Updated GDPR policy and new Terms of Use

Comments

  • Registered Users Posts: 25,557 ✭✭✭✭Timberrrrrrrr


    ezra_ wrote: »
    Come now - a fifty would be valid consideration and would make the contract valid and enforceable. The lack of sufficient consideration isn't the blocker here, but rather that it would shift you from a volunteer to something along the lines of a contractor, and that brings in complications to both sides.

    However, since we have gone down the rabbit hole of an admin committing a breach, barring someone going rogue, the more likely outcome is;

    ezra_ starts spamming boards with something
    beasty checks out my email address
    checks it on www.isthisguyaspammer.com
    acts accordingly

    However, isthisguyaspammer.com then starts processing my email address and spamming me (or doing something else with it that I don't give consent to)

    DPC gets involved (because, well just because it is needed for this analogy).

    Who is at fault here? Beasty? Boards? Both? isthisguyaspammer.com?

    Why would he use a 3rd party to check your email though? You're on boards long enough to know spammers get banned straight away. Sorry if that sounds aggressive, as I don't mean it to come across that way, it's just I'm very confused as to why you think they would use a 3rd party to check an email address.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    I is innocent. Honest Guv! :pac:

    Is this not all to do with the site taking reasonable steps to protect users and their relevant information? What constitutes "reasonable" is clearly a matter of conjecture, but in the absence of directly relevant case law no-one can give a definitive answer. Equally what constitutes relevant information is also going to be subjective

    As an Admin around here I feel comfortable with that role, the information the site allows me to access, and my wider responsibilities in connection with that information.

    Of course, whether we like it or not, Boards is a business, which is part of a bigger business. They have to make sure they are comfortable with the processes and procedures they have put in place. Their responsibilities are really not for me to comment upon.

    They have to run the business within any constraints imposed by law and regulation. They too must take reasonable steps. However none of us can be expected to take all steps required to guarantee no data breaches or other breach of law. It is impossible to do so without essentially stopping all interaction with 3rd parties, ie closing down the site and the business.


  • Registered Users Posts: 29,004 ✭✭✭✭AndrewJRenko


    ezra_ wrote: »

    Me going to boards HQ and signing a document saying I know that I'm a data processor for the purposes of the GDPR is not a contract. In fact, it has no real legal value other than, as seamus says, potentially preventing me from later saying I didn't know I am a data processor.

    A bit of a pointless exercise is all it would be.

    Come now - a fifty would be valid consideration and would make the contract valid and enforceable. The lack of sufficient consideration isn't the blocker here, but rather that it would shift you from a volunteer to something along the lines of a contractor, and that brings in complications to both sides.

    However, since we have gone down the rabbit hole of an admin committing a breach, barring someone going rogue, the more likely outcome is;

    ezra_ starts spamming boards with something
    beasty checks out my email address
    checks it on www.isthisguyaspammer.com
    acts accordingly

    However, isthisguyaspammer.com then starts processing my email address and spamming me (or doing something else with it that I don't give consent to)

    DPC gets involved (because, well just because it is needed for this analogy).

    Who is at fault here? Beasty? Boards? Both? isthisguyaspammer.com?

    Is it part of Boards anti-spam procedure to check emails with a 3rd party? If so, Boards is responsible for any outcome. If not, the mod shouldn't be using it.

    I'm still unclear why a mod would need to check an email address. If a spammer is spamming, then you block them, regardless of the email address.


  • Registered Users Posts: 25,557 ✭✭✭✭Timberrrrrrrr


    Is it part of Boards anti-spam procedure to check emails with a 3rd party? If so, Boards is responsible for any outcome. If not, the mod shouldn't be using it.

    I'm still unclear why a mod would need to check an email address. If a spammer is spamming, then you block them, regardless of the email address.

    To see if the email address is linked to any other accounts?


  • Registered Users Posts: 29,004 ✭✭✭✭AndrewJRenko


    To see if the email address is linked to any other accounts?

