I've raised my concerns with the data protection commissioner regarding the transfer of personal data to a third party without advanced warning and without providing me with an effective mechanism to ensure it was removed before the database was migrated.
The initial response suggests that Boards can do what they want with their platform and business, but they can't do whatever they like with my data and that my concerns are considered serious.
Sending an email is hardly jumping through hoops.
The lack of advanced warning was unfortunate but they still provide a way for you to delete your data or have it anonymised.
They provide a way to ask for it. None of the other things they're supposed to have in place are actually in place. Also their DPA is a generic and largely useless document, intended to provide Boards Software Limited with what they need, but not me as a subject with what I need. These are very generic, especially when referring to things like physical security with man-traps and background checks etc. I review these as part of my job. My data was migrated to Canada and it will now exist on Canadian physical infrastructure in backups and snapshots. They may remove it but it will remain and remain available to be restored on request. That's the issue. If they notified the user-base in advance, many would have opted to close their accounts beforehand, but as always the interests are those of the commercial operator and not of the user who has been denied the opportunity to safeguard their personal data. That's the long and short of it. Don't make any excuses for them.
Can I ask what the concerns are about our data here? I'm not sure what can be used or why.
The BIG thing is that they migrated their data hosting from a First Country [Ireland] to a Third Country [Canada] without consent. Now all the talk from Boards so far is that Canada has adequate Data Protection laws in place and that may be. But the BIG law/regulation that Boards broke, and they could be in trouble with this, is that they migrated the data to that Third Country without any prior notice. Consent wasn't asked and certainly not given. At this stage, it's too late as the data is already there. If I was their DPO, I'd be VERY concerned.
This point has been brought up in Feedback for the past few days and has been overlooked and not answered by Boards staff.
How could our data be used though? I know there's our email and IP address, but how would someone accessing these be an issue?
I'd imagine most don't use an everyday email so spam wouldn't be a huge concern for them, but I have seen some posters say they have used one with that contains their name.
No they don't.
I've done the same. I hope the response I get is not as aggressive or condescending. I added screenshots of the responses I got to my complaint.
I am less concerned about what I posted in the open forums than what is contained in my PMs. I gave information there in response to 'Talk To' forums, eg bank and Eir, which include my full name, address, Eircode, phone numbers, account numbers etc.
This very personal and sensitive information is now 'at risk' to me in a non EU country and I wasn't given any opportunity to delete it in advance. I am not at all happy about this! Whilst I want it deleted now, it seems like too little, too late.
I suggest anyone who actually cares about their digital privacy in light of the migration of boards to a Canadian platform might want to read the following documentation and articles.
This PDF is the current security overview from Vanilla for their hosted forums:
Note it contains references to Safe Harbour (defunct since 2015) and Privacy Shield (shot down by the EU court of justice in July 2020) and references to EU Clauses during interim periods etc. What that basically means is that PIPEDA is the legislative bill/act applicable in Canada to allow personal data move from the EU to the US.
This editorial explains very well exactly why PIPEDA isn't up to the task, leaving too many back-doors open and putting at risk personal data of EU citizens:
This explains in more general terms how PIPEDA, the current data privacy laws effective in Canada, are inadequate:
So in order to update Canadian privacy laws, Bill C-16 was tabled during a first speed in early winter 2020. Canadas own Data Commissioner has concerns that it's not fit for purpose, so it has been sent back to the drawing board:
This information is being shared to ensure that boards users are informed and educated about the potential consequences and risks presented following the migration of OUR data to a Canadian provider, despite the rubber stamp assurances included in DPA's and so forth.
I strongly suggest anyone consenting (or who should be afforded by law the opportunity to withdraw that consent) to process their personal data take the time to review these articles. Most won't, but those who care should take an interest.
This is not just noise, pushback and being difficult. It's at the very heart of the matter.
Unlikely and it's a very gray area but shouldn't be. Consent must be explicit not implied. Many privacy policies that I have read state that they may send your data to third countries but rarely is this listed as to what data, which third countries, which specific data processors and why.
It should also be noted that most privacy polices and the like are boiler plate texts, sufficient to check a GDPR box. They rarely go into detail or are easily read. Most websites, EU or otherwise, are flagrantly in breach of GDPR as their cookie consent is generally defaulted to include marketing and analytics. Opting out regularly requires multiple, if not tens or hundres of clicks to opt out of every vendor. Marketing "Legitmate Interest" non opt outable is a particular bug bear of mine but this is generally Third Countries and UK sites who do this. A good few Irish sites do this too.
As mentioned by others and most recently @RoYoBo, many PM's to other users or the likes to the Talk To company reps include sensitive detail like account numbers, phone numbers, email addresses, even home addresses. This is a huge concern.
I hadn't realised that level of personal information was shared, that is a biggie.
