GDPR rules

[fizi]

What think the Dev Team about GDPR? e107 will work with this rules?

[Jimmi08]

What happens if user has related data (forum post, news, comments) and you delete user info ?

[martyshep]

I recently went through GDPR and had to delete some users who had forum posts. The forum posts then show as being posted by 'Anonymous' user.

[Jimmi08]

@martyshep Thank you. So if user inserted some sensitive info to forum post, it should be in rules that "before you ask for Delete user, check all your forum posts and delete sensitive ones manually" Do you know what I mean? I would prefer Anonymize functionality - then user with that ID is still available and you as main admin can log in as this user from admin area. And Delete user button shouldn't be user functionality, only for admins. You need at first to check if user can be deleted.

And deleting user should be always logged somewhere because you need to prove that they was deleted. And user should get email notification about deleting their account.

By the way - this GDPR rule (need) can be easily filled by special form - send the ask(need) for deletion. In your Privacy Policy you should have time period (14 - 30 days) and user should get confirmation about you receiving their asking. Then you delete them, write them confirmation email about deleting OR you write them, we are sorry we need your data because...

[martyshep]

@Jimmi08 Yes I agree, I had to manually review the posts from that user to be deleted. I was thinking of deleting all posts for the users, and in one case I did using: sql delete FROM e107_forum_post WHERE post_user = but I felt it left forum threads out of context with missing posts.

Of course if this could be automated into an Admin tool where you can specify the USER ID and the tool removes the posts automatically without the website owner needing to use SQL themselves, that would be useful.

[Jimmi08]

@martyshep Be aware statistical purpose. And delete posts from topic can cause that the topic losts its logic.

I asked our lawyer about this because I have site where user profile has a lot of personal info (like 20 years ago - skype, ICQ, adress...) It's community site. Lawyer asked: what is purpose of this site? My answer: building community (Harry Potter fans). Lawyer asked: is registration voluntary? If yes, their consent with rules during registration is enough. No cookies for registered users. No special rights (send email is enough) Only good Privacy Policy to inform visitors about everything. And registration similar with COPPA (to confirm consent). And deleting posts? My legal interest is bulding community, so my legal interest is to save old posts too for community purposes (they can delete them themselves).

At least I deleted all noactive users (not sure how e107 manage this), but I have in user table last log in time, last IP (confirmation that account was used) and points for each activity. So I deleted only users with last log in 5 years ago and zero activity. Collect IP is ok because my legal interest is safe site and its users.

I am starting to use e107 forum so I will do more tests with it.

[SimSync]

I don't think that the GDPR forces us to delete everything a user has ever posted. I think, if we destroy the link between the posted data and the author, so that he/she can't be "reverse engineered" from the remaining data, this should be enough.

In case of a forum: There are no requirements, that a user is forced to put personal information in a post (which is probably publicly available). So, if a user want to have this data away, he has to remove this on his own. In case of a shop (like vstore): Billing and/or Shipping information, together with payment information can not be deleted as you need this information for later processes and so on.

This is how a "deleted" user would look like in my opinion:

• Active: false
• Displayname + Realname: Guest or Anonymous User
• Loginname: Random unique name (i'm pretty sure, that it has to be unique in the database)
• Password: Random password
• Custom title, Avatar, signature: empty string
• Email: Random email or string (i'm pretty sure, that it has to be unique in the database)
• Hide Email: true
• Admin: false
• Perms/Classes: Remove all classes, set to "No One"
• The contents of the "extended" fields should be cleared for this user.

What i'm not sure about is the userid, as this one will not change and is more or less impossible to change. If somebody knows his userid, he can still display his profile and with that reverse engineer all other information. Maybe, we simply have to prevent that a user profile of a "deleted" user can be displayed...?

[Jimmi08]

@SimSync PERFECT! It should works this way. Just ideas:

With USERID - it should be blocked to display user.php?id.62 for: no-active users (not verified) except main admin - message similar to login page (you see this page because you are main admin) banned users

I would create special table for gdpr plugin with table of deleted users or some user special extended field - gdpr-deleted - if this field is set, then display user profile with message "we are sorry, acount was deleted)

In some software they set negative value for userid and change it every related tables (then in program if user ID is negative, they know to not display anything)

[CaMer0n]

The basic setup for this can be seen in e107_plugins/_blank/e_user.php in the 'delete' method.

I believe we can use the user_ban field to flag these records too.

[rica-carv]

I think that the anonymous user shouldnt be used, i think more like not registered anymore, and leave its nick, without displaying nothing more....

[SimSync]

@CaMer0n I would prefer a separate field like user_deleted with a timestamp when the the user has been deleted + a field user_deleted_id holding the userid that initiated the delete process. For me, banning and deleting is a totally different status. In case of banning, i would not delete all personal data.

@rica-carv A nickname is kind of "personal". Usually a user uses it on several sites, which means it gives somebody a good impression who wrote something, when and so on.

[CaMer0n]

@SimSync The user_ban field is currently used for the following:

• unverified users
• banned users
• active users
• user with bouncing email addresses.

Adding another item for 'deleted user' would be the least intrusive change imho. The current label used for this field in admin > users is "Status".

[SimSync]

@CaMer0n Yeah, ok. You are right, if it's this kind of multi purpose field, we can also use it for this too. But is there some a field, that can be used to save more information about the deletion? Like datestamp and userid to document the deletion a little bit. An "ex user" could get the idea to ask for a confirmation. Especially, if he was deleted by an admin.

[CaMer0n]

@SimSync I believe we could use a similar process to what we do during signup. Place a hash into user_sess, send an email with a link.. after clicking the link the account is 'deleted', then user_sess could be updated with the datestamp of deletion.. or we simply use "user_lastvisit" for this purpose- which in this case will be their very last visit. ;-)

[SimSync]

@CaMer0n A confirmation mail is a good idea. I just imagined how i should confirm a user the removal of his account, if he doesn't know his userid.... 😄 So the email confirmation should be enough confirmation at all. I can see, that the username doesn't exist anymore, but i can't access the old account anymore without a userid because everything was anonymized ... 😆 So setting the user_lastvisit field with the delete datestamp should be enough. No need to create additional fields (which can't be accessed without knowledge of the userid).... 😉

[rica-carv]

@SimSync

A nickname is kind of "personal". Usually a user uses it on several sites, which means it gives somebody a good impression who wrote something, when and so on.

Not really. Who prevents ME of using nicks of other users from other sites??

Anyway, i can't see the issue on still displaying the nickname, because for instance, in forums, when you do a comment, the nick is displayed. What happens if the user is completelly deleted? For me, the nick should remain, but if it's such a "tricky" issue, it could be replaced for a random user name, like Ebay does for unregistered users...

Anyway, imagine a plugin links directly to the user table refering the user id, if that id is deleted, what happens to the linked plugin dependent users? It will be a complete caos.....

[CaMer0n]

@fizi Would you like to test it and give feedback?

[fizi]

I would like to test it, but I do not know what to look for. :)

[CaMer0n]

@fizi You just go to usersettings and click "Delete Account"