    How can you tell by looking at an email whether it is linked? Each email address can have only one account.

    If you assume that two email accounts from the same domain are linked, that is a dangerous assumption. If you assume that two email addresses which appear to be vaguely similar are linked, that's a dangerous assumption.


  • Registered Users Posts: 25,557 ✭✭✭✭Timberrrrrrrr


    How can you tell by looking at an email whether it is linked? Each email address can have only one account.

    If you assume that two email accounts from the same domain are linked, that is a dangerous assumption. If you assume that two email addresses which appear to be vaguely similar are linked, that's a dangerous assumption.

    Can you open an account, get banned then open another with the same address?


  • Registered Users Posts: 1,363 ✭✭✭ezra_


    How can you tell by looking at an email whether it is linked? Each email address can have only one account.

    If you assume that two email accounts from the same domain are linked, that is a dangerous assumption. If you assume that two email addresses which appear to be vaguely similar are linked, that's a dangerous assumption.

    It seems there is a lot of conflation taking place here.

    People talk of breaches, so let's look at the scenarios.

    1) External Intrusion into the Boards.ie system. 'Hacking', if you will. This is outside of the scope of this thread, and I'm sure Boards.ie has this covered

    2) Rogue Admins - could happen, some Admin decides to download personal information (say selling the fact to a newspaper that ezra_ is actually Michael D, and look what he posts). I'm assuming Boards.ie would vet admins to mitigate against this, and this is covered anyway under the GDPR

    3) Admin Goof - this is where, during the course of acting as an admin for a valid purpose, the admin actually processes the personal information outside of the T&Cs and results in passing on personal information to a third party, who then starts to use that information. Ergo, breach.

    It's Point 3 that is really the key here.

    I have written a few GDPR / Privacy policy docs in the past, and these were mainly for volunteer organisations. One of the most problematic issues arises when you ask the org - how do you process personal data? You can then find that people are actually very 'leaky' when it comes to third-party services. This ends up being boiled down to a 'Code of Conduct' which is agreed and signed by the volunteers that sets out the scope and limits of third party processing (as well as the scope and limits of direct processing). It is clear then to the people who give the data to the org, and to the people who process that data what can be done with the data.

    This really shuts down point 3.

    I think part of the reason why this thread has grown so much is that it isn't so clear what the admins are actually doing with the data, what (if any) third party services they are using and what the limits are apart from 'I promise to do no evil'.


  • Registered Users Posts: 1,363 ✭✭✭ezra_


    By the by, you send me your personal email address (one that you use quite a bit) and through a number of 3rd party services, I can find out quite a bit about where you work and what you do. Something that would be useful when working out if someone is a fan or a shill.

    But to do that, I have to pass your data to a third party (not EU in the cases above) and something that you probably haven't given consent for.


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    Have asked several times to have my account here closed and data anonymised but no reply.


  • Registered Users Posts: 55,514 ✭✭✭✭Mr E


    Did you email the address in the first post?


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    OK, the revised policy is as set out in the OP. We've had various discussions about GDPR and the site's own ways of applying privacy laws and protecting users

    The office staff are now off for a well earned Christmas break and will not be around to answer any further points here for a while. Rather than letting this thread continue going round the same points, and indeed off at tangents, I'm proposing to close it tomorrow (Sunday) evening. That will allow some time for any new points to be raised, and if the Admin team believe we are in a position to address them, we may allow the discussion to continue. Otherwise I think it best to await the return of the office staff to address any outstanding points and re-open the discussion if they consider it appropriate


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    Mr E wrote: »
    Did you email the address in the first post?

    I emailed the contact us form. I will be emailing data protection soon.


  • Registered Users Posts: 55,514 ✭✭✭✭Mr E


    Follow the instructions in the first post of this thread. Note that it's Christmas and it could very well be the New Year before they can get back to you.


