Poster email addy
If a member deletes their account, their posts are reattributed to "guest". Admins may subsequently reattribute the "guest" posts to a different account. Either way, the database messages table retains the original member's email address in the poster_email column.
If I understand GDPR correctly, a user has the right to have all information associated with their account deleted from the site. To be clear, I desire no quibble whether that statement is true or flawed: honestly I don't want to retain the information anyway. I do want to retain the posts themselves, as the posts become property of the site.
Anyway, wouldn't a desired behavior include deleting the poster's email from the messages table? Also, wouldn't it be desirable to update said column should the posts be reattributed? Thoughts?
Either way, in the short term how would one (safely) remove or update the column en masse manually? Thanks gang!
Re: Poster email addy
Reply #1 –
Interesting point - I had a user 'pass away' so I disabled his log-in ability (thusly retaining his posting history), and then had to go in and disable his email (I later got a bounce notification letting me know I forgot to check that).
I would think the best way to handle an account "deletion" is just to remove the sign-in validity and email - that is, "disabled". (Nothing in and nothing out to the user). The posts (and username) should be retained.
Ideally, a 'deleted' (disabled) flag in the database is all that is needed, along with the code for sign in and email activity checks to test for that flag - if present, no sign-in and no email activity.
(Admin can remove the flag - "undelete" - the account). Maybe display an "*" next to, or some other indication (grey out?) to the username to indicate the user is no longer 'active' is more appropriate.
I would think existing user-posts reverting to "guest" would not be desirable, nor allowing the username to be "reused" by someone else.
In the past (other forums) I have had users 'disable' their accounts for various reasons, and then desire to return sometime later. Creating a "new account" for them is not as elegant.
Now, if an admin decides a user is "persona non grata", another flag - to 'lock' the 'disabled' account (banned) I'd think the best approach.
Additional discussion on how to display disabled and banned user accounts in the member list and board posts, and reactivation (yes or no) behavior is warranted.
Re: Poster email addy
Reply #2 –
Sadly the kind of “not really deletion” you are talking about is in fact inadequate under EU data protection requirements, and what ElkArte has is closer to what is legally required.
If you have deletion as requiring admin approval, the account is moved into status 4 (pending deletion) and the user cannot directly log in. However in the EU you have to approve the request unless you can demonstrate a satisfactory reason for not doing so (and several options exist).
I tend to agree about reattribution updating email etc. to match the current username and email, and I’m mildly mixed on deleting the email in the database.
The reason for this is because people can and do leave and come back. It’s an easy argument that posts don’t fall under the GDPR as such, but emails are more complicated. My plan - not yet enacted, it hasn’t come up - is to delete the account itself and then purge emails after 30 days, with a side note that emails may be retained in backups for longer since purging from backups is not required if not technically feasible (and it isn’t). This is, for the record, perfectly adequate under the GDPR if you declare this is what you are doing.
In my case scheduling a job for 30 days in the future is no drama, I have a system in place for scheduling one-off tasks to either happen ASAP (but out of main execution, similar to scheduled tasks) or at a point in the future.
As for not showing in the member list etc, pending-deletion is already excluded from the user-facing areas and PMs to the account are disabled.
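The deferred purge planned in this reply, together with the bulk update the opening post asks about, sketched as an added example that is not part of the thread and is not ElkArte code. It runs against a constructed SQLite table: only the messages table and its poster_email column come from the thread, while `id_member = 0` marking guest posts, the `email_purge_queue` table and all function names are assumptions.

```python
import sqlite3

RETENTION = 30 * 24 * 3600  # the 30-day delay from the reply above, in seconds

def make_demo_db():
    # Constructed data. Only messages.poster_email comes from the thread;
    # every other table and column name here is an assumption.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE messages (id_msg INTEGER PRIMARY KEY, id_member INTEGER,
                               poster_email TEXT, body TEXT);
        CREATE TABLE email_purge_queue (email TEXT PRIMARY KEY,
                                        purge_after INTEGER);
        INSERT INTO messages VALUES
          (1, 0, 'gone@example.test',   'kept post'),
          (2, 0, 'gone@example.test',   'kept post'),
          (3, 0, 'recent@example.test', 'kept post'),
          (4, 8, 'bob@example.test',    'active member');
    """)
    return db

def queue_purge(db, email, deleted_at):
    """Record at account deletion when the address becomes due for scrubbing."""
    with db:
        db.execute("INSERT OR REPLACE INTO email_purge_queue VALUES (?, ?)",
                   (email, deleted_at + RETENTION))

def run_due_purges(db, now):
    """Blank poster_email on guest posts for every address past its date.
    Returns the number of message rows scrubbed; post bodies are untouched."""
    scrubbed = 0
    with db:  # one transaction: commits on success, rolls back on any error
        due = [r[0] for r in db.execute(
            "SELECT email FROM email_purge_queue WHERE purge_after <= ?", (now,))]
        for email in due:
            cur = db.execute(
                "UPDATE messages SET poster_email = '' "
                "WHERE id_member = 0 AND poster_email = ?", (email,))
            scrubbed += cur.rowcount
            db.execute("DELETE FROM email_purge_queue WHERE email = ?", (email,))
    return scrubbed

def reattribute(db, old_email, member_id, member_email):
    """Move guest posts to an existing account and replace the stale address."""
    with db:
        cur = db.execute(
            "UPDATE messages SET id_member = ?, poster_email = ? "
            "WHERE id_member = 0 AND poster_email = ?",
            (member_id, member_email, old_email))
    return cur.rowcount
```

On a live forum the same two UPDATE statements would be run against a fresh backup first, with a SELECT COUNT(*) using the identical WHERE clause to confirm how many rows will change.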
Re: Poster email addy
Reply #4 –
It’s a valid question. The answer is broadly no, for the same reason that posts themselves are generally excluded from such deletions.
If a post contains personally identifiable details, forum owners are generally expected to sanitise that, ditto if quoted. But one hopes that people don’t generally post that sort of thing from the off…
One thing I would note, EU legislation usually gets sneered at, but more people are subject to it than to any of the US legislation - even without the UK, the EU is over 400 million people, who all have to comply with this. (And the UK has its version of this, pushing the number surprisingly close to 500 million people.)
Re: Poster email addy
Reply #7 –
The responsibility lies with the site owner in all cases. It isn’t really a valid defence to say “it’s all the platform’s responsibility”.
And yes, in your case it runs counter to the point of the forum. You can disable account deletion, or make it “requires admin approval” as I have on my setup.
Thing is, the laws are not entirely set in stone. In your case for example you are documenting things for matter of public record and in that situation you would have valid reason to carry out data processing without explicitly relying on user consent, which also means you have some legal recourse in absence of user consent (i.e. requesting account deletion).
The reason I bring up the population count is because I hang around various forum environments and get into a number of tubthumping debates about how stupid the EU is as though it’s some tiny country that no one should care about, and that I’m stupid for caring about it, and I just wanted to head it off at the pass that while it might be astoundingly stupid in various ways (and it is), the reality is that it affects significantly more people than some think.
Re: Poster email addy
Reply #11 –
Thanks Badmonkey - I did search the EA site for more info on Account Deletion issues and that along with your response clarifies what EA does (and doesn't do) quite a bit.
My first thought, from a member's perspective, is that, if a user wants to "preserve their privacy", they appear to have the ability to "sanitize" their own profile before disabling their account, at least as far as what can be seen by other users, or even the admin, so the user has complete control over what personal profile info remains after they are no longer active, right?
If they posted 'private' information that's a different issue, and one I'm not sure short of allowing a user to edit every post they've ever made or deleting every post, can be resolved, and alas, either option can just make a mess out of a forum's threads. But again, what is posted by a user is entirely in the user's control at the point of posting and for some period of time afterwards. After that, the user "owns" whatever the 'privacy' repercussions result. (The best analogy is just like dropping a letter in the mailbox - what happens after that is no longer in the sender's control, and the recipient(s) has no legal obligation to burn it or otherwise "sanitize it" for you later).
So I guess I'm not getting what burden (or why) GDPR is putting on the Forum owner on behalf of the user, but not being subject to that jurisdiction I guess isn't my concern (other than structural changes to EA due to GDPR - or any other aspiring legal authority - that forces me to comply with it anyway - that's my only concern).
Now, from an Admin's perspective a disabled user account has some technical/functional concerns regarding the former account - which I think is limited to on-going interaction with that user account - as in 'none': no more log-in, no more email in or out, and other users can't PM with it. In the latter situation what the other users "see" regarding that account warrants discussion - such as whether it just "disappears" from their PM list, or provides some indication that the account is no longer active instead.
So I guess from the user's perspective I see the terms "account deleted" and "account disabled" as distinctions without a functional difference, and perhaps the word "deleted" should be avoided since it appears to imply "record removal" and invites such "legal ramifications".
From an admin perspective, deleting an account is only to "clean up the user database", which would then allow that user-name to be reused (with the associated historical postings concern there), or in the case of a huge forum (a million+ users over time?) to keep the database from overflowing allocated server space or bogging down.
In the past I've handled that "clean-up" by archiving all posts in threads and accounts ended earlier than a certain point in time, and then purging user accounts that were inactive at that point (since there will be no posts or PMs remaining for them). And it's not a trivial "button-push" task by any means.
In my case, the archive data is typically also available to current users as a static record (in the case of EA, a separate "board" that acts as a portal to the archive(s) that I can restrict via permissions if desired - I've got archives going back to 2001 for example). Once I've archived and purged, there's no way to "reactivate" an account and bring it back from "archive".
But as for an "active" (as opposed to archived) forum, in my mind whether an account is "disabled", or "deleted" is just semantics (it's not - or should not be - actually "deleted") - the user can either log-in and participate. Or not, and if not, the forum should just disable account log-in, any further email and PM activity for that account. What happened before that is, as they say, "history".
Re: Poster email addy
Reply #12 –
The reason it’s the site owner’s responsibility is that, as site owner, we are keepers of people’s personal data. As such we have responsibilities as to how this data is used.
Notionally the law was written to curtail the likes of Facebook harvesting much more data than you theoretically give them, and to ensure that what data is given can be taken back - the idea being the freedom of the user and the rights of the user being protected.
The reality is unfortunately lacking compared to the theory. Much was made of the headline penalties - 2% of global revenue (not profit) or €10M whichever is higher. (These can be extended to 4%/€20M in really bad cases.)
Anyway, if I join a forum and later decide to leave, I might not care that they have my email. I might, on the other hand, care very much that they don’t have my email so they can’t use it to contact me for any reason. There are plenty of valid reasons why this might be an outcome that is intended and we should not judge the validity thereof for any given situation.
But account disabled vs deleted is a complex distinction and under the GDPR this is explicitly discussed; disabling an account is not deletion and if consent to use a user’s data is withdrawn and no prevailing legal basis exists for you to keep that data, you need to remove it within a reasonable timeframe and subject to your data protection policies.
Re: Poster email addy
Reply #14 –
What about this scenario?
- member registers on your forum
- member is posting some illegal material on your forum
- you (as admin) don't see or notice that illegal stuff and nobody reports it
- member asks for deletion and you approve the account deletion
- the illegal stuff remains on your forum
- you (as a forum admin) receive a complaint about that illegal material
Now what do you prefer? Having some info about that post (like email, IP, etc) or having none of that info?