If a member deletes their account, their posts are reattributed to "guest". Admins may subsequently reattribute the "guest" posts to a different account. Either way, the database messages table retains the original member's email address in the poster_email column.
If I understand GDPR correctly, a user has the right to have all information associated with their account deleted from the site. To be clear, I desire no quibble whether that statement is true or flawed: honestly I don't want to retain the information anyway. I do want to retain the posts themselves, as the posts become property of the site.
Anyway, wouldn't a desired behavior include deleting the poster's email from the messages table? Also, wouldn't it be desirable to update said column should the posts be reattributed? Thoughts?
Either way, in the short term how would one (safely) remove or update the column en masse manually? Thanks gang!
Interesting point - I had a user 'pass away" so I disabled his log-in ability (thusly retaining his posting history), and then had to go in and disable his email (I later got a bounce notification letting me know if forgot to check that).
I would think the best way to handle an account "deletion" is just to remove the sign-in validity and email - that is, "disabled'. (Nothing in and nothing out to the user). The posts (and username) should be retained.
Ideally, a 'deleted' (disabled) flag in the database is all that is needed, along with the code for sign in and email activity checks to test for that flag - if present, no sign-in and no email activity.
(Admin can remove the flag - "undelete" - the account). Maybe display an "*" next to, or some other indication (grey out?) to the username to indicate the user is no longer 'active' is more appropriate.
I would think existing user-posts reverting to "guest" would not be desirable, nor allowing the username to be "reused" by someone else.
In the past (other forums) I have had users 'disable' their accounts for various reasons, and then desire to return sometime later. Creating a "new account" for them is not as elegant.
Now, if an admin decides a user is "personna non-gratta", another flag - to 'lock' the 'disabled' account (banned) I'd think the best approach.
Additional discussion on how to display disabled and banned user accounts in the member list and board posts, and reactivation (yes or no) behavior is warranted.
Sadly the kind of “not really deletion” you are talking about is in fact inadequate under EU data protection requirements, and what ElkArte has is closer to what is legally required.
If you have deletion as requiring admin approval, the account is moved into status 4 (pending deletion) and the user cannot directly log in. However in the EU you have to approve the request unless you can demonstrate a satisfactory reason for not doing so (and several options exist)
I tend to agree about reattribution updating email etc. to match the current username and email, and I’m mildly mixed on deleting the email in the database.
The reason for this is because people can and do leave and come back. It’s an easy argument that posts don’t fall under the GDPR as such, but emails are more complicated. My plan - not yet enacted, it hasn’t come up - is to delete the account itself and then purge emails after 30 days, with a side note that emails may be retained in backups for longer since purging from backups is not required if not technically feasible (and it isn’t). This is, for the record, perfectly adequate under the GDPR if you declare this is what you are doing.
In my case scheduling a job for 30 days in the future is no drama, I have a system in place for scheduling one-off tasks to either happen ASAP (but out of main execution, similar to scheduled tasks) or at a point in the future.
As for not showing in the member list etc, pending-deletion is already excluded from the user-facing areas and PMs to the account are disabled.
Gee - does "account deletion"per GDPR include the quoted replies too? :P
(We need a sarcasm font). :D
Edit: Personal Opinion - Compliance with whatever arbitrary edicts are proposed by the politics of various jurisdictions should be the responsibility of the admin as {insert your preferred pronoun here} chooses to comply, not imposed by the software package. If the package allows such compliant configuration, that's fortunate.
It’s a valid question. The answer is broadly no, for the same reason that posts themselves are generally excluded from such deletions.
If a post contains personally identifiable details, forum owners are generally expected to sanitise that, ditto if quoted. But one hopes that people don’t generally post that sort of thing from the off…
One thing I would note, EU legislation usually gets sneered at, but more people are subject to it than to any of the US legislation - even without the UK, the EU is over 400 million people, who all have to comply with this. (And the UK has its version of this, pushing the number surprisingly close to 500 million people.)
Good discussion - I'm reminded of an old quip "Indecision is the key to flexibility."
In my case, the forum serves (among other purposes such as camaraderie) to capture personal recollections of common events, and these are for historical record. So, the removal of posts and/or sanitizing attribution upon account disable/removal is explicitly counter to the primary purpose of the forum.
