XYMer's Home away from Home

Due to European Union GDPR rules that are technically impossible to implement, and sometimes at odds with fundamental web technology, as of March 25, 2018 this site can no longer accept new memberships from European countries

Existing accounts belonging to users in the European Union must either be closed or the users need to swear under oath that they no longer reside in the EU, are not EU citizens, and will never return. We are not pleased with this development, but the threat of 20 million euro fines for non-compliance with something that is impossible to comply with have a special way of focusing your attention.

Here's our new privacy policy. Have fun.

Privacy Policy

This policy explains in detail how “XYMer's Home away from Home” along with its affiliated companies (hereinafter “we”, “us”, “our”, “XYMer's Home away from Home”, “https://x704.net/bbs”) and phpBB (hereinafter “they”, “them”, “their”, “phpBB software”, “www.phpbb.com”, “phpBB Group”, “phpBB Teams”) use any information collected during any session of usage by you (hereinafter “your information”).

Your information is collected via two ways. Firstly, by browsing “XYMer's Home away from Home” will cause the phpBB software to create a number of cookies, which are small text files that are downloaded on to your computer’s web browser temporary files. The first two cookies just contain a user identifier (hereinafter “user-id”) and an anonymous session identifier (hereinafter “session-id”), automatically assigned to you by the phpBB software. A third cookie will be created once you have browsed topics within “XYMer's Home away from Home” and is used to store which topics have been read, thereby improving your user experience. Two additional cookies are set to record that you've accepted our GDPR policy and that you've agreed to allow the site to set cookies (this pointless and irritating exercise is legally mandated by the European Union -- please complain to them that it's utterly pointless and has no purpose other than to spam users with obnoxious cookie notifications on every site everywhere).

The second way in which we collect your information is by what you submit to us. This can be, and is not limited to: posting as an anonymous user (hereinafter “anonymous posts”), registering on “XYMer's Home away from Home” (hereinafter “your account”) and posts submitted by you after registration and whilst logged in (hereinafter “your posts”).

Your account will at a bare minimum contain a uniquely identifiable name (hereinafter “your user name”), a personal password used for logging into your account (hereinafter “your password”) and a personal, valid e-mail address (hereinafter “your e-mail”). Your information for your account at “XYMer's Home away from Home” is protected by data-protection laws applicable in the United States. Any information beyond your user name, your password, and your e-mail address required by “XYMer's Home away from Home” during the registration process is either mandatory or optional, at the discretion of “XYMer's Home away from Home”. In all cases, you have the option of what information in your account is publicly displayed. Furthermore, within your account, you have the option to opt-in or opt-out of automatically generated e-mails from the phpBB software.

Your password is ciphered (a one-way hash) so that it is secure. However, it is recommended that you do not reuse the same password across a number of different websites. Your password is the means of accessing your account at “XYMer's Home away from Home”, so please guard it carefully and under no circumstance will anyone affiliated with “XYMer's Home away from Home”, phpBB or another 3rd party, legitimately ask you for your password. Should you forget your password for your account, you can use the “I forgot my password” feature provided by the phpBB software. This process will ask you to submit your user name and your e-mail, then the phpBB software will generate a new password to reclaim your account.

This privacy policy has been compiled to better serve those who are concerned with how their 'Personally Identifiable Information' (PII) and personal data are being used online. PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please continue reading our privacy policy carefully to get an understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our website.

What personal information do we collect from the people that visit our blog, website or app?

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, phone number, or other details to help you with your experience and to make the site work in any sane way whatsoever.

For purposes of the GDPR and EU citizens or residents, what personal data do we collect any why do we collect it?
- Your IP address, since it is necessary for sending data to your browser, securing your session, tracking abuse, and preventing spam.
- A username that you provide if you sign up as a member of the site.
- Your email address, necessary as a security measure to prevent spam and abuse against the site, and in order to send notifications about site changes and notifications that you request. Members may change or delete their email address at any time by contacting the site administrator through a private message to our Benevolent Dictator BDAqua.
- Your site settings and preferences, if you become a member of the site.
- Anything you or anyone else voluntarily enters in to the site, including but not limited to: sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, photos, videos, and personal communications. This is necessary because this is a forum site and we cannot, do not, and will not vet absolutely everything that anyone could ever possibly enter in to a new thread topic, comment, response, private message to another user, etc.. Really, as an online forum sharing stuff like this is the entire point of the site's existence even if the GDPR make that sort of thing effectively illegal. Consider yourself warned!

How long will data be stored?
- In general, forever, unless you ask us to delete it. We may not be able to fully expunge all personal data upon request because it's very likely it will be impossible to readily identify that some personal data belong to you. Much of the data on the site are unstructured comments, so if someone else posts your personal data, or quotes your personal data in a reply to something you post, or you are identifiable in a photography posted by another user, we will have no way to connect those data directly to you and will be unable to expunge it unless you tell us where it is. We may also not be able to delete all occurrences of your IP address, including the address you use to register for the site if you choose to do so, because in some cases we will need to retain that information to protect the site from spam or abuse. We also may not be able to delete ad-hoc personal data and IP addresses that are incidentally captured in log files, error files, (occasionally) documents uploaded by yourself or others, or if your personal are otherwise not connected to your member account due to database glitches, technical problems, or prior removal of partial personal data.
- Log files containing your IP address are periodically rotated but kept for varying periods of time, not more than a few months, in order to administer the site.

