GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

RHJ

This post has been deleted.

StupidLikeAFox

People just need to know:

1. What data do boards hold which is considered to be identifiable data in terms of the GDPR legislation? (I.e. is a posting history considered identifiable data? Or just a couple of posts? Or the posting history in it entirety?)

2. What procedures will be put in place to remove the identifiable data they hold if a user requests it?

The answer to number two will determine the impact on the site, but these are the questions that need to be clarified.

Arguments such as "users never had a problem until now", "you posted it, tough ****" or "the flow of the site will be ruined" etc are all irrelevant as the legislation supersedes all that. So is the boards current terms of use for that matter

dudara

BowSideChamp wrote: »

Let's hypothetically say there was a misuse of data. Under GDPR there is an obligation to report the breach within 72 hours of becoming aware.

Not all data breaches will require reporting, dependent on the level of risk to the individuals whose data was breached. However, even if a breach is not required to be reported, a full record of the breach and investigation process (including the decision not to notify) must be kept. So speed and a well established process are key.

BowSideChamp wrote:

I believe article 5 of GDPR addresses this. As the closed user is no longer active on the site, boards.ie cannot retain the personal data of the user. They must delete the personal data of closed users.

I’m not responding on behalf of Boards here, but in general an organisation may need to retain your data, even post you closing your account, for legal purposes. However, once that legal basis expires, the personal data should be securely deleted.

Like you all, I am looking forward to hearing how Boards will proceed and how GDPR will work on a site like this. The fact that Boards is based on the sharing of information that is willfully made public is different to all my GDPR experience to date, so I’m curious to hear the way forward.

Bob24

Esel wrote: »

Separate question: Say I close my account, then come back after more than 40 days (so my hashed e-mail address is no longer held by Boards) and request deletion of some/all of my posts - how could I prove, or Boards verify, that I am the actual owner of that account?

In theory this is probably an easy question to answer: GDPR only gives you the right to request deletion of personally identifiable data. So you would have to put togheter a case showing that the combination of posts on this account and/or other data held by boards related to the account can lead to personally identifying you. Even if you were the true original owner of the account but nothing related to it could lead to identifying you, my view is that the you would have no right to request deletion.

Now in practice, the complication is that you and boards could disagree on whether a certain combination of posts can lead to identifying you - and I guess it would have to be settled by the DPC or in court.

Hurrache

Why on earth would boards.ie take it as far as court for the sake of a few posts?

Bob24

Hurrache wrote: »

Why on earth would boards.ie take it as far as court for the sake of a few posts?

It only takes one party’s determination for both parties to be involved in legal proceedings. boards probably wouldn’t initiate it, but the person requesting deletion could go to the regulator and/or to court.

Let’s say based on GDPR someone asks for mass posts deletion on a closed account arguing the posts are identifying them personally, and boards (or any similar website) doesn’t agree so they don’t delete anything (whoever is right would be irrelevant, what matters is there is a dispute).

Now the person feels strongly about it and goes down the legal route to seek what they see as enforcement of their right under the regulation.

If on their side boards strongly believes they are on the right side of the regulation what do they do?

Do they just give in and delete anyway to avoid having to bother with a legal process? This could be the easy option in the short term, but also open a pandora box as once the public expectation is that once you make a legal threat the site will give in, it will greatly increase the amount of unreasonable requests associated to a legal threat.

Permabear

This post has been deleted.

Franz Von Peppercorn

Beasty wrote: »

I have pondered that question myself, and have not come up with an answer. I guess if all the pieces add up and prove that prior account was you, and you can somehow prove your current ID is the same person then I think you would be in your rights to have that data wiped

Before anyone jumps in and starts talking about our linking to site-banned accounts, that is rarely on the back of information that can identify people in real life. It is almost always on links we can establish between accounts (yes including IP addresses, but we do not use them to speculate over a poster's real life ID, just to link to other accounts)

If someone can’t prove that they themselves are the poster in question then how can anybody else identify them.

Hurrache

Franz Von Peppercorn wrote: »

If someone can’t prove that they themselves are the poster in question then how can anybody else identify them.

How do you prove it's you? Email address is gone so you can't ping that for verification, do you need to drop into the office with ID?

Franz Von Peppercorn

RHJ wrote: »

It may have been a perfectly legal policy when it was written but on Friday the law will change and new policies will have to be implemented.

Again this only applies to identifiable persons.