As an "open source" software package, I'm not quite sure who can be held "responsible" for legal compliance (the nasty issue of "enforcement" that is the soft underbelly of every law), and so, logically, and practically, that burden can only fall upon the admin who uses it.
(And for the record - 500 million is just 6% of the global population ;D )
I'm in those 6% of the population, I feel lucky 8)
The responsibility lies with the site owner in all cases. It isn’t really a valid defence to say “it’s all the platform’s responsibility”.
And yes, in your case it runs counter to the point of the forum. You can disable account deletion, or make it “requires admin approval” as I have on my setup.
Thing is, the laws are not entirely set in stone. In your case for example you are documenting things for matter of public record and in that situation you would have valid reason to carry out data processing without explicitly relying on user consent, which also means you have some legal recourse in absence of user consent (I.e. requesting account deletion).
The reason I bring up the population count is because I hang around various forum environments and get into a number of tubthumping debates about how stupid the EU is as though it’s some tiny country that no one should care about, and that I’m stupid for caring about it, and I just wanted to head it off at the pass that while it might be astoundingly stupid in various ways (and it is), the reality is that it affects significantly more people than some think.
I'm in a different 4%, and I feel special too.. 8)
Yes indeed.. we have a hard enough time keeping up with software compatibility, never mind dynamic political legal issues of various jurisdictions.
As long as the package allows configuration the way the owner/admin wants and needs it to function within the technical and geopolitical environment (s)he is in, whatever and wherever that is, it's all good.
If platform compliance is a desired thing for some admins, someone might be tempted to make a nice little sideline with customization plug-ins to configure the software defaults and options in compliance with various political jurisdictions (but not me, man. I can't afford the necessary lawyers or the staff that would be necessary to "maintain certification" standards theoretically set by the various governments and defend myself against any alleged transgressions).
I wasn't implying EU requirements should be ignored just because I don't need to use them or may not agree with them (in fact, I'm entirely ignorant of them because they don't apply to me). My basic philosophy is that the "Forum owner" owns the platform, and should be free to do anything (s)he wants with it. The admin will general select a package to use based on it's available options and ease of configuration and use and the members will ultimately decide if it works or not, - and it's really nobody else's concern. I'm a bit of a libertarian in that regard.
No, I was casting aspersions on the notion I saw in your reply..
...that any aspiring "controlling legal authority", be it EU, or US, or any other, should govern how EA is allowed to be configured or function (regardless of whether it claims 6% or 60% of the population).
(I almost quipped about trying to use forum software officially compliant with the on-line laws of, say, the "Democratic People's Republic of Korea", to provide an extreme example of the undesirable effect of that philosophy).
There's a huge philosophical difference between "can comply" (option) and "shall comply" (required), and if I read your meaning wrong, then we're potentially in the amusing situation of "contentious agreement". :-[
Back to badmonkey's post for clarification..
Since nobody yet has deleted their account in my forum, I haven't observed the resulting behavior of them doing that. Are you saying reverting all the posts to "guest" is what EA does if a user deletes their account?
Pending further detail, for the time being I've gone back in and removed the ability for anyone to delete their account..
If an account is deleted, posts still reflect the former user's screen name, and "guest" below it. Admins may perform a member maintenance routine in the ACP to reattribute all guest posts to a particular account. Therefore theoretically if a member rejoined, they could create a new account and the admin could credit it with the outstanding posts. This should work assuming the admin attributes guest posts to
some account each time a member deletes their account. Perhaps the admin could create a shadow account for each such instance not including any information from the former member - therefore belonging to the site itself and not compromising the former's privacy. Even then the database retains the poster's original email attributed to the former's account at the time the post was actually created.
I'd almost prefer members register using a disposable email. I use clever registration questions and have registration email disabled on a million plus post forum. Spam is rare. Rare to the tune of maybe once or twice per year. Password recovery usually takes place through the Contact Form, also amazingly rare.
Thanks Badmonkey - I did search the EA site for more info on Account Deletion issues and that along with your response clarifies what EA does (and doesn't do) quite a bit.
My first thought, from a member's perspective, is that, if a user wants to "preserve their privacy", they appear to have the ability to "sanitize" their own profile before disabling their account, at least as far as what can be seen by other users, or even the admin, so the user has complete control over what personal profile info remains after they are no longer active., right?