When do we collect information?

We collect information from you when you register on our site, subscribe to a newsletter, respond to a survey, fill out a form, Use Live Chat, Open a Support Ticket, provide us with feedback on our products or services when users post, or otherwise enter any information on our site.

How do we use and process your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

- To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.
- To improve our website in order to better serve you.
- To allow us to better service you in responding to your customer service requests.
- To administer a contest, promotion, survey or other site feature.
- To ask for ratings and reviews of services or products
- To follow up with them after correspondence (live chat, email or phone inquiries)
- The site internally processes data necessary to make site features work, such as sending notification emails if you have chosen to receive them. It is not necessary to choose to receive notification emails to use the site.
- The site administrators may also periodically examine the data to ensure the site is working properly, to investigate problems, abuse, or bugs. In rare cases the data may be queried to analyze how the site is used in order to improve site performance, reliability, or utility to its users.
- The site is completely non-commercial, includes no advertising, and no personal data or any other data are used by the site to target users with advertisements (with the previously noted caveat that anyone anywhere in the world is free to read almost anything you post on this site because it is a public forum and that's the ENTIRE POINT of the site). Jeez.

Also, the likelihood of the site doing almost any of that other than using your data to make the site's basic feature sort of do what you'd hope, like notify you (if you've opted to be notified in various circumstances) is quite low because the volunteers who run the site generally don't have a lot of spare time to do any of that, can't imagine why they'd market anything, have no products or services, run no promotions, nor attempt to personalize the site other than to upload a new theme option every decade or so.

How do we protect your information?

- We do not use vulnerability scanning and/or scanning to PCI standards.
- We only provide articles and information. We never ask for credit card numbers.
- We do not use Malware Scanning.

Your personal information is probably contained behind secured networks, although we can't entirely guarantee this because we use a hosting service and this is their responsibility. If they're doing a good job, and we have no reason to suspect otherwise, you data are presumably only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.

If you inexplicably enter credit card information in to this site it will be stored in perpetuity, or until you delete it or ask us to delete it, because this site is completely non-commercial and there is no mechanism anywhere on it to order anything. You can, however, enter your credit card information in any new forum topic you create, forum reply, private message, or profile field as you see fit. That would be stupid and pointless since, again, this site doesn't process credit cards, recognize them as anything other than some random text, nor serve any commercial interest whatsoever, but "stupid and pointless" is kind of a running theme in online privacy policies so we felt compelled to mention it here.

Do we use 'cookies'?

Oh please. Really? Yes, we use cookies, like every other site on the entire world wide web since, oh, 1996 or so. The intro paragraphs already addressed cookies pretty well, but here we go again. Cookies are like these little files that a site or its service provider transfers to your computer's hard drive through your Web browser (if you allow) that enables the site's or service provider's systems to recognize your browser and capture and remember certain information. For instance, we could use cookies to help us remember and process the items in your shopping cart if we had such a thing. They could also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services, but we've never done that either. We also don't use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future, but it seems like it's theoretically possible.

Instead, we use cookies to:
- Understand and save user's preferences for future visits.
- Maintain a user's login session while navigating the site.
- Remember that you've agreed to allow the site to set cookies.
- That you've agreed to the EU's GDPR notice.
- And to set a temporary unique ID while you're browsing the site for security purposes.

You can choose to have your computer warn you each time a cookie is being sent, which gets very annoying very quickly, or you can choose to turn off all cookies, or even block them for just this site if your browser supports it. You do this through your browser settings. Since each browser is a little different, look at your browser's Help Menu to learn the correct way to modify your cookies. Certain features of the site will break if you do so, but there's simply no practical way to prevent that.

If users disable cookies in their browser:

If you turn cookies off you won't be able to log in and all kinds of stuff will be unusable. We don't care if you log in, but if you've been a member for a while other users might miss hearing from you.

Third-party disclosure

Do we disclose the information we collect to Third-Parties?
We sell, trade, or otherwise transfer to outside parties your name, address, city, town, any form or online contact identifier email, name of chat account etc., screen name or user names, phone number, SSN, cookie number, ip address device serial #, unique device identifier, photo, video or audio file of child, and anything you enter in to the site anywhere. This forum is generally accessible to the public, so this sharing occurs anytime you post anything in a forum topic on the site, add it to your public user profile, or another user posts it about you. We already kind of talked about this. Seriously. It's a forum. You share stuff you want other people to see. That's the whole point.

