Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#73 2018-04-13 13:06:06

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311005:

Oh, please, keep posting those thoughts and references. Highly interesting (and useful).

Well, good sir, if you insist. But I’ll try to only soft-shoe about.

I’ll be interested to see how you personal “code of conduct” / privacy policy will look like. Please share, if that is not too much to ask.

I’m done writing, I think. It’s short. I may tweak it here and there over time. The CoC applies to all subdomains too, which at this time is only one; could be two later. I’m trying to get the site online soon. Maybe by end of weekend. Maybe even before bed.

Offline

#74 2018-04-13 13:31:52

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,453
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311007:

If the data collected is voluntarily by web user (e.g. contact form), then you’re off the hook about having to get permission for it. Your policy only needs to make clear how you store it, how you use it and why, and how users can request to have it changed or removed, and when you allow it.

Yay! So I just need to stick the abbreviation GDPR somewhere in my privacy policy and I’m golden ;-)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#75 2018-04-13 13:49:40

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,729
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #310991:

The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.

How about data collected with anonymizeIP ? In Germany, it’s long been necessary to use that function with Google Analytics. The argument is that visitor statistics can be collected and analysed but that the IP is anonymised to the extent that it’s not linkable to a particular person or cookie.

Another perhaps useful source is the UK Information Commissioner’s Office. First of all there’s quite a bit of broken down information on the site, also for different kinds of site owners. But they also have a quite a detailed non-legalese privacy notice and cookie use page at the bottom, not to mention their “cookie popup”.


TXP Builders – finely-crafted code, design and txp

Offline

#76 2018-04-13 14:40:15

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311012:

How about data collected with anonymizeIP ?

Good question.

On one hand data that is sufficiently anonymized does seem to be out of the GDPR’s concern, as the GDPR even says (though the burden of proving the status is still on the controller, or the DPO).

On the other hand, that source I gave seemed to make clear that the EU has decided IP addresses, regardless, are considered personal data, thus a controller would have to get permission to collect and use it.

I don’t know. It might be one of those gray situations where you go ahead and collect without permission using the anonymizer tool, explaining it clearly in the CoC, of course, which would still be required, and hope for the best. If ever challenged you wave the “anonymized data” exemption in their face and say, “I tried, as the Reg says.” ;)

Maybe watching what Google does would be wise too, since that’s their tool and they seem to be reacting recently to the GDPR and making GA changes.

That doesn’t seem to help Txp logging, though. It seems clear in that respect if you’re going to use Txp’s logging, you have to get permission first. That is reason to plugin-ize it, in my book.

Offline

#77 2018-04-13 15:11:01

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

This could be food for thought about handling various things, including IP logging…

If you look at CNIL’s website (this link in English), which is the French authority for data privacy, so their site must be compliant with the GDPR, you see they have a typical popup at top of screen, which reads:

If you continue to browse this website, you accept third-party cookies used to offer you videos, social sharing buttons, contents from social platforms.

Yes, accept all | Personalize

If you click the personalize button, you can turn things on and off.

As you all know, I’m no dev, but the obvious question would be, could you making IP logging an option in the personalization menu? If so, that’s your solution to handling Txp visitor logging, if you wanted to log at all.

That still bodes for making the logging functionality a plugin, IMO, and there is need for some pop-up menu template like they use, maybe another plugin, or a module like bloke was talking about, then you can add other modules as personalization options?

Seems like a mess of extra code, just have local logging. Easier to turn it off and forget about it, which is what I will do, but I’m trying to think of ways to helps y’all.

Offline

#78 2018-04-13 16:17:02

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311012:

How about data collected with anonymizeIP ?

The strange thing is that my readings reveal that many authorities are trying to make proxies illegal due to their links to activities not favoured by many states. The directive in combination to the EU directive will eventually destroy the internet.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#79 2018-04-13 16:32:06

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,729
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Yiannis, I think I’m missing a few steps in your thinking there.

anonymizeIP is just a module in Google Analytics that chops the final bit of a tracked IP number – e.g 12.214.31.144 becomes 12.214.31.0 – so that you get basic general location data on your site’s visitors but a visitor’s specific IP number is never recorded and therefore not personally identifiable.
As the linked article describes, it happens in memory before being committed to statistic logging so there isn’t an interim recorded state. It’s been mandatory for German users of GA for several years and was the process of long discussions with the data protection authority so has been independently audited.

My question was whether this counts as a) an IP address at all (because it’s only part of one), and b) as personal data.


TXP Builders – finely-crafted code, design and txp

Offline

#80 2018-04-13 17:16:13

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311006:

In order for a user to post a comment, he or she need to add an email address. That is required by the comments system.

The fact that you have to give an email address at all for making a comment on a blog is bad design. I’ve ready discussions of this before, where it’s argued that too much software on the web (open source or otherwise) needlessly requires emails. It really makes no sense. It’s a concept that comes from the notion everybody needs to contact one another or make leads out of each other, but it’s not true, and it falls flat against the GDPR.

