Closed the-hotmann closed 4 years ago
acelaya
commented
4 years ago Hey @MartinHO, thanks for this. However, I'm not sure if I completely understand what you mean.
Are you suggesting this project should provide these texts so that admins could pick them and host them under their domains somehow, or do you think Shlink should include them out of the box?
the-hotmann
commented
4 years ago This project should provide these AND they should be included in Shlink as they are just needed where Shlink itself is installed.
Just creating a subdirectory with the name "gdpr" and placing there files like:
"en_imprint.txt" "es_imprint.txt" "de_imprint.txt"
(for every translated language) would be completely enough. Also when setting it up maybe a little hint to this files (or Folder) would be awesome.
So I think both should be the case.
If you want I can create a PR where I just show how it could be and how I think it would be good.
Within Shlink itself then the Text (let me make this example)
This Domain or any subdomain is getting used for creating ShortLinks which will be tracked based on the Visitors anonimized IP. If you do not like to be tracked, based on your IP pls do not call/visit any links from [FQDN from Shlink Installation]
and asks the Admin where he comes from, or even better which language he wants the GDPR Text in and pulls the text in the wanted language (if available) and replaces "[FQDN from Shlink Installation]" with the link and saves it to the DB but also provides it to the Admin.
If not used atm the Admin later can pull the GDPR Text from the shlink-web-client as it could gets it from the DB.
Like this the Admin always can get it and maybe even change the language afterwards in the web-client and change the link and would always get the needed GDPR Text
acelaya
commented
4 years ago Ok, I think I more or less get the point, and probably makes sense, but there are parts of your comment I want to clarify.
So, we could probably have these GDPR texts in some folder, and ship them with the project.
Then during installation, the admin could get asked the language and see the text with the domain placeholder already replaced by his/her own domain.
However, admins would still need to expose this text somewhere for end-users to see it. Shlink itself will not serve it (or to be more precise, it will not have a way to serve it, as the only way end-users interact with Shlink is through short URLs).
To summarize:
Is this what you propose?
the-hotmann
commented
4 years ago Yes thats it. I know that Shlink itself will not serve this text online. But in the EU the Imprint or GDPR Site of the mainDomain like "domain.tld" is the first place people will look if they want to get infos at any subdomain and the subdomain does not have any own imprints/GDPRsite.
So its in the Admins responsibility to put the text on the site/place it have to be placed to statisfie the local GDPR law
Hint: you could even use this generated Text for a little advertising like:
Usage of Shlink
This Domain or any subdomain is getting used for creating ShortLinks with Shlink which is a selfhosted service and will track Visitors based on their anonimized IP. If you do not like to be tracked, based on your IP pls do not call/visit any links from [FQDN from Shlink Installation]
Like this get Backlinks from every domain which is having your GDPR-Text in its Imprint/GDPR-Site which will be good for Promotion
acelaya
commented
4 years ago Ok, got it.
In that case I would like to proceed as follows.
First, I want to see how other tools like this handle the GDPR (like bit.ly, for example).
If I don't find anything conclusive, maybe we can go with approach. However, I would not like to put this into the main repository, as that would feel like mixing a responsibility which is out of Shlink's scope (from a technical point of view).
Having a separate repository would feel more appropriate.
the-hotmann
commented
4 years ago You could also build a WebService where you put in your FQDN (Domain you are using Shlink on) and it will generate the GDPR Text for you in the selected language?
Would put this GDPR thing out of Shlink itself and would be a online service.
Actually that would just be pulling info from somewhere and replace a placeholder with a given string (FQDN/QDN) and admins are good to place it on their Websites
Maybe that makes more sense
acelaya
commented
4 years ago I don't want to overengineer this too much.
Let's keep it as a set of plain text files. If having the placeholder replaced by the actual domain is critical, shlink can consume those files and perform the replacement, but starting with a simple markdown doc inside this new repo explaining how to proceed is a reasonable compromise for now.
But as I said, give me some time and I will check other options. Any help here is more than welcome if you also want to investigate :-)
acelaya
commented
4 years ago I have investigate a bit, and my conclusion is that Shlink is currently GDPR compliant, without having to notify users in any way, as nothing considered "personal data" is getting stored (this was already my understanding, but I'm no expert on this subject, so better double check).
Yes, IP addresses are personal data under the context of the GDPR, but shlink anonimizes them before any storage occurs.
Specially interesting are these two articles:
Since shlink masks the last octet of every IP, it no longer can be used the identify one specific user.
I'm going to close this, as no action is needed.
Lets assume I use Shlink on this domain:
links.domain.tldNow this FQDN does not have an own imprint or data protection part so it needs to be mentioned on the maindomain which is probably:
www.domain.tldNow this normaly contains any website with an imprint or site for data protection. There normaly have to be mentioned that this domain or any subdomain is getting used for creating short links. And traffic/visitors will get tracked anonymised on this domain (here it is "
links.domain.tld").I think this would make this App GDPR conform.
Ofc this should be translated into different languages and should be contained withion
shlinkandshlink-web-client.I would love to support this GDPR move with translating it into german. But I would need a template for that. SO englisch or spanisch version to translate from.
It could sound like something like this:
This Domain or any subdomain is getting used for creating ShortLinks which will be tracked based on the Visitors anonimized IP. If you do not like to be tracked, based on your IP pls do not call/visit any links from [FQDN from Shlink Installation]"[FQDN from Shlink Installation] should be replaces by the actually used FQDN or QDN. Then it would look like this.
This Domain or any subdomain is getting used for creating ShortLinks which will be tracked based on the Visitors anonimized IP. If you do not like to be tracked, based on your IP pls do not call/visit any links from links.domain.tld"This Text should be generated (after installation and after Change of the FQDN) and should be placed in the root directory or somewhere where the Admin can find it. And then just copy & paste it into the right page.
Due to the new GDPR compliance we have to state where datas are getting collected and how they are getting stored. But thats (as far as I know) all. So this would not be very much to be GDPR conform.
This ticket is reffering to an already existing Ticket #145 which was more aiming to be GDPR conform in technical things, but we even need a statement where and what is getting tracked (at least in the EU)