How and with whom we share your personal information and sensitive personal information:
- Email address: 1) with no one but site administrators and forum moderators, unless you post it publicly.
- Your IP address: 1) with site administrators and forum moderators, 2) with any site to which another user creates a hyperlink that you click on, 3) any site hosting an image linked by this site itself or a user of the site who posts an inline image.
- Everything else: 1) with any administrator in the process of running the site, 2) with any user to whom you send such information in a private message or email using the site (I mean, if you write personal information in a private message and send it to someone, it should be abundantly obvious that person to whom that private message was addressed will in fact see the personal information you sent him/her -- we sincerely hope this revelation isn't alarming and hope you'll report a bug if your personal information are not successfully transferred), 3) with anyone anywhere on the Internet if the data are posted in a public comment, 4) to serve lawful requests by government authorities (we have never had such a request, and since we'd be legally compelled to do so anyway it seems kind of pointless that we have to say that here, but everyone else always puts that clause in their privacy policies so there you go).
- The site includes no "trackers," third-party analytics, advertisements, or behavioral targeting, but since the site is largely public if you post something that is publicly visible the site cannot guarantee that someone, somewhere in the world will not be able to use those data to track you, behaviorally target you, or customize ads on your behalf. To reiterate, THIS IS A PUBLIC FORUM SO ALMOST ANYTHING YOU POST HERE WILL BE VISIBLE TO THE PUBLIC. Really, do we need to keep saying this?? Anyway, the EU's GDPR probably outlaws this, but for the love of beans it's not our fault that the people who wrote the GDPR apparently haven't used the web since 1993 and seem to be unaware of this necessary, and often desirable, aspect of the world wide web.

We engage in this practice because:
We just can't guarantee your data won't be shared in these way during the routine process of running the site, never mind such thing as (without exclusion) unforeseen critical extenuating circumstances, demands from law enforcement, etc. Some of these data are also shared because they're part of your public profile and anyone visiting the site can see them, or because you posted them, or you clicked a checkbox requesting you be notified of events on the site. You are 100% welcome to lie about anything you enter on the site, except for your age if you're under 13 in the US or legally a "child" in your locality, and whether your reside in the European Union.

Personally Identifiable Information.

Third-party links

Occasionally, at our discretion or whimsy of any user posting such a link, we may include or offer third-party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Users are welcome to share images by linking them from third-party sources. If you view a page containing such an image your browser will make a request to that third-party site which will result in that site receiving your personal data in, at a minimum, the form of your IP address.

Transmission of data:
Most of our site is protected by SSL, but even with this protection at a minimum your IP address and the IP address of the server hosting the site will be visible to intervening routers and networks that transmit IP data to/from you as you browse our site. We have no responsibility for protecting your IP address as it is transmitted across the Internet to serve information your browser requests on this site, nor any other requests from your browser initiated due to content on this site, such as images hosted on third party servers. To minimize this leakage of personal data consider using a virtual private network or anonymization network

Google

Google's advertising requirements can be summed up by Google's Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolic ... 6548?hl=en

This site does not use Google advertising, nor any other Google resource, but the boilerplate from which this privacy policy was generated automatically included this section about Google. We have left it in place for your edification in case you're interested in that sort of thing. Really, anyone who's read this far probably is interested, so go check it out. No need to thank us. To reiterate, anything Google says about advertising is completely irrelevant to this site.

California Online Privacy Protection Act

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. Reminder: this is not a commercial web site. The law's reach stretches well beyond California to require any person or company in the United States (and conceivably the world) that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared. - See more at: http://consumercal.org/california-onlin ... RbT51.dpuf

According to CalOPPA, we agree to the following:
- Users can visit our site anonymously.
- Once this privacy policy is created, we will add a link to it on our home page or as a minimum, on the first significant page after entering our website.
- Our Privacy Policy link includes the word 'Privacy' and can easily be found on the page specified above.

You will be notified of any Privacy Policy changes:
- On our Privacy Policy Page

Can change your personal information:
- By emailing us
- By calling us
- By logging in to your account
- By chatting with us or by sending us a support ticket
- Pretty much by any other means you can communicate with a site admin.

How does our site handle Do Not Track signals?
We don't honor Do Not Track signals. We may track, plant cookies, and use advertising when a Do Not Track (DNT) browser mechanism is in place, at least we might if we had any advertising, but we don't and can't imagine ever having any. We don't honor Do Not Track requests because the site's administrators don't program in PHP and haven't a bloody clue how to honor DNT, think it's pointless anyway, and have no interest in tracking you other than making your login session work. Also, not using session cookies would hopelessly break the site. Caveat emptor.

Does our site allow third-party behavioral tracking?
It's also important to note that we allow third-party behavioral tracking: this is a public message board and almost anyone who hasn't been banned from the site can load it and scrape any content you post to gain behavioral insights. If you do not want to be behaviorally tracked by anyone on the entire Internet anywhere, then don't post stuff. We have no idea if any behavioral tracking occurs because that's entirely in the realm of unknown third parties.

COPPA (Children Online Privacy Protection Act)

If you're under 13 or legally a "child" in your local jurisdiction, you're not allowed to use this site.

When it comes to the collection of personal information from children under the age of 13 years old, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States' consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.

We do not specifically market to children. Actually, we don't market to anyone, but this site is definitely not built to attract children.

We also think COPPA is a pain in the butt, and the difficulty of conforming with it for a hobby site that has absolutely zero interest whatsoever in how old you are leaves us no choice but to block kids from participating in what would otherwise seem like a healthy and informative technology community. If you're a US senator, please change the law so it kind of makes sense for us.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:
We will notify the users via in-site notification as soon as we figure out the breach occurred and aren't so preoccupied with technical measures to fix it that we don't have time to post something about it.