The GDPR is not about anonymous posts on forums. It’s about the data - often hidden - that companies have about you. It’s to protect people from the FB shadow profiles, it’s why google now shows a pop up saying I am logged in as my real name when I go to a site owned by them, or an advertisement vended by them, why there’s a big cookie page asking consent when you click on an ad here. Companies used to, and many still do, track your location and IP address without consent.

Theres plenty of places where you can’t delete your posts automatically. Here is the guardians CIF strategy on deletion:

If you have posted comments your comment profile will be removed, however the posted comments will remain underneath the articles. Comments are part of the historical record, but if want your comments to be removed please contact the Moderation Team. Please note that requests are considered on a case-by-case basis and your comments will not be automatically deleted

The last sentence is in line with the GDPR.

Franz Von Peppercorn

Hurrache wrote: »

How do you prove it's you? Email address is gone so you can't ping that for verification, do you need to drop into the office with ID?

If you can’t then what’s the problem? The posts are not identifiable as you.

Bob24

Hurrache wrote: »

How do you prove it's you? Email address is gone so you can't ping that for verification, do you need to drop into the office with ID?

In my opinion yes, in many cases enforcement of data subject access requests and the right to be forgotten will involve providing identification documents as if I argue an organisation has personal information about me and I want it removed, it needs to be 100% certain I am who I say I am before my request is processed (and while it doesn’t matter in the case of boards which has to be GDPR compliant for all users, if the organisation holding data is based outside the EU people might also need to prove that they are physically located in the EU and thus covered by GDPR).

I think in practice m companies will likely just ask people to upload/email a picture of their ID rather then checking them in person (but while I understand rational to to practice reasons, I personally find it would be bad practice in terms of security).

Hurrache

Franz Von Peppercorn wrote: »

If you can’t then what’s the problem? The posts are not identifiable as you.

But they can be, we've been over it several times.

Franz Von Peppercorn

Hurrache wrote: »

But they can be, we've been over it several times.

It’s isn't enough to say that your posts are identifiable as you in every case. Again, you and Permabear took a phrase in the GDPR which references political views that might identify someone as always identifying someone.

In this particular case I am responding to someone wants to delete posts after closing his account. If he can’t prove that the old posts are his then how can anybody else know who he is.

BowSideChamp

Franz Von Peppercorn wrote: »

It’s isn't enough to say that your posts are identifiable as you in every case. Again, you and Permabear took a phrase in the GDPR which references political views that might identify someone as always identifying someone.

In this particular case I am responding to someone wants to delete posts after closing his account. If he can’t prove that the old posts are his then how can anybody else know who he is.

Every one of their posts is linked to their username, email address and IP address. If there was a data leak all their posts will become identifiable. Boards.ie cannot hold information on users that are no longer active.

Franz Von Peppercorn

BowSideChamp wrote: »

Every one of their posts is linked to their username, email address and IP address. If there was a data leak all their posts will become identifiable. Boards.ie cannot hold information on users that are no longer active.

Who’s disputing that?

That’s all handled by the existing policy and future policy under GDPR. When you close that information will be removed.

The posts will remain. That’s what’s under discussion. Whether posts should be deleted.

Hurrache

Franz Von Peppercorn wrote: »

In this particular case I am responding to someone wants to delete posts after closing his account. If he can’t prove that the old posts are his then how can anybody else know who he is.

What I'm referring to is the case say a user was either doxxed, or there was enough info there for people to identify them. From that point on all posts on the forum by that person can be identified as belonging to that real person. So if they close the account, and the user ID associated with them is randomised, they still can be attributed to that person if it's just the user ID that gets randomised.

The implication is that each post by that person would have to be attributed to a different random id, not the same one.

So for example this post will become attributed to user 'wdrew4r', the one you quoted by me would become '213fsert'. So that way you know that I posted on this thread and what I posted, but you won't be able to find anything else I posted, even if the posts are still there.

It might be all a moot point anyway.

Dravokivich

Hurrache wrote: »

What I'm referring to is the case say a user was either doxxed, or there was enough info there for people to identify them. From that point on all posts on the forum by that person can be identified as belonging to that real person. So if they close the account, and the user ID associated with them is randomised, they still can be attributed to that person if it's just the user ID that gets randomised.

The implication is that each post by that person would have to be attributed to a different random id, not the same one.

So for example this post will become attributed to user 'wdrew4r', the one you quoted by me would become '213fsert'. So that way you know that I posted on this thread and what I posted, but you won't be able to find anything else I posted, even if the posts are still there.

It might be all a moot point anyway.

The quoted name does not change retrospectively with the account being changed. Anyone who has had a name change, you can find their previous alias by looking up posted they were quoted in. However. It'll take a complex script to identify all these instances and rename it within the quote. As the name could be something used somewhere else within a post.