  • Registered Users Posts: 29,004 ✭✭✭✭AndrewJRenko


    ezra_ wrote: »

    2) Rogue Admins - could happen, some Admin decides to download personal information (say selling the fact to a newspaper that ezra_ is actually Michael D, and look what he posts). I'm assuming Boards.ie would vet admins to mitigate against this, and this is covered anyway under the GDPR

    That's a big assumption there. And I'm not sure what kind of 'vetting' would mitigate against this? Ireland is a small world - with hundreds of moderators (or thousands?), there is a good chance that each of us is just two or three degrees of separation from a moderator.

    So it's not just about selling to newspapers, it could well be about leaking to a spouse or ex-spouse, or to an employer, or to a political movement or whatever. This is a big issue, and I've heard little to give any comfort here.

    ezra_ wrote: »
    3) Admin Goof - this is where, during the course of acting as an admin for a valid purpose, the admin actually processes the personal information outside of the T&Cs and results in passing on personal information to a third party, who then starts to use that information. Ergo, breach.

    It's Point 3 that is really the key here.

    I have written a few GDPR / Privacy policy docs in the past, and these were mainly for volunteer organisations. One of the most problematic issues arises when you ask the org - how do you process personal data? You can then find that people are actually very 'leaky' when it comes to third-party services. This ends up being boiled down to a 'Code of Conduct' which is agreed and signed by the volunteers that sets out the scope and limits of third party processing (as well as the scope and limits of direct processing). It is clear then to the people who give the data to the org, and to the people who process that data what can be done with the data.

    This really shuts down point 3.

    I think part of the reason why this thread has grown so much is that it isn't so clear what the admins are actually doing with the data, what (if any) third party services they are using and what the limits are apart from 'I promise to do no evil'.

    Certainly, a 'Code' and more details of why admins need access to email and what they are going to do with it would be very important.


  • Closed Accounts Posts: 1,325 ✭✭✭xi5yvm0owc1s2b


    That's a big assumption there. And I'm not sure what kind of 'vetting' would mitigate against this? Ireland is a small world - with hundreds of moderators (or thousands?), there is a good chance that each of us is just two or three degrees of separation from a moderator.

    Indeed. This "vetting" often amounts to naught.

    Staff at the National Security Agency are known to have intercepted nude photos transmitted online, and shared them around the office.

    A Facebook engineer used his insider access to stalk women online. Multiple other Facebook employees have been fired for abusing their insider access, including stalking ex-partners.

    A Google engineer was fired for spying on underage teens.

    It's beyond naive to assume that Boards moderators and admins will always behave honorably with regards to their level of access on the site -- especially when they have no contract of employment with Boards.ie Ltd and when their real-life identities are often unknown to the data controller. I'm sure most do behave honorably -- but there's no denying that the potential for abuse exists.

    Giving pseudonymous non-employees access to private user information creates a highly problematic situation from a data protection perspective. Saying that these people have been "vetted" (how? by whom?) should provide only a cosmetic veneer of reassurance.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    OK, as indicated in my prior post, I'm closing this thread now


  • Boards.ie Employee Posts: 5,461 ✭✭✭✭✭Boards.ie: Mark


    I am leaving this thread closed as it’s the weekend and we’re heading into the disruption of the new year. However, I will add one post to clear some things up. It has been set out in the Terms of Use of the site, which users agree to upon signing up for an account and that we announce changes to, that Admins have access to personal information. As pointed out previously, only Admins have access to e-mail addresses and IPs. Both of these measures help to protect the site, whether that be against troublesome or downright malicious users (the “how that helps them” will remain a mystery until I receive legal or professional advice that indicates otherwise).

    If you are concerned about your personal information, you are welcome to - and should - change your e-mail address at any time from your User Control Panel – we do not specify that your e-mail account has to be your main account or contain your real name.

    You can also have this personal information erased by submitting an erasure request by contacting datarequests@boards.ie or sending a PM to Boards.ie: GDPR, though this will also result in the closure of your account. You are, however, welcome to open a new account.


This discussion has been closed.