We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.

More GDPR notice stuff for EU citizens and residents
This site shall not be accessed by residents or citizens of the European Union due to GDPR requirements that this site, and probably any non-trivial site especially one that allows user-posted content, are technically impossible to meet. If you are in the EU, do not continue browsing this site.

What are your rights involving your personal data as an resident or citizen of the EU?
- Probably none, except for any that may exist under US law, which is pretty thin in this area. More specifically, the European Union describes a great deal of rights it believes you have if you are a resident or citizen of the EU, without regard to the site you're visiting. This web site is not, however, aimed at a European audience, is run as a hobby by people outside the European Union, engages in no business activity, and it's unproven that the site, it's administrators, management, or anyone in any way involved with running the site in any way, is within the personal jurisdiction of the European Union as might be recognized by US courts. So while the EU is quite confident that you have every right laid out in the GDPR, the site's owners are cautiously optimistic you don't.
- The site's management will, however, make a reasonable effort to do what the GDPR asks because we like to be helpful, even though we suspect we're outside any reasonable notion of European jurisdiction.

National borders:
Due to the way data are routed across the Internet, it is very likely that your personal data will cross international boundaries when you use the site.

This site is run in the United States and is usually hosted and stored on computers within the territorial boundaries of the United States. If you are outside the United States your data will necessarily be transferred across international boundaries when you access the site. Depending on where you are this is probably illegal (we remain completely befuddled by this section of the GDPR), but there's nothing we can do about it and still run the site.

Parting thoughts:
- The GDPR is well intentioned, but is technically impossible for any non-trivial site to actually fully conform to in the real world.

I'm not asking for legal advice, but hypothetically if the site were owned by a limited liability company that recorded exactly $1 of annually gross revenue do you think the GDPR violation fine would be enforceable only as $0.04? If so, where could someone proactively annually mail this fine? Would this absolve the hapless operator of a site run by such a company of liability for a much larger GDPR fine or could the corporate veil be pierced? Are there any other technical or legal loopholes someone could -- purely as a thought experiment to help us all better understand the law -- exploit to the same end?

On an unrelated note, if you're a member and have no annual income would you like to become the new legal owner and operator of this site?

- Anonymous

I could easily enough keep lying, but for the sake of honesty and personal integrity, traits which I hold in high esteem, it’s time for me to admit that I’m 12 years old. Since this minimum age requirement appears to be new and, I might add, entirely arbitrary, I wonder if you can make an exception? I first registered in 2009, when i was 3, but have been a loyal contributing member since.

On a more serious note, are you really obligated to provide that ok/cancel popup every time we navigate somewhere within the site, or is that part of the joke? This is completely maddening, joke or not.

Edit: seems to have stopped, thank god.

Thank you for your question. This is not a new requirement, however, it's fine to lie about your age so long as your actual age is over the age of 12, even if you claim to be younger. I will add that to the privacy agreement.

- Anonymous

Oh never mind. It looks like fine are a minimum of 10 million or 20 million Euros, rather than a minimum of 4% global revenue: https://www.gdpreu.org/compliance/fines-and-penalties/

Would the LLC idea still work as a shield? If it got fined, it could just close shop and a certain site administrator wouldn't be bankrupted with no hope of recovery. It's not worth it for a hobby site that the administrator only administers out of goodwill and happenstance.

Any good geoblocking tools to keep EU visitors out?

- Anonymous

Is this our death knell?

Anon, not sure I understand, and mistook some of the obviously tongue in cheek for other actual, serious implications. Why or how does the GDPR reach to a site administered in the US, even for EU residents? In addition, beyond my IP and email address, how does x704 store or retain my "personal" information--what personal information, other than something I may give voluntarily in making a public post, which will obviously be available to anyone with an Internet connnection?

Wow, I am affected by GDRP every time I go pee now. I have to verify that I understand the ramifications of peeing despite understanding the Europeeans are under much more scrutiny than me.

-he who stacks pork

_________________
Powerbook 180, System 7.1, 100MB HD, 8MB
Surly 1x1, 9:zero:7 Whiteout, Chinese 29er, Salsa Juan Solo, Gary Fisher Rig, Surly Instigator, Surly Troll, Ahrens Slalom, Frankendale Cannonstein 650b
I enjoy picnics on the beach with hot and crazy women

There are several problems. First, the GDPR rules apply to all web sites that are accessed by people residing in the EU and that collect personally identifying information. This is essentially all public web sites, although it's at least possible to conceptually imagine an entirely static site, or one with sufficiently restricted access, that it's not subject. Few such sites exist. This site is certainly not one of them.

The second problem is that the definition of personal data is sufficiently broad that virtually anything the site collects can be construed as sensitive personal data. For example, in order to control spam and abusive accounts, the site collects and retains indefinitely IP addresses used to post comments, on a per-user basis, as well as access and error logs. Under the new rules, these are likely subject data. Beyond that, since the site collects and permanently stores user comments, anything anyone writes within a comment on the site could represent sensitive personal data, especially if they contain anything about religion, sexual orientation, political views, names, addresses, etc. Once posted, it's virtually impossible to control or unpublish these data. For example, they can be stored in backups (oh God, don't even get in to managing data in backups...it's literally impossible), quoted in replies, and archived by external services. A user's username, email address, and profile information, especially when taken together, are likely sensitive personal data that can uniquely identify an individual. Whether or not the information is available to others through other sources/channels does not appear to be relevant to the determination that it can be used to identify you. If you post something uniquely identifying in a private message, that is certainly personal data.

