Add utilities to support General Data Rights Protection Act (GDPR) #5438

Closed
ffdixon opened this issue May 1, 2018 · 4 comments
@ffdixon
Member

ffdixon commented May 1, 2018

The European Union is set to enforce a new data rights protection act that specifies how companies must handle and protect personal data they collect on citizens in European Union (EU) countries. See GDPR.

These rights come into effect on May 25, 2018.

We need to provide BigBlueButton administrators with tools to allow them to

  1. report back to a user what personal data is on the BigBlueButton server, and
  2. remove ("right to forget") all personal data related to a user from the server.

Overview

Today, when a user joins a BigBlueButton session, the server records personal data in log files and recordings.

Log files

In the case of log files, the default settings on a BigBlueButton server store the following information

  • nginx records the IP address of the user when they log into the client, and red5 apps log users as they join the session (see /var/log/nginx/bigbluebutton.access.log).
  • red5 records username and external userID in the bigbluebutton logs (see /var/log/red5/bigbluebutton.log)
  • tomcat records the username and external userID in the API logs (see /var/log/bigbluebutton/bbb-web.log)

This information is automatically deleted after 30 days.

Recordings

BigBlueButton captures many events during a session, including raise hand, chat, talk, respond to poll, whiteboard marks, upload presentation, etc. This information is stored in a file called events.xml (the meeting events). See Recordings.

In the case of recordings, when a user participates in a recorded session, the BigBlueButton server captures their interaction in the raw files of the recording (the events and media).

The capture of raw data does not necessarily mean that the user will appear in a recording. For example, if the user didn't generate any events during the segment marked for publishing, there would be no personal data visible in the recording.

The raw files will persist on a BigBlueButton server for 30 days before being automatically deleted.

However, the recordings will persist until deleted.

Utilities

We want to provide BigBlueButton administrators with two utilities

Right to access by the data subject ('a report on personal data')

When a user joins from a learning management system, such as Moodle, the join API call passes two pieces of information: fullname and userID (see join API).

We need to write a utility that given a userID will scan the recordings on a BigBlueButton 1.1/2.0-beta server and report on all the personal data stored in the recordings.

  ./bbb-user-data -u <userID>  -r <recordingID>

We could also use grep to extract all data related to the user in the log files for information related to the userID. This could be done with a BASH script.

Right to erasure (‘right to be forgotten’)

We need to provide the BigBlueButton administrator with a tool that, given a userID, will process recordings in which the user participated and do the following

Remove user's personal data from the RAW archive

  • Overwrite the .wav file with silence for all segments in which the user spoke (the events.xml will indicate the user's start/stop talking events)
  • Remove all events related to that user from events.xml
  • Remove all video/desktop sharing shared by the user
  • Save back the updated Raw archive
  • Submit the raw archive for reprocessing

After the recording reprocesses, the published recording will not have any reference to the user.

The tool would be called as

  ./bbb-user-data-forget -u <userID> -r <recordingID>
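
One way to implement the events.xml part of the report described in the issue above, added here as an illustration; it is not code from the issue or from the bigbluebutton/gdpr repository. The element names (`userId`, `externalUserId`, `participant`, `senderId`, `talking`), the event names and the sample data are assumptions constructed for the example. It also returns the start/stop talking segments that the erasure step would overwrite with silence.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element, attribute and event names are assumptions about
# the events.xml layout; the issue does not spell them out.
SAMPLE_EVENTS = """<recording meeting_id="constructed-meeting-1">
  <event timestamp="1000" eventname="ParticipantJoinEvent">
    <userId>w_aaa</userId><externalUserId>moodle-42</externalUserId><name>Alice Example</name>
  </event>
  <event timestamp="1500" eventname="ParticipantJoinEvent">
    <userId>w_bbb</userId><externalUserId>moodle-77</externalUserId><name>Bob Example</name>
  </event>
  <event timestamp="2000" eventname="ParticipantTalkingEvent">
    <participant>w_aaa</participant><talking>true</talking>
  </event>
  <event timestamp="3500" eventname="PublicChatEvent">
    <senderId>w_bbb</senderId><message>hello</message>
  </event>
  <event timestamp="5000" eventname="ParticipantTalkingEvent">
    <participant>w_aaa</participant><talking>false</talking>
  </event>
  <event timestamp="6000" eventname="PublicChatEvent">
    <senderId>w_aaa</senderId><message>call me on 555-0100</message>
  </event>
</recording>"""

def user_data_report(events_xml, external_id):
    """Return (events, talk_segments) tied to the join API userID external_id."""
    root = ET.fromstring(events_xml)
    # The join event links the external userID to the per-session internal id
    # that later events (chat, talking) carry instead.
    internal = {e.findtext("userId") for e in root.iter("event")
                if e.findtext("externalUserId") == external_id}
    hits, segments, started = [], [], None
    for e in root.iter("event"):
        values = {(c.text or "").strip() for c in e}
        if not (values & internal or external_id in values):
            continue
        ts = int(e.get("timestamp"))
        hits.append((ts, e.get("eventname")))
        if e.get("eventname") == "ParticipantTalkingEvent":
            if e.findtext("talking") == "true":
                started = ts if started is None else started
            elif started is not None:
                segments.append((started, ts))
                started = None
    if started is not None:  # no stop event seen: open-ended segment
        segments.append((started, None))
    return hits, segments
```

The segments are expressed in event timestamps; converting them to offsets inside the .wav file is not shown.
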
@ffdixon
Member Author

ffdixon commented Jun 8, 2018

For the code to support GDPR, see https://github.com/bigbluebutton/gdpr

@ffdixon
Member Author

ffdixon commented Jun 12, 2018

@ffdixon ffdixon closed this as completed Jun 12, 2018
@basisbit
Collaborator

basisbit commented Apr 9, 2020

Maybe this issue should be reopened, as UI and working + actively maintained tools for this are still missing

@scaredmushroom

I would also like to ask if the documentation above is still up to date.
Thanks for the work.
