Textpattern CMS support forum
Re: Txp cookies, visitor logging, and GDPR stuff in general
Destry wrote #310890:
If the site serves EU citizens — i.e. collects data about them — it doesn’t matter what country it’s in, or where the data is stored. The site owner (‘controller’) still has to respond to any requests about that data.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Speaking of GDPR, today I received a letter from Google:
Dear Google Analytics Administrator,
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).
I am thinking of deleting all my Google Analytics stuff. I really don’t need stats now that I have retired and only have a few hobby sites. I also can’t abide GA’s UI — confusing and just awful!
Besides Piwik are there any free alternatives?
…. texted postive
Re: Txp cookies, visitor logging, and GDPR stuff in general
I deactivated my GA account 2 weeks ago, and removed myself from shared accounts (sorry, txpmag). As soon as I do a couple more prep steps, I’ll delete that as a goog service. Yesterday, Twitter. Finally gone. I’ve deleted about a dozen centralized accounts now and the feeling is a little more liberating and euphoric each time, it’s getting addicting. I’m looking for accounts to delete. And apps to remove from my laptop and phone. I’ve almost got my phone apps down to just 2 screens now. As soon as Gaggle and LockedIn apps are quit, I should make it.
bici wrote #310900:
Besides Piwik are there any free alternatives?
It doesn’t matter that software is GA or not. The GDPR applies to all analytics software. Any data-collecting or data-transfer software of any kind.
Can users tell if you’re using Matomo (formerly PiWik)? I don’t know. Same situation as with Txp logging. If it ever came down to it, the legal argument could be you intended to use it because you had it installed. That’s not the same thing as actually using though, so I think Txp logging, and especially the minimal data it reads, isn’t an issue.
But…
Open source also carries the burden of autonomously keeping it up to date for security reasons. And this is the essential point underlining the Regulation. If a breach happens, data is compromised, and it’s found you did not take steps to prevent it from happening, you will pay heavy fines.
The absolute best way of dealing with it, for those who can, is to not have the software installed at all. No possible way for data to be compromised.
Basically, just get offline entirely. Delete and close everything, smash hard-drives, recycle hardware, and go complete mountain man, or mountain furry, or whatever rainbow color one identifies with.
Re: Txp cookies, visitor logging, and GDPR stuff in general
jakob wrote #310894:
The predatory lawyers may instead take aim for the small businesses, SMEs and non-profit associations because they know they rarely have the facilities or personnel to dedicate to this and the whole thing is not simple to deal with. And those are probably the kinds of clients many of us will have.
Very likely.
I know a guy who creates attractive theme images that people typically look for as hero images, etc, puts cryptic copyright stuff on them, spreads them through goog images, then monitors them like a spider in waiting for anyone to use one without getting his permission. He pounces on them aggressively and they give up money, services, even hardware, out of the fear of being sued. It’s sneaky and skanky, but not entirely illegal, and I’m sure multiple thousands of other vultures do that kind of thing. Same in the lawyer ranks.
Granted, I may be a little over-sensitive as I have had to field accusations from such unscrupulous guys before.
Not at all. The more paranoid in this stuff, the better. It means your guard is up and you’re likely taking steps to safeguard yourself. Thanks for sharing those stories.
in short, that in contrast to Directive 95/46/EG, which needs converting into the respective countries’ national legislation…
Yes. This is what I think is the case: member countries are not ready with local interpretations yet.
In France, biz owners, etc, are governed by a law from 1978 ‽ which was amended in 2004 ‽ So I’m happy to see that dogfood change. But I’ve not seen the local version yet.
Any of my French cohorts know status or have link?
Re: Txp cookies, visitor logging, and GDPR stuff in general
Et voilà ! The French take of the GDPR, Projet de loi relatif à la protection des données personnelles – JUSC1732261L, governed by CNIL (Commission nationale de l’informatique et des libertés), the authority for data privacy in France.
Typical France. Looks like it’s adopting the Reg as another round of amendments (there’s been many) to the ancient law n° 78-17 of 6 January 1978 relative to computers, files, and freedoms. The link above is not the final rewrite, but shows where the previous version of the CNIL law will be edited. I have not been able to find a final, READABLE version of the amended law yet.
Egads. Let’s just make the quicksand maze as confusing as we can for our citizens, eh France?
“Multiple changes in this area include CNIL agents being allowed to carry out the online checks under a borrowed identity.”
So not only do controllers have to worry about requests from data subjects and greedy lawyers, they have to field against government spies too.
“Even after its publication, as required by the law itself, a robust cleaning exercise will be required to make it fully compatible with GDPR.”
You don’t say.
Re: Txp cookies, visitor logging, and GDPR stuff in general
This might be useful to anyone caring enough. The DLA Piper global law firm is graciously (strategically and salivatingly) keeping a running list of resources available for all countries, and notably Union members, about the GDPR and getting into compliance with it. They even set up a microsite dedicated to it.
But their blogs have a lot of things to parse out too. For example I found this useful overview of what steps larger companies in France should take to get ready.
I find their cookie policy rather interesting too, by the fact it’s so thorough. Lawyers, after all.
Basically, what I’m in process of doing is writing my humble/legal “Code of Conduct” (which does seem to be the expected label to put on your data privacy policies now). I find all of these, and other, resources at both EU level and country level useful for how to shape and word it.
I won’t keep blathering on here anymore unless someone has questions.
May the force be with you.
P.S. I’m being told in Mastodon that IIRC IP addresses count as ‘personal data’. I’ve asked for a reference link but I’m still waiting. If that’s true, though, the ‘logging as plugin’ question leans a little harder to ‘yes’.
Re: Txp cookies, visitor logging, and GDPR stuff in general
IP addresses count as ‘personal data’ in the GDPR, under the category of Digital Personal Data.
As in our thread here, it has generated a lot of discussion. Here’s the breakdown:
A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data as it enters the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate going on as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information were combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.
So, ‘logging as a plugin’ gets my vote. I’d prefer it as far removed as possible so it makes the strongest case in face of possession / intention.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Many programmers tell me that it is very hard to safeguard the privacy of visitors. In fact some who I know developed browser extensions insist that their work was tenfold as browsers are built in a way that invades privacy.
The problem here is no longer what it seems because most ISPs maintain IP/person databases. The problem IMO is that of power. These laws will only be able to safeguard big corporations who employ big specialised lawyer firms. The rest of us (the so-called 99%) will have to eventually give up any efforts for growth.
Keeping on the subject. Do you think that this forum will need to have a privacy policy? We actually do have to store private data here, not to mention the server logs.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Txp cookies, visitor logging, and GDPR stuff in general
colak wrote #310993:
Do you think that this forum will need to have a privacy policy?
It already does. Link is in footer. Not very prominent, but there. Phil has been updating the content of the page.
It would be prudent to relabel the document “Code of Conduct” though, and make reference to the GDPR at the top of the document, and any applicable local authority, so the title makes sense in context. Though he has a few days left to worry about it.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Destry wrote #310988:
I won’t keep blathering on here anymore unless someone has questions.
Oh, please, keep posting those thoughts and references. Highly interesting (and useful). I’ll be interested to see how your personal “code of conduct” / privacy policy will look. Please share, if that is not too much to ask.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Txp cookies, visitor logging, and GDPR stuff in general
Related to all this, and TXP specific. In order for a user to post a comment, he or she needs to add an email address. That is required by the comments system.
For a very long time, I’ve had the following under the comment form. I think that is kinda boilerplate text that was once discussed here on the forum. I noticed that textpattern.com has the same text.
Email addresses are used for verification only and are not displayed with your comment
Question(s):
- What kind of verification? As far as I have been able to test, you can enter a fairly nonsense and even invalid email address and the system will still accept it. (And yeah, once upon a time there was a check against an external DB (SpamHaus? or something like that), but that has disappeared (TXP 4.6 or even before).)
- Is there a better text? I mean something that reflects reality better and sounds less invasive?
Me makes a note that I need to mention that in my privacy notice.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Txp cookies, visitor logging, and GDPR stuff in general
colak wrote #310993:
Many programmers tell me that it is very hard to safeguard the privacy of visitors. In fact some who I know developed browser extensions insist that their work was tenfold as browsers are built in a way that invades privacy.
Something tells me a lot of how tech is built will change now. There will be an adjustment period, but you’ll be seeing it manifest in different ways as the law settles in and orgs learn to react.
The problem here is no longer what it seems because most ISPs maintain IP/person databases.
Yes, but that’s their worry, not yours. It’s only your worry if you hired them as a processor of data you collect. ISPs will have to comply just as much as any other business.
These laws will only be able to safeguard big corporations who employ big specialised lawyer firms. The rest of us (the so called 99%), will have to eventually give up any efforts for growth.
Naaahhhhh!
First of all, this Regulation was designed to safeguard the privacy of ‘natural people’ — citizens — and we all are. It has nothing to do with saving big orgs, on the contrary.
Second, these laws are going to hurt big orgs a LOT more than they’re going to hurt small businesses (though I know Julian is skeptical too) because they have a lot more to account for. CFOs around the globe are already crying their eyes out because they see how these constraints put their shady exploitation practices in check. Just adjusting to comply with the laws is costing them millions and probably billions in some cases. It couldn’t come at a worse time for Facebook, as example.
And remember, your ‘customers’ are also business owners in most cases. They’re facing the same thing. We are all both data subjects and controllers in different contexts. Anyone who isn’t won’t really know enough about it to bother exercising their rights. They’re the ones that still vomit their lives on Facebook, YouTube, Twitter, etc because they don’t know any better.
Colak, this is the brunt of the worry, regardless of size of the org/site…
- Limit the data you collect to what you really must have, and cut off all possible vectors to data that doesn’t fit in that evaluation. Anonymize data if you can, which removes it from scope of the GDPR.
- Write a conduct policy about how you use the data you collect. Use brevity, plain language, and make it easy to find. If the data collected is volunteered by the web user (e.g. contact form), then you’re off the hook about having to get permission for it. Your policy only needs to make clear how you store it, how you use it and why, and how users can request to have it changed or removed, and when you allow it.
- Make routine checks that your tech is up to date and as secure as it can be. Data breaches are where the trouble begins, legally and financially. So the less you collect and store, the better. The less third-party bullshit plugged into your site, the better!
That’s not so bad, actually. Just take the steps to comply according to the data you need to collect, and know how to respond to users if you ever have a data breach. Do that and you’ve done what you can. Any court will recognize that.
Here’s a side look at the GDPR that seems attractive to me: it could be the single biggest contribution to green tech (electrical energy conservation) the world could ever hope for. And that wasn’t the goal of it, ironically. It could happen because the Reg will counter the desire to have more, more, MORE! Less data collected and stored means less electricity needed to maintain it. Tally that over all the big tech orgs and there’s incredible conservation there. I’d like to think so. ;)
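As an added illustration of the “anonymize what you collect” step above and the IP-address discussion earlier in the thread (this is not Textpattern code and not from anyone in this thread): a small Python helper that masks the host part of a visitor’s IP address before it is written to a log, so the log no longer singles out one visitor. The tab-separated log layout (timestamp, IP, page, referrer) and the sample lines are constructed for the example; the addresses are from the RFC 5737 / RFC 3849 documentation ranges.

```python
import ipaddress

# Constructed sample visitor-log lines (timestamp, ip, page, referrer), not real traffic.
SAMPLE_LOG = [
    "2018-05-20 10:15:02\t203.0.113.47\t/articles/gdpr\t-",
    "2018-05-20 10:15:09\t2001:db8:abcd:1234:5678::1\t/about\thttps://example.org/",
    "2018-05-20 10:15:11\tnot-an-ip\t/robots.txt\t-",
]


def anonymize_ip(raw: str, v4_bits: int = 24, v6_bits: int = 48) -> str:
    """Zero the host bits of an address so it identifies a network, not a visitor.

    IPv4 keeps the first 24 bits (last octet dropped); IPv6 keeps the /48 prefix.
    This is the same 'mask the tail' idea analytics tools offer as an IP-anonymisation
    option. Anything that does not parse as an address is replaced with 0.0.0.0 rather
    than logged as-is, because a malformed field may still carry something identifying.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "0.0.0.0"
    prefix = v4_bits if addr.version == 4 else v6_bits
    # strict=False lets ip_network() clear the host bits for us.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_log_line(line: str, ip_field: int = 1, sep: str = "\t") -> str:
    """Return the log line with the IP field anonymised; other fields are untouched."""
    fields = line.rstrip("\n").split(sep)
    if len(fields) > ip_field:
        fields[ip_field] = anonymize_ip(fields[ip_field])
    return sep.join(fields)


def scrub_log(lines):
    """Anonymise every line of a visitor log before storage or export."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

Masking at write time is what keeps the stored data out of scope; masking a log that was already written does not undo the earlier collection, so hook this in before the log handler, not after.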