GDPR Ready Forum Softwares

Discussion in 'Forum Software' started by gConverter, May 3, 2018.

  1. gConverter

    gConverter Aspirant

    43
    13
    +29
    Greetings!
    We're working with people who want us to migrate their forum software to another (target) forum software. During the last two weeks, we've been getting lots of questions related to GDPR compliance of the target forum software. People want to know if their choice is correct for the new epoch of the web. Most asked questions:
    • Is the X forum software GDPR ready?
    • Is there any option and features in the X forum software to help us configure it for GDPR compliance?

    So, I'd like to get some recommendations and answers to these questions here. What general options and tools must forum software include to be GDPR ready? And which forum software is ready for GDPR?

    Especially related to most important individual rights:
    1. The right to be informed
    2. The right of access
    3. The right to rectification
    4. The right to erasure
    5. The right to restrict processing
    6. The right to data portability
    7. The right to object
    8. Rights in relation to automated decision making and profiling.
    https://ico.org.uk/for-organisation...protection-regulation-gdpr/individual-rights/
     
    Last edited: May 3, 2018
  2. \o/

    \o/ Aspirant

    36
    13
    +8
    Aren't the "rights" only phrases in the ToS without any technical requirements that are not fulfilled anyway? According to what I understand, the only change is that the admin must be able to tell the user what is stored about him and delete that on purpose. Forums (or, at least, their underlying databases) provide that functionality anyway...?
     
  3. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +601
    OK, so technically the software doesn't have to do any of the above at all, provided that you as an entity fulfill the criteria some other way. Even consent doesn't need to be handled in the software.

    1. Right to be informed

    Can't really be done automagically with software. No platform on earth can report reliably in a clear and easy to understand manner where data is going, especially if you're building off various APIs. For example, data sent to Facebook for FB Login, data sent to Google for Google Maps or reCAPTCHA.

    The software should provide some way of listing what it uses out of the box, and it should be easy for plugins to list what they do with things and then let the admin make it into the privacy policy.

    Under this same heading would come consent. I'd argue most forums do consent at least to some degree or another, but most of them could do with some work on the subject.

    2. Right of access

    To an extent the platforms do this. You can access your profile, where most of your data will be present. Some platforms even let you see your IP address, showing what the platform has on you (e.g. SMF does this).

    But the full gamut of information is unlikely to be directly self-serve access and with good reason: if a user does an action that ends up in the error log, the user having direct access to that information is likely a security risk to the forum unless they are an admin.

    There is one edge case that is complicated; what if you were a staff member, made a post in a staff board, and then left the staff team? In most (all?) forum platforms, you not being able to see the board would also prevent you from seeing the post even though you made it.

    3. Right to rectification

    On some level this is likely doable in the platform - editing your profile fields etc. If not, the admin will have to do it unless they have a good reason. But this isn't really a software problem as the software should largely be able to do it.

    4. Right of erasure

    This is hotly debated and while most platforms have some notion of deletion of account, the question of deletion of posts is another matter - and there's plenty of argument to be made that it's a collaborative work and therefore deleting posts (outside of deleting PII) is infringing on the rights of others.

    But most platforms support the core requirements here.

    5. Right to restrict processing

    Hmm, this is a tricky one because the definition is actually fairly vague in most cases. However, I'd argue that a ban on an account is usually fairly effective at preventing processing (e.g. while discussing other matters).

    6. Right to portability

    We're starting to see forums add a 'download my posts' function which will cover most of it but in our world, transferring posts between platforms isn't really that important in most cases, unless you're transferring threads as a whole and even then you have other issues to deal with like collective rights.

    7. Right to object

    This isn't really something you can do in software short of a contact form. Though if you use newsletters, that's in the marketing arena and making sure users can opt in and out of newsletters appropriately is important.

    8. Automated decision making

    I'm honestly not sure what in a forum might fall under this category. You could make an argument that denying a service to someone based on their country (through IP address/geo lookup) could be problematic on some level, but this isn't inherently a problem I see forums having.
     
  4. KnownHost

    KnownHost Sponsor

    78
    23
    +62
    I just wanted to say that damn, Pete, that was very well written and is absolutely correct. I'm also glad the forums decided to do a little popup to say refresh to see a new post, as I was only one paragraph into my reply, which would have basically said a lot of the same things.
     
  5. gConverter

    gConverter Aspirant

    43
    13
    +29
    Thank you for answers!
    I did a bit of research and found some interesting solutions in IP.Board and wpForo (WordPress forum plugin).

    1. Right to be informed
    I think, first of all, this includes "I agree" checkboxes on registration and guest posting forms. This should be provided by the forum software for sure. IP.Board and wpForo have an area for admins to edit their own privacy policy. They have options to manage different kinds of "I Agree" checkboxes.

    IP Board:
    [attached image: Terms1.png]

    wpForo:
    [attached images: wpForo-Tools-Privacy-Rules-admin-page.png, wpForo-gdpr-forum-privacy-policy-template.png, wpForo-Registration-Form-Accept-Privacy-Policy-and-Rules.png, wpForo-Topic-Editor-for-Guests-with-checkboxes.png, wpForo-Privacy-Policy-on-registration-page.png]

    I didn't find such a solution in vBulletin, phpBB or XenForo; maybe you know more.

    2. Right to restrict processing
    I think this is mostly related to automatic email subscriptions and email notifications. I found some options in these forums' documentation:

    IP Board:
    [attached image: Consent1.png]

    wpForo:
    [attached image: wpForo-disable-automatic-subscription-to-topic.png]

    3. Right of access, rectification, erasure
    I think these exist in all forum software: for users on the profile/account page, for admins in the admin area.

    4. Right to data portability
    I only found a guide for admins to export user data and content in the wpForo documentation.

    5. Rights related to automated decision making including profiling
    I found something interesting in the wpForo documentation as well. As far as I can see, wpForo creates a WordPress account once the user uses the Facebook Login button. And yes, this should be mentioned next to the FB login button and the user should agree to it. I think all forum software creates an account when a user logs in for the first time with a social login button. So such information and options would be very helpful. Here are the wpForo admin and user screens:
    [attached images: wpForo-Facebook-Login-Information-on-registration-page.png, wpForo-Facebook-Login-Information.png, wpForo-checkbox-I_Agree_to_create_a_forum_account_on_Facebook_login.png]

    6. Cookies
    Sometimes admins want to disable cookies. I see IP.Board has extended options to control cookies. wpForo also has an option to disable cookies. I didn't find such options in vBulletin, XenForo or phpBB. I only see options for Cookie domain, Cookie name, Cookie path, Cookie Secure... Is there any way to disable cookies using these options? Here are the IP.Board and wpForo options:
    [attached images: cookies1.png, wpForo-disable-cookies-option.png]
     
  6. radu81

    radu81 Fan

    655
    347
    +189
  7. Creaky

    Creaky Adherent

    390
    142
    +103
  8. dethfire

    dethfire Habitué

    1,008
    692
    +201
    Some good, some bad
     
  9. Morrigan

    Morrigan I put the Cute in Exe"cute".

    53
    13
    +42
  10. Wes of StarArmy

    Wes of StarArmy Adherent

    323
    105
    +115
    The Xenforo GDPR updates were just released today! :)
     
  11. Bigguy

    Bigguy W.U.B Owner

    602
    270
    +42
    One of SMF's members is working on a modification that will let users download their existing data and a few other things, including a privacy policy page. I think they are on the right track with it. The mod as far as I know is not complete yet.
     
  12. zappaDPJ

    zappaDPJ Administrator

    6,348
    1,342
    +4,736
    vBulletin are consulting with their lawyers:

    https://www.vbulletin.com/forum/for...6685-gdpr-and-vbulletin?p=4386369#post4386369

    SMF are also consulting with their lawyers:

    https://www.simplemachines.org/community/index.php?topic=559841.msg3970232#msg3970232

    However, as stated by Bigguy, there is an add-on available for SMF that appears to cover a lot of ground: https://www.smfhacks.com/index.php?action=downloads;sa=view;down=207
     
  13. Ryan Ashbrook

    Ryan Ashbrook IPS Developer

    3,686
    1,127
    +651
  14. we_are_borg

    we_are_borg Moderator

    4,552
    807
    +1,758
    Great additions. Ryan Ashbrook, I saw the following:

    It was explained to me as follows: when you can trace something back to a person, it's personal information. So an IP address can be traced in a database by law enforcement; that it's not accessible by normal people does not matter in this case. By the same logic a license plate is also personal information, as it can be traced by law enforcement. That the databases are not accessible by normal people is not an issue in this case.
     
  15. Ryan Ashbrook

    Ryan Ashbrook IPS Developer

    3,686
    1,127
    +651
    I don't know much about this in particular - I leave it all to management who have a higher understanding of the situation who are obviously quite busy right now. I was just sharing our latest update. :)
     
  16. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +601
    I'm disappointed it had to come from the community rather than the organisation. It's not like this was a new-fangled thing - and they were fighting it when first mentioned, because I flat out asked them what they were going to do. I don't run any SMF instances any more, and the things I do run, well, I can do the leg-work required there anyway.
     
  17. zappaDPJ

    zappaDPJ Administrator

    6,348
    1,342
    +4,736
    For vBulletin 5:

    https://www.vbulletin.com/forum/for...6685-gdpr-and-vbulletin?p=4391698#post4391698

    It is disappointing but perhaps not surprising given the current pace of development.
     
  18. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +601
    If there wasn't someone who walks around like a strutting peacock telling everyone how silly it is (whether they legally have to comply or not), and mocking anyone who actually spends time thinking about it, as well as arguing with the people who are trying to be constructive about what needs to happen, it could easily have gone through official channels.

    Said person is one of the most vocal critics of anything moving forward because why move forward when you can merely be content with looking back to the glory days?
     
  19. gConverter

    gConverter Aspirant

    43
    13
    +29
    How about the rights related to automated decision making, including profiling?
    I only see a nice solution in the wpForo WordPress forum plugin:
    https://wpforo.com/docs/root/gdpr/rights-related-to-automated-decision-making-including-profiling/

    The GDPR applies to all automated individual decision-making and profiling (Article 22).

    Do other forums have such a solution for Social Login actions?
    If a forum creates an account based on Social Login, the user should be informed beforehand. If it doesn't, this can be ignored for sure.

    [attached images: wpForo-Facebook-Login-Information-on-registration-page.png, wpForo-Facebook-Login-Information.png]
     
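The point made in posts #5 and #19 (a social login must not silently create a forum account; the user should be told and agree first) can be shown as a small login handler. This is an added example, not wpForo's or any other forum's code; the `Forum`, `Account` and `ConsentRequired` names, the `POLICY_VERSION` value and the provider profile dicts are all constructed for the illustration. It also refuses to link a new provider identity to an existing local account just because the e-mail matches, which is a separate account-takeover risk that silent auto-creation tends to bring with it.

```python
"""Social login that never creates or links a forum account without an
explicit, recorded consent. Added example; not code from wpForo or any
forum package discussed in the thread."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

POLICY_VERSION = "2018-05-25"  # constructed placeholder: version of the notice shown


@dataclass
class Account:
    username: str
    email: str
    social_ids: dict = field(default_factory=dict)  # provider -> provider user id
    consents: list = field(default_factory=list)    # audit trail of what was agreed to


@dataclass
class ConsentRequired:
    """Returned instead of an Account when the login cannot proceed yet."""
    provider: str
    provider_id: str
    notice: str


class Forum:
    def __init__(self):
        self.accounts = {}  # username -> Account

    def find_by_social(self, provider, provider_id):
        for acct in self.accounts.values():
            if acct.social_ids.get(provider) == provider_id:
                return acct
        return None

    def social_login(self, provider, profile, consent_given=False):
        """profile is the provider's response: a dict with 'id', 'email', 'name'."""
        existing = self.find_by_social(provider, profile["id"])
        if existing is not None:
            return existing  # linked earlier with consent: plain login
        # Deliberately no match on e-mail: linking a provider identity to an
        # existing local account by provider-supplied e-mail would let that
        # identity take the account over. Linking is done from the user's own
        # settings page, never implicitly here.
        if not consent_given:
            return ConsentRequired(
                provider, profile["id"],
                f"Signing in with {provider} will create a forum account for "
                f"{profile['email']}. Tick the box to agree (policy {POLICY_VERSION}).")
        username = self._unique_username(profile["name"])
        acct = Account(username, profile["email"], {provider: profile["id"]},
                       [{"what": "create_account_via_social_login",
                         "provider": provider,
                         "policy_version": POLICY_VERSION,
                         "at": datetime.now(timezone.utc).isoformat()}])
        self.accounts[username] = acct
        return acct

    def _unique_username(self, base):
        name, n = base, 1
        while name in self.accounts:
            n += 1
            name = f"{base}{n}"
        return name
```

The first call with a fresh provider identity returns `ConsentRequired` and creates nothing; only a second call carrying `consent_given=True` creates the account, and the consent row records which policy version the user saw, which is what an admin needs when answering a "what did I agree to" request later.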
  20. Joel R

    Joel R Fan

    529
    187
    +515
    The latest version of Invision community 4.3.3+ covers all of these for sure. I was just playing around with some of these features over the weekend on my IPS.

    #1 Right to be informed - you can control both a pop-up cookie bar that links to Terms of Service, Privacy Policy, and Cookies. There's also an explicit opt in during the Registration form that links to Terms of Service and Privacy Policy. IPS is also adding in enhanced cookie explanations for third-party community enhancements with links to the respective Privacy Policies. You just need to check which services you use.

    #2 & 3 Right to access and rectification - every user can edit both the public information on his Profile (such as his About Me, hobbies, and other custom fields) and his Account Details (which controls things like 2FA, device history).

    #4 Right to Erasure - you're able to delete a user account. To not lose context of public contributions, you can reassign a user's deleted account to a unique guest account like Guest_2347.

    #5 Restriction of Processing - anybody who has banned or archived a user can set this up. It simply means that a user has the right to restrict further processing on his personal data.

    #6. Right to Data Portability - there's a new feature in IPS 4.3 to be able to export your personal data in machine readable format (aka XML).

    #7. Right to Object. This related to the ability for a user to stop or to object to the processing of their personal data for profiling or marketing purposes. IPS, like most communities, allows users to control their own notification preferences on pretty much everything via their Notification Preferences. You can also change your forum, gallery, downloads, blog, etc. Notifications. If you integrate with Facebook Pixel or digital marketing networks you'll probably need further steps to conduct informed consent and remove a user from being tracked.

    #8 Rights related to automated decision making or profiling. In IPS, there really isn't any automated decision making or profiling going on unless you build one yourself, so I don't see it applying to the majority of IPS communities. This act probably applies more to social networks or advertising networks, but you're safe if you're doing the automated decision making either by contract or by informed consent.

    I think if most admins just take common sense steps to do informed consent, ask for opt in during registration, and review how the personal data is used then they'll be fine.
     
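Pete's breakdown in post #3 and Joel R's description of the IPS 4.3 features above both come down to a few operations on the member record: export everything keyed to the member (rights #2 and #6), strip the identifying data while keeping the posts attributed to a placeholder (right #4), and a restriction flag that non-essential processing must check (right #5). Here is an added, self-contained example of those operations over a constructed SQLite schema. It is not code from IPS, SMF or any forum package in the thread; the table names, columns, sample members, IP addresses and the "Deleted member #N" placeholder are all assumptions made for the demonstration, and it uses JSON where IPS exports XML.

```python
"""Subject-access export, erasure and restriction over a small forum DB.
Added example; not code from IPS, SMF or any package in the thread.
The schema and the sample rows are constructed for the demonstration."""
import json
import sqlite3

SCHEMA = """
CREATE TABLE members (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, ip_address TEXT, about TEXT,
    marketing_opt_in INTEGER DEFAULT 0, processing_restricted INTEGER DEFAULT 0,
    erased INTEGER DEFAULT 0);
CREATE TABLE boards (id INTEGER PRIMARY KEY, name TEXT, staff_only INTEGER);
CREATE TABLE posts (id INTEGER PRIMARY KEY, board_id INTEGER, member_id INTEGER,
    body TEXT, poster_ip TEXT);
CREATE TABLE login_log (member_id INTEGER, ip_address TEXT, when_utc TEXT);
"""


def open_sample_db():
    """Constructed sample data: alice once posted in a staff-only board."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO members (id, name, email, ip_address, about, marketing_opt_in)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "alice", "alice@example.test", "203.0.113.5", "Likes hiking", 0),
         (2, "bob", "bob@example.test", "198.51.100.7", "", 1)])
    db.executemany("INSERT INTO boards VALUES (?, ?, ?)",
                   [(1, "General", 0), (2, "Staff", 1)])
    db.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?)",
                   [(10, 1, 1, "Hello everyone", "203.0.113.5"),
                    (11, 2, 1, "Staff-only note", "203.0.113.5"),
                    (12, 1, 2, "Welcome alice", "198.51.100.7")])
    db.execute("INSERT INTO login_log VALUES (1, '203.0.113.5', '2018-05-03T10:00:00Z')")
    db.commit()
    return db


def export_member_data(db, member_id):
    """Rights of access and portability (#2, #6): everything keyed to one
    member, as plain dicts. Meant to run on the admin side, so it includes
    the member's own posts in boards they can no longer read (Pete's
    ex-staff edge case) but only rows keyed to that member, never the
    error log or other members' data."""
    m = db.execute("SELECT * FROM members WHERE id = ?", (member_id,)).fetchone()
    if m is None:
        raise KeyError(member_id)
    posts = db.execute("SELECT id, board_id, body FROM posts WHERE member_id = ?"
                       " ORDER BY id", (member_id,)).fetchall()
    logins = db.execute("SELECT ip_address, when_utc FROM login_log WHERE member_id = ?",
                        (member_id,)).fetchall()
    keys = ("name", "email", "ip_address", "about", "marketing_opt_in")
    return {"profile": {k: m[k] for k in keys},
            "posts": [dict(p) for p in posts],
            "logins": [dict(l) for l in logins]}


def export_member_json(db, member_id):
    """Machine-readable form of the same record (JSON here; IPS uses XML)."""
    return json.dumps(export_member_data(db, member_id), indent=2, sort_keys=True)


def erase_member(db, member_id):
    """Right to erasure (#4): strip identifying data but keep post bodies,
    attributed to a per-member placeholder so threads stay readable. This is
    the 'reassign to a unique guest' approach rather than deleting posts."""
    placeholder = f"Deleted member #{member_id}"
    with db:  # one transaction: all of the updates commit or none do
        db.execute("UPDATE members SET name = ?, email = NULL, ip_address = NULL,"
                   " about = NULL, marketing_opt_in = 0, erased = 1 WHERE id = ?",
                   (placeholder, member_id))
        db.execute("UPDATE posts SET poster_ip = NULL WHERE member_id = ?", (member_id,))
        db.execute("DELETE FROM login_log WHERE member_id = ?", (member_id,))
    return placeholder


def restrict_processing(db, member_id, restricted=True):
    """Right to restrict processing (#5): a flag every non-essential path checks."""
    with db:
        db.execute("UPDATE members SET processing_restricted = ? WHERE id = ?",
                   (int(restricted), member_id))


def may_send_marketing(db, member_id):
    """Gate for newsletters/digests: needs opt-in and no restriction or erasure."""
    m = db.execute("SELECT marketing_opt_in, processing_restricted, erased"
                   " FROM members WHERE id = ?", (member_id,)).fetchone()
    return m is not None and bool(m["marketing_opt_in"]) \
        and not m["processing_restricted"] and not m["erased"]
```

Running `export_member_data(open_sample_db(), 1)` before and after `erase_member` shows the intended shape: the export after erasure still lists both of alice's posts, including the one in the staff board, but the profile fields, login history and per-post IP addresses are gone. The restriction flag is deliberately a separate column from the ban state, so a member can restrict marketing without losing the ability to log in.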