As we're sure many of you know, a big new privacy and data protection thing is coming into force next month from the EU, called the EU General Data Protection Regulation (GDPR).
Any website that takes any information from anyone in the EU, has to comply with it, or face huge fines. Naturally, we want to ensure we're complying.
Here's a few steps we've already done
- All YouTube embeds in comments/forum posts now use YouTube's enhanced privacy mode, which doesn't load a single cookie until you hit play.
- All future articles with a YouTube embed will also use YouTube's enhanced privacy mode, we're working to update all older articles with a script soon.
- We recently (read: finally) added the ability for you to delete your own individual comments. Was on the todo list for a long time, sorry it took so long. This will be rolled out to the forum too ASAP.
- If you wish to completely remove your account (not "hidden"—just completely gone), there's an option to do so in your User Control Panel now.
- All new users PC Info is now opt-in to the Monthly User Statistics, this can be changed any time with a new checkbox labelled "Include your PC details in our Monthly User Statistics?" at the top of the User Control Panel page for PC Info. Not a big change, but it means now you can display your PC Info without being in the survey. For people who have it checked and leave it for a long time, data is eventually cut out of the monthly survey that we consider stale anyway, so it wouldn't be included when it gets too old. To be clear on our user survey: no user identifiable information is included for the survey output, no user id, no username or anything—just the answers.
- We've removed the Twitter embed in the right sidebar, so that Twitter cookies and tracking does not touch our website at all. To be clear, the Twitter handle @gamingonlinux still exists, just the embed for it on our site is gone.
- The registration page now includes links to our Ethics and Privacy policy pages (can be found any time in the site's footer).
- This was done a long time ago, but as a reminder, if you wish your profile to be private, you can do so by setting it in the User Control Panel Privacy page. We've decided that going forward, all new users profiles will be private by default. We're eventually going to add more specific details of what you wish to show on your profile page instead of private or public. Luckily, we don't actually store or show a lot of information anyway.
- We've removed the ability for users to set an avatar from a URL. While we're sure our security was tight on that to ensure they 100% are linking to an image, it's just not worth the hassle if somehow a script slipped past it and stored a cookie on your PC. You can still pick an avatar from the gallery (which we will expand) or upload an avatar directly.
- When a submitted article is approved, we're making sure to wipe the email and IP that it was submitted from. They're only stored to block spammers (based on IP) and to email you if it's accepted or denied. Denied articles are completely removed.
Other misc updates:
- Notifications older than six months are now being wiped, to help keep our database lean and mean. To be honest, if you haven't visited in six months it's likely any notifications are pointless.
- We removed the GamingOnLinux Facebook Group embed from the right sidebar on the homepage, this was unrelated to GDPR. We just didn't like their data handling with the recent stuff in the news. To be clear, the GOL Facebook Group still exists, just the embed for it on our site is gone.
- We now included a standard message in all articles, at the bottom to notify you that certain links will be affiliate links. So no editor can forget (read: me, I'm forgetful).
You can find more about GDPR here.
Personally, while testing our site using uBlock Origin in Chrome, I don't see a single notification about anything blocked, so that's good. Since we have no adverts, no outside statistics tracking or anything (we don't even use Google Analytics like most sites do) there should be nothing to be concerned about.
If you feel there's something we should be doing that we're not to help protect your privacy and data, do let us know any time.
Ps. You can follow random progress on gitlab here.
Going for the Antisocial Tinfoil Hat of the year award here. And I'm completely serious.
Quoting: tuubiI wholeheartedly approve of any and all legislature to ban, destroy and eviscerate all tracking cookies and privacy-invading "features" the net is now full of. If it brings down half the world's advertisers and social networks, all the better. None of this really benefits us as individuals and consumers.Oh I agree, i hate tracking stuff too :)
Going for the Antisocial Tinfoil Hat of the year award here. And I'm completely serious.
Quoting: tuubiI wholeheartedly approve of any and all legislature to ban, destroy and eviscerate all tracking cookies and privacy-invading "features" the net is now full of. If it brings down half the world's advertisers and social networks, all the better. None of this really benefits us as individuals and consumers.
Going for the Antisocial Tinfoil Hat of the year award here. And I'm completely serious.
I'm tired of politicians trying to do the "right thing" anyway so I'll vote for a Zeronet/I2P/TOR-type world instead :P
Quoting: ElectricPrism[stuff]
Honestly, this just shows ignorance on your part. As someone who has been involved with GDPR compliance stuff at work for the past several months I'd like to point out a few things:
QuoteMost of the internet that has no base in the EU will carry on unchanged
Not quite. It doesn't matter where your business is based in. If you want to offer services to users that are currently in the EU (not just citizens, all residents and even tourists) you must comply. If you don't, you'll either pay fines (4% of global revenue or €20 million, whichever is higher) or you'll likely just get blocked. The EU is wayyy too big of a market for an online based company to ignore, so the vast, vast majority of companies are working on compliance.
