New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GDPR rules #3175

Open
fizi opened this Issue Jun 5, 2018 · 18 comments

Comments

Projects
None yet
6 participants
@fizi

fizi commented Jun 5, 2018

What think the Dev Team about GDPR? e107 will work with this rules?

CaMer0n added a commit that referenced this issue Jun 5, 2018

@CaMer0n CaMer0n added the enhancement label Jun 5, 2018

@Jimmi08

This comment has been minimized.

Contributor

Jimmi08 commented Jun 6, 2018

What happens if user has related data (forum post, news, comments) and you delete user info ?

@martyshep

This comment has been minimized.

Contributor

martyshep commented Jun 6, 2018

I recently went through GDPR and had to delete some users who had forum posts. The forum posts then show as being posted by 'Anonymous' user.

@Jimmi08

This comment has been minimized.

Contributor

Jimmi08 commented Jun 6, 2018

@martyshep Thank you. So if user inserted some sensitive info to forum post, it should be in rules that "before you ask for Delete user, check all your forum posts and delete sensitive ones manually"
Do you know what I mean?
I would prefer Anonymize functionality - then user with that ID is still available and you as main admin can log in as this user from admin area.
And Delete user button shouldn't be user functionality, only for admins. You need at first to check if user can be deleted.

And deleting user should be always logged somewhere because you need to prove that they was deleted. And user should get email notification about deleting their account.

By the way - this GDPR rule (need) can be easily filled by special form - send the ask(need) for deletion. In your Privacy Policy you should have time period (14 - 30 days) and user should get confirmation about you receiving their asking. Then you delete them, write them confirmation email about deleting OR you write them, we are sorry we need your data because...

@martyshep

This comment has been minimized.

Contributor

martyshep commented Jun 6, 2018

@Jimmi08 Yes I agree, I had to manually review the posts from that user to be deleted. I was thinking of deleting all posts for the users, and in one case I did using:
sql delete FROM e107_forum_post
WHERE post_user =
but I felt it left forum threads out of context with missing posts.

Of course if this could be automated into an Admin tool where you can specify the USER ID and the tool removes the posts automatically without the website owner needing to use SQL themselves, that would be useful.

@Jimmi08

This comment has been minimized.

Contributor

Jimmi08 commented Jun 6, 2018

@martyshep Be aware statistical purpose. And delete posts from topic can cause that the topic losts its logic.

I asked our lawyer about this because I have site where user profile has a lot of personal info (like 20 years ago - skype, ICQ, adress...) It's community site. Lawyer asked: what is purpose of this site? My answer: building community (Harry Potter fans). Lawyer asked: is registration voluntary? If yes, their consent with rules during registration is enough. No cookies for registered users. No special rights (send email is enough) Only good Privacy Policy to inform visitors about everything. And registration similar with COPPA (to confirm consent). And deleting posts? My legal interest is bulding community, so my legal interest is to save old posts too for community purposes (they can delete them themselves).

At least I deleted all noactive users (not sure how e107 manage this), but I have in user table last log in time, last IP (confirmation that account was used) and points for each activity. So I deleted only users with last log in 5 years ago and zero activity. Collect IP is ok because my legal interest is safe site and its users.

I am starting to use e107 forum so I will do more tests with it.

@SimSync

This comment has been minimized.

Contributor

SimSync commented Jun 6, 2018

I don't think that the GDPR forces us to delete everything a user has ever posted.
I think, if we destroy the link between the posted data and the author, so that he/she can't be "reverse engineered" from the remaining data, this should be enough.

In case of a forum: There are no requirements, that a user is forced to put personal information in a post (which is probably publicly available). So, if a user want to have this data away, he has to remove this on his own.
In case of a shop (like vstore): Billing and/or Shipping information, together with payment information can not be deleted as you need this information for later processes and so on.

This is how a "deleted" user would look like in my opinion:

  • Active: false
  • Displayname + Realname: Guest or Anonymous User
  • Loginname: Random unique name (i'm pretty sure, that it has to be unique in the database)
  • Password: Random password
  • Custom title, Avatar, signature: empty string
  • Email: Random email or string (i'm pretty sure, that it has to be unique in the database)
  • Hide Email: true
  • Admin: false
  • Perms/Classes: Remove all classes, set to "No One"
  • The contents of the "extended" fields should be cleared for this user.

What i'm not sure about is the userid, as this one will not change and is more or less impossible to change. If somebody knows his userid, he can still display his profile and with that reverse engineer all other information. Maybe, we simply have to prevent that a user profile of a "deleted" user can be displayed...?

@Jimmi08

This comment has been minimized.

