Txp cookies, visitor logging, and GDPR stuff in general

Destry · 2018-04-26 21:20:46

Have a good sailing trip.

planeth wrote #311451:

Data Processing Agreement is a contract between you as a controller and the processors which process personal data on your behalf.

This I picked up on.

Either the service you are using has already one for you to sign, or you’ll need to have one written for them to sign.

This is where I’m unsure. I’m not paying Protonmail for their services. It’s a free account like gmail is free. Google certainly wouldn’t give me any signed agreement either. I mean, imagine having to make the one-on-one agreement with millions of freelancers. That doesn’t make sense.

But lets turn it to the web host, because I could just as easily create a new email account on their mail services using my own domain, for purposes of using with a web contact form, which is all this is for. Am I then supposed to have a one on one agreement with WebFaction because it’s their server? I doubt I’ll get it from them either. They just want to be a web host.

Destry · 2018-04-28 08:55:21

Sorry bici, I didn’t respond to this thoroughly before, nor very well.

bici wrote #311299:

Can a case be made that anything posted in a Forum belongs there forever.

Destry wrote #311306:

Absolutely not. That’s like saying you can’t edit your posts either, which is ludicrous. And I would radically change my participation if that were ever the case.

What I meant here was, I would not like to see that happen. Not only would it be the biggest bait-n-switch ever pulled by an open source forum, but I would give serious thoughts to stop using the forum at that point.

bici wrote #311316:

And yet there are many forums/blogs where once you have posted there is no editing/deleting.

I think what you mean is, a site visitor can’t edit or delete. This might be true, but the owner can still do it, and now has to do it if a user makes a reasonable request for it.

Letters to The Editor in a newspaper: there for ever. Comments made on a website: there for ever. An article published in a Book or Magazine: There for ever.

Print media is a different situation entirely, of course, and not relevant to the Reg, unless the info has been digitized, and then it probably falls under copyright laws, not GDPR.

But for blog posts and comments — even these forum posts — the focus is on ‘classic’ and ‘digital’ data in electronic/tabulated format. In other words, the user accounts that users made the posts by. And the Reg now says, users have the right to be forgotten, for ‘erasure’. And if controllers don’t want the responsibilty of dealing with such requests, they have to develop/provide tools for the user to ‘erase’ on their own will.

Were anyone to delete all their posts it would be a disservice to those that would benefit from the information offered.

This is true in a place like this, and probably rare-to-unlikley to ever happen (if you don’t bait-n-switch users), but it’s not immune from it. If any forum did try to resist, they (the controller) has the burden of justifying the denial in a legal suit, and that’s not going to be good in most cases.

What the forum could do, is allow account deletion but then anonymize that user’s posts. I.e. username would have to be hashed in profiles (nick or otherwise since the system wouldn’t be able to distinguish what was pseudo or real), headshots removed (again pseuo avatars or otherwise, etc. In fact, that might be the legal requirement anyway if a user doesn’t batch delete their entire presence, posts and all. I’m not sure. Anonymized data is a big part of the Reg, so I wouldn’t be surprised.

Destry · 2018-04-28 13:22:41

Destry wrote #311455:

This is where I’m unsure. I’m not paying Protonmail for their services. It’s a free account like gmail is free. Google certainly wouldn’t give me any signed agreement either. I mean, imagine having to make the one-on-one agreement with millions of freelancers. That doesn’t make sense.

I think I get a little bit of what’s happening now, at least as it concerns the following situation…

I just got an email from Google about Google Analytics’ tactic for compliance. It’s making people accept a crazy number of new “data processing” agreements, individually, in relation to different GA features. So in that respect Goog is handling the DPA for you, which makes sense since it’s such a big piece of bread and butter for them on one hand, and they have a lot to lose legally on the other.

I don’t know if Protonmail is doing something like that similarly, or even if gmail is, for that matter, but I see how it could be done.