It also doesn't appear to matter that, for example, sometimes an IP address isn't personally identifying -- you need to assume it is because in some cases it might be. Since IP addresses will sometimes be personally identifying, and you have no way of figuring that out reliably before collecting it, you have to treat all of them that way. Similarly, someone might register their real name as their username. When someone registers, a site administrator may research (that is to say, "share") that email, username, and IP address to make sure the user isn't a spammer or bot. Etc, etc...

Third, compliance requires data portability. We cannot provide for download, or by any other mean, all the data that user ever posted, uploaded, or that the site collected. Facebook can afford a team of 30 full time developers to construct a feature to do that. We cannot. We can't even identify all the data implicitly associated with a specific user, let alone make it available in some unspecified "portable" format for transfer/download.

Fourth, the rules require we be able to delete data at the request of a user. Even if we could find all the potentially personally identifying information on the site associated with a specific EU resident, which we can't as noted previously, we can't reasonably delete all of it for practical, security, technical, and logistical reasons. We can usually delete an account and all the posts directly linked to it, but can't guarantee it'll be fully purged and can't clean it from backups. I don't even know enough about the database structure backing the site to say for certain that deleting an account won't leave breadcrumbs somewhere.

Miscellaneous concerns include, that consent must be given to share or record data, but in many cases it's impossible for us to know with whom those data might be shared, that parental consent is required for children (which is an administrative nightmare to manage -- the US COPPA law is why anyone under the age of 13 isn't allowed to use the site) and that consent be revocable. The rules also require consent and can't deny access to a site because a user doesn't want to share their data, which is technically impossible with most conceivable forum sites because it's unclear how the data may be shared in practice even if the site doesn't use third-party analytics tools, ads, etc. It's also impossible to allow registration for the site without collecting these data! OK, I suppose it's possible, but only by redesigning the site from scratch and disabling many features, both on the front end, and useful management tools on the back end. That's right out.

The global reach of the rule is a serious concern. So far it's too early to have any cases demonstrating that it is/isn't possible for the EU to collect fines against American entities in American courts, but legal reciprocity may put Americans in danger even if they have no business in the EU and don't target EU residents. Specifically, civil judgments in the EU likely expose Americans to financial peril due to the Uniform Foreign Money Judgments Recognition Act that is in effect in most states, depending on a few technicalities. Beyond that, if an American were fined and traveled to the EU in the future they would also at that point be subject to direct enforcement. I don't know that I will never want to travel to the EU or to any country that might decide it's willing to enforce an EU judgment against me, even if American courts pass on that opportunity. The potential for enforcement in US courts is even greater since it allows for EU residents to file civil suits on the basis of noncompliance. Since US news sites are blocking visitors from the EU it's clear that they don't believe US laws will protect them. The rules are very clear that the EU intends to hold them as binding on sites that otherwise have nothing intrinsically to do with the EU. The fact that this site is sometimes hosted within the EU only adds to the risk.

The putrid icing is that not only does the rule reach across national borders, each individual EU member nation, or any number of people in any combination of member nations could issue a civil fine or sue under the rule. On that basis the hapless volunteer site administrator could get hit with 20,000,000 Euro fines from 28 nations totaling 560,000,000 Euro -- approximately 655 million dollars. The only good news is that at least they'd be unlikely to collect the full judgment. At best, in the event of a lawsuit the administrator would still be on the hook for onerous legal bills even if the judgment were very quickly rendered unenforceable.

There appear to be rules about moving personal data out of the EU that I haven't even read yet because I'm still overwhelmed trying to comprehend the rest of the mess. What does it mean to move data on EU visitors out of the EU? Does it matter where the server is hosted? Does it matter that the hosting company is located in the EU and randomly moves the site from one physical server to another every year or two? I haven't a fucking clue. What about when an admin downloads a database dump as a backup? At this point, I assume the worst.

Finally, the regulations themselves are complicated, broadly written, sometimes diffusely defined, and untested in court so there's little clarity about what's actually allowed and not allowed, let alone how, how vigorously, or where it will be enforced. Other forum administrators are concerned about this, and some have canned project because forum sites in particular seem virtually impossible to bring in to any semblance of compliance. Since a minimum fine for noncompliance is 10,000,000 Euros it's not worth the risk for small hobby sites.

I think all the regulars to this site know pretty much how I feel about collecting and sharing personal information. Just look at my username if you're not. But rules don't give brownie points for good intentions, and the technical hoops you have to jump through to make a social networking site (which all forums are really) compliant is absurd. It starts at reconfiguring logging at the lowest server layers, and gets worse all the way. An old version of an off-the-shelf forum package running on a cheap shared host simply cannot be made compliant. Yeah, if this were an online store, or news site, or something else, it would be doable, especially if it were a profit-making business with on-staff developers. But it's not and never will be, and up until now that was generally a good thing.