It will be interesting to see what the DPC makes of all this.
At the very least, Boards users should have been given the option to delete or refuse permission for PMs to be transferred. I had a look through mine and was appalled at how much information I have provided there over time, enough to give a complete personal profile with full name, DOB, address, bank details, account numbers etc. I would NEVER have provided such information at the time if I'd known it was then to be gifted abroad without my permission.
Anyone who uses these Talk To forums from now on must be made aware of the data risk, which completely hobbles their use. All of the companies there require personal and sensitive information by PM to progress a query or a complaint. More than enough to facilitate identity theft or any other nefarious actions, especially when linked to years of 'anonymous' posts.
Those of us who have already provided such information that we seemingly cannot now delete ourselves need this to be addressed ASAP.
Ok. Wow. A deep dive. I'd also like to reiterate that this is not just noise, pushback and being difficult. It's at the very heart of the matter.
There are now many more questions than answers. The apparent unwillingness for Boards to be transparent about this move in a GDPR setting is unsettling.
Picking apart bits of the first PDF link [https://vanillaforums.com/legal/VanillaForumsSecurityOverview4.5.pdf]
"What kind of data does Vanilla store? Vanilla is a forum, so we store user records and user generated content. Some of it is access-restricted based on application RBAC ACLs. PII can be shielded from accidental access." So, how does Vanilla know where PII is stored? How does it know what is PII if some users put their PII in PM's?
"Where is Vanilla’s data stored? Vanilla operates private cloud environments in both the US (San Francisco) and Canada (Montreal).". Admittedly, Niamh said that the data is in Canada only.
"Can this data be encrypted at rest? Yes. Vanilla can use Full Disk Encryption (FDE) on its database servers at higher plan levels."
"Are any fields encrypted? No. Our data needs to be searchable. When higher data security is required, we make use of Full Disk Encrypted". This one sort of contradicts the one above about FDE and a previous comment [I think] by Boards that data is encrypted at rest. So is it encrypted at rest AND searchable from the forums, or not?
"Where is backup data stored? We store compressed and encrypted backups in a single-purpose access-controlled Amazon S3 bucket (redundant file storage service).". Where is this bucket located?
"Server-to-server API communications are secured using SSL". I'll assume this is a typo and they mean https/tls.
"Are VMs individually firewalled? Yes. Each VM has a stateful software firewall installed which is customized to its workload. Repeated failed SSH access results in throttling." A software firewall? Is this just IPTables on Ubuntu? What if the server is compromised with root access. IPTables can be reconfigured by the bad actor. A hardware firewall should be used for security. Admittedly, many companies use IPTables thinking it's adding full security. It is, until it isn't.
"Vanilla is willing to sign EU Model Clauses to bridge the gap between Safe Harbor and Privacy Shield, and to reflect the latest “Schrems II” decision." EU Model Clauses are another name for Standard Contractual Clauses. Those that have been keeping up over the past couple of years, especially in light of the recent declaration that Privacy Shield was deemed inadequate, most companies, especially in USA and apparently Vanilla, are relying on SCC's. However, there is little consensus between the various Data Protection Authorities as to the long term legalities of such SCC's but I suppose the CJEU has ordered that they be allowed. It's highly likely that SCC's will come before CJEU at some point soon. Considering that, Vanilla are WILLING to sign an SCC. Have they done that for Boards? What's the effective date on that contract?
On the subject of PIPEDA... The European Commission’s adequacy decision concerning Canada is restricted to commercial organizations. The reason for this is PIPEDA’s applicability criteria: the law only applies to the collection, use or disclosure of personal information in the course of a commercial activity and includes federally-regulated businesses like banks, airlines and telecommunications companies. Snip taken from [https://www.endpointprotector.com/blog/pipeda-vs-gdpr-the-key-differences/]. The entire article is an interesting read, showing the differences between PIPEDA and GDPR. Specifically with PIPEDA: consent can be implied, no right to be forgotten [or it's implied rather than explicit] so your account may be terminated but your data may exist up to the maximum retention period, no data portability, companies may not need to be PIPEDA complaint if they operate outside of Canada [remember that US hosting center?]
On Boards.ie Private messages were just that private and were always considered sacrosanct(DeVore and the other founders were always very clear about this and stood over it too) and unless there was a legal issue or a report of abuse which was sent to admins/the office, were indeed private. Very very few other forums had this culture or even considered it. Now it turns out we can't delete them and more, were transferred out of Ireland and the EU without much in the way of warning and without our permission. Have I got this right? Please tell me I haven't - and no just because Canada is considered "safe" doesn't cut the mustard in this case. Whatever about navigation and other issues that is not on, needs to be fixed PDQ and that's being polite about it.
Few enough were innocent in the past, few enough are innocent in the present, we just don’t know why yet.