If they posted 'private' information that's a different issue, and one I'm not sure short of allowing a user to edit every post they've ever made or deleting every post, can be resolved, and alas, either option can just make a mess out of a forum's threads. But again, what is posted by a user is entirely in the users control at the point of posting and for some period of time afterwards. After that, the user 'owns" whatever the 'privacy' repercussions result. (The best analogy is just like dropping a letter in the mailbox - what happens after that is no longer in the sender's control, and the recipient(s) has no legal obligation to burn it or otherwise "sanitize it" for you later).
So I guess I'm not getting what burden (or why) GDPR is putting on the Forum owner on behalf of the user, but not being subject to that jurisdiction I guess isn't my concern (other than structural changes to EA due to GDPR - or any other aspiring legal authority - that forces me to comply with it anyway - that's my only concern).
Now, from an Admin's perspective a disabled user account has some technical/functional concerns regarding the former account - which I think is limited to on-going interaction with that user account - as in 'none': no more log-in, no more email in or out, and other users can't PM with it. In the latter situation what the other users "see" regarding that account warrants discussion - such as whether it just "disappears' from their PM list, or provides some indication that the account is no longer active instead.
So I guess from the users perspective I see the terms "account deleted" and "account disabled" as distinctions without a functional difference, and perhaps the word" "deleted" should be avoided since it appears to imply "record removal" and invites such "legal ramifications".
From an admin perspective, deleting an account is only to "clean up the user database", which would then allow that user-name to be reused (with the associated historical postings concern there), or in the case of a huge forum (a million+ users over time?) to keep the database from overflowing allocated server space or bogging down.
In the past I've handled that "clean-up" by archiving all posts in threads and accounts ended earlier than a certain point in time, and then purging user accounts that were inactive at that point (since there will be no posts or PMs remaining for them). And it's not a trivial "button-push" task by any means.
In my case, the archive data is typically also available to current users as a static record (in the case of EA, a separate "board" that acts as a portal to the archive(s) that I can restrict via permissions if desired - I've got archives going back to 2001 for example). Once I've archived and purged, there's no way to "reactivate" an account and bring it back from "archive".
But as for an "active" (as opposed to archived) forum, in my mind whether an account is "disabled", or "deleted" is just semantics (it's not - or should not be - actually "deleted") - the user can either log-in and participate. Or not, and if not, the forum should just disable account log-in, any further email and PM activity for that account. What happened before that is, as they say, "history".
The reason it’s the site owner’s responsibility is that, as site owner, we are keepers of peoples’ personal data. As such we have responsibilities as to how this data is used.
Notionally the law was written to curtail the likes of Facebook harvesting much more data than you theoretically give them, and to ensure that what data is given can be taken back - the idea being the freedom of the user and the rights of the user being protected.
The reality is unfortunately lacking compared to the theory. Much was made of the headline penalties - 2% of global revenue (not profit) or €10M whichever is higher. (These can be extended to 4%/€20M in really bad cases.)
Anyway, if I join a forum and later decide to leave, I might not care that they have my email. I might, on the other hand, care very much that they don’t have my email so they can’t use it to contact me for any reason. There are plenty of valid reasons why this might be an outcome that is intended and we should not judge the validity thereof for any given situation.
But account disabled vs deleted is a complex distinction and under the GDPR this is explicitly discussed; disabling an account is not deletion and if consent to use a user’s data is withdrawn and no prevailing legal basis exists for you to keep that data, you need to remove it within a reasonable timeframe and subject to your data protection policies.
OK, it still seems to me that EA allows literally all of a user's personal information, including their email addy, to be editable in their profile, so therefore it is within the user's ability to "sanitize" their account prior to "disabling it". But more to the subsequent contact issue, if EA disables email communication upon account disable (which it should), any email contact concern goes away.
EA does not appear to do that, however... In my original reply I noted I "disabled" a deceased user's account, and in this case, I simply "banned" it, which seemed the best way to keep the account from being reused while retaining the posts. That did not appear to stop subscribed email's from being sent to that email address, however. I didn't check to verify an email submission to the Forum from that account would be rejected , but I assume it would.
