Could the Facebook fiasco happen to forum owners?

Discussion in 'Site Security & Legal Issues' started by highlander29, Apr 14, 2018.

  1. highlander29

    highlander29 Enthusiast

    Having listened to a few hours of Zuckerberg's testimony on Capitol Hill to defend Facebook's involvement in the disclosure of data about 30 million users and improper secondary usage of that data to influence election results, I am wondering if we could face a similar issue as forum administrators. It seems to me that there are some plugins such as Tapatalk, push notifications and some search engines such as Threadloom that have access to some personal information related to our forum users. What if they used that information improperly? Do they use that information to target advertisements? Do we face such a risk?
    • Also Wondering! x 1
  2. KimmiKat

    KimmiKat Adherent

    Good question. Many boards use those, and I wonder if they do some of the stuff FB did. Would make me nervous to use them if they did.
  3. Maddox

    Maddox Moderator

    I would suggest that you contact them all and have them tell you in writing what data they scrape and how they use it. If they won't tell you then I would dump them, as useful as they may be; they may come back to bite you sometime in the future - it's always better to be safe than sorry.

    Data Privacy is fast becoming a 'big deal', sometimes going that extra mile rather than tempering them with real life situations and uses. I totally disagree with the 'one size fits all' attitude that is being taken and would much prefer a graduated approach based on risk factor and volume. From the individual point of view that is affected by a data breach I understand that one is one too many, but one compared to millions is a mile apart.

  4. Apple

    Apple Enthusiast

    To be honest, I don't see the need for Tapatalk nowadays. Forums can be 100% responsive without the need for a 3rd party app. :)
  5. LeadCrow

    LeadCrow Apocalypse Admin

    Unlike with Facebook, no forum's membership is so indispensable it could prevent a user exodus.

    - Forums don't track visitors and members' activity on other sites at all. The closest to that might be cross-site network-centric functions like SSO, but very few forum networks implement that as merging websites appears to be more prevalent.

    - Accounts start from a clean slate by default, the only personal information forums get from you is whatever users bothered to input in the fields available (a limited selection of fields is available by default, unless webmasters add any). 'Personalization' that deviates from the site's default experience is user-selected (like skin choice, notification preferences).

    - Forum apps: Overreaching permissions and liberal monetization of the data acquired can be potentially troublesome, but this would be limited to specific websites. Apps may also include undocumented functions like tracking scripts. Use of apps is strictly optional though, and should affect a fraction of a site's visitors.

    - Tracking/analytics/ad code. Webmasters can forego 3rd-party services for peace of mind, or adopt privacy-friendly ones that do not track users across websites or 'personalize' content (code for 'acquire user data'). The average webpage nowadays calls multiple 3rd-party services for no vital reason. Session replay and heatmapping (example service) are usually sold to webmasters and forum networks as harmless means to improve ad placement, and defended as such.
    • Like x 1
    • Agree x 1
    • Informative! x 1
  6. Joel R

    Joel R Fan

    I agree with LeadCrow. At its most basic, forums require very little personally-identifiable information. In fact, for most forums, it's one single item that we request: an email address. Everything else such as age, location, username, personal interests, and hobbies is optional.

    If you're integrated with third-party tracking services such as advertising networks or Facebook Pixel, then you may have an issue (but it's really those platforms' issues, and not yours).
  7. cheat_master30

    cheat_master30 Moderator

    Well, I think it's probably important to realise that even if there were similar issues, they'd cause less of a fiasco than on Facebook simply because your average internet forum is far smaller. It's less likely to get the attention of governments or the media, and the same goes for smaller social media sites and services in general.

    But in theory? Well, probably not. As said, most forum users don't give us that much personal information to begin with, and it's a lot less important on a forum than it is on a social media site. That means the likelihood of any app or service having access to said information is much lower, and the results are likely to be far more mild because of that.

    So no, I don't think the same sort of issues could happen here.
  8. LeadCrow

    LeadCrow Apocalypse Admin

    Logging in using Facebook connect, which requires the webmaster to create a Facebook app.
    Account data from Facebook can prefill a lot of information, and even data not filled into your forum account can still be acquired by the app maker (like current and past relationships, or location data if you have a Facebook app installed on any device where you're logged in).
  9. we_are_borg

    we_are_borg Administrator

    It can happen with every site in this world. Greed and not caring about privacy is the downfall; you need to be careful. The bigger your site, the worse it gets. Facebook will recover, but only because of what Mark is doing. Also, because they have the cash at hand, they can use that for PR.
  10. KimmiKat

    KimmiKat Adherent

    A few months back a board I was on set it up that you could only log in via FB connect. Me and some others figured out the way to still log in, but the owner banned us and only wanted login via FB. Was a very small board - no loss.

  11. LeadCrow

    LeadCrow Apocalypse Admin

    Data sharing doesn't end after you get banned or stop logging in using Facebook connect. You might need to purge the app-specific or site-specific association from your FB account.
  12. KimmiKat

    KimmiKat Adherent

    Forgot to put in my post above, I don't do FB, so I never used the connect thing on that board. I got tossed for going around the plug-in due to the way the forum software worked.

  13. Alfa1

    Alfa1 Administrator

    It's interesting to read the replies here. I think there is much more chance of something similar happening to forums, because in contrast to Facebook, forum owners generally do not have the funds to protect themselves from such abuse and in most cases not even of discovering the abuse.

    Going back to the 2015 Brivium debacle, pretty much everyone was taken aback by them distributing 200 addons with backdoors in them. It's unknown what data those addons were collecting, but depending on how many sites these 200 addons were installed on and how large those were, that could have affected hundreds of millions of forum users or more.

    Brivium was not the first nor the last hacker releasing addons.

    This was more or less the point of this thread:
    Does the GDPR block you from installing unaudited addons?
    • Agree x 2
    • Like x 1
    • Informative! x 1
  14. R0binHood

    R0binHood Fan

    Yeah, I agree with Alfa. I think this is a very interesting avenue to consider.

    The problem is that there are certain services for forums that are offered to admins by 3rd parties to enhance the experience in some form or another.

    But in order for these services to work optimally then they need access to all of the forum data. This may mean full access to all public data, or all private data, or some combination of both depending on how the forum is setup, how much is publicly accessible and what the service provides.

    For example, something like Threadloom I think is a fantastic product, that provides a great search product, but in order to provide this service they have to have full access to all of the forum data and analyse that somehow, even if it's a private forum that's not publicly indexable. How much of your forum is then stored and analysed and indexed on 3rd party servers in order to provide this service? I'm not saying it shouldn't be, but we need to know what data is, and how it's processed, stored and managed.

    Tapatalk on the other hand probably have full root access to your entire database as they also deal with private messaging, logins and registrations.

    How much of that are they copying, storing, republishing? Can you trust them to delete your user data at your request? I'm not sure you can based on their history, and that's where it could all blow up for forum admins. I think the decision to install and use services like Tapatalk is going to become much more difficult over the next few years if there's a major shift to avoiding sharing such copious amounts of data uninhibited from companies like this.

    They've known and understood the value in this forum and user data for years, which is how they've built large fast growing companies around it. What will happen to them if this data source gets switched off at the tap though? I just can't see the access that companies like Tapatalk have continuing unhindered. Yes, certain add ons and plugins will need access to provide functionality. But that will need to be carefully controlled through APIs. But full access to the entire DB unrestricted won't be around for much longer.
    • Like x 2
    • Agree x 1