
GDPR #2321

Closed
micgro42 opened this issue Apr 19, 2018 · 27 comments

Comments

@micgro42 micgro42 (Collaborator) commented Apr 19, 2018

Next month (May 2018), a new EU regulation will come into effect, concerning the privacy / data protection of user data. This new regulation comes with very high potential sanctions: up to 20 million EUR or 4% of a year's revenue, whichever is higher.

This also poses some questions on whether DokuWiki is GDPR-compliant (and what does that even mean?):

  • If a user deletes their account, do we have to delete their username from changelogs/meta?
  • Do we have to delete IP-addresses from changelogs, maybe after some time?
    • Can we do that in a way that still lets us tell different anonymous users apart from each other?
  • Do we need to show some message / do we need some legally worded user opt-in for some things? (Subscriptions?)
  • Do we need a Privacy Statement for DokuWiki.org?
    • should we provide examples other users can adjust?
    • would it be desirable to extend that with technology (eg. automatically list what data is collected when, why and how long) and provide a way for plugins to hook into that?

Maybe some of you have expertise in this matter or work in a company with legal resources to answer such questions -- Input would be greatly appreciated 🙏

@selfthinker selfthinker (Collaborator) commented Apr 19, 2018

Do we have any donated money left to potentially pay a lawyer to help answer some questions?

@splitbrain splitbrain (Owner) commented Apr 20, 2018

Potentially yes. However since all this law really achieves is feeding lawyers, I would prefer to not contribute any more to that for ideological reasons ;-)

If anyone out there is already paying a lawyer to answer their GDPR questions, it would be nice if they could sneak in our questions though...

@cjohnsonuk cjohnsonuk commented Apr 20, 2018

As long as the logs only contain a user ID (i.e. a numerical reference to their user account) then you'd only have to hash their user details in the central account record (where the numerical user ID, user name and email address are associated) to remove the "personally identifiable information" (PII). If the user account is "deleted" by marking their account as deleted and replacing their PII with a one-way hash of the information in their account details, then there is no longer anything that personally identifies them. The posts could be detected as having a hashed user ID and shown as authored by "[deleted user]". If the user rejoined the service with the same details then a check on the new account's one-way hash would match the deleted account's hash and a question could be asked of the user: "Do you want to associate your previous posts with your new account?"

But I checked the logs and they contain the actual user name, not a numerical reference. So that would be a real chore to update the logs (but potentially still possible).

And then of course you have the issue where the user's PII is included in the body / text of the posts, e.g. in a todo item where the username is listed.
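As an added example (not DokuWiki code) of the deletion scheme sketched in the comment above: the account record keeps its numeric id, the personal fields are replaced by a keyed one-way hash, and a returning user is matched against that hash. It uses an HMAC with a site secret rather than a bare hash, an assumption made here because an unkeyed hash of an e-mail address can be recovered by guessing; the class, field names and sample values are constructed.

```python
"""Deleted-account handling: keep the numeric user id, replace the
personal fields with a keyed one-way hash, and let a returning user
re-link old posts when the hash of their new details matches.
Added example, not DokuWiki's own code."""
import hashlib
import hmac

# Assumption: a random per-site secret kept outside the user database.
SITE_KEY = b"constructed-site-secret"


def pii_hash(value, key=SITE_KEY):
    """Keyed one-way hash of a normalised personal field (e-mail, name).
    Without the key the hash cannot be brute-forced from a list of
    candidate addresses, which a plain SHA-256 of an e-mail could be."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class Accounts:
    """Minimal in-memory account store keyed by numeric user id."""

    def __init__(self):
        self.users = {}  # uid -> {"name", "email", "deleted"}

    def create(self, uid, name, email):
        self.users[uid] = {"name": name, "email": email, "deleted": False}

    def delete(self, uid):
        """Mark the record deleted and overwrite its PII with hashes.
        Posts keep referring to the uid, so nothing else needs rewriting."""
        rec = self.users[uid]
        rec["email"] = pii_hash(rec["email"])
        rec["name"] = pii_hash(rec["name"])
        rec["deleted"] = True

    def display_name(self, uid):
        """What a post by this uid is shown as."""
        rec = self.users[uid]
        return "[deleted user]" if rec["deleted"] else rec["name"]

    def previous_account(self, email):
        """On re-registration: uid of a deleted record whose e-mail hash
        matches the new address, or None. compare_digest avoids a timing
        side channel on the hash comparison."""
        candidate = pii_hash(email)
        for uid, rec in self.users.items():
            if rec["deleted"] and hmac.compare_digest(rec["email"], candidate):
                return uid
        return None


if __name__ == "__main__":
    store = Accounts()
    store.create(1, "Alice Example", "alice@example.com")  # constructed
    store.delete(1)
    print(store.display_name(1), store.previous_account("Alice@Example.com"))
```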

@mprins mprins (Contributor) commented Apr 20, 2018

Even though this is an EU regulation, the actual implementation is in national law, so answers will vary across legislations.
Starting with a privacy statement or agreement in which you explain what is collected and why and is accessible to whom and when it will be deleted is always a good start.

@Digitalin Digitalin commented Apr 20, 2018

From some fresh readings, this regulation is a law that applies to all EU members with extraterritorial involvements (for those outside the EU working with Europeans), probably with some variation by country, but not so much (e.g. sensitive data).
To get a quick overview, WordPress has a roadmap to address GDPR and its first implementations.
It is quite complex stuff but seems logical and normal (see Max Schrems). Privacy and consent by design, right to erasure, personal data backup, encrypted data, etc., just good sense. At this stage, I am not sure a lawyer is necessary, but companies would need to use a GDPR-compliant DokuWiki core and plugins.

@splitbrain splitbrain (Owner) commented Apr 24, 2018

I started a privacy policy at https://www.dokuwiki.org/privacy -- keeping it understandable (as requested by the GDPR) and complete is quite hard. Any hint on what's missing is welcome.

@cjohnsonuk cjohnsonuk commented Apr 24, 2018

@Michaelsy Michaelsy (Contributor) commented Apr 27, 2018

[off-topic]: @splitbrain: I assume this is the page you mean at the top of https://www.dokuwiki.org/privacy ?!
I already corrected the link there.

@Digitalin Digitalin commented May 12, 2018

An excellent article in Bozho's tech blog: GDPR - a practical guide for developers. Also, the Drupal GDPR Compliance Team gives a lot of links on their dedicated page.

@T100D T100D commented May 13, 2018

@splitbrain About the privacy page, I think you have to ensure somehow that the user data is safe, and how it is kept safe has to be described somehow internally for accountability.

Server logs: do they contain a user ticket number that is related to their account and visible or knowable by Google Analytics? If so, you should possibly mention that.

GDPR is not something done by lawyers, but rather accountants; they check if their customers are GDPR compliant.

Good starting point: https://gdprchecklist.io

@splitbrain splitbrain (Owner) commented May 14, 2018

Everyone, please refrain from posting more links to pages "that explain everything". If you want to help out, do one of the following:

  • extend the privacy policy at https://www.dokuwiki.org/privacy
    • feel free to ask specific questions for things you can not answer (eg. details of the server setup)
  • post answers to the questions in the original post, with references to the exact text of the applicable laws

@daumling daumling commented May 22, 2018

What about the cookie nag box? DW uses cookies, so DW would need such a box. I noticed that the bootstrap3 template offers to activate a cookie nag box, so why not integrate such a thing into the DW core?

@T100D T100D commented May 22, 2018

@daumling Cookies which are required in order to fulfill the requests of the website visitor do not require explicit user consent. But any others — including those used for general use statistics eg tracking — do require it.

On our local DokuWiki, as far as I can see, the cookies are only functional to DokuWiki.

@daumling daumling commented May 22, 2018

Not sure about that. Session cookies are considered personal data AFAIK, and consent is required. See e.g. this article: https://www.cookiebot.com/en/gdpr-cookies/ - it mentions session cookies.

There is a cookielaw plugin, but it is rudimentary.

@xrat xrat commented May 25, 2018

AFAIK, https://www.dokuwiki.org/privacy is missing the required bits of information to be provided where personal data are collected (GDPR §13), especially the mention of the data subject's rights.

Edit: Link to law replaced w/ official URL.

@splitbrain splitbrain (Owner) commented May 28, 2018

I updated the last part and renamed it to "Your Rights"; that should make it clearer.

Regarding the "where personal data are collected" - is that referring to which country? That would be France (Hetzner's servers are located there). Not sure where to put that though.

@xrat can you make changes to the page where you think clarification is needed?

@Traumflug Traumflug commented May 29, 2018

For your inspiration, I've edited Greebo (the installed release) to make the DOKU_PREFS cookie a session cookie. A session cookie means no permanent storage, so no user consent required.

The second commit removes recording of IP addresses from the logs. Quite some places need code removal, still the result works just fine. All new changelog entries no longer receive the IP address, so nothing can go wrong. Some retrocompatibility code for dealing with older records is also included.

As making a pull request on Github is a chore and Github refuses to accept patches, I made a Gist: https://gist.github.com/Traumflug/74fd0b4c8968fd0184e503d221b13310 with both patches.

With these patches applied the privacy statement reduces to about this (DokuWiki markup):


==== General Data Protection Regulation (GDPR) ====

We're neither interested in personal data, nor do we try to collect or use such data. In detail:

  • Pages at reprap-diy.com do not use trackers.
  • Visiting pages at reprap-diy.com stores up to three cookies in your browser to follow the session. These cookies get deleted when the session ends (when you close your browser).
  • Creating an account at reprap-diy.com stores your email address, content of the //Real name// field and an encrypted hash of your password.
  • Logging into an account and checking the //Remember me// checkbox stores another, permanent cookie (valid for one year) to keep you logged in. To remove this cookie, log out.
  • Each page edit stores the username of the user who did the edit. This information cannot get removed, but if the related account was removed, it also cannot be mapped to an email address or other personal data.
  • During page editing your IP address is used to lock the page against a competing edit. The address gets removed when the edit gets saved.
  • Some of the pages on reprap-diy.com may contain external videos. For YouTube we use the "privacy enhanced" youtube-nocookie.com domain that will not track your visit. Your IP address will be visible to the server providing the video, though.
  • To view the data stored about you at reprap-diy.com, look at your [[start?do=profile|user profile]].
  • To remove this data, go to your [[start?do=profile|user profile]] and delete your account.

Voilà, no user consent required, problem solved.

The only issue which might remain is fighting spammers. No IP address, no entry into blacklists. But we all have secured account registration against spammers, right?


In case somebody doesn't believe that session cookies need no user consent, he may have a look at this pretty official page: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_2. It states:

Cookies clearly exempt from consent according to the EU advisory body on data protection include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
    [...]

@selfthinker selfthinker (Collaborator) commented May 29, 2018

If I understand it correctly, I don't think we need to do anything about cookies for GDPR (apart from informing the user about them which is already handled by the privacy statement).
The only cookie which contains personally identifiable information is the DW<hash> cookie, and users can choose to delete that one at the end of each session by not ticking "Remember me". The DOKU_PREFS cookie is not used for personally identifiable information (although plugins could potentially abuse it).

@selfthinker selfthinker (Collaborator) commented May 29, 2018

Sorry for posting more links, but these are more relevant because this is how two big wiki projects handle GDPR:

  • GDPR in Wikimedia's issue tracker gives an overview but doesn't really say that much about what actually needs to be done and includes links to a lot of speculation. Like so many others, Wikipedia has changed their Privacy Policy. I'm not sure whether the way they're (not) dealing with public contributions is really compliant.
  • OpenStreetMap's GDPR Position Paper is more interesting as it seems quite thorough. Their process around account removal is not as helpful for us, though, as they don't allow anonymous edits (and use a database which makes that task easier).

@Traumflug Traumflug commented May 29, 2018

> The DOKU_PREFS cookie is not used for personally identifiable information

The sheer existence of a cookie means personally identifiable information, because they come with an IP address / DNS entry attached. Content doesn't matter, much less encrypted content.

> Sorry for posting more links, but these are more relevant

D'oh. Those pages pointing to some volunteering efforts are more relevant than an official page. Ouch.

I certainly see this GDPR panic mode everywhere. People try extremely hard to stick to what they're used to, providing endless text blobs in the hope to walk around the problem somehow with lawyer fineprint. Instead of simply fixing the software.

@selfthinker selfthinker (Collaborator) commented May 29, 2018

> The sheer existence of a cookie means personally identifiable information, because they come with an IP address / DNS entry attached.

I don't think this specific cookie comes with an IP address and DNS entry attached. That cookie and its contents are not stored on the server but only in the browser.

> D'oh. Those pages pointing to some volunteering efforts are more relevant than an official page. Ouch.

No need to become personal, especially not dissing "volunteering efforts" in any Open Source project.

I meant it is much more relevant to us as in no-one else (apart from other version control software or services, like git or GitHub) deals with the one question which none of the official pages deal with: how to deal with user contributions that are intrinsic to the software.

> Instead of simply fixing the software.

If anyone of us would know what is needed to fix the software, we would do it. Can you point out what needs fixing? I don't think that is possible, most certainly not "simple".
I have the feeling no-one really understands any specifics about GDPR (and that includes the big guys like Google and Facebook). I think the majority of what's out there is misinformation.

I like how OpenStreetMap (who "have received professional counsel") say in their paper:

> Naturally estimating the impact of the GDPR introduction and consequences before it is actually in force are fraught with the problem that we have to guess how the legislation will be applied in practice and there is a danger of both over- and underreacting.

@michitux michitux (Collaborator) commented May 29, 2018

Changing DOKU_PREFS into a session cookie does not fix anything but breaks the usability imho. DOKU_PREFS is used e.g. for storing the size of the edit window and this should persist across sessions imho. As Anika says, cookies do not store the IP (or even DNS entry) of the user; the IP address is instead sent with every request.

Not storing IP addresses is also not the solution as there is a very valid reason to store them at least temporarily: detect and remove vandalism (by IP address you can identify the connection between several edits, possibly even several user accounts) and to be able to identify the author (at least in court) if the content posted was illegal and the site owner gets sued because of that.

What I think would be a good thing is to have some automatic way to remove IP addresses after some time, at least for changes where the user has been logged in (this could be a plugin of course). For anonymous edits I'm not sure if the IP address can be interpreted as an author identification that needs to be stored because of the license (but this of course depends on the selected license).

Concerning the removal of the user name: my personal (non-lawyer) interpretation is that due to the license of the content (creative commons license at least with attribution), DokuWiki has a legitimate interest to store this attribution as it otherwise cannot use the content and as the Wikimedia issue tracker says "the right of erasure only exists when the processing is not necessary for some legitimate interest of the data controller".

@splitbrain splitbrain (Owner) commented May 29, 2018

Thanks @michitux for pointing out the usability aspects. I was just about to do that.

@selfthinker thanks for the links on how other wikis handle it. I'll have a look later.

Regarding removing IP addresses after a while, there is now the aptly named gdpr plugin which does exactly that. It also replaces user names in change logs for deleted users.

I will close this ticket now. We will probably not ever get definite answers to all the questions asked in the original issue. And it's an issue people love to discuss for the sake of discussing without getting any further.

For now we should simply focus on having a useful privacy policy for the 0.1 percent of users who care about that. So please, if you think the privacy policy needs adjustments just go ahead and do it.

@splitbrain splitbrain closed this May 29, 2018
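As an added example of the two mechanisms discussed above (michitux's suggestion to remove IP addresses automatically after some time, and the closing comment's note that deleted users' names get replaced in change logs), not the gdpr plugin's own code: it assumes DokuWiki's documented tab-separated changelog layout (timestamp, IP, type, id, user, summary, extra), and the keyed-hash pseudonym option, the placeholder label and the sample lines are constructed here.

```python
"""Age-based IP removal and deleted-user replacement for DokuWiki-style
changelog lines. Added example, not the gdpr plugin's own code.
Assumed tab-separated layout:  timestamp  ip  type  id  user  summary  extra
The optional HMAC pseudonym (assumption) keeps anonymous edits from one
address linkable for vandalism checks without storing the address."""
import hashlib
import hmac

IP_FIELD = 1
USER_FIELD = 4
MIN_FIELDS = 7                          # shorter lines are not changelog entries
DELETED_USER_LABEL = "[deleted user]"   # constructed placeholder
ANON_PREFIX = "anon-"


def pseudonymise_ip(ip, key):
    """Keyed, truncated hash of an address; same address -> same pseudonym."""
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return ANON_PREFIX + digest[:12]


def scrub_line(line, now, max_age, deleted_users, key=None):
    """Return (line, changed). IPs of entries older than max_age seconds are
    blanked (or pseudonymised when key is given); deleted users are relabelled."""
    newline = "\n" if line.endswith("\n") else ""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < MIN_FIELDS or not fields[0].isdigit():
        return line, False              # leave anything unparseable untouched
    changed = False
    ip = fields[IP_FIELD]
    if ip and not ip.startswith(ANON_PREFIX) and now - int(fields[0]) > max_age:
        fields[IP_FIELD] = pseudonymise_ip(ip, key) if key else ""
        changed = True
    if fields[USER_FIELD] in deleted_users:
        fields[USER_FIELD] = DELETED_USER_LABEL
        changed = True
    return "\t".join(fields) + newline, changed


def scrub_changelog(text, now, max_age, deleted_users, key=None):
    """Scrub a whole changelog file; returns (new_text, lines_changed).
    Re-running on already scrubbed output changes nothing."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        new, changed = scrub_line(line, now, max_age, deleted_users, key)
        out.append(new)
        count += changed
    return "".join(out), count


# Constructed sample: three entries plus one junk line. NOW is a fixed
# reference time; MAX_AGE keeps addresses for 30 days.
NOW = 1527600000
MAX_AGE = 30 * 24 * 3600
SAMPLE = (
    "1524000000\t203.0.113.7\tE\twiki:start\talice\tfix typo\t\n"
    "1527500000\t198.51.100.4\tC\tsandbox\t\tnew page\t\n"
    "1527550000\t198.51.100.4\te\tsandbox\tbob\tminor\t\n"
    "not a changelog entry\n"
)

if __name__ == "__main__":
    scrubbed, n = scrub_changelog(SAMPLE, NOW, MAX_AGE, {"alice"})
    print(n, "line(s) changed")
    print(scrubbed)
```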

@Traumflug Traumflug commented May 29, 2018

> I don't think this specific cookie comes with IP address and DNS entry attached. That cookie and its contents is not stored on the server but only in the browser.

It's the very nature of any cookie to come with IP address or DNS records attached. All of them are stored in the browser, only. Still GDPR considers them to be personal data, which is why they have to become session cookies or ask for user consent before being placed. Fairly simple basics.

> If anyone of us would know what is needed to fix the software, we would do it.

Code is provided above. Instead of looking at the code and commenting it, all the extensive comments sum up to "Go away, we have to find a harder way".

Very apparently, some people here want to stick their head in the sand. Instead of applying these patches and enjoying a GDPR compliant wiki. Enjoy it!

And I just see how you closed the issue to make extra sure nobody sees this solution. Extra compliment to that much stupidity!

@selfthinker selfthinker (Collaborator) commented May 29, 2018

> would it be desirable to extend that with technology (eg. automatically list what data is collected when, why and how long) and provide a way for plugins to hook into that?

I would definitely say Yes to that. That should also include templates, not just plugins. (I know e.g. some templates include Google Analytics.) Maybe have a hook per section (cookies, third party, etc)?

Repository owner locked as too heated and limited conversation to collaborators May 29, 2018

@selfthinker selfthinker (Collaborator) commented May 29, 2018

> GDPR considers [cookies] to be personal data

That is simply factually not true. The official original legal text says only one thing about cookies:

> (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

This means that cookies only need to be considered if they contain personal data or can be used to obtain them in any way. That is not the case with DOKU_PREFS.

@splitbrain splitbrain (Owner) commented May 29, 2018

This topic is now locked. @Traumflug, that kind of language is not welcome here.

To clarify some last points:

  • the GDPR is only about Personal Data. Cookies are not per se personal data (they might be if they can be used to identify people - the doku_prefs cookie does not)
  • cookies do not "come with IP address or DNS records attached" that is technically nonsense. Cookies are sent back by the browser when the domain they are saved for matches
  • The IP address of the originating request is always visible to the server. That's how TCP/IP works and nothing to do with cookies or anything
  • There is legitimate reason to save the IP addresses for a certain amount of time to react on malicious activity
  • making doku_prefs a session cookie makes the UX of the application much worse without improving privacy at all
  • if you want code to be discussed for integration into DokuWiki core, open a proper pull request