to do so but I will pass the concern on, thank you.

    Like most security issues, the requirements are very general rather than specific.

    But in simple terms, if you have a breach, and you have an audit facility, you will have some chance of tracking the leaker down.

    The existence of an audit trail is substantial deterrent to leaking.


  • Technology & Internet Moderators Posts: 28,862 Mod ✭✭✭✭oscarBravo


    Security through obscurity is not generally respected

    https://en.wikipedia.org/wiki/Security_through_obscurity

    That's a bit of a misconception. Security that relies entirely on obscurity is a risk, but obscurity as one layer of a security-in-depth approach often makes sense. From your own link:
    NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.


  • Registered Users, Registered Users 2 Posts: 973 ✭✭✭November Golf


    Off topic but....

    In future, can we please have two separate threads:

    1. for Information (one way - info, Updates & FAQ's)

    2. Discussion on the topic of information (two way - for discussing, raising concerns, and asking questions)

    I mean I have been dipping in and out of this thread since it was started and frankly I have forgotten what the policy changes actually are & I'm not that bother to go back and read the OP. I'm not saying there hasn't been real points made or justified concerns raised but if the whole purpose of this thread was to "inform people" about the changes that have been made, its no longer fit for purpose in my opinion.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators, Paid Member Posts: 18,830 Admin ✭✭✭✭✭hullaballoo


    Not a bad suggestion tbf.


  • Closed Accounts Posts: 1,325 ✭✭✭xi5yvm0owc1s2b


    I'm not saying there hasn't been real points made or justified concerns raised but if the whole purpose of this thread was to "inform people" about the changes that have been made, its no longer fit for purpose in my opinion.

    If the purpose was simply to inform people, staff should have posted an announcement. Starting a Feedback thread inevitably invites discussion.


  • Closed Accounts Posts: 687 ✭✭✭nim1bdeh38l2cw


    Beasty wrote: »
    A written contract would require monetary consideration:eek:

    Why would it? Contracts don't infer monatery anything, legally such a person would be a data processor (boards would be the data controller) under Article 4 and Article 28 requires "sufficient guarantees" which in my (qualified) opinion can only be given by a written contract where it's stated what such a processor can and cannot do with the data that they have access to.


  • Registered Users, Registered Users 2 Posts: 68,173 ✭✭✭✭seamus


    Why would it? Contracts don't infer monatery anything, legally such a person would be a data processor (boards would be the data controller) under Article 4 and Article 28 requires "sufficient guarantees" which in my (qualified) opinion can only be given by a written contract where it's stated what such a processor can and cannot do with the data that they have access to.
    The law on what a data processor does, still applies whether or not a written contract exists.

    You're probably confusing a contract with a declaration.

    That is, a declaration from the admin that they understand they are a data processor and are bound by the legal obligations of one.
    Ultimately all this does is ensure that in a bind, the data processor can't plead ignorance.

    This doesn't necessarily have to be a formal sheet of paper. Merely the act of engaging in this discussion could be considered such a declaration.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators, Paid Member Posts: 18,830 Admin ✭✭✭✭✭hullaballoo


    Why would it? Contracts don't infer monatery anything, legally such a person would be a data processor (boards would be the data controller) under Article 4 and Article 28 requires "sufficient guarantees" which in my (qualified) opinion can only be given by a written contract where it's stated what such a processor can and cannot do with the data that they have access to.
    For a contract to be valid, there has to be an exchange of value if you like.

    The exchanged thing doesn't have to be representative of the true value of the agreement to either party but it has to be of value, and both parties have to commit something of value to the exchange.

    It's just one of the elements required for a binding and enforceable contract and it is known as consideration.

    Me going to boards HQ and signing a document saying
    I know that I'm a data processor for the purposes of the GDPR is not a contract. In fact, it has no real legal value other than, as seamus says, potentially preventing me from later saying I didn't know I am a data processor.

    A bit of a pointless exercise is all it would be.


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    Off topic but....

    In future, can we please have two separate threads:

    1. for Information (one way - info, Updates & FAQ's)

    2. Discussion on the topic of information (two way - for discussing, raising concerns, and asking questions)

    I mean I have been dipping in and out of this thread since it was started and frankly I have forgotten what the policy changes actually are & I'm not that bother to go back and read the OP. I'm not saying there hasn't been real points made or justified concerns raised but if the whole purpose of this thread was to "inform people" about the changes that have been made, its no longer fit for purpose in my opinion.

    The Announcement is in the Announcements Forum. Posts in Feedback are for discussion


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,369 ✭✭✭ezra_



    Me going to boards HQ and signing a document saying
    I know that I'm a data processor for the purposes of the GDPR is not a contract. In fact, it has no real legal value other than, as seamus says, potentially preventing me from later saying I didn't know I am a data processor.

    A bit of a pointless exercise is all it would be.

    Come now - a fifty would be valid consideration and would make the contract valid and enforceable. The lack of sufficient consideration isn't the blocker here, but rather that it would shift you from a volunteer to something along the lines of a contractor, and that brings in complications to both sides.

    However, since we have gone down the rabbit hole of an admin committing a breach, barring someone going rogue, the more likely outcome is;

    ezra_ starts spamming boards with something
    beasty checks out my email address
    checks it on www.isthisguyaspammer.com
    acts accordingly

    However, isthisguyaspammer.com then starts processing my email address and spamming me (or doing something else with it that I don't give consent to)

    DPC gets involved (because, well just because it is needed for this analogy).

    Who is at fault here? Beasty? Boards? Both? isthisguyaspammer.com?


This discussion has been closed.
Advertisement