Ironically, all that was actually good for your privacy: this site doesn't want your personal information and doesn't use it for anything other than making the damn site work. It is not monetized, sliced, diced, analyzed, shared, cross-referenced, or anything else. You can have an account for posting things if you want to. Other people can read those posts if they want to. You sign up with your email address for security and optional notifications if other people respond to you. Yet now all of that is now very, very complicated and legally fraught.

I really have no idea what to do. Shuttering the site or perhaps leaving up a static copy of it from this point forward is one option, but obviously a bad one. Geoblocking all European IP addresses is another, and even that probably isn't good enough. Hiding beyond legal fictions is better, if it would work -- and I don't think it would because it appears that even if the site is owned by a corporation, the administrator responsible for the data is still liable for any breach of the rules. I really don't know what to do.

- Anonymous

I'm going to ask, or at least try to find out, at several small to medium boards of which I am also a member how they are managing this. Interesting that so far, I've seen no new or updated privacy agreement when I visit Apple discussions. Did I somehow miss it?

I wonder if there might be some place where admins or members of smallish message boards are coming to discuss how to proceed.

The way you've described this, what a fucking Kafkaesque nightmare! And I fully realize how limited your time is to deal with this legalistic crap and all its ramifications. Thanks for trying to keep us going, even if it means clicking through those onerous popups.

And for what it may be worth -- which might be nothing -- reddit is dealing with the agreement side of this by using a simple click through with link and "Got it":

So, I'm a Vermonter - so OK to be here, no loyalty oath required, but...

I'm testing uBlock (on Safari) but I don't quite know what I'm doing - I don't like Safari, haven't had time to fuss with and install WaterFox, but Safari seems faster.

Anyhow, when I came to XYM for the first time since installing uBlock, I got first one message to which I said OK, and then got the second.

Is this what this is about?
I tried to whitelist xym in hopes of making this stop. We'll see...

IMPORTANT GDRP NOTICE! If you are located in the European Union you may not visit this site and MUST NOT click OK to continue.

This site collects confidential personal information. Some personal confidential information, such as your IP address, must be collected and retained in order to make the site function at a technical level. To prevent the collection of most other confidential personal information, do not create an account or log in. If you do create an account or log in, personal information will be collected and probably stored indefinitely because it's intrinsic to the operation of the site. You can limit this collection by generally lying about most of your personal information when you're asked to supply it, by not adding it to the content of your posts when commenting on the site, and by adjusting your account settings. If you lie about your email address you will have trouble registering, but you can change your address later or use a burner address. Doing so may impact some features of the site.

You may not lie about your age unless you are at least 13 years old. No one under the age of 13 is allowed to use this site in any way due to the COPPA law in the United States.

Are you sure you want to continue?


I clicked OK,

Then I got this:
IMPORTANT!

This site uses cookies. Cookies are used to maintain logged in sessions and retain some site preferences between visits. If you do not consent to the use of cookies, then either configure your web browser not to accept them from this site or do not use the site. Disabling cookies will definitely make the site unusable for your if you're a site member, but you're free to give it a try. This is a technical limitation for which there are no practical or sensible workarounds.

Are you sure you want to continue?


So far, so good after clicking OK to the second message. We'll see if the whitelist worked. Hopefully I'll not be using Safari for long so this won't matter, but uBlock may be faster than NoScript (and no receiving payment from sites to be added to a whitelist)?

_________________
Mrs H

Nothing to whitelist. Nothing to do with uBlock or Safari. Related to GDPR, see https://en.wikipedia.org/wiki/General_D ... Regulation and its effects on this site--those are accept/deny privacy notifications. Specifically, you can read through Anon's post just above.

Yes I skimmed it.

The problem is - with Safari at least - and I know you don't use it, but I've not installed WaterFox yet, and I am still trying to see if Safari is faster than Firefox, and I installed ABPlus and uBlock Origin...

I keep getting the message I quoted above - my "so far so good" was in error - I click on my toolbar link to XYM and have to go through the OK bit, twice. So that's why I tried whitelisting - to no avail. I'm not a happy camper just now - nothing to do with XYM just trying to figure out what to do here - WaterFox may be the solution. Still wondering if ABP is also a culprit in the slowdown which is why I looked to uBlock which gets good reports elsewhere and even here.

_________________
Mrs H

Again, nothing to do with uBlock or whatever browser you use. Everyone is getting those, regardless of browser or any specific addon, like NoScript or uBlock. Was actually much worse for a short time last night, where doing anything brought those two up.

Btw--gentle nudge under the table--this topic really isn't the place to discuss browser preferences or difficulties.

I hope to clean stuff up this evening (Pacific time).

- Anonymous

Sorry - I didn't mean to do something wrong.
Just thought that the messages I was getting had something to do with this recent notice.
My bad.
Do you want me to delete my post?

_________________
Mrs H

Don't worry about it.

- Anonymous

I, for one, am happy to find out that my occasional claims to be 3 or 4 years old in online chat don't constitute a breach of GDPR.