This is one of those examples where I expect the GDPR will influence how software is designed. Name and ID number would be fine, with optional website, if anyone cared.

Then if anyone chose to comment, their action is the expressed permission to record the data and use it for purposes of the comment system.

In the case of forums, emails make a little more sense because they are used for private communication between forum members via the forum system. And that would be the only justification statement needing made in a policy for it.

You don’t have to say anything about “verification”. Like you say, what the hell does that even mean? You don’t want to create strange terms that you have to then define extensively. That’s not giving good conduct. ;)

…is there a better text? I mean something that reflects better reality and sounds less invasive?

I presume your asking about blog comments… My inclination would be to research the tech a bit first and see if therey’s any good explanations out there (besides “verification”) about why an email is needed for comments at all.

I don’t think there is a good explanation, thus no good reason to ask for it, thus why it’s hard to say anything worthwhile about why you need to collect.

Honestly, I if I was going to use comments (which I’m never going to use) I would say something like this:

If you chose to use the blog commenting system, you automatically give the controller permission to collect your NAME, EMAIL, WEBSITE [whatever]. You can use a false name or pseudonym, and the website is optional, but your email is needed only because [NAME of SOFTWARE/CMS] is developed that way. The controller does not use the email for any reason. Your comments may be removed for bad conduct reasons (reference to CoC policy), but you will not be contacted about it. You may request to have your commenting account deleted at any time, including your email address, and it will be deleted within [n] days.

Also, you don’t have to put that in context of the comment form. Put it in your CoC and just make a short note at the comment form like “See CoC before signing up for comments.” or whatever.

Offline

#81 2018-04-13 17:20:43

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Txp cookies, visitor logging, and GDPR stuff in general

Hi Julian,

I agree with you that sometimes I write as if I know you guys intimately and vice-versa .. We’ve been here for long enough but the internet is no substitute to person to person interaction. I stand corrected re the anonymizeIP!!! I actually thought that it was working like a proxy.

In any case, I think that the GDPR will increase rather than decrease surveillance. Be that for the few. I am also thinking that even the Right to be forgotten is problematic. Think of investigative journalism for example, where good investigative reporters will no longer be able to gain access to much material which is currently available online because the person/people they are investigating will be able to take down – from the public side at least – all incriminating evidence in their digital footprint.

I believe that companies like Google will not be able to make the right judgements to all the notices they will receive and they will eventually resort to only go with algorithmic decisions which are no different to all the automated DMCA trolls currently infesting the net. In the end we will lose the freedom web1 had, and web2 abused.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#82 2018-04-13 17:47:50

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #311026:

Think of investigative journalism for example, where good investigative reporters will no longer be able to gain access to much material which is currently available online because the person/people they are investigating will be able to take down – from the public side at least – all incriminating evidence in their digital footprint.

I understand what your getting at. But that particular statement is interesting. You’re looking at it from the perspective, in this case, journalists being able to pin something on someone, or, rather, the perspective that once anyone makes a post online of any kind, be it socmed, blog, whatever… they are not allowed to remove it ever again. They must forever remain accountable for whatever thing they said, even if they made a human mistake. And that would seem to go for not being able to edit their original post either, because, after all, you could change the thing said that someone might want to pin you for.

If we’re talking about shitdip Donald (and not Donald Swain), I can kind of see your point. People like that need to be held accountable because they are extremely controversial, influential, and powerful.

But think if it was you, or your son, or father…. Hopefully that suddenly makes a big difference in your perspective. I am doing a major audit of my online footprint for exactly the reasons of not being pinned to the wall by reporters, TSA pricks at the border, employers, wife, whoever. It doesn’t matter. I should not have to be painted all over the internet if I decide I don’t want to be anymore.

By the way, there are some special conditions for journalism in the GDPR. I haven’t read them yet, but I did notice them. Also, criminal records are not even covered, if I remember right. In other words, criminals don’t have the same right to erasure. So it seems they are giving the good people the edge, as it should be.

I absolutely agree with you about not trusting tech companies. I don’t. Not any more. Never will again. Likewise, governments.

Offline

#83 2018-04-13 18:08:13

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

@ phiw13

Destry wrote #311025:

I don’t think there is a good explanation, thus no good reason to ask for it, thus why it’s hard to say anything worthwhile about why you need to collect.

I just remembered one reason why emails may be collected in comment systems. Some provide notifications to commenters when people reply directly to their comments. I don’t know if that’s how it works in Txp or not, but I think Disqus, for example, works that way.

That would be your reason/statement in the CoC if that was the case.

Offline

#84 2018-04-13 20:00:54

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,729
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Hi Yiannis,

Thanks for joining up the dots. And yes, I agree with much of what you say. Someday maybe we’ll all descend on you and can discuss this all and more in person ;-) I just read your cookie notice and just had to say it made me laugh!


TXP Builders – finely-crafted code, design and txp

Offline

Board footer

Powered by FluxBB