This is just a poke in the dark, but I think in these cases where a service is free, the onus is on the service provider to offer the DPA because they are trying to grow and remain in business. If I was paying them (as a business owner), however, the onus would be on me as a controller to provide some legal DPA in contract with the processor. Or, maybe it doesn’t matter which way it goes, as long as one exists?

I think this thing about emails in relation to the contact form, though, is one business owners better look into fast, whether it’s a provider like Protonmail or your web host. The only way out of any DPA for mail processing, as I see it, is if you host your own mail server, and how many freelancers or small business do that?

Destry · 2018-04-28 17:09:05

Was just looking at the privacy policy for CryptPad, which is a worthy French project, btw, and I’m really liking what I see there. It’s super simple, plain language, and seems to cover all the bases.

Can it really be that easy?

I especially like how they talk about IP and log data, in a ‘that’s just the way it is’ kind of tone, ‘we don’t do this, we do that’. Done.

Their contact email is not a form, but a direct link to a mail address at xwiki.com, which is probably their own mail server, so that eliminates having to say anything about a DPA there.

I guess I’m either going to not let potential clients contact me ?, or I have to contact Proton and/or WebFaction.

Destry · 2018-04-28 18:51:12

If you’re on WebFaction and you’re using an email from your own domain for business, you do need to get some kind of DPA from them, or give them one, or something. They don’t seem to be GDPR compliant yet (lawyers are reviewing), but they seem willing to work with you via a support ticket. Thread on it here

This likely means if you don’t use your own domain emails hosted by them, you have to get a similar arrangement from that provider instead (e.g. Protonmail). Protonmail doesn’t seem to have nothing about it on their website, and being outside the EU, they may not want to play. I don’t know.

Edit: I’ve just written them to see what they say about it.

It looks like Planeth the sailor was right. ;)

Destry · 2018-04-29 00:25:39

lol… This email marketers info is cracking me up, but making its readers cry. If you think you’ve got it bad as a honest freelancer or whatever, just think of these saps who are used to screwing people with dark UX and hidden opt-out cover ups. They are literally scared and confused. I take a certain pleasure from that.

And this, from a commenter. Man, it says it all:

I still do not think many organisations here in the UK are aware of GDPR. People just look perplexed if you mention it to them. The very few that do know what GDPR is all [say] the same thing …. ‘it doesn’t apply to us, we are too small’.

This is going to be an entertaining summer.

colak · 2018-04-29 17:51:57

We’ve been discussing how GDPR will affect our online presence but this twitter thread is looking at its repercussions in schools. here is a funny one

Award certificates must only refer to the successful pupil as ‘Child x.’ ‘Your child, who cannot be named for legal reasons, has worked well in a subject that we cannot disclose in accordance with GDPR legislation.’ Signed: Teacher x (twitter.com/VivWatson1/status/990496004616196098)

which elicited the response:

“Has worked well” seems too clear. “Is progressing in line with averages expected from a meta-study of like and unlike students” seems to be more fitting… (twitter.com/4321jc/status/990496993905524737)

michaelkpate · 2018-04-29 20:51:00

I just got curious about Dreamhost and did some googling.

Also IP addresses are personal data. So it’s not only about databases, also server log files are affected as they include the IP address. As far as I could see in our DreamHost settings, it’s not possible to turn server logs completely off or to anonymize IP addresses in the log files. Even if you don’t save a database, you are also affected by the server logs. And yes, Privacy Shield is a must. = Will Dreamhost be GDPR compliant?

If you search the database at https://www.privacyshield.gov/list, Dreamhost isn’t listed. Neither is Hostgator, Bluehost, Laughing Squid, Digital Ocean, and Joyent. The only one I could think to try that was is Rackspace.

CodeWalker · 2018-04-29 22:03:51

Just on a side note, regarding tracking cookies of the Google Analytics variety…. I have been using GA Lite lately rather then the official ga script from Google. It’s a clone that is much much smaller, you can run it off your server, and you can even bundle it up with your own scripts via webpack / grunt / gulp.

Crucially – it doesnt drop truck load of cookies like the official script does. It uses local storage. Thats good news if your in the EU because, it’s less cookies to document in your Privacy Policy / GDPR stuff.