What should also occur is that a "disabled account" should sidestep any email authentication requirement settings (if that function is used)
As for a Forum admin using a forum-member's email address outside the platform, that's beyond anything EA can do to prevent - it's in the database and can be harvested there. However, the user can certainly change it to something like "xxx@xxx.xxx" and solves that issue. (Perhaps "banning/disabling" should also do that - or at least be an option for admin configuration to provide GDPR compliance capability?).
Anyway, users "withdrawing consent to use their data" can not realistically apply to their previously posted content. I don't know about elsewhere, but US Copyright Law pretty much limits an author's rights to the commercial aspects of published work, and doesn't extend to the right of recall once published (in this case, the user hits "post"). At that point "that ship has sailed" so to speak and subsequently falls under the jurisdiction of the "fair Use" provisions of US Code Title 17 (caveat - unless specifically stated otherwise in an
explicit contract between the author and publisher).
I think Badmonkey's concerns (and mine also) would be addressed by EA "corrupting" the email address of a disabled account (or at least allowing them to be automatically "corrupted") when an account is disabled. (Do I have that right,
@badmonkey ?)
As it stands, reactivating a disabled account later requires user-request to the admin for intervention and approval regardless of how or why it was disabled, so nothing needs to change there, in that regard.
(Maybe I should note that users "privacy" is such a forefront concern in my forum that, first, nobody can even access the forum sign-in page without previous authentication, and then I specifically refuse members use of any gmail account in their forum email settings due to google's data-harvesting practices. I offer them a free email account on the server if they don't have an alternative. It's not bullet-proof by any means, but it does limit the most egregious privacy vulnerability.)
What about this scenario?
- member register to your forum
- member is posting some illegal material on your forum
- you (as admin) don't see or notice that illegal stuff an nobody reports it
- member asks for deletion and you approve the account deletion
- the illegal staff remains on your forum
- you (as a forum admin) receive a complaint about that illegal material
Now what you prefer? Having some info about that post (like email, IP, etc) or have none of that info?
Hi radu81,
That's one reason why I argue against "account deletion", as opposed to "
account disable". Deleting accounts, in my mind, is a "site clean-up" activity performed on occasion just to to keep operations "nimble" by removing legacy stuff when they start to bog things down.
With disable, the user- account information remains (even if it's non-identifying information any more), if knowing what account created it is important.
(Please explain why I might care about those details? The account is already disabled - or "closed" or whatever we want to call it. Personally, I'd just delete the offending post and thank the user who pointed it out for bringing it to my attention.)
Edit - since we can move "deleted posts" to a hidden archive, we have the ability to maintain a record of what was deleted and why, if there's a legal reason to preserve the notification and action-taken details, I suppose.) (As for the IP address, given the dynamics of ip addresses and prevalence of VPNs, I'm not sure an ip addy can be considered "personally identifying information" any more, can it?)
IP address is still considered personal information in parts of Europe. The provincial government of Munich has declared Google Fonts out of bounds because sites are giving IP addresses (by way of requests for fonts) to Google without the person’s consent.
As for posts, I thought I’d made it clear that posts in general were fine and protected under other parts of the GDPR as long as the posts didn’t contain personal information.
The unfortunate reality is that account deletion really should mean deletion where technically achievable but that there is no mandate on you to use it that way, as long as you are aware of what the platform does and when different options are relevant. Account deletion absolutely exists in the platform, currently it does not go far enough, and that is a thing that should be fixed to account for regions where it really does matter - even though large chunks of the law are stupid.
OK, so if IP addys need addressing in some jurisdictions, then add that to the "disable" options in admin configuration.
Would this work?:
Account disable: {User only has option to "disable" account - account "deletion" is reserved to admin.]
- sets the 'ban flag' {whatever EA does now so user can not login}
- changes user email addy to 'null' account (disabled@yourdomain.com) admin creates that email addy on his box set to 'discard/no response' to avoid bounce notices
- overrides "email change confirmation" if set in admin options
- changes IP addy to 999.9.9.9. {admin option}
- removes account from PM capabilities-
- "hides" disabled account from general member listing (admin, global moderator {permission option} can see it)
- sets disabled flag so admin, gm can see account is 'disabled' (currently a banned account looks no different from any other member listing in admin member view)
- adds date account was disabled to the database if viewable by admin/GM, that would serve as the 'disabled flag' in the item above-
That was clear enough, but I'm not sure what is considered "personal information" as defined in GDPR?
