
Poster email addy

If a member deletes their account, their posts are reattributed to "guest". Admins may subsequently reattribute the "guest" posts to a different account. Either way, the database messages table retains the original member's email address in the poster_email column. 

If I understand GDPR correctly, a user has the right to have all information associated with their account deleted from the site. To be clear, I desire no quibble whether that statement is true or flawed: honestly I don't want to retain the information anyway. I do want to retain the posts themselves, as the posts become property of the site. 

Anyway, wouldn't a desired behavior include deleting the poster's email from the messages table? Also, wouldn't it be desirable to update said column should the posts be reattributed? Thoughts? 

Either way, in the short term how would one (safely) remove or update the column en masse manually? Thanks gang!
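One way to rehearse the manual clean-up asked about above, as an added example that is not part of the original post and is not ElkArte code. Only the messages table and its poster_email column are named in the thread; the members table, the id_member and email_address columns, the "id_member = 0 means guest" convention and all sample rows are assumptions constructed here, so check them against your own schema and run against a restored backup first.

```python
import sqlite3

# Constructed stand-in schema; only messages.poster_email is named in the thread.
SCHEMA = """
CREATE TABLE members (id_member INTEGER PRIMARY KEY, real_name TEXT,
                      email_address TEXT);
CREATE TABLE messages (
    id_msg       INTEGER PRIMARY KEY,
    id_member    INTEGER NOT NULL DEFAULT 0,  -- assumption: 0 marks a guest post
    poster_name  TEXT NOT NULL,
    poster_email TEXT NOT NULL DEFAULT '',
    body         TEXT NOT NULL);
"""

def build_sample_db():
    """In-memory copy with constructed rows, standing in for a restored backup."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        (7, "shadow-archive", "archive@forum.example"),
        (8, "alice", "alice@mail.example")])
    db.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", [
        (1, 0, "bob", "bob@mail.example", "post by a deleted member"),
        (2, 0, "bob", "bob@mail.example", "another post by the same member"),
        (3, 8, "alice", "alice@mail.example", "post by an active member"),
        (4, 7, "carol", "carol@mail.example", "reattributed, stale email"),
        (5, 0, "visitor", "", "guest post that never had an email")])
    db.commit()
    return db

def guest_email_rows(db):
    """Preview: how many guest posts still carry an email address."""
    return db.execute("SELECT COUNT(*) FROM messages "
                      "WHERE id_member = 0 AND poster_email <> ''").fetchone()[0]

def scrub_guest_emails(db, expected_max):
    """Blank poster_email on guest posts; post text and poster_name are kept.

    Runs in one transaction and rolls back if more rows changed than the
    preview led you to expect, which guards against a mistyped WHERE clause.
    """
    with db:  # commit on success, rollback if an exception escapes
        cur = db.execute("UPDATE messages SET poster_email = '' "
                         "WHERE id_member = 0 AND poster_email <> ''")
        if cur.rowcount > expected_max:
            raise RuntimeError(f"{cur.rowcount} rows matched, rolled back")
        return cur.rowcount

def sync_reattributed_emails(db, id_member):
    """After reattribution, make poster_email match the owning account."""
    current = ("(SELECT email_address FROM members "
               "WHERE members.id_member = messages.id_member)")
    with db:
        cur = db.execute(
            f"UPDATE messages SET poster_email = {current} "
            f"WHERE id_member = ? AND poster_email <> {current}", (id_member,))
        return cur.rowcount  # 0 when the account does not exist

if __name__ == "__main__":
    db = build_sample_db()
    n = guest_email_rows(db)
    print("guest posts with an email:", n)
    print("scrubbed:", scrub_guest_emails(db, expected_max=n))
    print("synced to shadow account:", sync_reattributed_emails(db, 7))
```

The two UPDATE statements use only standard SQL, so the same text applies to a production database once the table prefix and column names are confirmed; copies of the address held in backups are not touched by this.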

Re: Poster email addy

Reply #1

Interesting point - I had a user 'pass away' so I disabled his log-in ability (thusly retaining his posting history), and then had to go in and disable his email (I later got a bounce notification letting me know I forgot to check that).

I would think the best way to handle an account "deletion" is just to remove the sign-in validity and email - that is, "disabled". (Nothing in and nothing out to the user). The posts (and username) should be retained.
Ideally, a 'deleted' (disabled) flag in the database is all that is needed, along with the code for sign in and email activity checks to test for that flag - if present, no sign-in and no email activity.
(Admin can remove the flag - "undelete" - the account).  Maybe display an "*" next to, or some other indication (grey out?) to the username to indicate the user is no longer 'active' is more appropriate.
I would think existing user-posts reverting to "guest" would not be desirable, nor allowing the username to be "reused" by someone else.

In the past (other forums) I have had users 'disable' their accounts for various reasons, and then desire to return sometime later. Creating a "new account" for them is not as elegant.

Now, if an admin decides a user is "persona non grata", another flag - to 'lock' the 'disabled' account (banned) I'd think the best approach.

Additional discussion on how to display disabled and banned user accounts in the member list and board posts, and reactivation (yes or no) behavior is warranted.
Last Edit: January 30, 2022, 01:25:51 pm by Steeley

// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #2

Sadly the kind of “not really deletion” you are talking about is in fact inadequate under EU data protection requirements, and what ElkArte has is closer to what is legally required.

If you have deletion as requiring admin approval, the account is moved into status 4 (pending deletion) and the user cannot directly log in. However in the EU you have to approve the request unless you can demonstrate a satisfactory reason for not doing so (and several options exist)

I tend to agree about reattribution updating email etc. to match the current username and email, and I’m mildly mixed on deleting the email in the database.

The reason for this is because people can and do leave and come back. It’s an easy argument that posts don’t fall under the GDPR as such, but emails are more complicated. My plan - not yet enacted, it hasn’t come up - is to delete the account itself and then purge emails after 30 days, with a side note that emails may be retained in backups for longer since purging from backups is not required if not technically feasible (and it isn’t). This is, for the record, perfectly adequate under the GDPR if you declare this is what you are doing.

In my case scheduling a job for 30 days in the future is no drama, I have a system in place for scheduling one-off tasks to either happen ASAP (but out of main execution, similar to scheduled tasks) or at a point in the future.

As for not showing in the member list etc, pending-deletion is already excluded from the user-facing areas and PMs to the account are disabled.

Re: Poster email addy

Reply #3

Gee - does "account deletion" per GDPR include the quoted replies too?  :P

(We need a sarcasm font).  :D

Edit: Personal Opinion - Compliance with whatever arbitrary edicts are proposed by the politics of various jurisdictions should be the responsibility of the admin as {insert your preferred pronoun here} chooses to comply, not imposed by the software package. If the package allows such compliant configuration, that's fortunate.
Last Edit: January 31, 2022, 11:25:48 am by Steeley

// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #4

It’s a valid question. The answer is broadly no, for the same reason that posts themselves are generally excluded from such deletions.

If a post contains personally identifiable details, forum owners are generally expected to sanitise that, ditto if quoted. But one hopes that people don’t generally post that sort of thing from the off…

One thing I would note, EU legislation usually gets sneered at, but more people are subject to it than to any of the US legislation - even without the UK, the EU is over 400 million people, who all have to comply with this. (And the UK has its version of this, pushing the number surprisingly close to 500 million people.)

Re: Poster email addy

Reply #5

Good discussion - I'm reminded of an old quip "Indecision is the key to flexibility."

In my case, the forum serves (among other purposes such as camaraderie) to capture personal recollections of common events, and these are for historical record. So, the removal of posts and/or sanitizing attribution upon account disable/removal is explicitly counter to the primary purpose of the forum. 

As an "open source" software package, I'm not quite sure who can be held "responsible" for legal compliance (the nasty issue of "enforcement" that is the soft underbelly of every law), and so, logically, and practically, that burden can only fall upon the admin who uses it.

(And for the record - 500 million is just 6% of the global population  ;D )
Last Edit: January 31, 2022, 11:48:08 am by Steeley

// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #6

I'm in those 6% of the population, I feel lucky 8)
sorry for my bad english

Re: Poster email addy

Reply #7

The responsibility lies with the site owner in all cases. It isn’t really a valid defence to say “it’s all the platform’s responsibility”.

And yes, in your case it runs counter to the point of the forum. You can disable account deletion, or make it “requires admin approval” as I have on my setup.

Thing is, the laws are not entirely set in stone. In your case for example you are documenting things for matter of public record and in that situation you would have valid reason to carry out data processing without explicitly relying on user consent, which also means you have some legal recourse in absence of user consent (I.e. requesting account deletion).

The reason I bring up the population count is because I hang around various forum environments and get into a number of tubthumping debates about how stupid the EU is as though it’s some tiny country that no one should care about, and that I’m stupid for caring about it, and I just wanted to head it off at the pass that while it might be astoundingly stupid in various ways (and it is), the reality is that it affects significantly more people than some think.

Re: Poster email addy

Reply #8

Quote from: radu81 – I'm in those 6% of the population, I feel lucky 8)

I'm in a different 4%, and I feel special too..   8)

Quote from: Arantor – The responsibility lies with the site owner in all cases. It isn’t really a valid defence to say “it’s all the platform’s responsibility”.

And yes, in your case it runs counter to the point of the forum. You can disable account deletion, or make it “requires admin approval” as I have on my setup.

Thing is, the laws are not entirely set in stone. In your case for example you are documenting things for matter of public record and in that situation you would have valid reason to carry out data processing without explicitly relying on user consent, which also means you have some legal recourse in absence of user consent (I.e. requesting account deletion).

Yes indeed.. we have a hard enough time keeping up with software compatibility, never mind dynamic political legal issues of various jurisdictions.

As long as the package allows configuration the way the owner/admin wants and needs it to function within the technical and geopolitical environment (s)he is in, whatever and wherever that is, it's all good.

If platform compliance is a desired thing for some admins, someone might be tempted to make a nice little sideline with customization plug-ins to configure the software defaults and options in compliance with various political jurisdictions (but not me, man. I can't afford the necessary lawyers or the staff that would be necessary to "maintain certification" standards theoretically set by the various governments and defend myself against any alleged transgressions).

Quote from: Arantor – The reason I bring up the population count is because I hang around various forum environments and get into a number of tubthumping debates about how stupid the EU is as though it’s some tiny country that no one should care about, and that I’m stupid for caring about it, and I just wanted to head it off at the pass that while it might be astoundingly stupid in various ways (and it is), the reality is that it affects significantly more people than some think.

I wasn't implying EU requirements should be ignored just because I don't need to use them or may not agree with them (in fact, I'm entirely ignorant of them because they don't apply to me). My basic philosophy is that the "Forum owner" owns the platform, and should be free to do anything (s)he wants with it. The admin will generally select a package to use based on its available options and ease of configuration and use and the members will ultimately decide if it works or not - and it's really nobody else's concern. I'm a bit of a libertarian in that regard.

No, I was casting aspersions on the notion I saw in your reply..

Quote from: Arantor – Sadly the kind of “not really deletion” you are talking about is in fact inadequate under EU data protection requirements, and what ElkArte has is closer to what is legally required.

...that any aspiring "controlling legal authority", be it EU, or US, or any other, should govern how EA is allowed to be configured or function (regardless of whether it claims 6% or 60% of the population). 

(I almost quipped about trying to use forum software officially compliant with the on-line laws of, say, the "Democratic People's Republic of Korea", to provide an extreme example of the undesirable effect of that philosophy).  

There's a huge philosophical difference between "can comply" (option) and "shall comply" (required), and if I read your meaning wrong, then we're potentially in the amusing situation of "contentious agreement".  :-[

// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #9

Back to badmonkey's post for clarification..

Quote from: badmonkey – If a member deletes their account, their posts are reattributed to "guest". Admins may subsequently reattribute the "guest" posts to a different account. Either way, the database messages table retains the original member's email address in the poster_email column.

Since nobody yet has deleted their account in my forum, I haven't observed the resulting behavior of them doing that. Are you saying reverting all the posts to "guest" is what EA does if a user deletes their account? 

Pending further detail, for the time being I've gone back in and removed the ability for anyone to delete their account..


// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #10

Quote from: Steeley – Back to badmonkey's post for clarification..

Quote from: badmonkey – If a member deletes their account, their posts are reattributed to "guest". Admins may subsequently reattribute the "guest" posts to a different account. Either way, the database messages table retains the original member's email address in the poster_email column.

Since nobody yet has deleted their account in my forum, I haven't observed the resulting behavior of them doing that. Are you saying reverting all the posts to "guest" is what EA does if a user deletes their account? 

Pending further detail, for the time being I've gone back in and removed the ability for anyone to delete their account..

If an account is deleted, posts still reflect the former user's screen name, and "guest" below it. Admins may perform a member maintenance routine in the ACP to reattribute all guest posts to a particular account. Therefore theoretically if a member rejoined, they could create a new account and the admin could credit it with the outstanding posts. This should work assuming the admin attributes guest posts to some account each time a member deletes their account. Perhaps the admin could create a shadow account for each such instance not including any information from the former member - therefore belonging to the site itself and not compromising the former's privacy. Even then the database retains the poster's original email attributed to the former's account at the time the post was actually created. 

I'd almost prefer members register using a disposable email. I use clever registration questions and have registration email disabled on a million plus post forum. Spam is rare. Rare to the tune of maybe once or twice per year. Password recovery usually takes place through the Contact Form, also amazingly rare.  

Re: Poster email addy

Reply #11

Thanks Badmonkey - I did search the EA site for more info on Account Deletion issues and that along with your response clarifies what EA does (and doesn't do) quite a bit. 

My first thought, from a member's perspective, is that, if a user wants to "preserve their privacy", they appear to have the ability to "sanitize" their own profile before disabling their account, at least as far as what can be seen by other users, or even the admin, so the user has complete control over what personal profile info remains after they are no longer active, right?
If they posted 'private' information that's a different issue, and one I'm not sure short of allowing a user to edit every post they've ever made or deleting every post, can be resolved, and alas, either option can just make a mess out of a forum's threads. But again, what is posted by a user is entirely in the user's control at the point of posting and for some period of time afterwards. After that, the user "owns" whatever the 'privacy' repercussions result. (The best analogy is just like dropping a letter in the mailbox - what happens after that is no longer in the sender's control, and the recipient(s) has no legal obligation to burn it or otherwise "sanitize it" for you later).

So I guess I'm not getting what burden (or why) GDPR is putting on the Forum owner on behalf of the user, but not being subject to that jurisdiction I guess isn't my concern (other than structural changes to EA due to GDPR - or any other aspiring legal authority - that forces me to comply with it anyway - that's my only concern).  

Now, from an Admin's perspective a disabled user account has some technical/functional concerns regarding the former account - which I think is limited to on-going interaction with that user account - as in 'none': no more log-in, no more email in or out, and other users can't PM with it. In the latter situation what the other users "see" regarding that account warrants discussion - such as whether it just "disappears" from their PM list, or provides some indication that the account is no longer active instead.

So I guess from the user's perspective I see the terms "account deleted" and "account disabled" as distinctions without a functional difference, and perhaps the word "deleted" should be avoided since it appears to imply "record removal" and invites such "legal ramifications".

From an admin perspective, deleting an account is only to "clean up the user database", which would then allow that user-name to be reused (with the associated historical postings concern there), or in the case of a huge forum (a million+ users over time?) to keep the database from overflowing allocated server space or bogging down. 

In the past I've handled that "clean-up" by archiving all posts in threads and accounts ended earlier than a certain point in time, and then purging user accounts that were inactive at that point (since there will be no posts or PMs remaining for them).  And it's not a trivial "button-push" task by any means.

In my case, the archive data is typically also available to current users as a static record (in the case of EA, a separate "board" that acts as a portal to the archive(s) that I can restrict via permissions if desired - I've got archives going back to 2001 for example).  Once I've archived and purged, there's no way to "reactivate" an account and bring it back from "archive".

But as for an "active" (as opposed to archived) forum, in my mind whether an account is "disabled", or "deleted" is just semantics (it's not - or should not be - actually "deleted") - the user can either log-in and participate. Or not, and if not, the forum should just disable account log-in, any further email and PM activity for that account.  What happened before that is, as they say, "history".


// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #12

The reason it’s the site owner’s responsibility is that, as site owner, we are keepers of peoples’ personal data. As such we have responsibilities as to how this data is used.

Notionally the law was written to curtail the likes of Facebook harvesting much more data than you theoretically give them, and to ensure that what data is given can be taken back - the idea being the freedom of the user and the rights of the user being protected.

The reality is unfortunately lacking compared to the theory. Much was made of the headline penalties - 2% of global revenue (not profit) or €10M whichever is higher. (These can be extended to 4%/€20M in really bad cases.)

Anyway, if I join a forum and later decide to leave, I might not care that they have my email. I might, on the other hand, care very much that they don’t have my email so they can’t use it to contact me for any reason. There are plenty of valid reasons why this might be an outcome that is intended and we should not judge the validity thereof for any given situation.

But account disabled vs deleted is a complex distinction and under the GDPR this is explicitly discussed; disabling an account is not deletion and if consent to use a user’s data is withdrawn and no prevailing legal basis exists for you to keep that data, you need to remove it within a reasonable timeframe and subject to your data protection policies.

Re: Poster email addy

Reply #13

OK, it still seems to me that EA allows literally all of a user's personal information, including their email addy, to be editable in their profile, so therefore it is within the user's ability to "sanitize" their account prior to "disabling it".  But more to the subsequent contact issue, if EA disables email communication upon account disable (which it should), any email contact concern goes away.  

EA does not appear to do that, however... In my original reply I noted I "disabled" a deceased user's account, and in this case, I simply "banned" it, which seemed the best way to keep the account from being reused while retaining the posts. That did not appear to stop subscribed emails from being sent to that email address, however. I didn't check to verify an email submission to the Forum from that account would be rejected, but I assume it would.

What should also occur is that a "disabled account" should sidestep any email authentication requirement settings (if that function is used)

As for a Forum admin using a forum-member's email address outside the platform, that's beyond anything EA can do to prevent - it's in the database and can be harvested there. However, the user can certainly change it to something like "xxx@xxx.xxx" and solves that issue. (Perhaps "banning/disabling" should also do that - or at least be an option for admin configuration to provide GDPR compliance capability?).
 
Anyway, users "withdrawing consent to use their data" can not realistically apply to their previously posted content. I don't know about elsewhere, but US Copyright Law pretty much limits an author's rights to the commercial aspects of published work, and doesn't extend to the right of recall once published (in this case, the user hits "post"). At that point "that ship has sailed" so to speak and subsequently falls under the jurisdiction of the "Fair Use" provisions of US Code Title 17 (caveat - unless specifically stated otherwise in an explicit contract between the author and publisher).

I think Badmonkey's concerns (and mine also) would be addressed by EA "corrupting" the email address of a disabled account (or at least allowing them to be automatically "corrupted") when an account is disabled. (Do I have that right, @badmonkey ?)

As it stands, reactivating a disabled account later requires user-request to the admin for intervention and approval regardless of how or why it was disabled, so nothing needs to change there, in that regard.

(Maybe I should note that users "privacy" is such a forefront concern in my forum that, first, nobody can even access the forum sign-in page without previous authentication, and then I specifically refuse members use of any gmail account in their forum email settings due to google's data-harvesting practices.  I offer them a free email account on the server if they don't have an alternative. It's not bullet-proof by any means, but it does limit the most egregious privacy vulnerability.)
Last Edit: February 02, 2022, 05:55:19 pm by Steeley

// Deep inside every dilemma lies a solution that involves explosives //

Re: Poster email addy

Reply #14

What about this scenario?
- member registers on your forum
- member is posting some illegal material on your forum
- you (as admin) don't see or notice that illegal stuff and nobody reports it
- member asks for deletion and you approve the account deletion
- the illegal stuff remains on your forum
- you (as a forum admin) receive a complaint about that illegal material
Now what do you prefer? Having some info about that post (like email, IP, etc) or having none of that info?
sorry for my bad english