Last edited by CodeWalker (2018-04-29 22:10:13)

phiw13 · 2018-04-30 00:12:19

CodeWalker wrote #311513:

Crucially – it doesnt drop truck load of cookies like the official script does. It uses local storage. Thats good news if your in the EU because, it’s less cookies to document in your Privacy Policy / GDPR stuff.

From a privacy point of view, I don’t see much difference between local storage and cookies. Both can be personalized and used for tracking the user. Local storage is possibly worse as it offers a larger space for storing data. I think the GDPR, at least in spirit, treats them as equals – but I am not a lawyer.

(and fwiw, both Firefox and Safari treat local storage and cookies are synonymous in their privacy settings)

Destry · 2018-04-30 07:46:28

With regard to the particularity of Data Processing Agreements (DPA) and web hosts (per IP addresses) and/or mail service providers (contact info), Planeth’s database on companies in compliance is useful reference to see how companies are doing it. We could probably help her to add more thus help a lot of others in turn.

Looking at the list there, MailJet, a French mail provider is in compliance, and account holders only need to request a DPA from them.

Others in the US, like Postmark and Mailchimp, are doing the same, seemingly, and even show pieces of the agreement.

I’m pretty confident now the onus of providing the DPA — in those situations, particularly — is on the processor not the controller. Once you have a DPA, you have to keep it on file in case a national authority requests it, which they could do anytime. Then in your web privacy policies/statements you would name your processor(s) and that you have the DPA with them. Make it clear what each is for, etc.

OVH, a web host, is listed there as compliant, but I don’t see any DPA resource. Presumably you can still request one there, but that would remain to be seen.

The only other webhost listed is Amazon, which would be, of course, as they have a lot riding on it.

Web hosts better get on it fast or there will be a lot of rogues websites on the internet soon… Or a lot of ‘Under Construction” signs. ;)

I wonder if all this legal pressure on web/mail providers, etc, will encourage them to raise rates on everything now to cover the legal review fees. I wouldn’t be surprised. It could be a market thing, rates going up on average globally.

Destry · 2018-04-30 08:23:00

It occurs to me that every service provider (web host, mail…) should be making it perfectly clear, like MailJet, that they provide DPAs and you only need to request one. Practically no companies do. Even OVH, supposedly compliant, says nothing about DPAs.

If I was a service provider in the processor category, I would be getting on that ASAP. They are really doing everybody a disservice by not. Adding to the confusion.

Those that do are sure to gain a lot of new customers fast!

Textpattern CMS

Textpattern CMS support forum

#193 2018-04-26 21:20:46

Re: Txp cookies, visitor logging, and GDPR stuff in general

planeth wrote #311451:

#194 2018-04-28 08:55:21

Re: Txp cookies, visitor logging, and GDPR stuff in general

bici wrote #311299:

Destry wrote #311306:

bici wrote #311316:

#195 2018-04-28 13:22:41

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311455:

#196 2018-04-28 17:09:05

Re: Txp cookies, visitor logging, and GDPR stuff in general

#197 2018-04-28 18:51:12

Re: Txp cookies, visitor logging, and GDPR stuff in general

#198 2018-04-29 00:25:39

Re: Txp cookies, visitor logging, and GDPR stuff in general

#199 2018-04-29 17:51:57

Re: Txp cookies, visitor logging, and GDPR stuff in general

#200 2018-04-29 20:51:00

Re: Txp cookies, visitor logging, and GDPR stuff in general

#201 2018-04-29 22:03:51

Re: Txp cookies, visitor logging, and GDPR stuff in general

#202 2018-04-30 00:12:19

Re: Txp cookies, visitor logging, and GDPR stuff in general

CodeWalker wrote #311513:

#203 2018-04-30 07:46:28

Re: Txp cookies, visitor logging, and GDPR stuff in general

#204 2018-04-30 08:23:00

Re: Txp cookies, visitor logging, and GDPR stuff in general

Board footer