MyBB Community Forums

Full Version: New European General Data Protection Regulation...
Since May 2018 we must comply with the dispositions of the General Data Protection Regulation (GDPR), which defines, at European level, the new rules on the protection of personal data of European citizens. The GDPR will modify the operation of any company (and forums) in the areas where it comes into contact with the processing of personal data in a structural way anywhere in the world.

Owners of MyBB.fr must comply with these rules as any other MyBB forum with European members even outside Europe...

On MyBB.fr, we have more and more demands of members asking for the suppression of their account according to the European law for data protection and their right for oversight.
https://www.cnil.fr/fr/reglement-europee...on-donnees (French)
https://gdpr-info.eu/ (English)

But an account and related messages suppression can render a forum almost unreadable.

Also a simple account suppression does not delete all references to the username of that account, mostly quotes and answers from other users, without forgetting all private messages!

We also have to take into account the fact that if one of his messages is the first of a thread, it seems that all the thread is deleted!

Our idea would be to be able to rename a user account as "Unknown 1, Unknown 2" etc. automatically with a replacement of any occurrences of the old username. This way, the forum would not be completely unstructured.

Is there anyone in charge of development who could take charge of this demand and create a script that will automate all the requests needed over the database to facilitate the global "renaming"?

Will the next version of MyBB be GDPR compatible?

Thank you.
You can already rename users before deleting them (without deleting their posts and threads naturally). And that should be the end of it.

That's unless you're running a fanfic forum where people write entire books (works that have copyright) without asking users for usage rights beforehand.

Regular forum posts (such as this one or yours) aren't even qualified for copyright considerations.

Well, may be subject to your country's laws, but anyone could have written this, so who cares.
I think you have not read the text of the GDPR law. An e-mail or an IP address is considered as personal data.

We know that we can rename an account's username, but this username will not be replaced inside posts or quotes and in private messages either!
Check out the Amnesia plugin for MyBB 1.8.

https://github.com/kawaii/mybb-amnesia
You rename and delete the account. Then their posts are renamed, their email is gone, and their private messages too. That should be enough.

Asking to modify other users' posts and even going through other users' private messages inboxes too, at some point you start violating their privacy.

Also this isn't a problem that can be solved within MyBB... at most you could replace the most common [quote='spyto' with [quote='anonymous'. However that does not cover arbitrary references like someone saying "I agree with what spyto said earlier".

It's impossible to replace such references programmatically. It'd have to be a manual process. But as long as the nickname is a nickname and not a real name, what's the point?

Even under GDPR there is only so much you can do, you can't be MIB and erase people's memories.

Regarding IP address, my hoster does not even give them to you anymore... all logs have 1.2.0.0 instead of 1.2.3.4 (half of IP missing) and PHP also, so by default what MyBB stores is an already anonymized IP. Can't delete what you never stored in the first place.

And to me it seems this is a much more important aspect of this law... you're supposed to protect your users' privacy at all times. Not just the one who wants their accounts deleted and their posts and their threads too, rendering your forum unusable to everyone else. If it has to be that way then might as well stop hosting forums altogether.
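
The limitation described in the post above, as an added example that is not part of the original thread or of MyBB: the author attribute of quote tags can be rewritten mechanically, while free-text mentions can only be flagged for manual review. The post bodies, post ids and function names are constructed for illustration, and the tag syntax assumed is the `[quote='name'` form shown in the post (double quotes are also accepted).

```python
import re


def pseudonymize_quotes(body, old_name, new_name):
    """Rewrite the author attribute of [quote='name' ...] tags.

    Returns (new_body, number_of_tags_rewritten).
    """
    pattern = re.compile(
        r"(\[quote=)(['\"])" + re.escape(old_name) + r"\2",
        re.IGNORECASE,
    )
    # A function replacement avoids backslash surprises in new_name.
    return pattern.subn(
        lambda m: f"{m.group(1)}{m.group(2)}{new_name}{m.group(2)}", body
    )


def residual_mentions(body, old_name):
    """Offsets where the old name still appears as a whole word."""
    pattern = re.compile(
        r"(?<!\w)" + re.escape(old_name) + r"(?!\w)", re.IGNORECASE
    )
    return [m.start() for m in pattern.finditer(body)]


def process_posts(posts, old_name, new_name):
    """posts maps post id -> body. Returns (rewritten posts, ids for manual review)."""
    rewritten, review = {}, []
    for pid, body in posts.items():
        new_body, _ = pseudonymize_quotes(body, old_name, new_name)
        rewritten[pid] = new_body
        if residual_mentions(new_body, old_name):
            review.append(pid)  # free-text reference: a human has to decide
    return rewritten, review


# Constructed sample posts (hypothetical ids and text).
SAMPLE_POSTS = {
    101: "[quote='spyto' pid='55']The update broke my theme.[/quote]\nSame here.",
    102: "I agree with what spyto said earlier.",
    103: "[quote=\"Spyto\" pid='56']Fixed.[/quote]\nThanks spyto!",
    104: "Unrelated post about spytools.",
}

if __name__ == "__main__":
    new_posts, needs_review = process_posts(SAMPLE_POSTS, "spyto", "anonymous")
    print(new_posts[101])
    print("manual review:", needs_review)
```
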
(2019-04-20, 09:19 PM)kawaii Wrote: [ -> ]Check out the Amnesia plugin for MyBB 1.8.

https://github.com/kawaii/mybb-amnesia

I have gone through the code of that plugin and it seems to only manage the forum for the GDPR, the plugin does not provide a solution to erase any personal information in all tables of the database. If someone wrote the username manually in their message it will not be detected and acted on by this plugin. There are so many areas not covered with the anonymization process, like the caches...

(2019-04-20, 09:36 PM)frostschutz Wrote: [ -> ]You rename and delete the account. Then their posts are renamed, their email is gone, and their private messages too. That should be enough.

Asking to modify other users' posts and even going through other users' private messages inboxes too, at some point you start violating their privacy.

Also this isn't a problem that can be solved within MyBB... at most you could replace the most common [quote='spyto' with [quote='anonymous'. However that does not cover arbitrary references like someone saying "I agree with what spyto said earlier".

It's impossible to replace such references programmatically. It'd have to be a manual process. But as long as the nickname is a nickname and not a real name, what's the point?

Even under GDPR there is only so much you can do, you can't be MIB and erase people's memories.

Regarding IP address, my hoster does not even give them to you anymore... all logs have 1.2.0.0 instead of 1.2.3.4 (half of IP missing) and PHP also, so by default what MyBB stores is an already anonymized IP. Can't delete what you never stored in the first place.

And to me it seems this is a much more important aspect of this law... you're supposed to protect your users' privacy at all times. Not just the one who wants their accounts deleted and their posts and their threads too, rendering your forum unusable to everyone else. If it has to be that way then might as well stop hosting forums altogether.

You seem to be a member of the European countries, but you do not seem to understand the full extent of the GDPR law.

We know that we can manually erase personal information of a member to respect the GDPR directives, but with members having hundreds or thousands of messages that would be quite an exercise.

Even if we are not "MIB and erase people's memories", we must take whatever actions we can to comply with the law!

I can tell that all our members' IPs are fully written in our database, your "hoster" seems to be one of a kind... ;)

By the way we have our own dedicated server!

Honestly this new European law seems to be the death of common forums, the way we know it. If at least MyBB development staff were using in all its tables the IdNumber of a user without its full username, that would be an easier task to replace all occurrences of a username everywhere.

This last solution is not impossible, it would only need to translate the IdNumber to its real username for display...

It is easy to dismiss the obligations to comply with foreign rules, if we do not intend to pay the price...
(2019-04-20, 10:32 PM)exdiogene Wrote: [ -> ]I can tell that all our members' IPs are fully written in our database, your "hoster" seems to be one of a kind... ;)

it's uberspace in germany, they have a thing for privacy

manual.uberspace.de/web-logs.html#privacy Wrote: To protect user’s privacy, we only log the first 16 bits of an IPv4 address and the first 32 bits of an IPv6 address, respectively, nulling the rest. Thus, uberspace.de’s IPv4 address, 82.98.87.93 and its IPv6 address 2a02:2e0:3fc:52:0:62:5768:38 are logged as 82.98.0.0 and 2a02:2e0:: in the actual log files.

and that's the default for their PHP too so MyBB only sees redacted IP no need for changing anything about the software

(2019-04-20, 10:32 PM)exdiogene Wrote: [ -> ]By the way we have our own dedicated server!

I also have my own server, but I choose not to use it for MyBB.

There are some things that are just about impossible to do. Going through users private messages to delete references, sorry what a silly idea. You sent a private message, it's in their inbox, it's theirs not yours, so bugger off.

Also... backups. You can delete stuff from the database. Do you retroactively delete stuff from a backup? Impossible. You'd have to import the gzipped sql dump, run same queries, gzip it again, it's a silly idea.

Not to mention those archives have already been mirrored cause if you don't, it's not a backup.

You can only promise to not use backups for other than their purpose (to restore your site when things are broken).
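
The truncation rule quoted above (keep the first 16 bits of an IPv4 address and the first 32 bits of an IPv6 address), as an added example that is not uberspace's or MyBB's code. It assumes an access log whose first space-separated field is the client address; the log lines and function names are constructed, using the two addresses from the quote.

```python
import ipaddress

V4_KEEP_BITS = 16  # per the quoted rule: first 16 bits of IPv4
V6_KEEP_BITS = 32  # per the quoted rule: first 32 bits of IPv6


def truncate_ip(text):
    """Zero every bit after the kept prefix. Raises ValueError if text is not an IP."""
    ip = ipaddress.ip_address(text)
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    # strict=False lets ip_network mask off the host bits for us.
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def scrub_access_log_line(line):
    """Truncate the client address in the first field of one log line."""
    host, sep, rest = line.partition(" ")
    try:
        return truncate_ip(host) + sep + rest
    except ValueError:
        # First field is a hostname or malformed: nothing to truncate.
        return line


def scrub_log(lines):
    """Apply the truncation to every line of a log."""
    return [scrub_access_log_line(line) for line in lines]


# Constructed sample log lines (assumed layout: client address first).
SAMPLE_LOG = [
    '82.98.87.93 - - [20/Apr/2019:22:32:10 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '2a02:2e0:3fc:52:0:62:5768:38 - - [20/Apr/2019:22:33:41 +0200] '
    '"POST /member.php HTTP/1.1" 302 0',
    'localhost - - [20/Apr/2019:22:34:02 +0200] "GET /task.php HTTP/1.1" 200 43',
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

Truncating before the line is written, as the quoted hoster does, also keeps the full address out of backups; running this over existing logs only covers the copies it is run on.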
If it comes to that, I'll change the agreement to where the user agrees to forgo certain rights.
Log files with IP and other information are covered by GDPR. You just have to make it explicit that these data are collected and why (security/antispam).

Accessing and/or editing users' PMs would be a crime/felony in itself. Don't.

(2019-04-20, 03:49 PM)exdiogene Wrote: [ -> ]We also have to take into account the fact that if one of his messages is the first of a thread, it seems that all the thread is deleted!

Workaround: Declare another post as the thread's new first post in the database (mybb_threads), then delete the initial post.
But anonymizing usually suffices.