Anon, I suspect that if you put the ownership of the site in the hands of a third party, even if it's a LLP or corporation, that the penalties would be assumed by the LLP or corporation.

A certain individual we all know grew very wealthy by letting the shell company own the property while he received payments from the shell company, so when the property went belly up he got to keep payments (and wasn't on the hook for liabilities related to the shell's implosion). However you may have to hire a lawyer unafraid of swearing at and threatening people even when he knows the conversation is being recorded in order to create such an entity.

Personally I think that, logically, if you put a disclaimer on a site stating that it is not GDPR compliant and that if individuals continue they are willingly breaking GDPR and are responsible for any complications related to GDPR you should be free and clear. Of course the actual regulatory framework says no such thing which is why GDPR is such a complete and utter clusterfsck.

I insist on taking responsibility for the site.

BD, you already have complete control over both the site and the domain, but aren't listed in the whois contact records. Either one of us can change it there. I have your full name, address, and phone number written down somewhere, and probably in a few PMs, but it's not bubbling immediately to the surface. If you send it to me, yeah, again, I'll update the whois records to point to you...

This doesn't get me completely off the hook for the technical impossibility of doing what the law says because I am currently responsible for the site's abject failure to implement the law, but at least it's a start.

The technical measures that are effectively impossible to deal with include, but are not limited to:
* Deletion of personal data when requested, and offering some mechanism for someone (user or not) to object or withdraw consent to further processing of their data,
* No longer requiring an email address as a condition of registering and using certain features, i.e. making consent a precondition of a service without turning the site in to 4chan,
* The inability to preemptively block all cookies and still use the site (this issue existed before GDPR),
* The inability to have people opt out of storing data outside the EU,
* The impossibility of characterizing and managing personal data in unstructured data, such as forum posts and images uploaded by members (all Internet sites other than Googe and Facebook that accept user content are probably similarly affected -- Google and Facebook can afford and have actively invested in AI to tag and identify faces in photos and makes sense of unstructured data), which boils down to even knowing that personal data exist that require protection,
* Personal data relating to children, such as an IP address, will be recorded in a non-GDPR compliant manner as soon as the child visits the site, so there's no way to get parental consent prior to recording the data,
* There's also no GDPR compliant way to block children from accessing the site,
* Researching new member sign up to make sure they're not by spammers, which usually requires sharing an IP address, email address, and/or username on an ad-hoc basis with arbitrary third parties such as search engines and abuse databases to ensure they're not associated with previously identified spammers,
* The impossibility of telling users with whom their personal data may be shared when it's posted, potentially by third parties, to a public web site,
* That some data doesn't become personal data or sensitive personal data until it's viewed in the context of other otherwise innocuous data. For example, if I know your name is Bob, you live in Berlin, drive a yellow car, collect stamps, and have two cats named Felix and Fluffy, then your data suddenly become personal data (even if we didn't already have personal data, which we would) because although each of those traits is useless on its own, taken together they now have a good probability of uniquely identifying you.
* Dealing with log files and forum posts that contain IP addresses (all posts are linked to the IP from which the comment was posted),
* Getting consent to post and subsequently protecting or responding to inquiries/requests relating to data of non-users uploaded by a user, without the site management's knowledge,
* Offering right of access to data under the preceding complications,
* Since the site runs on a commercial hosting service, it's impossible to verify what access or data are maintained by that service for which the site is still legally responsible, and it doesn't help that the commercial hosting service itself leases server capacity from larger hosting services,
* It is impossible to preclude the possibility that the site will process sensitive personal data pertaining to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation" due to the preceding complications,
* Any mechanism to inform someone of what personal data are stored (see preceding complications),
* Preventing data of children from being processed,
* Offering data portability,
* Identifying sensitive data,
* Explaining how all the things we can't do will be done in a GDPR compliant manner.

There are also a few things that can possibly be fixed by someone sufficiently familiar with theming phpBB sites:
* Linking to the privacy policy at the top level of the site,
* Showing the correct privacy policy during the sign up process,
* Switching to less invasive GDPR and cookie notices.
* Clearly name the organization and/or those responsible for curating data.
* In the privacy policy note that the site's data are stored outside of the EU because everyone who runs the site lives outside the EU and we're using a hosting service with a server outside the EU.

...And legal impracticalities:
* The requirement for us to draw up a contract, hire, and designate a mandated EU data-processing representative who will cooperate with EU legal authorities to handle our unfixable non-compliance and render him/her self subject to any enforcement proceedings. This is absurd on several levels even if we had more than $23.75 to spend on such an initiative. Absolutely no one in their right mind would take the job.
* The term "children" is ambiguously defined so there's no realistic way to even know that a "child" is a child for legal purposes in this context.

If the EU would just amend the damned law to say something like "if you didn't ask for it, don't want it, and don't know it's there, then you're not liable to handle it in the otherwise mandated framework" then we'd probably already be mostly OK. Sadly, the law makes no distinction for personal data we request and any personal data (or God forbid "sensitive" personal data) that might somehow land in the database because all the site's content is member driven.

- Anonymous

It's unlikely they relate to the GDPR unless you also include other details that personally identify you.