Your randomisation suggestion wouldn't really work either. Gdpr is about specified controls. You cant have variable elements.

Hurrache

Script wise, it's not massively complex, depending on where and how the data is stored.

My randomise method was just a suggestion as to how it would be a better method than deleting an account but leaving behind the posts associated with that account which others have suggested.

Not sure what you mean by specific controls over variable elements though. If an account is closed and after 40 days so too is the email address, it's pretty much the same thing.

.......

This post has been deleted.

Dravokivich

....... wrote: »

If an account is closed - 40 days later is the ip address still associated with the posts - even if not saved as part of the account information?

If I pointed to an old post for an account now closed, would boards.ie know what ip address had posted that post?

I presume Yes?

From my experience with various software providing forums. A post can be tagged with an ip address. However i dont know of that item can be removed.

(This was done because back in the day most forums were amateur/ hobbyists and it was the easiest way for them to identify spam bots. It wasn't intended for data aggregation)

Permabear

This post has been deleted.

Dravokivich

Permabear wrote: »

This post had been deleted.

That's a deduction on your part. Not a stored profile with that result extrapolated.

Hurrache

Dravokivich wrote: »

That's a deduction on your part. Not a stored profile with that result extrapolated.

It's not called the Right To Erasure, as opposed to the Right to be forgotten.

Dravokivich

Hurrache wrote: »

It's not called the Right To Erasure, as opposed to the Right to be forgotten.

He bolded the part on the quote. Not me. Re-reading it you should see I was referring to his last paragraph.

seamus

Hurrache wrote: »

Script wise, it's not massively complex, depending on where and how the data is stored.

My randomise method was just a suggestion as to how it would be a better method than deleting an account but leaving behind the posts associated with that account which others have suggested.

Not sure what you mean by specific controls over variable elements though. If an account is closed and after 40 days so too is the email address, it's pretty much the same thing.

I do believe it was originally mooted that closing an account should also involve an anonymisation process that reassigned the account's posts to a random user, "DeletedAccount12345644" or whatever.

This would have the overall effect of rendering any personal information in any post, completely worthless.

One of the drawbacks of this method is that if two posters are having a discussion on-thread and one deletes their account, then each of their posts in that thread ends up assigned to a different random account and the structure of the discussion is lost.

But that too, is solvable. IIRC, the solution implemented at the time was the solution that was necessary to comply with the direction of the Data Protection Commissioner. Any above and beyond that was unnecessary, and boards didn't have the technical space to prioritise unnecessary development.

The core of the system has always been a pig too, indexing and searching a massive performance issue. And potentially having to reassign millions of posts to random usernames could cause a meltdown.

You're right in that none of this is particularly difficult, certainly not impossible. But also if it's not needed, then why do it?

Scotty #

seamus wrote: »

Nah it'll be like that cookie pop-up nonsense a few years back.

Big sites and companies clamouring to get compliant on time, while small ones don't care. I've never put that pop-up on anything I've developed and nobody cares.

Anyone who is data protection compliant will be broadly GDPR compliant and if found in breach they'll be given time to fix it and a stern warning.

The panic over it it's driven by consulting companies ... for exorbitant daily rates.

Agree 100%.

I stumbled upon this thread after doing a search for "GDRP" expecting the business forum to be a hive of activity regarding the issue. Alas, this is the only thread on boards discussing the topic.

Beasty

Scotty # wrote: »

I stumbled upon this thread after doing a search for "GDRP" expecting the business forum to be a hive of activity regarding the issue. Alas, this is the only thread on boards discussing the topic.

There are threads in Legal Discussion and some of the Business forums, and one or two others dotted around the place. I'm pretty sure though that this thread is the one with most traction, covering some of the wider implications of these rules

LuckyLloyd

I ultimately expect boards to take a position on this that aims to protect its business, and I'm sure that position will be legally defensible. If someone wants to achieve a full deletion of their posts or the fulfillment of an SAR in full they'll probably have to pursue the matter through various channels over a lengthy process.

I'll expect no - one cares enough to do that.

Hurrache

LuckyLloyd wrote: »

I ultimately expect boards to take a position on this that aims to protect its business, and I'm sure that position will be legally defensible. If someone wants to achieve a full deletion of their posts or the fulfillment of an SAR in full they'll probably have to pursue the matter through various channels over a lengthy process.

I'll expect no - one cares enough to do that.

There are exceptions, but what business justification to protect its business can Boards claim? How do they monetise posts and therefore lose revenue if a users posts are deleted?