
Textpattern CMS support forum


#109 2018-04-18 00:14:30

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

I am not sure if this applies to just residents of the UK or everyone on the planet.

If you don’t make any money from your blog, you don’t have to be compliant.

If you do, they offer a self-assessment tool on their home page. It said I was okay but I am not sure I understood all the questions.

You must register with the Information Commissioner’s Office

Registering with ICO costs £35 a year and should take 15 minutes.

An issue with registering as a blogger is that you will be added to a public register (by law) and your address will be publicly visible. I think that this puts bloggers at risk. I spoke to the ICO about it and they said ways around it are to use:

  • Your accountants address if you have one
  • A PO box address
  • A managed office address

For many bloggers who aren’t earning much yet these options may not be affordable or practical, putting them in a position of choosing to put themselves and their families at risk or complying with the law. I find it ironic that a law meant to keep people’s data safe and improving consents procedure is forcing bloggers to put personal information online in this way through coercion. – GDPR for bloggers – does it apply to you and how to comply


#110 2018-04-18 00:22:18

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,271
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Haha, I wish!

So, shock horror, the General Data Protection Regulations aren’t actually about data protection, but controlling monetization and profiteering on the back of user data. So anyone can keep what they like and don’t have to tell me, as long as they don’t use it for any financial transaction. Sounds just like my privacy’s being protected there.

they offer a self-assessment tool on their home page… but I am not sure I understood all the questions

Transparency and clarity in action ;-)

Last edited by Bloke (2018-04-18 00:23:28)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#111 2018-04-18 00:37:55

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Or in the words of this individual using a Gadsden Flag as his avatar:

Wrong. These new laws are designed to put small businesses OUT of business and hand all of it over to the fat cats who have already leaked our information. Quit drinking the E.U. Kool Aid. This is a travesty that is going to destroy businesses, and destroy lives. I’m all for common sense regulations, but these are outrageous and impossible to adhere to.

We are all going to be fish in a barrel, waiting to be targeted by the E.U. guns. That’s a fact. There isn’t a single example of 100% compliance online anywhere. That’s because there really is no such thing as compliance. It’s an unattainable goal. Without a ton of money and a high powered legal team, you are at the mercy of the arrogant pricks of the E.U. – Teabagger Blaster


#112 2018-04-18 06:59:55

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I believe these are some tips for survival and peace of mind:

1) Don’t believe everything you read that doesn’t come from the legislation or someone legally qualified to interpret it. (Especially not me.) If they have a statement like “I am not a lawyer/legally qualified…” then we need to dig deeper before we get confident about the last word.

2) If you live outside the EU, your concern is the EU-level regulation. If you live in it, your concern is how your own country interprets the Reg. There will be differences. Probably not a lot, but maybe enough to be aware of. There are some differences in France. (There are also differences between French copyright law and EU copyright law, as another example, but that’s a different ball of yarn.) Regarding the “register your site” question: this was required in France prior to the GDPR. In relation to the GDPR now, the requirement is eliminated. One of the nice things about the Reg, actually. It puts the burden and trust in the hands of the org (via the DPO first, or Controller if a small site like mine). So, again, learn your national interpretation of the Reg.

3) Despite the fact IP addresses are rather nebulous, the ruling seems to be that, “in some cases”, they count as personal data (if ever combined with ISP records). The link to that source is somewhere earlier in this thread. I didn’t really scour the credentials of the site. See #1 and #6.

4) If you’re not the tech giants and international corporations, don’t get twisted up about it too much. This regulation was clearly written with those entities in mind, for the most part. I don’t have to be a lawyer to recognize that emphasis in the writing of the Reg. (Yes, the courts want money, but millions/billions, not petty pennies from making mom-and-pops bankrupt. Still, watch out for the leeches that work the bottom of the pool.)

5) Understand what “breach” means. (Nomipolony doesn’t seem to understand it judging from how she wrote about it, thus, again, don’t believe and react to everything you read.) Breach is not falling afoul of the Reg. That’s just being careless. A ‘breach’ is when personal data you collect is compromised due to a site hack, or whatever and the data leaks out of your control into wrong hands. THAT is when you are in big f-ing trouble if it’s traced back to you and found the breach happened because you did not secure your site properly and have a CoC in place explaining what your policies/procedures were. That is where the legal cases will center on.

6) Kind of speaking at Bloke here in relation to IP addresses… My impression is, it’s less about controlling how you do something and more about being transparent about what that something is. So if you use IP addresses to safeguard your site, and only that, then simply list off the various ways you do or potentially access and use them, how, and say you don’t have an in with the director of your local ISP, and you’re good. Aside from that, do the usual norms, of course – opt-in not opt-out, etc. And revise as you go and we learn more about it. That’s all anybody can do, and what we will do, in fact.

My pithy example will be online tomorrow at latest, you can all see how I’m running afoul of the Reg. ;)


#113 2018-04-18 07:12:08

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

In reply to michaelkpate #311149:

“We are all going to be fish in a barrel, waiting to be targeted by the E.U. guns.” – Teabag Blaster

Oh, brother. Everything wrong with America.


#114 2018-04-18 08:29:26

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,271
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311167:

A ‘breach’ is when personal data you collect is compromised due to a site hack, or whatever and the data leaks out of your control into wrong hands. THAT is when you are in big f-ing trouble if it’s traced back to you and found the breach happened because you did not secure your site properly

Right, so let’s circle back to Txp then. Let’s start with the assumption that if there’s money to be made, people/lawyers will do anything. A breach happens on a shared host. A Txp site is infected – maybe it was the source of entry, maybe it wasn’t – data from its txp_log table is leaked. Who’s culpable? Arguments:

  • It’s the host’s fault for not securing the environment properly and allowing privilege escalation.
  • It’s the Control Panel’s fault for having an undiscovered bug that let someone exploit it in the first place.
  • It’s some third party command line tool (ping, cd, ls, whatever) at fault for having an undiscovered bug.
  • It’s the underlying hardware/chip at fault (e.g. Spectre-style exploit).
  • It’s Textpattern’s fault because the CMS has an undiscovered bug or feature that permits privilege escalation.
  • It’s the site owner’s fault at the hack point for not securing their site.
  • It’s the Txp site owner’s fault for using logging and not being transparent about it.
  • It’s Textpattern’s fault for not doing more to warn people that turning on logging will actually store visitor information.

Any or all of the above statements could be made and they’re all equally valid or invalid depending on viewpoint. So what should we do as a CMS? Logging is off by default. Do we need a warning in the pophelp for the logging pref that turning it on will collect data including IP and it’s the site owner’s responsibility to use the data in accordance with the law?

And then just pray that none of the other scenarios above that involve Txp’s level of culpability are ever tested.




#115 2018-04-18 08:53:17

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Bloke wrote #311171:

Do we need a warning in the pophelp for the logging pref that turning it on will collect data including IP and it’s the site owner’s responsibility to use the data in accordance with the law?

And then just pray that none of the other scenarios above that involve Txp’s level of culpability are ever tested.

That seems logical to me, yes. And it shows that you’ve actually thought about it and taken steps to inform users and work with the laws. That goes a long way in these things, even if you don’t get it right. It shows you made an attempt to play fair in the best way you could under the circumstances, constraints, and weaknesses.

That’s pretty much life on Earth in a nutshell.


#116 2018-04-18 09:08:41

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I wonder if other CMS projects are having this discussion and what they’re coming up with… Where are our spies? Dispatch them to the four corners! May the wind be at their backs!

Or will Txp be the safest game in town?!

Btw, the sooner you get a “GDPR compliant” blurb on the homepage, the better it will be for reputation and adoption. :)


#117 2018-04-18 09:45:58

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,271
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

How about something like this as an addendum to what is already there:

If you enable logging of any kind, visitor IP address information will be collected if the browser passes it along. Please take every precaution to use the data in accordance with any international laws, such as GDPR, and employ strong security in every facet of your server and Textpattern installation to avoid this data being compromised in any way.

It is strongly advised that you leave this setting at its default, ‘none’, unless you absolutely need this information and, further, publicly state your intended usage of it.

We could do with something similar in the main documentation too, on the Prefs panel where we can go into a bit more detail if necessary? Fancy doing the honours there, Destry?




#118 2018-04-18 10:45:57

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Bloke wrote #311179:

Fancy doing the honours there, Destry?

Sure. At some point today or tomorrow.

There’s one detail we might need to think about, that of ‘consent’ to collect IP addresses. It’s not Txp’s responsibility to tell users of Txp how to handle that, but it’s good transparency to make them aware of the potential.

Here’s an alternate consideration for the pop-up, or whatever. By all means massage it to taste…

Be aware that IP addresses, which visitor logs collect, are considered ‘Digital Personal Information’ by the European Union’s General Data Protection Regulation (GDPR). The GDPR concerns any website that collects personal data of EU residents, whether or not the site is in the EU. Likewise, the GDPR requires site owners to get consent to collect such data. Know what your responsibilities as a website owner (‘Controller’) are in relation to the GDPR. If you enable logging, ensure your privacy policies account for why you do and how. And maintain strong website security practices to prevent breaches of any user data you may collect. Until that point, you are advised to leave visitor logging disabled.

Of course, Txp could further distance itself from this situation by making logging a plugin, then putting such a statement in the plugin documentation. Then it’s entirely on the shoulders of the site owner. No question about it. But the above would work in the meantime, as far as I see it.


#119 2018-04-18 10:58:41

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,271
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Okay, good stuff in there. Will consider some or all of that.

I was trying to avoid too much mention, specifically, about the GDPR and make it more general. Otherwise if/when other applicable laws are introduced we’ll have to play catch-up, resulting in a laundry list which then becomes overwhelming to read.

This sort of thing would be definitely applicable in the user documentation. Maybe we should just tweak what we have in the pophelp to mention personal identification, continue to mention the GDPR by acronym there as an example, add a bit about consent and leave it at that. Thus it reflects and raises awareness of the general practice of logging and site owners’ responsibilities, without detailed reference to any one specific hunk of legalese.




#120 2018-04-18 11:07:09

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

For those wondering how to get permission to collect IP addresses via visitor logs, it could be a simple addition to your cookie-popup (and written into the full CoC)…

“This website uses visitor logs, which record IP addresses, to monitor for malicious activity. See Code of Conduct. Your continued use of this website is consent to have your visitation logged.”

Then in your CoC policies you include instructions about how people can contact you to see what you have on them, which is their right to do, if you’re collecting the data. You’re better off if you give your logs a time limit and make that clear (“all logs are deleted after 7 days”). Most people won’t care or bother to worry after seeing that. Just be prepared to show the last seven days for only the person proving to be who they are.

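The two practical pieces of Destry’s post above (a fixed retention window for the visitor log, and being able to show a verified requester only what you hold on them, only for that window) as an added, runnable illustration. This is not Textpattern code: it builds an in-memory SQLite table that mirrors a handful of txp_log columns (the column names and types here are assumed, not taken from Txp’s schema) and seeds it with constructed rows, then runs the purge and the lookup against it.

```python
"""Retention purge and subject-access lookup for a visitor-log table.

Added illustration for the forum discussion; not Textpattern's own code.
The table below approximates a few columns of txp_log (names assumed),
held in an in-memory SQLite database and filled with constructed rows.
"""
import sqlite3
from datetime import datetime, timedelta

RETENTION_DAYS = 7                            # "all logs are deleted after 7 days"
SAMPLE_NOW = datetime(2018, 4, 18, 12, 0, 0)  # fixed clock so results are reproducible
_FMT = "%Y-%m-%dT%H:%M:%S"                    # ISO-8601 text sorts correctly as a string

SCHEMA = """
CREATE TABLE txp_log (
    id     INTEGER PRIMARY KEY,
    time   TEXT NOT NULL,   -- request time, UTC, ISO-8601
    host   TEXT,
    page   TEXT,
    refer  TEXT,
    ip     TEXT NOT NULL,   -- the personal data the thread is concerned with
    method TEXT,
    status INTEGER
)
"""


def open_sample_db(now):
    """Return an in-memory DB seeded with constructed rows dated relative to `now`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        # (age in days, ip, page, status)  -- constructed sample data
        (0.5, "203.0.113.7",  "/articles/hello", 200),
        (2,   "203.0.113.7",  "/?s=admin",       404),
        (6,   "198.51.100.9", "/",               200),
        (8,   "203.0.113.7",  "/wp-login.php",   404),  # outside the 7-day window
        (30,  "198.51.100.9", "/",               200),  # outside the 7-day window
    ]
    conn.executemany(
        "INSERT INTO txp_log (time, host, page, refer, ip, method, status) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        [((now - timedelta(days=age)).strftime(_FMT), "", page, "", ip, "GET", status)
         for age, ip, page, status in rows],
    )
    conn.commit()
    return conn


def _cutoff(now, days):
    return (now - timedelta(days=days)).strftime(_FMT)


def purge_expired(conn, now, days=RETENTION_DAYS):
    """Delete every row older than the retention window; return how many went."""
    cur = conn.execute("DELETE FROM txp_log WHERE time < ?", (_cutoff(now, days),))
    conn.commit()
    return cur.rowcount


def subject_access(conn, ip, now, days=RETENTION_DAYS):
    """Rows held for ONE address, limited to the stated window.

    Call this only after the requester has proven the address is theirs.
    The window bound is applied here too, so a lookup run before the purge
    job has fired still discloses no more than the policy promises.
    """
    return [tuple(r) for r in conn.execute(
        "SELECT time, page, method, status FROM txp_log "
        "WHERE ip = ? AND time >= ? ORDER BY time",
        (ip, _cutoff(now, days)),
    )]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM txp_log").fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db(SAMPLE_NOW)
    print("rows before purge:", row_count(db))
    print("purged:", purge_expired(db, SAMPLE_NOW))
    for row in subject_access(db, "203.0.113.7", SAMPLE_NOW):
        print(row)
```

In practice `purge_expired` is what you would run from a daily cron job against the live table (adapting the column names to the real schema), and `subject_access` is the one query you answer an access request with: keyed on the verified requester’s own address, never a free-form search, and bounded to the same window the privacy notice advertises.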