There are, however, two concerns:
1) COPPA, a US law, precludes this site from offering accounts to persons under the age of 13. That's why you can lie about your age as long as you are actually 13 or older.

2) The GDPR does have special rules for children, which precludes us from making the site available to children. It's unclear what "children" means in this context. It's probably defined 28 different times in 28 different countries.

In both cases it might be possible to make the site available to people under the legally defined age, whatever it might be, if there were some way to achieve meaningful parental consent prior to a child using the site in any way that could result in a record of personal information. Unfortunately, at in the context of GDPR, this is also technically impossible because simply loading the page will record personal information in ways and places that are virtually impossible to reconcile with the law. There is also no mechanism to receive parental consent, let alone meaningful parental consent, and it's unlikely there ever will be. It would be possible in the case of COPPA because COPPA doesn't define IP addresses as personal information. And at least for COPPA someone could plug in a fax machine somewhere to receive these releases, but that's not going to happen. For the GDPR implementing some notion of meaningful parental consent is as far removed from practicality as visiting the Andromeda galaxy.

- Anonymous

Hard to to see how they'd bother with our tiny site, but if it comes to all the ulra-nano print and the paranoia from every conceivable scenario--paranoia justifiable or realistic or not (and not saying your response isn't justifiable--I'm not in your shoes), then fuckit might as well close up shop. Will be very sad if it comes to that. This place has been an important part of my life all these years.

EDIT Could be you addressed this issue above: from what I understand, shutting down the site still wouldn't be a solution, since as far as I understand it, full compliance means that anyone whose "data" (god only knows what that term would mean for x704) resides at a site has to be able to extract and remove it on demand, which wouldn't be possible if the site went 404. Or maybe could be dealt with by keeping the site open, but not allowing anyone to post. Fuck knows.

Completely shutting down the site would solve the problem because all the personal data would be deleted. This is, however, not a good solution.

Instead, BDAqua is taking over official management of the site. This is convenient because if some raving European bureaucrat wishes to sue him in to oblivion he'll a) be hard to serve with a summons, and because b) he probably hasn't many significant assets available to seize, with the possible exception of his home. In Washington state real estate as a person's primary residence is subject to a $125,000 "homestead exemption" in the case of a civil judgement recorded as a lien against the property. The entity forcing the sale (some European government or EU national/resident) would only keep an amount of money equal to: profit = sale price - amount owed to other lien holders - homestead exemption - legal fees - foreclosure costs - costs of sale, which might not be enough to make the process worthwhile, unless the point of it wasn't to actually recover the fine but instead to just punish the evildoer who didn't fully delete someone's IP address or photo.

The real solution, since the GDPR is unworkable in practice for sites that feature arbitrary user-submitted content, is for individual US states to deny reciprocity judgements from foreign courts in GDPR cases when the entity being sued has no material presence in the foreign country. I don't expect any such laws to appear anytime soon. It'll probably take a few high-profile European judgements to kickstart the process.

Interestingly, the GDPR also appears to outlaw street photography to the extent a photo may show an identifiable person and the photographer hasn't obtained prior authorization to collect that personal data (aka photo). Retroactive consent is illegal; only prior consent is allowed. This probably also means that if you have street photographs that show identifiable residents or citizens of an EU nation you're violating the GDPR.

Many commentators from EU nations brush off GDPR concerns with something like "oh, if you have a violation you'll just get a friendly letter from the local data protection office offering to help you become compliant, so you have nothing to worry about!" Which is a nice sentiment, but there's not actually anything in the law that requires this nor that says the maximum fines can't be levied against absolutely anyone for any technical violation of the law at any time. This site is probably not worth pursuing for it's inherently unfixable GDPR violations because it's too small for almost anyone to care about, but to maximize compliance the logical thing for an agency enforcing the GDPR to do is to send some legal pit bulls after a few smallish but not completely unknown sites, make examples of ruining a few people's lives with crushing civil judgements that receive widespread press reporting, and watch the rest of the Internet snap to attention.

- Anonymous

In one of my past lives as a freelance photojournalist, and before that, documentary "street photographer" (never liked that label), I probably took thousands of photographs (rolls of film, pre-digital) without asking permission, often quite close up--if asked by my sometimes perturbed subject if I had taken their photograph, I usually found a way to either deflect the question and avoid any open hostility, or blurt out something about being an "artist," the most honest reply, which would usually just leave my subject completely befuddled. But the law was quite clear that, even if said photo were to be published, there was absolutely no requirement for any form of consent. No news photographer photographing in, for example, a crowd of protestors could operate in any other way, and still can't. If I were working on a story I developed, with subjects knowingly participating, then I would have to obtain "model releases" if these photographs were to be published.

I can't imagine how a photographer for AFP, or Reuters, for example, would be able to continue working under GDPR, unless there's some exemption for news photographers. Otherwise, this would be completely ridiculous.

I took many rolls of film on the streets of Paris, from various stays. But not very worried, since they date back to the '80s-'90s, and unless i'm somehow recognized posthumously--unlikely--they will never come to anyone's attention or be published.

Very good news that you and BD have found a way to keep us going.

I noticed the bolded text the first time I read it but forgot to point it out. I don't think x704.net has a shopping cart.

But if it does...