If this refers to linking the account to an identifiable person, then admin (or whomever disables the account) needs to edit out that data (if any) from the profile. (If the user has the ability to disable their own account then my opinion is that responsibility is on them).
If they posted personal information in a post (name, addy, phone number, whatever), again, my opinion is 'shame on them'.
Account Deletion [admin only]
A process to completely remove the account from the database
- Deletion (clean-up) function deletes accounts disabled earlier than some admin-chosen date
- -further discussion required for handling account postings of disabled accounts as a database/forum 'clean-up' function. I'm old, and only one cup of coffee into my morning so my brain hurts working through the use-cases at the moment.
Off for more coffee..
One more "personal data item" per GDPR that probably needs to be addressed (reverted to "none"?) in account disable is the user Avatar..
But, GDPR considerations aside, EA definitely should prevent Emails from being sent to disabled/banned accounts, which it currently doesn't do (at least in v1.1.6)..
That does sound wrong, I'll add it to the tracker to take a look
Addressing badmonkey's issue (which started this discussion) could be addressed as well by just erasing the email addy when the 'ban-flag' is set (or changing it into a "fail-silent" addy set up by admin on the server during configuration, if deleting the email record breaks stuff).
Is there any other way to "disable" an account besides the ban function (other than just deleting the account completely)?
The problem with deleting the email when banning an account is that the system will at some point reevaluate the ban and go “I don’t know why this is banned”. In any case there are provisions for this in the GDPR for keeping records of bad actors in the interests of protecting the service from interruption.
You can also, as I mentioned, use the “pending deletion” flag which is an account status separate to banning, and which should prevent most if not all communications.
Looks like a learning opportunity for me here.. I'll explore the above in a moment, but first...
What admin settings, and then admin/moderator and/or user actions set the account into a 'pending deletion" status?
Now back to the first part... what are you referring to when you say "The system" - the EA software? I can't think of any reason the software would need to know the "why" of anything, but that may be just my ignorance. To quote Ross Perot, "I'm all ears"..
I had given some thought to the need for retaining reasons/record for account actions taken - both for board operations and potential legal issues (in the case of GDPR, et. al.)
In response to the scenario radu81 proffered, I mentioned:
"
..since we can move "deleted posts" to a hidden archive, we have the ability to maintain a record of what was deleted and why, if there's a legal reason to preserve the notification and action-taken details, I suppose.)"
In the case of an admin or moderator action to a bad actor leading to a ban, Admin, or a moderator, can certainly attach an explanation/evidence (screen shots, whatever) to such a communication post or thread as it is deleted and sent to the "hidden board" (or after), for further disposition. Then (Admin having also created a hidden "banned" board), that post or thread can be moved to the "banned" board (subtopic by user account).
On the other hand, a user initiated account "closure" , from my perspective, is operationally no different than an account ban - in the end, the only significant difference is why the account is disabled or suspended. In this case, the simplest solution is to have two options to chose from to enter the process of account disable/suspension:
And all that does is change the flag on the account. Disabled, or Ban.
If the user has the privilege of "deleting" his/her account (as is offered as an option now), the user sees the "disable" option in the profile (labeled "Disable/Delete"?)
Now, a moderator or admin can see in the user record the flag and know that a "disabled" account is eligible to be reactivated.
If the flag is "ban", it's not eligible for reactivation, (
or at least not without a lot of user whining and begging and moderator/admin consideration of the severity of the offense(s) as recorded in the hidden "banned" board for the account.)
Now, the only question remaining (functionally) is what the user(s) can observe in the member listings regarding a disabled account.
My preference would be that it doesn't appear in any member listing other than for a moderator or admin. And the user account doesn't appear in a PM listing at all for anyone.
And again - IMHO "account deletion" is a forum clean-up function (with the caveat that I may change my mind on all this once I understand what "pending account deletion" is. - my first question above..)
HI Spuds
As it stands now, a "banned" account:
- Appears in the member listing
- Displays no indication that the account is not active (except to forum staff with appropriate moderator privileges)
- Any user can send an email to that account (if the account user selected allow emails in their account settings)
- Any user can send a PM to that account.