elkarte / Elkarte

ElkArte Forum. A free, open source, modern discussion forum / BB
https://elkarte.github.io/Elkarte/
BSD 3-Clause "New" or "Revised" License

Right to erasure (‘right to be forgotten’) #3147

Open emanuele45 opened 6 years ago

emanuele45 commented 6 years ago

And here we are, one of the central points.

Do note: we are talking about personal data, not (necessarily) the content of the posts!

Article 17:

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

This is indeed tough. Personal data are commonly: email address, IP, and potentially the member name/real name. These data are collected in quite a few places, in particular:

Vekseid commented 6 years ago

from_name is in the PM table. IMO it should also be storing the IP at least.

Is an IP address personal information?

Spuds commented 6 years ago

I had the same question about the IP ...

albertlast commented 6 years ago

All information that can identify a person is personal information -> IP addresses (especially IPv6) are personal information.

emanuele45 commented 6 years ago

It looks like so.

thatnini commented 6 years ago

Is it easier to anonymize names rather than remove them outright? If we remove the posts, then the topics won't flow/read right. The same could be said about removing names. As long as it's no longer possible to identify the person by joining together the various bits of personal information held on them, this should be ok.

Emails should be removed.

What about the content contained in the other profile fields (including custom-made ones)?

Not sure about IP addresses being removed immediately on request. What if a user requests this information to be deleted, but then tries to cause damage to our forums/servers - we would have no evidence that they were known to us. There is a get-out clause for this:

Recital 49 (Network and information security as overriding legitimate interest): The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

We are able to set the number of days for pruning log entries. Could we set the number of days before removing IP addresses from the other areas after an account has been deleted and run it as a scheduled task? Logs/IP addresses shouldn't be retained indefinitely.

emanuele45 commented 6 years ago

If we remove the posts, then the topics won't flow/read right.

Please read the second sentence of the text of the issue. This is about personal data, not about posts.

thatnini commented 6 years ago

I was talking about requesting to delete accounts and the fact that some people are interpreting the GDPR to mean that all posts should automatically be removed as well when that happens, which I don't personally agree with, as I'd prefer to make a judgement call if the entire post history should be deleted.

Sorry, if I misunderstood.

emanuele45 commented 6 years ago

I guess we misunderstood each other, no big problem. :)

Well, interpretation of each single member of a forum is out of the scope here, of course GDPR regulates personal data, not the content of the posts. Then it's the admin that has to explain that to the member, I don't think "we" can do much about it.

kode54 commented 6 years ago

So if we delete the IP addresses and anonymize the names of people who ask to be "deleted", what's to stop them from immediately coming back again under a new name? What if someone who was banned for breaking the rules of the forum asks to be "deleted", then does this very thing?

At one point, our forum had the entire city of Toulouse, FR banned because of a super persistent spammer.

This may also make it hard for us to enforce our "one account per real user" rule, which we tend to enforce by banning duplicate accounts as well as the originals when someone proves to be abusing this for whatever ends, from shilling to voting multiple times in polls.

Vekseid commented 6 years ago

This wouldn't be something forced, it's not like everyone is subject to the same jurisdiction or interpretation. It's about supporting these laws in those cases where it is deemed necessary, not enforcing them everywhere.

emanuele45 commented 6 years ago

@kode54 as far as I know, with IPv6 coming into the game, banning by IP will become less effective (but I may be wrong, of course). Provided:

  1. IANAL
  2. I'm not sure where you are based.

So this is just a theory on my side, you should check with someone that knows the matter better than me. If you were based in the EU I guess you could argue you are keeping the records for a certain period of time under provision of article 17.1 (a) (i.e. you stated the data are used to track inappropriate behaviours in your agreement and are kept for a certain period of time for that very reason) and the users have agreed to that agreement.

kode54 commented 6 years ago

Well, the server I'm hosting doesn't support IPv6 anyway, but if it did, and I started seeing spammers or abusers from IPv6 addresses, I'd probably be banning whole netblocks.

emanuele45 commented 6 years ago

@Vekseid that's why I also tracked #3143 because, even though I put it as a question, I feel it is worth it, at least to discriminate between some actions (logging of accepting agreements and anonymization).

Vekseid commented 6 years ago

@emanuele45 banning by IP needs to be done by /64 at minimum. If you are banning by /128 that is a security bug. That shouldn't even be an option.

kode54 commented 6 years ago

Banning by IP is still a mask/range thing, last I checked. You still have to mask the address yourself.
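The /64 point raised above, as an added example that is not ElkArte's own ban code: ban entries are normalized to the network they actually cover before any lookup, an IPv6 entry narrower than /64 is widened (a client can move freely inside its /64, so a /128 ban is not a meaningful unit), and entries that are too narrow can be reported to the admin instead of being silently accepted. The minimum prefix lengths and the sample ban list are assumptions constructed for this example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed policy for this example (not an ElkArte setting): an IPv6 ban is
# never narrower than /64; an IPv4 ban may still target a single host (/32).
MIN_BAN_PREFIX = {4: 32, 6: 64}


def is_too_narrow(entry: str) -> bool:
    """True when a ban entry (address or CIDR) is narrower than the policy allows."""
    net = ipaddress.ip_network(entry, strict=False)
    return net.prefixlen > MIN_BAN_PREFIX[net.version]


def normalize_ban(entry: str) -> Network:
    """Return the network a ban entry really covers, widening it if too narrow."""
    net = ipaddress.ip_network(entry, strict=False)
    max_len = MIN_BAN_PREFIX[net.version]
    if net.prefixlen > max_len:
        # strict=False masks the host bits, so "2001:db8::1/64" becomes 2001:db8::/64
        net = ipaddress.ip_network(f"{net.network_address}/{max_len}", strict=False)
    return net


def load_bans(entries: Iterable[str]) -> List[Network]:
    return [normalize_ban(e) for e in entries]


def is_banned(addr: str, bans: Iterable[Network]) -> bool:
    """Membership test against normalized ban networks (version-safe)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == b.version and ip in b for b in bans)


# Constructed sample ban list: one single IPv6 host (too narrow) and an IPv4 range.
SAMPLE_ENTRIES = ["2001:db8:abcd:1234::1", "198.51.100.0/24"]
BANS = load_bans(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        flag = " (too narrow, widened)" if is_too_narrow(e) else ""
        print(f"{e} -> {normalize_ban(e)}{flag}")
    print(is_banned("2001:db8:abcd:1234:ffff::9", BANS))  # same /64 -> True
```

The widening happens at load time rather than at lookup time so that the stored ban list is what the admin sees, and `is_too_narrow` gives the admin UI a way to refuse or warn on a /128 entry as Vekseid suggests.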

emanuele45 commented 6 years ago

Since this is probably the next big thing to implement in 1.1, here I am back on it.

So, this is a tool given to the admins to help "clean up".

I think the specifications should be something like the following:

  1. when the admin wants, he should be able to remove data associated with an account,
  2. doing so, the admin should be able to remove specific data (e.g. real_name, user_name, email address, IP address, specific custom fields, etc.) associated with a specific account,
  3. it should work on single accounts or on multiple accounts,
  4. it should work also on guest posting (so filtering by email or nick name),
  5. it should give the option to delete data collected in a certain range of dates (in order to identify different policies accepted by the user),
  6. I'd like to see this tool flexible enough to allow addons to be able to integrate easily, that means an addon should be able to specify a field to delete (and should provide a method to delete it),

That should be.
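One way to structure the tool described in the six points above, as an added example that is not ElkArte's code: a registry maps column names to eraser callbacks (core columns pre-registered, addons register their own), selectors pick records by member id or by the email/nick left on guest posts, and an optional date range limits the run to data collected under a given policy. Post bodies are never touched, matching the issue's scope. The record dicts, column names and sample rows are constructed for this example and are not ElkArte's schema.

```python
from datetime import datetime
from typing import Callable, Dict, Iterable, List, Optional

Eraser = Callable[[dict, str], None]  # (record, column) -> mutates record in place


def _erase_name(rec: dict, col: str) -> None:
    rec[col] = "Deleted User"        # thread stays readable, identity is gone

def _erase_email(rec: dict, col: str) -> None:
    rec[col] = "deleted@invalid"     # reserved TLD: can never be delivered or reused

def _erase_blank(rec: dict, col: str) -> None:
    rec[col] = ""                    # IP addresses and free-form custom fields


# Registry of erasable columns. Addons call register_eraser() for their own
# columns; an unregistered column makes a run fail instead of being skipped.
ERASERS: Dict[str, Eraser] = {
    "real_name": _erase_name, "user_name": _erase_name, "poster_name": _erase_name,
    "email": _erase_email, "poster_email": _erase_email,
    "member_ip": _erase_blank, "poster_ip": _erase_blank,
}

def register_eraser(column: str, fn: Eraser) -> None:
    ERASERS[column] = fn


# Selectors: a registered account, or guest posts identified by email / nick.
def by_member(id_member: int) -> Callable[[dict], bool]:
    return lambda r: r.get("id_member") == id_member

def by_guest(email: Optional[str] = None, nick: Optional[str] = None) -> Callable[[dict], bool]:
    def _match(r: dict) -> bool:
        if r.get("id_member", 0) != 0:
            return False
        return (email is not None and r.get("poster_email") == email) or \
               (nick is not None and r.get("poster_name") == nick)
    return _match


def erase_records(records: Iterable[dict], columns: List[str], match: Callable[[dict], bool],
                  since: Optional[datetime] = None, until: Optional[datetime] = None,
                  date_col: str = "poster_time") -> int:
    """Apply the registered erasers for `columns` to every record selected by
    `match` whose date (if it has one) lies in [since, until]. Returns the
    number of records changed."""
    unknown = [c for c in columns if c not in ERASERS]
    if unknown:
        raise ValueError(f"no eraser registered for: {unknown}")
    changed = 0
    for rec in records:
        if not match(rec):
            continue
        when = rec.get(date_col)
        if when is not None and ((since and when < since) or (until and when > until)):
            continue
        touched = False
        for col in columns:
            if col in rec:
                ERASERS[col](rec, col)
                touched = True
        changed += 1 if touched else 0
    return changed


# Constructed sample rows: one member with a hypothetical addon column, one
# member post, and two guest posts straddling an assumed policy-change date.
MEMBERS = [
    {"id_member": 42, "user_name": "alice", "real_name": "Alice A.",
     "email": "alice@example.com", "member_ip": "203.0.113.5", "cust_twitter": "@alice"},
    {"id_member": 43, "user_name": "bob", "real_name": "Bob B.",
     "email": "bob@example.com", "member_ip": "203.0.113.6", "cust_twitter": "@bob"},
]
POSTS = [
    {"id_msg": 1, "id_member": 42, "poster_name": "Alice A.", "poster_email": "alice@example.com",
     "poster_ip": "203.0.113.5", "poster_time": datetime(2018, 1, 10), "body": "member post"},
    {"id_msg": 2, "id_member": 0, "poster_name": "guest_g", "poster_email": "g@example.com",
     "poster_ip": "198.51.100.9", "poster_time": datetime(2018, 1, 10), "body": "guest, old policy"},
    {"id_msg": 3, "id_member": 0, "poster_name": "guest_g", "poster_email": "g@example.com",
     "poster_ip": "198.51.100.9", "poster_time": datetime(2018, 6, 1), "body": "guest, new policy"},
]

def run_demo():
    """Erase chosen columns for member 42, then guest data collected from an
    assumed policy date onwards. Returns (members changed, posts changed)."""
    register_eraser("cust_twitter", _erase_blank)   # hypothetical addon column
    n_members = erase_records(MEMBERS, ["email", "member_ip", "cust_twitter"], by_member(42))
    n_posts = erase_records(POSTS, ["poster_email", "poster_ip"],
                            by_guest(email="g@example.com"), since=datetime(2018, 5, 25))
    return n_members, n_posts

if __name__ == "__main__":
    print(run_demo())
```

Because the selector and the column list are separate, the same run can be pointed at several accounts, at guest posts only, or at a single custom field, which is what points 2 to 5 of the list ask for; the registry is the hook that point 6 asks addons to use.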

Spuds commented 3 years ago

Can backport this should someone do something with it at all.