Every day I interact with dozens of online businesses from all over the world and I haven't seen a single one not working on GDPR compliance. Not a single one. Make of that what you will.
Quotethis will spur technology innovations to get out of the EU or they will mascaraed around a facade of compliance.
Only if your "innovation" is based on harvesting people's data without their consent and/or against their will. GDPR simply asks you to:
- have an actual, justifiable use case for using personal data
- obtaining explicit, narrow, opt-in constent (so no pre-checked checkboxes), separately for all use cases
- and disallowing you from refusing service to users who don't consent to your data collection
Basically, the regulation says don't do creepy shit with people's personal data and if your "innovation" depends on doing just that, I'm perfectly happy for it to get out of the EU.
---
All that said, it's highly unlikely for any member state to actively go after mom and pop businesses; compliance is expected from everyone but the fines are mostly aimed at data collecting giants like Google, Facebook, Microsoft etc who will most definitely be complying as none of them want to be made an example of.
Last edited by callcifer on 21 April 2018 at 12:19 am UTC
Quoting: EagleDeltaWhile I applaud the EU for actually doing something about privacy, some of these measures in GDPR show that they don't understand how technology works. There are simply some forms of data that cannot be removed or hidden without breaking applications or websites. Database backups come to mind with the right to remove all data from all time. That's simply not financially feasible for many companies.
Think about this, a company is required by a non-EU state to keep certain data from all records of visitors that logged into a site in the last 24 months. An EU citizen requests all their data to be removed, that would include not just their data, but any data that links to them (including backups). As many backups are not stateful pieces of data you can just open and delete data from, a company/org now has to have enough money to pay for the processing power to:
- Delete a user's data (not a big deal)
- Delete links to that user in other user's data (a bit more difficult, depending on how those links exist)
- Delete all history of that user. This last one is incredibly difficult as it requires the ability to restore/open every backup from the entire history since that user was created, delete their data, then save NEW backups.... all without losing service.
Now, I have an issue with the way many companies handle our private data, but there is a certain point at which privacy IS the responsibility of the user in question, NOT the company or service they use. A Public Facebook profile is just that: PUBLIC. Once that information is out there, no amount of data removal will remove it entirely from the internet. It may remove it from Facebook's servers (for example), but any number of other people could have gathered that data easily (without needing any special API keys or access), ESPECIALLY if a user made that data available on a public page.
Word from a colleague of mine who just came back from a GDPR information session is that GDPR does not cover backups so you do not have to hunt down peoples data in your backups in order to delete data.
Quoting: callciferOnly if your "innovation" is based on harvesting people's data without their consent and/or against their will. GDPR simply asks you to:
- have an actual, justifiable use case for using personal data
- obtaining explicit, narrow, opt-in constent (so no pre-checked checkboxes), separately for all use cases
- and disallowing you from refusing service to users who don't consent to your data collection
Basically, the regulation says don't do creepy shit with people's personal data and if your "innovation" depends on doing just that, I'm perfectly happy for it to get out of the EU.
---
All that said, it's highly unlikely for any member state to actively go after mom and pop businesses; compliance is expected from everyone but the fines are mostly aimed at data collecting giants like Google, Facebook, Microsoft etc who will most definitely be complying as none of them want to be made an example of.
That's not exactly accurate yet. The GDPR rules are so broad in their wording with too many questions on what it covers and doesn't could limit innovation. Distrubuted systems that store "personal data" like username/email/etc for history reasons (like Git) could be seen as required to be compliant. The problem is there is absolutely no way to enforce that.
In case readers don't know, Git is a source code control system that is designed to be largely de-centralized. Every user working on a git project keeps their own copy apart from the server. In the case of many FOSS projects, there are also many copies on a server(s). Github, Gitlab, Atlassian, etc could be forced to removed references to names/emails in the git history, but that would break every copy of that project everywhere else AND the forced change could simply be undone by a user with permissions force-pushing to an existing branch to an entirely new branch that still contains the user data (in this case a name/username and an email). Additionally, Github/Gitlab/etc could not force those changes downstream to a developer's Desktop/Laptop/Server without breaking the exact law they were trying to be compliant with.
So, how does GDPR apply to distributed data systems?
RE GPDR: I applaud what it's trying to accomplish but the way it goes about it is backwards as usual.
Thirst of all, this is a huge burden for small companies, as if they did not have other problems to deal with in this market. This should be enforced for BigData-only but I won't pretended to know how to do that just now, IANAL.
Youtube example is enlightening. Third-parties (i.e. Youtube) should be the ones to ask permission for data collection and not deny any services (e.g. showing videos), not you, the little guy. You are not managing that data, why is that your responsibility?
Right to be forgotten is a delusion. The Internet (just like the North) remembers. What about distributed systems, what about https://web.archive.org/? I don't know about you but I'd like to have a right to see what web looked like 2 years ago.
---
And last, but not least, there is the cookie harassment. Prompt fatigue, anyone? People are pressing "I agree" on every single EULA they find on the netz, you think this is gonna be any different? Better yet, https://www.i-dont-care-about-cookies.eu/
Let's dig into this a little deeper. You must allow the user deny cookies in that prompt, and must needs to remember that choice. Seeing a contradiction, anyone?
By going for the low-hanging fruit (cookies) they are now encouraging more "advanced" technologies like localstorage or various web database implementations, flash (why U no dead yet?) "super" cookies, HSTS tracking[1] and who knows what else the smarties devised since I was last following this space.
The (cookie) technology is not the problem, third-party tracking is. But since the law-makers are clueless as ever, they are now wielding the proverbial hammer on the little guy. The big ones will find a different way, any way.
[1] https://arstechnica.com/information-technology/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/
Quoting: minj@Liamdawe youtube embeds are now gone from RSS it seems. Was this intended or just a problem with parsing youtube-nocookie domain?I will take a look at that tonight, it should work fine, not intended at all. Either your RSS reader is broke with that youtube url or i broke it...will see.
Edit: Turns out this happened when we switched the article editor from BBCode to HTML. I will work on fixing it, it just needs to remove some bits of it to display properly, shouldn't take long :)
Last edited by Liam Dawe on 21 April 2018 at 8:18 am UTC
Quoting: EagleDeltaThat's not exactly accurate yet. The GDPR rules are so broad in their wording with too many questions on what it covers and doesn't could limit innovation. Distrubuted systems that store "personal data" like username/email/etc for history reasons (like Git) could be seen as required to be compliant. The problem is there is absolutely no way to enforce that.
In case readers don't know, Git is a source code control system that is designed to be largely de-centralized. Every user working on a git project keeps their own copy apart from the server. In the case of many FOSS projects, there are also many copies on a server(s). Github, Gitlab, Atlassian, etc could be forced to removed references to names/emails in the git history, but that would break every copy of that project everywhere else AND the forced change could simply be undone by a user with permissions force-pushing to an existing branch to an entirely new branch that still contains the user data (in this case a name/username and an email). Additionally, Github/Gitlab/etc could not force those changes downstream to a developer's Desktop/Laptop/Server without breaking the exact law they were trying to be compliant with.
So, how does GDPR apply to distributed data systems?
I don't think GDPR applies to services like Github. If it did, it would also apply to things like scientific journals, which operate on the same basic underlying principles (i.e. the content is deliberately publicized along with the (pseudo-)identity of the authors). Private repos might be another matter, but also not really a FOSS problem. I would be more concerned about the new copyright directive EU is preparing that would require online platforms to do "upload filtering" so none of that naughty piraty stuff could ever possibly get on the Internet.
Quoting: EagleDeltaQuoting: callciferOnly if your "innovation" is based on harvesting people's data without their consent and/or against their will. GDPR simply asks you to:
- have an actual, justifiable use case for using personal data
- obtaining explicit, narrow, opt-in constent (so no pre-checked checkboxes), separately for all use cases
- and disallowing you from refusing service to users who don't consent to your data collection
Basically, the regulation says don't do creepy shit with people's personal data and if your "innovation" depends on doing just that, I'm perfectly happy for it to get out of the EU.
---
All that said, it's highly unlikely for any member state to actively go after mom and pop businesses; compliance is expected from everyone but the fines are mostly aimed at data collecting giants like Google, Facebook, Microsoft etc who will most definitely be complying as none of them want to be made an example of.
That's not exactly accurate yet. The GDPR rules are so broad in their wording with too many questions on what it covers and doesn't could limit innovation. Distrubuted systems that store "personal data" like username/email/etc for history reasons (like Git) could be seen as required to be compliant. The problem is there is absolutely no way to enforce that.
In case readers don't know, Git is a source code control system that is designed to be largely de-centralized. Every user working on a git project keeps their own copy apart from the server. In the case of many FOSS projects, there are also many copies on a server(s). Github, Gitlab, Atlassian, etc could be forced to removed references to names/emails in the git history, but that would break every copy of that project everywhere else AND the forced change could simply be undone by a user with permissions force-pushing to an existing branch to an entirely new branch that still contains the user data (in this case a name/username and an email). Additionally, Github/Gitlab/etc could not force those changes downstream to a developer's Desktop/Laptop/Server without breaking the exact law they were trying to be compliant with.
So, how does GDPR apply to distributed data systems?
Remember that GDPR isn't about "you must not collect personal data". It's about a) having permission to do so, b) having a good (and documented) reason for that collection and c) agreeing to (and documenting) data destruction.
And there's a lot of flex. Need to keep records on people after they delete their account for 10 years? Sure, if you can justify the why, you can do that. Of course, if you can't, you'll be potentially fined millions...
And the whole "right to be forgotten" (or "right to erasure", as it's amusingly known in GDPR) is only a right in certain circumstances. If someone wants you to delete their data, but you have a documented and good reason to reject that request, that's also fine.
Git and its associated front ends will just have to be very clear on what's possible and what's not.
See more from me