[pmwiki-users] GDPR

[Criss Ittermann]

The other post with the link is helpful — but we still need GDPR compliance for cookies set with the author name (the site login form on passworded sites, and the edit form/comment forms on non-passworded sites) at minimum because that's personally identifying information and it could, for example, tie a computer user with their content/comments on a PmWiki website even if they use an "anonymous" author name (i.e. not their real name — a handle, or pseudonym).

So for example, my website (one of many I run on PmWiki) is about mental health issues. Someone may add an article on my site and thus now be somehow (by just about any means) tied to the information they posted (IP address in server logs, username/author name, browser history of what pages they edited, etc.).  That being potentially stigmatizing, job-harming information (any information that may harm employment or make someone a target of discrimination is considered protected information) one would want them to understand that by posting the information on the website COULD theoretically be tied back to them &/or their devices.  And with a cookie on their computer with their author name, they could be traced back to their content in the other direction.

> On Sep 5, 2018, at 8:56 AM, Dominique Faure <dominique.faure at gmail.com> wrote:
> 
> (I forgot to answer to the end of the point)
> 
>> Anyone else have particular GDPR-related needs? Can anyone think of other places user information is potentially collected (even IP address, etc.) and cookies set?
> 
> An easy one: The web server itself (through its own cookie handling
> configuration and its access/error log files).
> But, according to your specific hosting architecture (eg. shared
> web-only solutions), you could not always deal with these as you like!

This is in the site privacy policy.  I mention that by browsing my site, your IP is logged in my server logs and server logs are rotated on X basis.  Forget exactly how I worded it. And that old server logs could be in old backups of the server.  Etc.

It's not PmWiki's responsibility to write people's privacy policies. But we do have to be careful about the technical end of things and maybe make it easier for people to implement GDPR regulations.  So I might even write up cookbook recipes on say how to put a link to your privacy policy in your footer.  But having zero pages on the site even mentioning the GDPR is strange.  We can all share upstream anything we've done about the GDPR and make it easier on everyone else.

I just posted the changes I made to my email form on one site to have a GDPR checkbox to the PmForm site recipes.  Will be tackling comment forms next. Then have to make these changes on all my sites, too.

> Anyway, IMHO, and according to
> https://www.demandlab.com/insights/blog/dont-get-caught-with-your-hand-in-the-gdpr-cookie-jar/
> This should easily be solved with a wiki page of explanations on local
> cookie usage and some clever use of the HttpVariables cookbook recipe
> in order to track an set a persistent cookie flag controlling their
> display.

I'd love some help with doing that — because that's the part I don't understand. I can do PmForms almost in my sleep.  But this cookie stuff makes my eyes cross. ;)

And this will become more of an issue for "US only" services when the California regulations go into effect January 2020.  http://adage.com/article/digital/california-passed-version-gdpr/314079/ — basically just start moving to the highest privacy/opt-in standards and then you don't have to worry about the local jurisdiction issues.

Hopefully browsers will start allowing outgoing links without referring page information tied to the click.  That would be sweet.  Is there a way to do that?  If so, how can we get that into PmWiki?


Crisses