Contributor

Jimmi08 commented Jun 6, 2018

@SimSync PERFECT! It should works this way. Just ideas:

With USERID - it should be blocked to display user.php?id.62 for:
no-active users (not verified) except main admin - message similar to login page (you see this page because you are main admin)
banned users

I would create special table for gdpr plugin with table of deleted users or some user special extended field - gdpr-deleted - if this field is set, then display user profile with message "we are sorry, acount was deleted)

In some software they set negative value for userid and change it every related tables (then in program if user ID is negative, they know to not display anything)

@CaMer0n

This comment has been minimized.

Member

CaMer0n commented Jun 6, 2018

The basic setup for this can be seen in e107_plugins/_blank/e_user.php in the 'delete' method.

I believe we can use the user_ban field to flag these records too.

@rica-carv

This comment has been minimized.

Contributor

rica-carv commented Jun 6, 2018

I think that the anonymous user shouldnt be used, i think more like not registered anymore, and leave its nick, without displaying nothing more....

@SimSync

This comment has been minimized.

Contributor

SimSync commented Jun 6, 2018

@CaMer0n I would prefer a separate field like user_deleted with a timestamp when the the user has been deleted + a field user_deleted_id holding the userid that initiated the delete process.
For me, banning and deleting is a totally different status. In case of banning, i would not delete all personal data.

@rica-carv A nickname is kind of "personal". Usually a user uses it on several sites, which means it gives somebody a good impression who wrote something, when and so on.

@CaMer0n

This comment has been minimized.

Member

CaMer0n commented Jun 6, 2018

@SimSync The user_ban field is currently used for the following:

  • unverified users
  • banned users
  • active users
  • user with bouncing email addresses.

Adding another item for 'deleted user' would be the least intrusive change imho.
The current label used for this field in admin > users is "Status".

@SimSync

This comment has been minimized.

Contributor

SimSync commented Jun 6, 2018

@CaMer0n Yeah, ok. You are right, if it's this kind of multi purpose field, we can also use it for this too.
But is there some a field, that can be used to save more information about the deletion? Like datestamp and userid to document the deletion a little bit. An "ex user" could get the idea to ask for a confirmation. Especially, if he was deleted by an admin.

@CaMer0n

This comment has been minimized.

Member

CaMer0n commented Jun 6, 2018

@SimSync I believe we could use a similar process to what we do during signup. Place a hash into user_sess, send an email with a link.. after clicking the link the account is 'deleted', then user_sess could be updated with the datestamp of deletion.. or we simply use "user_lastvisit" for this purpose- which in this case will be their very last visit. ;-)

@SimSync

This comment has been minimized.

Contributor

SimSync commented Jun 6, 2018

@CaMer0n A confirmation mail is a good idea. I just imagined how i should confirm a user the removal of his account, if he doesn't know his userid.... 😄 So the email confirmation should be enough confirmation at all.
I can see, that the username doesn't exist anymore, but i can't access the old account anymore without a userid because everything was anonymized ... 😆
So setting the user_lastvisit field with the delete datestamp should be enough. No need to create additional fields (which can't be accessed without knowledge of the userid).... 😉

@rica-carv

This comment has been minimized.

Contributor

rica-carv commented Jun 7, 2018

@SimSync

A nickname is kind of "personal". Usually a user uses it on several sites, which means it gives somebody a good impression who wrote something, when and so on.

Not really. Who prevents ME of using nicks of other users from other sites??

Anyway, i can't see the issue on still displaying the nickname, because for instance, in forums, when you do a comment, the nick is displayed. What happens if the user is completelly deleted?
For me, the nick should remain, but if it's such a "tricky" issue, it could be replaced for a random user name, like Ebay does for unregistered users...

Anyway, imagine a plugin links directly to the user table refering the user id, if that id is deleted, what happens to the linked plugin dependent users? It will be a complete caos.....

CaMer0n added a commit that referenced this issue Jul 12, 2018

CaMer0n added a commit that referenced this issue Jul 13, 2018

Merge pull request #3278 from SimSync/fix_3175
Issue #3175 Various changes to make it work
@CaMer0n

This comment has been minimized.

Member

CaMer0n commented Jul 15, 2018

@fizi Would you like to test it and give feedback?

@CaMer0n CaMer0n added this to the e107 2.1.8 milestone Jul 15, 2018

@fizi

This comment has been minimized.

fizi commented Jul 18, 2018

I would like to test it, but I do not know what to look for. :)

@CaMer0n

This comment has been minimized.

Member

CaMer0n commented Jul 18, 2018

@fizi You just go to usersettings and click "Delete Account"

@CaMer0n CaMer0n modified the milestones: e107 2.1.8, e107 2.1.9 Jul 18, 2018

@CaMer0n CaMer0n modified the milestones: e107 2.1.9, e107 2.2.0 Aug 22, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment