[pmwiki-devel] GDPR Compliance Issues
Petko Yotov
5ko at 5ko.fr
Wed Jun 27 07:10:29 PDT 2018
On 22/06/2018 00:40, Criss Ittermann wrote:
> What I see as material problems are:
>
> Removing people from Diffs — mentioned in a thread on the PmWiki Users
> list — if they request their data to be completely removed from the
> site. That can be tricky — there's a difference between being an
> author (of an original article or section thereof, thus possessing
> copyright to the creation) vs. editor. Removing a diff in the middle
> of a chain of diffs can materially change a wiki page in ways that
> don't work. If someone fixed a typo, it's now a typo again — and that
> would be OK I suppose. But if someone added a paragraph that was
> later edited & added-to — now the context for further changes is
> missing.

You don't need to remove their edits (the diffs); their edits are not
personal information. Personal information in page history is only
their name and IP address.

We need to write a recipe that takes an author identifier (username or
e-mail) and possibly an IP address (although some IP addresses may
forward thousands of users), then reads all pages with full history and
pseudonymizes or anonymizes these bits: just rewrites the "author" and
"host" page attributes with some string like user20180627T1322.

As long as it is impossible to guess or recover the personal information
from the files on your server by other users, or in case of a breach, it
may be enough.

> Making sure all email & comment forms have a required checkbox (not
> checked already) asking permission to share/email/store personally
> identifying information. Though that's pretty easy if you know how to
> use PmForm.

If you use "explicit consent" as sole legal basis for collection and
processing of personal information you need to explain each and every
different purpose for this collection and processing, with individual
checkboxes, where people may select some or all checkboxes.

Note that besides "explicit consent" there are 6 other cases for legal
basis for this -- if you are in at least one of these cases, you don't
require explicit consent.

One of these cases is "legitimate interest of your company or a third
party" (for example usage statistics, software troubleshooting), another
one is "legal obligations" (for example it is required by law to store
the server access logs for 2 years, and they contain the IP address
which is considered personal information by the GDPR), and yet another
one is "fulfill contractual obligations with person", and "perform tasks
at person's request" (for example they request the creation of an
account, or request notifications, or request password recovery).

That means, if you have some "terms of use" which may be considered a
contract, one single checkbox may be enough.

At any rate, you need a simple, plain text summary of your use of
personal information.

> Getting explicit permissions before setting ANY cookies (not "if you
> use this site you agree to cookies....") which should be in a pop-up
> with a checkbox, and the permission has to be tracked though I have no
> idea how you'd trace it (just on IP?).

For a PmWiki cookie, only a session ID, and probably the "Author" cookie
are considered personal information; you can send other cookies without
the need for consent.

If you have a legitimate interest (usage information, editor
accountability, security, troubleshooting), you don't need explicit
consent.

BTW the IP address is also personal information; it is crazy that by law
we have to store the server access logs with the IP address, and people
need to consent before. This is a Catch-22 abomination: when someone
opens the site, the server immediately stores the log entry, and if they
do not consent the server stores another log entry.

I believe the people who wrote the parts about cookies and IP addresses
were somewhat ignorant about how the internet works, and they did not
get help, which was stupid.

> And you can't say "using this site constitutes you agree to our
> privacy policy or terms of service" — you need a material checkbox
> agreeing to it, with a link, and that checkbox use has to be tracked
> somehow (just like email form & comment form permission, and just like
> the cookie-setting issue — everything has to be tracked).

If the software is written in a way that it refuses to go forward unless
the checkbox is checked, wouldn't this be enough?

> A neat thing WordPress did is they have plug-ins supply "Suggested
> wording" for privacy policies to cover that they're in use on the
> site. When the user is on the back-end there's help documents for
> creating a privacy policy, and for example Akismet suggests some
> wording for your privacy policy. WordPress overall gives suggested
> wording (which covers general cookies, and mentions that you have to
> put your analytics etc. into the document).

Indeed, you probably need to mention that you outsource analytics to
external companies and embed content from other platforms like videos or
maps.

There is a JS program that can be useful, Tarteaucitron ("Lemon pie" in
French):
https://github.com/AmauriC/tarteaucitron.js

It can be configured to delay the loading of external resources like
analytics and videos until the visitor accepts these individually and
explicitly, and the visitor can see and delete individual cookies.

Petko
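
The pseudonymization pass described in the message above, as an added example that is not part of the original post and is not PmWiki code. It assumes page files hold one key=value attribute per line, with per-revision keys author:<timestamp> and host:<timestamp>; the function names, the ip and host_alias parameters and the random alias format are hypothetical.

```python
import re
import secrets

# Assumed layout (not from the post): one "key=value" attribute per line, current
# revision in author/host, older revisions in author:<ts>/host:<ts>.
ATTR = re.compile(r"^(author|host)(?::(\d+))?=(.*)$")

def new_alias(prefix="user"):
    """Random alias; unlike a hash of the name it cannot be guessed back."""
    return prefix + secrets.token_hex(6)

def pseudonymize(page_text, author, alias, ip=None, host_alias="redacted"):
    """Rewrite one page file's text; return (new_text, attributes_changed)."""
    lines = page_text.split("\n")
    # Pass 1: revisions made by the author ("" stands for the current one).
    revs = set()
    for line in lines:
        m = ATTR.match(line)
        if m and m.group(1) == "author" and m.group(3) == author:
            revs.add(m.group(2) or "")
    # Pass 2: rewrite author and host on those revisions. A host on someone
    # else's revision is touched only if it equals the optional ip exactly,
    # because one address may front many unrelated users.
    out, changed = [], 0
    for line in lines:
        m = ATTR.match(line)
        if m:
            kind, rev, value = m.group(1), m.group(2) or "", m.group(3)
            key = kind + (":" + rev if rev else "")
            if kind == "author" and rev in revs:
                line, changed = f"{key}={alias}", changed + 1
            elif kind == "host" and (rev in revs or (ip and value == ip)):
                line, changed = f"{key}={host_alias}", changed + 1
        out.append(line)
    return "\n".join(out), changed

# Constructed sample page file (not real data): Alice and Bob share one IP.
SAMPLE = "\n".join([
    "author=Alice", "host=203.0.113.7", "name=Main.Demo", "text=Hello world",
    "author:1530108629=Alice", "host:1530108629=203.0.113.7",
    "diff:1530108629:1530000000:=1c1%0a%3c Helo%0a---%0a> Hello",
    "author:1530000000=Bob", "host:1530000000=203.0.113.7",
])

if __name__ == "__main__":
    text, count = pseudonymize(SAMPLE, "Alice", new_alias())
    print(count, "attributes rewritten")
    print(text)
```

Only the author and host attributes are rewritten; the diff lines stay byte-for-byte the same, so the revision chain still applies.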