Correct. Our data was shipped off without our required consent.
This is precisely why I have always been loathed to use online support services operating though social media, including forums like this. I wouldn’t send information like DOB, address or account numbers through PM services.
There’s a lot of potential personal information here. You could easily identify a lot about someone by linking their posting history to their real world name and contact information.
People’s personal politics, financial issues, sexuality, religious views, personal lives, hobbies, health and all sorts of things get posted here in public and I’m sure plenty have had discussions in private too.
It’s a huge issue to suddenly foist something like this on a user base of an old, old forum like this.
There’s a hell of a lot of private information contained within this site that can be used for user fingerprinting. It’s even worse for users that have maintained a single username for the decades that this site has operated.
(Account closed by user)
Hi @Boards.ie: Niamh , I do get that things must be rather chaotic at the office at the moment, but can you confirm points 1-4?
Another issue is anyone can now add others users to a previously private PM, so if you'd been chatting to someone and assumed it was private they can allow someone else to see the entire chat, whereas a reported PM just sent a single PM to an admin.
I haven't included personal info in PMs, but I know there was a recent enough AH beers and I assume names and phone numbers were exchanged as a minimum in order to arrange it?
@Boards.ie: GDPR and @Boards.ie: Odhran really need to address this.
As an aside, it took many attempts to @Odhran, because clicking on his name somehow linked @David. It's very finicky!
Another thing I've just thought of, can Vanilla link anonymous posts to usernames? A lot of people have posted very personal information anonymously in PI.
Absolutely they can. As could the Boards admins. At a systems level there’s no such thing as anonymous.
I had always taken this Boards assurance re PMs on trust (been here more years than my current incarnation) but I should have been more careful anyway. I have learned a big lesson! The Talk To forums used to be a great (sometimes the ONLY) way to engage with some companies to get a solution. Like you say Wibbs, I'd like a response from Boards now with regard to the deletion of these PMs, permanently and irrevocably.
As others have said, however, the disaster of the whole site transfer and the abysmal results in the very basic structure of the interface means that I will likely be sorely disappointed. I don't want to have to delete my entire profile to get rid of these PMs - even if I do it seems that that's not enough to safeguard my information. It really looks as if the DPC is the only route on this, unfortunately.
Some posters have written about getting caught shoplifting and other illegal activities. If that can all be linked with their personally identifiable information it could be used for nefarious reasons.
So as an aside, I was speaking to my DPO about certain issues I was working on in work, dealing with the Gards, DSR's etc. I shot the breeze with him about what's going on here. To be succinct, he was more forceful about the issue than I am in this thread. He forsees Boards being in trouble. As a realist, I don't see the Irish DPA doing much.
For anyone thinking to themselves that this must have been addressed in advance of migrating our data, you can check back on this here:
Note that the link to @Boards.ie: Odhran 's original December announcement doesn't work. Maybe someone else can find a link that works and share it here. Can't see his past posts, unsurprisingly, so maybe someone can oblige.
You'll note that there's nothing indicating that private messages can be shared with ANY users, it just states that Admins could be added to a private discussion. That's not how it's working. But that's not specifically GDPR, just symptomatic of the the casual approach to user privacy in the context of adopting Vanilla as their new platform of choice at Boards HQ.
No mention of GDPR in any case.
Similarly, none when the early excuses were being set out here:
One of these days it would be nice to hear from Boards staff with something that clearly explains how they have protected our data, as opposed to passing that off to a third country based provider where even a 1 hour review of the legal protections in place in Canada provides ample evidence that it's less than satisfactory. It seems that boilerplate clauses are being relied upon when even the data commissioner in Canada, the guy sitting in charge of the enforcement and compliance authority in that country has said that the laws do not provide protections in line with the interests of Canadian citizens. Let's put it this way, if the Canadian in charge says Canadian laws don't protect Canadian citizens, why would someone at Boards decide it's good enough for your data or mine?
Pretty inexcusable stuff. I don't expect anyone to step up here and answer these questions, because the simple fact is, there's no good answer they can offer. 3 weeks since 'read only', the basics still aren't in place. Folks, you should all be asking these questions. You really should.
Something I've just noticed is that this thread is not showing in the 'Latest Posts' tab on the homepage.
Strange really. It's as though somebody has decided they don't want too many people reading this one.
Join the conversation and then take a look for yourself.
Rich Text Editor.
To edit a paragraph's style, hit tab to get to the paragraph menu. From there you will be able to pick one style. Nothing defaults to paragraph.
An inline formatting menu will show up when you select text. Hit tab to get into that menu.
Some elements, such as rich link embeds, images, loading indicators, and error messages may get inserted into the editor. You may navigate to these using the arrow keys inside of the editor and delete them with the delete or backspace key.