
Steps we're taking as a site for GDPR compliance

Posted by , | Views: 6,720

As we're sure many of you know, a big new privacy and data protection thing is coming into force next month from the EU, called the EU General Data Protection Regulation (GDPR).

Any website that takes any information from anyone in the EU has to comply with it or face huge fines. Naturally, we want to ensure we're complying.

Here are a few steps we've already taken:

  • All YouTube embeds in comments/forum posts now use YouTube's enhanced privacy mode, which doesn't load a single cookie until you hit play.
  • All future articles with a YouTube embed will also use YouTube's enhanced privacy mode. We're working to update all older articles with a script soon.
  • We recently (read: finally) added the ability for you to delete your own individual comments. Was on the todo list for a long time, sorry it took so long. This will be rolled out to the forum too ASAP.
  • If you wish to completely remove your account (not "hidden"—just completely gone), there's an option to do so in your User Control Panel now.
  • For all new users, including PC Info in the Monthly User Statistics is now opt-in. This can be changed any time with a new checkbox labelled "Include your PC details in our Monthly User Statistics?" at the top of the User Control Panel page for PC Info. Not a big change, but it means you can now display your PC Info without being in the survey. For people who have it checked and leave it for a long time: data we consider stale is eventually cut out of the monthly survey anyway, so it wouldn't be included once it gets too old. To be clear on our user survey: no user-identifiable information is included in the survey output, no user id, no username or anything—just the answers.
  • We've removed the Twitter embed in the right sidebar, so that Twitter cookies and tracking do not touch our website at all. To be clear, the Twitter handle @gamingonlinux still exists, just the embed for it on our site is gone.
  • The registration page now includes links to our Ethics and Privacy policy pages (can be found any time in the site's footer).
  • This was done a long time ago, but as a reminder, if you wish your profile to be private, you can do so by setting it in the User Control Panel Privacy page. We've decided that going forward, all new users' profiles will be private by default. We're eventually going to add more specific controls over what you wish to show on your profile page, instead of just private or public. Luckily, we don't actually store or show a lot of information anyway.
  • We've removed the ability for users to set an avatar from a URL. While we're sure our security was tight on that to ensure they 100% are linking to an image, it's just not worth the hassle if somehow a script slipped past it and stored a cookie on your PC. You can still pick an avatar from the gallery (which we will expand) or upload an avatar directly.
  • When a submitted article is approved, we're making sure to wipe the email and IP that it was submitted from. They're only stored to block spammers (based on IP) and to email you if it's accepted or denied. Denied articles are completely removed.
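The embed change in the first two bullets can be applied to stored article HTML with a small rewrite pass. The following is an added example, not GamingOnLinux's own script: it assumes embeds are stored as plain `<iframe>` HTML, and the function name `to_privacy_mode`, the sample markup and the video id are constructed for illustration.

```python
import re

# Matches an <iframe> whose src points at the standard YouTube embed host.
# Assumption: articles store embeds as plain <iframe ... src="..."> HTML.
_EMBED_SRC = re.compile(
    r'''(<iframe\b[^>]*?\bsrc\s*=\s*["'])      # tag up to the opening quote
        (?:https?:)?//(?:www\.)?youtube\.com   # standard (cookie-setting) host
        (/embed/[A-Za-z0-9_-]+[^"']*)          # /embed/ID plus any parameters
        (["'])                                 # closing quote
    ''',
    re.IGNORECASE | re.VERBOSE,
)


def to_privacy_mode(html: str) -> tuple[str, int]:
    """Point YouTube iframe embeds at youtube-nocookie.com.

    Returns (new_html, embeds_changed). Embeds that already use the
    privacy-mode host and ordinary links to YouTube are left untouched,
    so the pass is safe to run repeatedly over the same article.
    """
    return _EMBED_SRC.subn(r"\1https://www.youtube-nocookie.com\2\3", html)


# Constructed sample article body (not real site content).
SAMPLE_ARTICLE = (
    '<p>Trailer below.</p>'
    '<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID_1?start=30"'
    ' allowfullscreen></iframe>'
    '<p><a href="https://www.youtube.com/watch?v=VIDEO_ID_1">Direct link</a></p>'
    "<iframe src='//youtube.com/embed/VIDEO_ID_2'></iframe>"
    '<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID_3"></iframe>'
)

if __name__ == "__main__":
    updated, changed = to_privacy_mode(SAMPLE_ARTICLE)
    print(f"{changed} embed(s) rewritten")
    print(updated)
```

Because the function reports how many embeds it changed, a batch run over older articles only needs to write back the rows where that count is non-zero.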

Other misc updates:

  • Notifications older than six months are now being wiped, to help keep our database lean and mean. To be honest, if you haven't visited in six months it's likely any notifications are pointless.
  • We removed the GamingOnLinux Facebook Group embed from the right sidebar on the homepage. This was unrelated to GDPR; we just didn't like their data handling with the recent stuff in the news. To be clear, the GOL Facebook Group still exists, just the embed for it on our site is gone.
  • We now include a standard message at the bottom of all articles to notify you that certain links will be affiliate links. So no editor can forget (read: me, I'm forgetful).

You can find more about GDPR here.

Personally, while testing our site using uBlock Origin in Chrome, I don't see a single notification about anything blocked, so that's good. Since we have no adverts, no outside statistics tracking or anything (we don't even use Google Analytics like most sites do) there should be nothing to be concerned about.

If you feel there's something we should be doing that we're not to help protect your privacy and data, do let us know any time.

P.S. You can follow random progress on GitLab here.

We do often include affiliate links to earn us some pennies. We are currently affiliated with GOG and Humble Store. See more information here.

MayeulC 21 April 2018 at 12:35 pm UTC
Did you guys actually read the GDPR? It's actually clearly written and understandable: https://gdpr-info.eu/
Some people seem to write stuff that they read from some random clickbait article. (I'm not aiming at anyone in particular, please don't take offense).

The bottom line is usually: protect your users' data as if it was your most invaluable business asset, don't collect anything you don't need, and don't store it for longer than it is needed for processing. There are multiple interesting discussions of it on Hacker News.
An interesting point is that you can't refuse a service to a user because they didn't consent to something actually unneeded for the service.

EagleDelta: Database backups come to mind with the right to remove all data from all time.
I actually disagree with this. Backups are as important as live databases. If you have a breach in your backup system, you don't want to leak information you didn't even need anymore in the first place.

On the other hand, I am not sure stuff like public postings actually need to be deleted, even if the user decides to delete his account. The choice is probably up to him, though.

EagleDelta: Far worse than backups (I just thought about this) is the Right to Erasure in something like Git.

Git being a distributed system used by many FOSS projects and Companies to version source code, simply cannot easily adhere to the right to erasure, if at all.

That doesn't seem necessary as per https://gdpr-info.eu/art-17-gdpr/ unless I am misunderstanding something there.

I find the GDPR really well written, forward-thinking, and it is obvious that a lot of thought by technical people has been put into it.

@liam: about Twitter, isn't there any way to include a Mastodon feed widget instead? (Plus, this sounds like something that could be "easily" written: fetch the atom feed, then parse the content from the resulting links; display).
A quick search gave me https://github.com/AzetJP/mastodon-timeline-widget/blob/master/README_en.md

Thank you for taking the time to perform those changes.


Last edited by MayeulC at 24 April 2018 at 1:16 pm UTC. Edited 3 times.
tuubi 21 April 2018 at 1:03 pm UTC
minj: What is a session, anyway? HTTP is a state-less protocol. You get a session by saving a session identifier in a... session cookie.
tuubi: You're getting stuck on the terminology. The session doesn't need to include any identifiable private data. Just a randomly generated session id and a variable that tells the service not to store cookies on the user's system.

minj: Cookie is a cookie is a cookie, otherwise why would every random site bother you about it on your first visit ever?
No, some cookies are delicious with coffee. And I have no idea what you're asking here. Surely those sites bother you because they're required to if they're going to store and access data on your system.
Hamish 21 April 2018 at 4:38 pm UTC
Nonjuffo: I don't think GDPR applies to services like Github. If it did, it would also apply to things like scientific journals, which operate on the same basic underlying principles (i.e. the content is deliberately publicized along with the (pseudo-)identity of the authors).

How about Wikis just to broaden the discussion a bit?
tuubi 21 April 2018 at 4:48 pm UTC
Nonjuffo: I don't think GDPR applies to services like Github. If it did, it would also apply to things like scientific journals, which operate on the same basic underlying principles (i.e. the content is deliberately publicized along with the (pseudo-)identity of the authors).

Hamish: How about Wikis just to broaden the discussion a bit?
I guess GDPR applies to any personal information the wiki stores about users. Wiki page content itself is regulated by other laws I'd think, like any public content, articles and such.
Swiftpaw 21 April 2018 at 5:27 pm UTC
I highly recommend "3P Request Blocker" over ublock. ublock often doesn't block things that it should, and 3P Request Blocker gives you total control over all that. ublock's ability to pre-configure itself for each site is nice, but if you disagree with it (for instance, a site loading Facebook when there's almost always no reason for it to) it doesn't let you start blocking it, or at least not easily, while 3P does, but 3P also starts off unconfigured so it's more of a hassle.
tuubi 21 April 2018 at 5:48 pm UTC
Swiftpaw: ublock's ability to pre-configure itself for each site is nice, but if you disagree with it (for instance, a site loading Facebook when there's almost always no reason for it to) it doesn't let you start blocking it, or at least not easily, while 3P does, but 3P also starts off unconfigured so it's more of a hassle.
You just need to enable advanced features in uBlock Origin's configuration to get a nice, clickable list that allows you to block or allow stuff. If that's what you mean. You could also enable one of the stricter third party social block lists.
F.Ultra 21 April 2018 at 11:19 pm UTC
minj: What is a session, anyway? HTTP is a state-less protocol. You get a session by saving a session identifier in a... session cookie.
tuubi: You're getting stuck on the terminology. The session doesn't need to include any identifiable private data. Just a randomly generated session id and a variable that tells the service not to store cookies on the user's system.

minj: Cookie is a cookie is a cookie, otherwise why would every random site bother you about it on your first visit ever?

There are different types of cookies and the EU rules e.g. exempt the following types of cookies from the "consent requirement":

Quote:
  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.


More info can be found here (as well as EU supplied JavaScript to add a cookie acceptance banner): http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
Skully 22 April 2018 at 1:36 am UTC
In case you're interested: Privacy Badger is still reporting up to 8 potential trackers per page and is blocking cookies from them. These places might not be tracking with cookies but PB is ensuring to block them anyway. I think PB just blocks cookies from any external source other than the site you're looking at.

I visited various pages on this site; here is a list of "potential" trackers according to PB.

www.gravatar.com
www.gstatic.com
fonts.googleapis.com
www.google.com
fonts.gstatic.com
www.youtube-nocookie.com
i.ytimg.com
s.ytimg.com
i0.wp.com
yt3.ggpht.com
Nonjuffo 22 April 2018 at 5:58 am UTC
Nonjuffo: I don't think GDPR applies to services like Github. If it did, it would also apply to things like scientific journals, which operate on the same basic underlying principles (i.e. the content is deliberately publicized along with the (pseudo-)identity of the authors).

Hamish: How about Wikis just to broaden the discussion a bit?
tuubi: I guess GDPR applies to any personal information the wiki stores about users. Wiki page content itself is regulated by other laws I'd think, like any public content, articles and such.

From MayeulC's link (https://gdpr-info.eu/art-17-gdpr/), paragraph (3):

[Right to erasure] shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;


To my interpretation those exemptions would cover Wikis.
Nanobang 22 April 2018 at 1:32 pm UTC
Simply put, I welcome the GDPR and what it's doing to the Internet on behalf of the common person's right to freedom of expression and freedom of privacy.