Check out our Monthly Survey Page to see what our users are running.

Steps we're taking as a site for GDPR compliance

Posted by , | Views: 14,092

As we're sure many of you know, a big new privacy and data protection thing is coming into force next month from the EU, called the EU General Data Protection Regulation (GDPR).

Any website that takes any information from anyone in the EU, has to comply with it, or face huge fines. Naturally, we want to ensure we're complying.

Here's a few steps we've already done

  • All YouTube embeds in comments/forum posts now use YouTube's enhanced privacy mode, which doesn't load a single cookie until you hit play.
  • All future articles with a YouTube embed will also use YouTube's enhanced privacy mode, we're working to update all older articles with a script soon.
  • We recently (read: finally) added the ability for you to delete your own individual comments. Was on the todo list for a long time, sorry it took so long. This will be rolled out to the forum too ASAP.
  • If you wish to completely remove your account (not "hidden"—just completely gone), there's an option to do so in your User Control Panel now.
  • All new users PC Info is now opt-in to the Monthly User Statistics, this can be changed any time with a new checkbox labelled "Include your PC details in our Monthly User Statistics?" at the top of the User Control Panel page for PC Info. Not a big change, but it means now you can display your PC Info without being in the survey. For people who have it checked and leave it for a long time, data is eventually cut out of the monthly survey that we consider stale anyway, so it wouldn't be included when it gets too old. To be clear on our user survey: no user identifiable information is included for the survey output, no user id, no username or anything—just the answers.
  • We've removed the Twitter embed in the right sidebar, so that Twitter cookies and tracking does not touch our website at all. To be clear, the Twitter handle @gamingonlinux still exists, just the embed for it on our site is gone.
  • The registration page now includes links to our Ethics and Privacy policy pages (can be found any time in the site's footer).
  • This was done a long time ago, but as a reminder, if you wish your profile to be private, you can do so by setting it in the User Control Panel Privacy page. We've decided that going forward, all new users profiles will be private by default. We're eventually going to add more specific details of what you wish to show on your profile page instead of private or public. Luckily, we don't actually store or show a lot of information anyway.
  • We've removed the ability for users to set an avatar from a URL. While we're sure our security was tight on that to ensure they 100% are linking to an image, it's just not worth the hassle if somehow a script slipped past it and stored a cookie on your PC. You can still pick an avatar from the gallery (which we will expand) or upload an avatar directly.
  • When a submitted article is approved, we're making sure to wipe the email and IP that it was submitted from. They're only stored to block spammers (based on IP) and to email you if it's accepted or denied. Denied articles are completely removed.

Other misc updates:

  • Notifications older than six months are now being wiped, to help keep our database lean and mean. To be honest, if you haven't visited in six months it's likely any notifications are pointless.
  • We removed the GamingOnLinux Facebook Group embed from the right sidebar on the homepage, this was unrelated to GDPR. We just didn't like their data handling with the recent stuff in the news. To be clear, the GOL Facebook Group still exists, just the embed for it on our site is gone.
  • We now included a standard message in all articles, at the bottom to notify you that certain links will be affiliate links. So no editor can forget (read: me, I'm forgetful).

You can find more about GDPR here.

Personally, while testing our site using uBlock Origin in Chrome, I don't see a single notification about anything blocked, so that's good. Since we have no adverts, no outside statistics tracking or anything (we don't even use Google Analytics like most sites do) there should be nothing to be concerned about.

If you feel there's something we should be doing that we're not to help protect your privacy and data, do let us know any time.

Ps. You can follow random progress on gitlab here.

Article taken from GamingOnLinux.com.
43 Likes, Who?
We do often include affiliate links to earn us some pennies. We are currently affiliated with GOG, Humble Store and Paradox Interactive. See more information here.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
The comments on this article are closed.
68 comments
Page: «5/7»
  Go to:

Nonjuffo 21 April 2018 at 7:08 am UTC
EagleDeltaThat's not exactly accurate yet. The GDPR rules are so broad in their wording with too many questions on what it covers and doesn't could limit innovation. Distrubuted systems that store "personal data" like username/email/etc for history reasons (like Git) could be seen as required to be compliant. The problem is there is absolutely no way to enforce that.

In case readers don't know, Git is a source code control system that is designed to be largely de-centralized. Every user working on a git project keeps their own copy apart from the server. In the case of many FOSS projects, there are also many copies on a server(s). Github, Gitlab, Atlassian, etc could be forced to removed references to names/emails in the git history, but that would break every copy of that project everywhere else AND the forced change could simply be undone by a user with permissions force-pushing to an existing branch to an entirely new branch that still contains the user data (in this case a name/username and an email). Additionally, Github/Gitlab/etc could not force those changes downstream to a developer's Desktop/Laptop/Server without breaking the exact law they were trying to be compliant with.

So, how does GDPR apply to distributed data systems?

I don't think GDPR applies to services like Github. If it did, it would also apply to things like scientific journals, which operate on the same basic underlying principles (i.e. the content is deliberately publicized along with the (pseudo-)identity of the authors). Private repos might be another matter, but also not really a FOSS problem. I would be more concerned about the new copyright directive EU is preparing that would require online platforms to do "upload filtering" so none of that naughty piraty stuff could ever possibly get on the Internet.
scaine 21 April 2018 at 7:16 am UTC
View PC info
  • Contributing Editor
  • Supporter
  • Top Supporter
EagleDelta
callciferOnly if your "innovation" is based on harvesting people's data without their consent and/or against their will. GDPR simply asks you to:

- have an actual, justifiable use case for using personal data
- obtaining explicit, narrow, opt-in constent (so no pre-checked checkboxes), separately for all use cases
- and disallowing you from refusing service to users who don't consent to your data collection

Basically, the regulation says don't do creepy shit with people's personal data and if your "innovation" depends on doing just that, I'm perfectly happy for it to get out of the EU.

---

All that said, it's highly unlikely for any member state to actively go after mom and pop businesses; compliance is expected from everyone but the fines are mostly aimed at data collecting giants like Google, Facebook, Microsoft etc who will most definitely be complying as none of them want to be made an example of.

That's not exactly accurate yet. The GDPR rules are so broad in their wording with too many questions on what it covers and doesn't could limit innovation. Distrubuted systems that store "personal data" like username/email/etc for history reasons (like Git) could be seen as required to be compliant. The problem is there is absolutely no way to enforce that.

In case readers don't know, Git is a source code control system that is designed to be largely de-centralized. Every user working on a git project keeps their own copy apart from the server. In the case of many FOSS projects, there are also many copies on a server(s). Github, Gitlab, Atlassian, etc could be forced to removed references to names/emails in the git history, but that would break every copy of that project everywhere else AND the forced change could simply be undone by a user with permissions force-pushing to an existing branch to an entirely new branch that still contains the user data (in this case a name/username and an email). Additionally, Github/Gitlab/etc could not force those changes downstream to a developer's Desktop/Laptop/Server without breaking the exact law they were trying to be compliant with.

So, how does GDPR apply to distributed data systems?

Remember that GDPR isn't about "you must not collect personal data". It's about a) having permission to do so, b) having a good (and documented) reason for that collection and c) agreeing to (and documenting) data destruction.

And there's a lot of flex. Need to keep records on people after they delete their account for 10 years? Sure, if you can justify the why, you can do that. Of course, if you can't, you'll be potentially fined millions...

And the whole "right to be forgotten" (or "right to erasure", as it's amusingly known in GDPR) is only a right in certain circumstances. If someone wants you to delete their data, but you have a documented and good reason to reject that request, that's also fine.

Git and its associated front ends will just have to be very clear on what's possible and what's not.
scaine 21 April 2018 at 7:20 am UTC
View PC info
  • Contributing Editor
  • Supporter
  • Top Supporter
serge
TheSHEEEPThis is the reason for a great deal of websites showing that little bar at the top/bottom of their page informing you that they use cookies and that you should leave if you do not agree with that (or something along those lines).

Those site are not compliant to the law because they have to let you access to the website even if you refuse their cookies, it is up to them to take all the step required for not storing cookies in your browser.

No, those sites are entirely compliant if they let you use the site without clicking on the banner. That particular (infuriating, useless) law is only focused on storing a cookie on your computer. Provided you don't click the banner, they won't (or at least shouldn't) store a cookie. You can continue to use the site and ignore the banner if you want.

Not all sites take that approach though, of course. If not storing a cookie breaks their site, they might not use a banner, but instead force you to accept the cookie before continuing. That's quite rare though I think.
tuubi 21 April 2018 at 7:36 am UTC
View PC info
  • Supporter
EagleDeltaSo, how does GDPR apply to distributed data systems?
I don't think your git example is relevant. The names and emails are willingly attached to commits for copyright purposes (among other things), and git itself is software, not a web business. Services like gitlab will have to comply by making it explicit what data they collect and how they use it. And local git clones are not their responsibility any more than a saved screenshot from facebook is facebook's problem. I don't think the laws even apply to software in general, just the web.


minjLet's dig into this a little deeper. You must allow the user deny cookies in that prompt, and must needs to remember that choice. Seeing a contradiction, anyone?
Is there really a rule that says that choice needs to be remembered beyond the session? I don't think so.

minjThe (cookie) technology is not the problem, third-party tracking is. But since the law-makers are clueless as ever, they are now wielding the proverbial hammer on the little guy. The big ones will find a different way, any way.
It does limit what the "little guy" can do with visitors' private data, but why is that a problem?


EDIT: I'm slow.


Last edited by tuubi on 21 April 2018 at 7:37 am UTC
no_information_here 21 April 2018 at 8:03 am UTC
Thanks, Liam, I really appreciate your attention to this. It is a chore, but something that is overdue for everyone in the industry. It is too bad the burden is a bit heavier for smaller sites.

callciferBasically, the regulation says don't do creepy shit with people's personal data and if your "innovation" depends on doing just that, I'm perfectly happy for it to get out of the EU.
Well said.
minj 21 April 2018 at 8:14 am UTC
tuubi
minjLet's dig into this a little deeper. You must allow the user deny cookies in that prompt, and must needs to remember that choice. Seeing a contradiction, anyone?
Is there really a rule that says that choice needs to be remembered beyond the session? I don't think so.

minjThe (cookie) technology is not the problem, third-party tracking is. But since the law-makers are clueless as ever, they are now wielding the proverbial hammer on the little guy. The big ones will find a different way, any way.
It does limit what the "little guy" can do with visitors' private data, but why is that a problem?

Well, I haven't read the legalese of this, but the public advisory materials I've seen indicate that it needs to be remembered. What is a session, anyway? HTTP is a state-less protocol. You get a session by saving a session identifier in a... session cookie.

My point is, cookies are not private data and their regulation should not have been included in GDPR.

Neither is IP address, imho.

GDPR is not only about limiting data usage either. You have to provide means to a) delete everything; b) export everything in a reusable format. This entails additional development costs that only the likes of GAFA should incur, imho.
tuubi 21 April 2018 at 8:32 am UTC
View PC info
  • Supporter
minjWhat is a session, anyway? HTTP is a state-less protocol. You get a session by saving a session identifier in a... session cookie.
You're getting stuck on the terminology. The session doesn't need to include any identifiable private data. Just a randomly generated session id and a variable that tells the service not to store cookies on the user's system.
DrMcCoy 21 April 2018 at 9:16 am UTC
QuotePersonally, while testing our site using uBlock Origin in Chrome, I don't see a single notification about anything blocked, so that's good

I see that you're still pulling in stuff from Google, though. Namely a font CSS thing (which you could mirror yourself) and the reCAPTCHA script (probably not self-hostable).

There's also custom avatar URLs still live (Patola's, for example), and Ghostery also "complains" about Gravatar (it counts it as a tracker).


Last edited by DrMcCoy on 21 April 2018 at 9:17 am UTC
minj 21 April 2018 at 11:48 am UTC
tuubi
minjWhat is a session, anyway? HTTP is a state-less protocol. You get a session by saving a session identifier in a... session cookie.
You're getting stuck on the terminology. The session doesn't need to include any identifiable private data. Just a randomly generated session id and a variable that tells the service not to store cookies on the user's system.

Cookie is a cookie is a cookie, otherwise why would every random site bother you about it on your first visit ever?
MayeulC 21 April 2018 at 12:35 pm UTC
Did you guys actually read the GDPR? It's actually clearly written and understandable: https://gdpr-info.eu/
Some people seem to write stuff that they read from some random clickbait article. (I'm not aiming at anyone in particular, please don't take offense).

The bottom line is usually: protect you user's data as if it was your most invaluable business assets, don't collect anything you don't need, and don't store it for longer than it is needed for processing. There are multiple interesting discussions of it on Hacker News.
An interesting point is that you can't refuse a service to a user because they didn't consent something actually unneeded for the service.

EagleDeltaDatabase backups come to mind with the right to remove all data from all time.
I actually disagree with this. Backups are as important as live databases. If you have a breach in your backup system, you don't want to leak information you didn't even need anymore in the first place.

On the other hand, I am not sure stuff like public postings actually need to be deleted, even if the user decides to delete his account. The choice is probably up to him, though.

EagleDeltaFar worse than backups (I just thought about this) is the Right to Erasure in something like Git.

Git being a distributed system used by many FOSS projects and Companies to version source code, simply cannot easily adhere to the right to erasure, if at all.

That doesn't seem necessary as per https://gdpr-info.eu/art-17-gdpr/ unless I am misunderstanding something there.

I find the GDPR really well written, forward-thinking, and it is obvious that a lot of thought by technical people has been put into it.

@liam: about Twitter, isn't any way to include a mastodon feed widget instead? (Plus, this sounds like something that could be "easily" written: fetch the atom feed, then parse the content from the resulting links; display).
a quick search gave me https://github.com/AzetJP/mastodon-timeline-widget/blob/master/README_en.md Thank you for taking the time to perform those changes


Last edited by MayeulC on 24 April 2018 at 1:16 pm UTC
  Go to:
While you're here, please consider supporting GamingOnLinux on Patreon, Liberapay or Paypal. We have no adverts, no paywalls, no timed exclusive articles. Just good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Livestreams & Videos
Community Livestreams
See more!
Popular this week
View by Category
Contact
Latest Comments
Latest Forum Posts