We're changing how you log in to PistonHeads

Matt Dell

3,282 posts

174 months

PH TEAM

Tuesday 16th September
Exactly.

Pincher

9,727 posts

236 months

Tuesday 16th September
Wouldn’t there be an audit trail of user names mapped to login email addresses?

I mean, if you're doing this for reasons, surely that should be relatively simple to track/monitor?

Unless that module was mucho dinero extra of course

Edit - I know the square root of naff all about this kind of thing, so am standing by to be shot down in flames

Edited by Pincher on Tuesday 16th September 23:57

zarjaz1991

5,008 posts

142 months

Wednesday 17th September
Pincher said:
Wouldn't there be an audit trail of user names mapped to login email addresses?

I mean, if you're doing this for reasons, surely that should be relatively simple to track/monitor?

Unless that module was mucho dinero extra of course

Edit - I know the square root of naff all about this kind of thing, so am standing by to be shot down in flames
The “right to forget” is so much more than that and requires the removal of all personally identifiable data. This can include all previous usernames, and any mention of them in the forums. If the user has had dozens of names, even though they may all be tracked to the same account, mentions of them by others won’t be.

Quite how far one needs to go to comply with the law can be different in different cases but in a worst case scenario, that can be what you’re faced with. People will say “a forum pseudonym isn’t personally identifiable data”, but it’s never as simple as that and those that assert this likely haven’t had to have this tested in court.

These requests crop up at work from time to time on behalf of clients whose own customers have hit them with this. We’ve had to have our developers create an API that removes all references to a person; this has been complex enough even without having multiple pseudonyms to deal with as well. But you do get scenarios where the end user states that’s not enough. Sometimes the answer can be “that’s not reasonable”, but you have to be confident that would stand up if it went to court, “reasonableness” being part of the test.

I’ve been involved in a few of these now. It ain’t fun.

Scott

OIC

230 posts

12 months

Wednesday 17th September
You can checkout anytime, but you can never leave..........

if anyone has ever quoted anything you've ever written on PH.

Seems the hamsters don't do detail.

Take Breadvan72 for example.

Bits of him left all over the place in here if you look for them.

Part of the fun with PH though.

Be a shame if it all got too clean, clinical and efficient.

AI hamsters not welcome here.

zarjaz1991

5,008 posts

142 months

Wednesday 17th September
OIC said:
You can checkout anytime, but you can never leave..........

if anyone has ever quoted anything you've ever written on PH.

Seems the hamsters don't do detail.

Take Breadvan72 for example.

Bits of him left all over the place in here if you look for them.

Part of the fun with PH though.

Be a shame if it all got too clean, clinical and efficient.

AI hamsters not welcome here.
If Breadvan did a formal "right to forget", which given who he is, I'm sure he could if he wanted to, then it becomes a classic problem for forums and is one of the reasons most don't allow username change or "delete all my posts" requests.

The database size for PH's forum must be colossal. Running a search to find all mentions of his name and replacing it with asterisks would be an onerous task and is something you might evaluate on a Right To Forget request, but which you might conclude wasn't practical. As long as you can defend that position should it go to court, then you're ok.

Scott

droopsnoot

13,818 posts

261 months

Wednesday 17th September
zarjaz1991 said:
The database size for PH's forum must be colossal. Running a search to find all mentions of his name and replacing it with asterisks would be an onerous task and is something you might evaluate on a Right To Forget request, but which you might conclude wasn't practical. As long as you can defend that position should it go to court, then you're ok.

Scott
And for those like me with a username that might easily be used in posts to talk about something entirely different, there would need to be some way to figure out whether the post is talking about me, or about something of the same name. As you say, not really practical.

zarjaz1991

5,008 posts

142 months

Wednesday 17th September
droopsnoot said:
And for those like me with a username that might easily be used in posts to talk about something entirely different, there would need to be some way to figure out whether the post is talking about me, or about something of the same name. As you say, not really practical.
Yep, exactly, good point!

I am regularly having this conversation with clients now, who seem to take "but the end user insists" as being proof that we've got to do it for them. I understand why they panic but we know what we're talking about and know where the line can be drawn.

Frankly the whole "right to forget" stuff should never have been put in place. You can't un-say things. Most of the time the requests come from people who have fallen out with a company and just want to make life as difficult as possible for them. They've heard a bit about GDPR and think they can confidently demand anything they like. Again I am often having to discuss this with clients. They panic.

Scott

donkmeister

10,968 posts

119 months

Thursday 18th September
zarjaz1991 said:
Frankly the whole "right to forget" stuff should never have been put in place. You can't un-say things.
Or... Since GDPR has been in force for pretty much a decade, and the right to be forgotten was known to be a key part before it was introduced, perhaps software companies should have tackled this already.

On forum software all you need is to allow the "username" field to inherit values from any post you are quoting, and to ensure that people can't manually use the quote markup.

I've been pondering this issue recently; the internet has taken the place of various talking shops from the past; pubs, coffee houses etc. But, legally we subject it to the same rules as the written word.

Edited by donkmeister on Thursday 18th September 09:40

zarjaz1991

5,008 posts

142 months

Thursday 18th September
donkmeister said:
Or... Since GDPR has been in force for pretty much a decade, and the right to be forgotten was known to be a key part before it was introduced, perhaps software companies should have tackled this already.

On forum software all you need is to allow the "username" field to inherit values from any post you are quoting, and to ensure that people can't manually use the quote markup.

I've been pondering this issue recently; the internet has taken the place of various talking shops from the past; pubs, coffee houses etc. But, legally we subject it to the same rules as the written word.

Edited by donkmeister on Thursday 18th September 09:40

zarjaz1991

5,008 posts

142 months

Thursday 18th September
donkmeister said:
Or... Since GDPR has been in force for pretty much a decade, and the right to be forgotten was known to be a key part before it was introduced, perhaps software companies should have tackled this already.

On forum software all you need is to allow the "username" field to inherit values from any post you are quoting, and to ensure that people can't manually use the quote markup.

I've been pondering this issue recently; the internet has taken the place of various talking shops from the past; pubs, coffee houses etc. But, legally we subject it to the same rules as the written word.

Edited by donkmeister on Thursday 18th September 09:40
Ok I had a detailed reply to this but it won't go in, doing the 403 thing. Obviously mod_security or whatever is in use here doesn't like something and I can't work out what.

Scott

zarjaz1991

5,008 posts

142 months

Thursday 18th September
Let me try again. I'm not being defeated by mod_security!

Forum software has been particularly behind the curve on this and only lately seems to be catching up. And yes it should be straightforward, but forums, or any software that involves discussions, interactions or notes, can run into the issue of people mentioning the person's forum name, and if that's a common word it becomes impractical.

Some will say "the answer is to remove all their posts", but with a prolific poster that can destroy a forum's content, and the "not practical" argument works again here. Most forums go for anonymisation of the posts instead.

Then commercial organisations have the often conflicting need to maintain records of interactions with clients for periods of time.

There's never been a "one size fits all" answer. As I've said, I commonly end up having such discussions with clients at work, and the nuances and practicalities often evade them at first; there's this panic about "just remove everything, the end user is demanding it". The answer is to approach it calmly and rationally on a case-by-case basis, not get involved with knee-jerk reactions. Good software will take you so far but there may be manual interventions needed. When these include manually editing databases, you're introducing considerable risk. I've had to warn people off this a good few times because I know they don't know what they're doing. Then you get into the "you can ask us to do it, but it'll be paid professional services", and suddenly the urgency seems to fall away.

Scott

zarjaz1991

5,008 posts

142 months

Thursday 18th September
It was the word "delete" which I'd used twice, had to change it to "remove".

As I said, I'm not going to be defeated by over-zealous mod_security rules (or whatever is in use here). Never have been, never will be.

Scott

Edit 1: seems to be ok with it once. I suspect the combination of that word and the word database might have triggered it.

Edit 2: nope as this posted ok. It'll be something like that though, always is.

donkmeister

10,968 posts

119 months

Thursday 18th September
Ha, does it think you are attempting to inject code? You 1337 h4x0rz, you!

I do realise that "all you need to do is..." generally indicates one doesn't understand the technicalities (I use databases, I don't manage databases), but it really seems to be an issue of keeping content rather than database difficulties.

Mammasaid

5,067 posts

116 months

Thursday 18th September
Any excuse for the classic


768

18,147 posts

115 months

Thursday 18th September
zarjaz1991 said:
It was the word "delete" which I'd used twice, had to change it to "remove".

As I said, I'm not going to be defeated by over-zealous mod_security rules (or whatever is in use here). Never have been, never will be.

Scott

Edit 1: seems to be ok with it once. I suspect the combination of that word and the word database might have triggered it.

Edit 2: nope as this posted ok. It'll be something like that though, always is.
I'd imagine it's an AWS WAF rule and the tokens deIete case when.

TonyRPH

13,408 posts

187 months

Thursday 18th September
On one of the other forums I frequent, deleted user IDs simply become "DeletedUserxxxx" (where xxxx is a number).

So any posts are effectively anonymised, unless they mention personal details of course (which would be unwise anyway).
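
The approach donkmeister and TonyRPH describe, as an added example that is not part of the thread or PistonHeads' own code: quote headers are resolved from a reference to the quoted post instead of a copied username, so renaming the account to DeletedUserNNNN anonymises every quote at once, while free-text mentions (droopsnoot's point) can only be flagged for manual review. The `Forum` class, the `[quote]` markup check and the sample users and posts are assumptions constructed for illustration.

```python
import re

class Forum:
    """Hypothetical forum model: names are looked up at render time, never copied."""

    def __init__(self):
        self.names = {}   # user_id -> current display name
        self.posts = {}   # post_id -> (author_id, body, quoted_post_id or None)

    def add_user(self, uid, name):
        self.names[uid] = name

    def add_post(self, pid, uid, body, quotes=None):
        # Reject hand-typed quote markup so a username can only enter a
        # quote header through the post reference.
        if re.search(r"\[/?quote\b", body, re.IGNORECASE):
            raise ValueError("manual quote markup is not allowed")
        self.posts[pid] = (uid, body, quotes)

    def render(self, pid):
        uid, body, quotes = self.posts[pid]
        header = ""
        if quotes is not None:
            q_uid, q_body, _ = self.posts[quotes]
            header = f"{self.names[q_uid]} said: {q_body}\n"
        return header + f"{self.names[uid]}: {body}"

    def erase(self, uid):
        """Pseudonymise the account; return post ids that still mention the old name."""
        old = self.names[uid]
        self.names[uid] = f"DeletedUser{uid:04d}"
        # A word match cannot tell the person from the tool of the same
        # name, so hits are returned for human review, not rewritten.
        pattern = re.compile(rf"\b{re.escape(old)}\b", re.IGNORECASE)
        return [pid for pid, (_, body, _) in self.posts.items()
                if pattern.search(body)]

def build_sample():
    # Constructed sample data: user 7 has a username that is also a common word.
    f = Forum()
    f.add_user(7, "spanner")
    f.add_user(8, "alice")
    f.add_post(1, 7, "Anyone know a good garage?")
    f.add_post(2, 8, "Try the one in town.", quotes=1)
    f.add_post(3, 8, "I dropped a spanner in the engine bay.")
    f.add_post(4, 8, "As spanner said earlier, the garage is decent.")
    return f

if __name__ == "__main__":
    forum = build_sample()
    print("needs manual review:", forum.erase(7))
    print(forum.render(2))
```

Posts 3 and 4 are both flagged even though only post 4 refers to the member, which is why the mention clean-up stays a manual, case-by-case step.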


zarjaz1991

5,008 posts

142 months

Thursday 18th September
donkmeister said:
Ha, does it think you are attempting to inject code? You 1337 h4x0rz, you!
I know! Show 'spec for ma 1337 skillz!

donkmeister said:
I do realise that "all you need to do is..." generally indicates one doesn't understand the technicalities (I use databases, I don't manage databases), but it really seems to be an issue of keeping content rather than database difficulties.
Agreed but on some systems, to action such a request over and above the building tools would require editing databases. And having picked up the pieces from the "how hard can it be?" types far too many times over the years, (not just with GDPR stuff either), I try to talk them out of it. Or straight up tell them they need to pay us to do it.

Scott

zarjaz1991

5,008 posts

142 months

Thursday 18th September
768 said:
I'd imagine it's an AWS WAF rule and the tokens deIete case when.
Yeah. I admit I've no idea what the forums sit on. Either way it's too aggressive, it happens fairly often. Or maybe it's just me....

Scott

zarjaz1991

5,008 posts

142 months

Thursday 18th September
Mammasaid said:
Any excuse for the classic

Never gets old. Never.

Sent it to a client once to help reinforce a point. I doubt they got it.

Scott

borcy

8,847 posts

75 months

Thursday 18th September
zarjaz1991 said:
Mammasaid said:
Any excuse for the classic

Never gets old. Never.

Sent it to a client once to help reinforce a point. I doubt they got it.

Scott
Didn't get it because they didn't understand it?