Textpattern CMS support forum
Re: Txp cookies, visitor logging, and GDPR stuff in general
jakob wrote #311012:
How about data collected with anonymizeIP ?
Good question.
On one hand data that is sufficiently anonymized does seem to be out of the GDPR’s concern, as the GDPR even says (though the burden of proving the status is still on the controller, or the DPO).
On the other hand, that source I gave seemed to make clear that the EU has decided IP addresses, regardless, are considered personal data, thus a controller would have to get permission to collect and use it.
I don’t know. It might be one of those gray situations where you go ahead and collect without permission using the anonymizer tool, explaining it clearly in the CoC, of course, which would still be required, and hope for the best. If ever challenged you wave the “anonymized data” exemption in their face and say, “I tried, as the Reg says.” ;)
Maybe watching what Google does would be wise too, since that’s their tool and they seem to be reacting recently to the GDPR and making GA changes.
That doesn’t seem to help Txp logging, though. It seems clear in that respect if you’re going to use Txp’s logging, you have to get permission first. That is reason to plugin-ize it, in my book.
Re: Txp cookies, visitor logging, and GDPR stuff in general
This could be food for thought about handling various things, including IP logging…
If you look at CNIL’s website (this link in English), which is the French authority for data privacy, so their site must be compliant with the GDPR, you see they have a typical popup at top of screen, which reads:
If you continue to browse this website, you accept third-party cookies used to offer you videos, social sharing buttons, contents from social platforms.
Yes, accept all | Personalize
If you click the personalize button, you can turn things on and off.
As you all know, I’m no dev, but the obvious question would be, could you make IP logging an option in the personalization menu? If so, that’s your solution to handling Txp visitor logging, if you wanted to log at all.
That still bodes for making the logging functionality a plugin, IMO, and there is need for some pop-up menu template like they use, maybe another plugin, or a module like bloke was talking about, then you can add other modules as personalization options?
Seems like a mess of extra code, just have local logging. Easier to turn it off and forget about it, which is what I will do, but I’m trying to think of ways to help y’all.
Re: Txp cookies, visitor logging, and GDPR stuff in general
jakob wrote #311012:
How about data collected with anonymizeIP ?
The strange thing is that my readings reveal that many authorities are trying to make proxies illegal due to their links to activities not favoured by many states. The directive in combination to the EU directive will eventually destroy the internet.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Yiannis, I think I’m missing a few steps in your thinking there.
anonymizeIP is just a module in Google Analytics that chops the final bit of a tracked IP number – e.g. 12.214.31.144 becomes 12.214.31.0 – so that you get basic general location data on your site’s visitors but a visitor’s specific IP number is never recorded and therefore not personally identifiable.
As the linked article describes, it happens in memory before being committed to statistic logging so there isn’t an interim recorded state. It’s been mandatory for German users of GA for several years and was the process of long discussions with the data protection authority so has been independently audited.
My question was whether this counts as a) an IP address at all (because it’s only part of one), and b) as personal data.
TXP Builders – finely-crafted code, design and txp
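The truncation described in the post above, as an added Python example (not code from the thread, from Textpattern or from Google Analytics). The names `anonymize_ip` and `log_record` are hypothetical, and the example goes beyond the post's IPv4 case by also zeroing the last 80 bits of IPv6 addresses; the sample hits are constructed.

```python
import ipaddress

# Bits kept per address family: /24 drops the last IPv4 octet (the case in
# the post); /48 zeroes the last 80 bits of an IPv6 address (assumed width).
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(raw: str) -> str:
    """Return the address with its host part zeroed, or a fixed placeholder."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "0.0.0.0"  # never let an unparsed value reach the log
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is handled as IPv4; under the /48
    # mask it would collapse to "::" and lose the coarse location.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def log_record(remote_addr: str, path: str, when: str) -> dict:
    """Build the visitor-log row. Truncation happens in memory, so the full
    address is never part of what gets written."""
    return {"time": when, "ip": anonymize_ip(remote_addr), "page": path}


# Constructed sample hits; the first address is the one quoted in the post.
SAMPLE_HITS = [
    ("12.214.31.144", "/articles/gdpr"),
    ("2001:db8:85a3:8d3:1319:8a2e:370:7348", "/"),
    ("::ffff:12.214.31.144", "/contact"),
    ("not-an-ip", "/rss"),
]

if __name__ == "__main__":
    for ip, page in SAMPLE_HITS:
        print(log_record(ip, page, "2018-01-01T00:00:00Z"))
```
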
Re: Txp cookies, visitor logging, and GDPR stuff in general
phiw13 wrote #311006:
In order for a user to post a comment, he or she needs to add an email address. That is required by the comments system.
The fact that you have to give an email address at all for making a comment on a blog is bad design. I’ve read discussions of this before, where it’s argued that too much software on the web (open source or otherwise) needlessly requires emails. It really makes no sense. It’s a concept that comes from the notion everybody needs to contact one another or make leads out of each other, but it’s not true, and it falls flat against the GDPR.
This is one of those examples where I expect the GDPR will influence how software is designed. Name and ID number would be fine, with optional website, if anyone cared.
Then if anyone chose to comment, their action is the expressed permission to record the data and use it for purposes of the comment system.
In the case of forums, emails make a little more sense because they are used for private communication between forum members via the forum system. And that would be the only justification statement needing made in a policy for it.
You don’t have to say anything about “verification”. Like you say, what the hell does that even mean? You don’t want to create strange terms that you have to then define extensively. That’s not giving good conduct. ;)
…is there a better text? I mean something that reflects better reality and sounds less invasive?
I presume you’re asking about blog comments… My inclination would be to research the tech a bit first and see if there’s any good explanations out there (besides “verification”) about why an email is needed for comments at all.
I don’t think there is a good explanation, thus no good reason to ask for it, thus why it’s hard to say anything worthwhile about why you need to collect.
Honestly, if I was going to use comments (which I’m never going to use) I would say something like this:
If you choose to use the blog commenting system, you automatically give the controller permission to collect your NAME, EMAIL, WEBSITE [whatever]. You can use a false name or pseudonym, and the website is optional, but your email is needed only because [NAME of SOFTWARE/CMS] is developed that way. The controller does not use the email for any reason. Your comments may be removed for bad conduct reasons (reference to CoC policy), but you will not be contacted about it. You may request to have your commenting account deleted at any time, including your email address, and it will be deleted within [n] days.
Also, you don’t have to put that in context of the comment form. Put it in your CoC and just make a short note at the comment form like “See CoC before signing up for comments.” or whatever.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Hi Julian,
I agree with you that sometimes I write as if I know you guys intimately and vice-versa .. We’ve been here for long enough but the internet is no substitute to person to person interaction. I stand corrected re the anonymizeIP!!! I actually thought that it was working like a proxy.
In any case, I think that the GDPR will increase rather than decrease surveillance. Be that for the few. I am also thinking that even the Right to be forgotten is problematic. Think of investigative journalism for example, where good investigative reporters will no longer be able to gain access to much material which is currently available online because the person/people they are investigating will be able to take down – from the public side at least – all incriminating evidence in their digital footprint.
I believe that companies like Google will not be able to make the right judgements to all the notices they will receive and they will eventually resort to only go with algorithmic decisions which are no different to all the automated DMCA trolls currently infesting the net. In the end we will lose the freedom web1 had, and web2 abused.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Txp cookies, visitor logging, and GDPR stuff in general
colak wrote #311026:
Think of investigative journalism for example, where good investigative reporters will no longer be able to gain access to much material which is currently available online because the person/people they are investigating will be able to take down – from the public side at least – all incriminating evidence in their digital footprint.
I understand what you’re getting at. But that particular statement is interesting. You’re looking at it from the perspective, in this case, journalists being able to pin something on someone, or, rather, the perspective that once anyone makes a post online of any kind, be it socmed, blog, whatever… they are not allowed to remove it ever again. They must forever remain accountable for whatever thing they said, even if they made a human mistake. And that would seem to go for not being able to edit their original post either, because, after all, you could change the thing said that someone might want to pin you for.
If we’re talking about shitdip Donald (and not Donald Swain), I can kind of see your point. People like that need to be held accountable because they are extremely controversial, influential, and powerful.
But think if it was you, or your son, or father…. Hopefully that suddenly makes a big difference in your perspective. I am doing a major audit of my online footprint for exactly the reasons of not being pinned to the wall by reporters, TSA pricks at the border, employers, wife, whoever. It doesn’t matter. I should not have to be painted all over the internet if I decide I don’t want to be anymore.
By the way, there are some special conditions for journalism in the GDPR. I haven’t read them yet, but I did notice them. Also, criminal records are not even covered, if I remember right. In other words, criminals don’t have the same right to erasure. So it seems they are giving the good people the edge, as it should be.
I absolutely agree with you about not trusting tech companies. I don’t. Not any more. Never will again. Likewise, governments.
Re: Txp cookies, visitor logging, and GDPR stuff in general
@ phiw13
Destry wrote #311025:
I don’t think there is a good explanation, thus no good reason to ask for it, thus why it’s hard to say anything worthwhile about why you need to collect.
I just remembered one reason why emails may be collected in comment systems. Some provide notifications to commenters when people reply directly to their comments. I don’t know if that’s how it works in Txp or not, but I think Disqus, for example, works that way.
That would be your reason/statement in the CoC if that was the case.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Hi Yiannis,
Thanks for joining up the dots. And yes, I agree with much of what you say. Someday maybe we’ll all descend on you and can discuss this all and more in person ;-) I just read your cookie notice and just had to say it made me laugh!
TXP Builders – finely-crafted code, design and txp
Re: Txp cookies, visitor logging, and GDPR stuff in general
Destry wrote #311027:
If we’re talking about shitdip Donald (and not Donald Swain), I can kind of see your point. People like that need to be held accountable because they are extremely controversial, influential, and powerful.
Hi Destry, I am thinking of shitdip Donald:). An artist we exhibited twice in our space created a project re Swain, part of which can be found on youtube, so I am also aware of the dangers of the inadequate laws.
The problem we are facing is that technology creeps in, very shyly in the beginning, but it’s not long before it becomes spread, and an integrated part of our daily lives. Think of mobile phones for example, or self driving cars which promise/threaten to become the norm in the foreseeable future. Another artist / writer we have presented said that technology is developing faster than our laws. The particular book was finished whilst he was staying with us. The problem, as I see it, is that both technologies AND laws are creeping into our lives in a way that affects our rights. The post 9/11 era is characterised by state sanctioned paranoia, enhanced by the hegemonic neo-liberal economic systems. Their combined effect on both technology developments, and our new laws, are leading us to a path reminiscent of totalitarian, extremist, times which basically allows governments to entrap their citizens. Or as you pointed out:
“Multiple changes in this area include CNIL agents being allowed to carry out the online checks under a borrowed identity.”
jakob wrote #311030:
Someday maybe we’ll all descend on you and can discuss this all and more in person ;-) I just read your cookie notice and just had to say it made me laugh!
You are all very welcome to come! I’m glad you laughed on that one. I’m trying to make it even funnier… Suggestions are always accepted:)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Txp cookies, visitor logging, and GDPR stuff in general
I just came across this old cookieless cookie solution which provides us with some food for thought.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Txp cookies, visitor logging, and GDPR stuff in general
colak wrote #311043:
I just came across this old cookieless cookie solution which provides us with some food for thought.
That’s interesting. As are the extra details explained in wikipedia.
Others might grasp it better than me, so consider this a spill of the pick-up-sticks only, but my first reaction is:
- This would qualify as personal data because it could be used in combination with other data to identify you. Similar logic as was argued for IP addresses after comparison with ISP logs (rare scenarios, yes, but the ruling was: it counts as personal data).
- Etags are hard to detect?, which means using them without opt-in from data subjects can get you in serious hot water. (Class-action lawsuits over it already years ago, might see more of those now.)
- Controllers can set Etag headers, but it’s optional? Though they have no authority over browser and web server design, so onus is on users there to browse anonymously, clear cache, etc.
- Controllers would need to account for “Etag headers” in their policies about whether they’re using them or not, why, etc. (‘if you keep using this site, you agree to the Etags for caching purposes’ … whatever) or (‘This site does not use Etags. The browser may set them but you can use safe-mode, etc’).
As the article seems to say, the risk of this is kind of small, because there are bugs with a totally undetectable implementation, and it doesn’t work at all if users browse with anonymous browsing mode on, for example.
How do Etags factor into Txp caching plugins? Are the headers added in that case?
Re: Txp cookies, visitor logging, and GDPR stuff in general
colak wrote #311034:
You are all very welcome to come! I’m glad you laughed on that one. I’m trying to make it even funnier… Suggestions are always accepted:)
A Txp meetup in Greece! That would be wonderfully appropriate.
Yes, the cookie policy is great. Something I might have written. ;)
Re: Txp cookies, visitor logging, and GDPR stuff in general
Destry wrote #311051:
A Txp meetup in Greece! That would be wonderfully appropriate.
Make that Cyprus:) (Think Greece but with British type of organisation and Westminster based legal system)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Txp cookies, visitor logging, and GDPR stuff in general
Here is something else I have been pondering: what happens with AMP pages? You make sure your site is GDPR compliant, then you serve your page through AMP. A visitor receives a link to your site from someone (friend / twitter / …) who found it through google on a mobile device. The URL he or she receives is to the AMP page, which is loaded with Google stuff. Technically it is your site, but it is also Google’s.
Quid of your privacy policy?
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg