XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours




Posted: Thu Jun 07, 2018 1:29 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Hmmm, started getting the popups again (anything change at your end?), so removed site cookies (I do regularly remove all cookies, even after visiting just a few sites), disabled JS from NoScript, and was still able to log in and post.

Edit: uh oh, but none of the formatting options work without JS. Might have to use " " from now.


Posted: Thu Jun 07, 2018 3:56 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
It was briefly broken due to an incorrect quotation mark that prevented some browsers from executing the popup code.

I will need to play with it some more, but it's possible we could wrap the JavaScript for the consent popups inside a page element that you could block with an ad blocker by writing an appropriate custom rule. How well this would work might depend on the ad blocker. We might also be able to set up the consent JS to load from a sub-domain, so you could block all resources from that domain or that specific URL and not be harassed.

We also still need to tweak the consent so that clicking cancel is what accepts the consent, and clicking OK denies consent. This helps establish affirmatively that you have consented because the "OK" is the default action, so you might accidentally consent when you don't want to.

Eventually the consent should move to a separate web page rather than using JS popups. Doing so will prevent bypassing the agreement by disabling JS. At that point I might also investigate writing a Firefox/Chrome addon that automatically sets the "I've consented" cookies so you can bypass the consent capture.

Probably also need to send all members who currently receive email notifications an email to the effect of "Here at x704.net we value your privacy! Due to new European Union privacy rules, and because we don't want you receiving email you don't want, we've disabled email features on your x704.net account until you opt in to receive them. Please log in to your x704.net account, read our updated privacy policy, and re-enable any email notifications you wish to receive. Thanks!"

All of this will take a little time. If I'm home sick one of these days maybe I can get it done.

- Anonymous
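
The difference between the JavaScript popup and the separate consent page described in the post above, as an added example (not x704.net's or phpBB's code): the check runs on the server before any forum page is produced, so turning off JS in the browser does not skip it. The cookie name `consent_ok`, the `/consent` and `/privacy` paths, the request shape and an HTTPS site are all assumptions made for the illustration.

```javascript
// Added illustration: server-side consent gate (hypothetical names throughout).
const CONSENT_COOKIE = 'consent_ok';                   // hypothetical cookie name
const OPEN_PATHS = new Set(['/consent', '/privacy']);  // reachable without consent

// Parse a Cookie request header into a plain object.
function parseCookies(header = '') {
  const jar = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Accept only same-site paths as the return target, so the consent
// page cannot be used as an open redirect ("//host" and "/\host" are refused).
function safeNext(next) {
  return typeof next === 'string' && /^\/(?![\/\\])/.test(next) ? next : '/';
}

// Decide what happens to a request before any forum code runs.
// req: { method, path, query: { next }, headers: { cookie } }
function consentGate(req) {
  const cookies = parseCookies(req.headers.cookie);
  const consented = cookies[CONSENT_COOKIE] === '1';

  if (req.method === 'POST' && req.path === '/consent') {
    // The visitor submitted the consent form: record it and send them back.
    return {
      status: 303,
      headers: {
        'Location': safeNext(req.query.next),
        // Secure assumes the site is served over HTTPS.
        'Set-Cookie': `${CONSENT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`,
      },
    };
  }
  if (consented || OPEN_PATHS.has(req.path)) {
    return { status: 200, passThrough: true };  // hand the request to the forum
  }
  // No consent yet: redirect to the consent page and set no cookie at all,
  // so no session or tracking state exists before the visitor agrees.
  return {
    status: 302,
    headers: { 'Location': '/consent?next=' + encodeURIComponent(req.path) },
  };
}
```

Because the gate only inspects a cookie the browser sends back, a visitor who sets that cookie themselves is treated as having consented, which is the behaviour the add-on idea in the post relies on.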


Posted: Fri Jun 08, 2018 6:23 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Quote:
Eventually the consent should move to a separate web page rather than using JS popups.

I think you mentioned that you would need to learn how to do this kind of programming, but if you can eventually move to something like this, it would probably be the least intrusive/annoying.

Already posted earlier, what Reddit is doing --their popup includes link to updated privacy policy, should the user be interested in reading it, with button to easily dismiss the entire popup, and continue. Small unobtrusive popup bottom right, leaving most page content visible. Occurs before login, just as it does here.

Image

I have added x704 to my list of cookies exceptions, which will retain the accept cookies on Firefox quit, but I often want to clear all cookies and leave Firefox open. Trying to save the agreement cookies now means I have to individually delete cookies one by one for other sites visited, except x704, instead of simply hitting Remove ALL.

Also, changing the theme to other than subsilver2 appears to have no effect on whether the popups appear or not.


Posted: Fri Jun 08, 2018 10:38 am
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
I don't think what Reddit is doing complies with the law, unless they aren't setting any cookies or doing any analytics or logging before you log in -- which is entirely possible. It's just not possible here because we didn't write phpBB and aren't in any position to hack it that extensively, and we don't have easy control over the back end of the site since we're using a hosting service.

Those are among the reasons I said I thought it would be easier for larger sites to comply: they've singularly developed their code so they can readily modify it, and they're (likely) running on their own hardware in their own server environment.

I'm not sure why changing to another theme doesn't work. I only edited the header template for subsilver2. Of course, since subsilver2 is the default theme, you'll only be able to change to a non-default after you've logged in, so even if it did work it would only help when you deleted your "I agree" cookies without deleting your session cookies, since your login is maintained by cookies.

- Anonymous


Posted: Fri Jun 08, 2018 12:03 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Lots of Reddit cookies before dismissing popup or logging in. Doesn't look like full compliance. But if the GDPR zealots don't come down on Reddit, which is huge, chances are tiny x704 will be invisible.

Image


Posted: Fri Jun 08, 2018 12:27 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10199
Location: Caught between the moon and NYC
Today I'm getting a GDPR notice after every action. Click on view active topics, notice. Click on an active topic, notice. Click reply, notice. Click submit, notice.

That being said my browser has been open since yesterday.

Edit: Gave in and closed and reopened my browser, which resets everything. Problem is gone. Thanks for all the hard work Anon.


Posted: Fri Jun 08, 2018 1:00 pm

Joined: Thu May 15, 2008 8:21 pm
Posts: 1156
Location: Burblandia
MonkeyBoy wrote:
Today I'm getting a GDPR notice after every action. Click on view active topics, notice. Click on an active topic, notice. Click reply, notice. Click submit, notice.

That being said my browser has been open since yesterday.

Edit: Gave in and closed and reopened my browser, which resets everything. Problem is gone. Thanks for all the hard work Anon.

Exact same issue and resolution here! Thx all.


Posted: Fri Jun 08, 2018 1:55 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
Sorry it's still a pain in the arse, but I hope to work on it more. So far the work hasn't been hard, just time consuming, and time is at somewhat of a premium in my life these days.

- Anonymous


Posted: Sun Jun 10, 2018 9:29 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Anon, forgive me for going on about this, but I'm wondering if something like what the newyorker is doing would be suitable for our site -- provided, that is, it's something you can do, and not without too much trouble. It's basically if you proceed you agree (nothing to accept or cancel) including a reference to the use of cookies. You may find that it's not in the absolute strictest compliance with GDPR, but I'm certain the small army of highly paid Condé Nast legal help has gone over the GDPR terms with a fine tooth comb, and has deemed this acceptable. Perhaps with this "agreement" in place, the accept cookie might be provided automatically, or even dispensed with entirely?

Image


Posted: Sun Jun 10, 2018 10:07 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
That's fine as long as no personal information is collected until after someone has explicitly agreed to its collection. If they wrote their own software for their site, that works.

In our case, personal information is collected immediately so explicit informed consent must also occur immediately upon loading the site, so a banner probably wouldn't work here: the interface probably needs to be modal -- basically a "capture" page, beyond which someone who doesn't consent cannot pass. And technically even that doesn't work because it's also illegal to effectively sell access to a site in exchange for personal information (in other words, any otherwise accessible feature of the site needs to be equally available to any visitor whether they consent to collection or not). At least the capture page would prevent the information from being collected, which seems at least some minor protection for people sensitive about such things. Rewriting the forum software not to collect any personal information is completely impractical.

You can, however, make a reasonable argument that if whatever you're doing is illegal either way, you might as well do the less irritating illegal thing, and that view does seem to hold some merit.

In any event, they both take a little tiny bit of programming, so we're probably stuck with what we have at the moment for a little while.

- Anonymous


Posted: Mon Jun 11, 2018 12:50 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Thanks, realize it's a pain in the ass for you to have to deal with this crap -- what's important is to keep the site going, no matter the entry protocol. Won't bug you with this anymore.


Posted: Mon Jun 11, 2018 2:21 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10199
Location: Caught between the moon and NYC
https://www.youtube.com/watch?v=8deMsP9ZLfY


Posted: Tue Jun 12, 2018 8:43 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
The founder of StopForumSpam is livid about the GDPR.

As for this site, we can no longer do a Google search on suspicious IP addresses when they register without a data processing contract with Google. :roll: (Hint: Google has signed no such contract with us. It is unclear that such a thing is even possible.) Just let spammers sign up and delete them after they start spamming?

Oh for fucks sake! What's this?

I swear it won't be long before you won't be able to make a damned blog post without a team of lawyers specializing in international intellectual property and privacy law.

- Anonymous


Posted: Wed Jun 13, 2018 12:28 am
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15249
Sure sounds like they're going to kill off any selection of thought. :upset:


Posted: Wed Jun 13, 2018 2:55 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10199
Location: Caught between the moon and NYC
Has anyone told ARIN? They're still showing my IP address on their homepage.

I suppose if nobody can post anything then that's a form of privacy.


Posted: Wed Jun 13, 2018 4:00 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
MonkeyBoy wrote:
Has anyone told ARIN? They're still showing my IP address on their homepage.

I dunno. Try filing a complaint with Hungary or Croatia's data protection authority. In other news, ICANN looks like a hot mess (link to The Register for good times) also here.

- Anonymous


Posted: Wed Jun 13, 2018 4:56 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10199
Location: Caught between the moon and NYC
That seems like a hot mess, but not on the part of ICANN. Having such a massive law go into effect with absolutely no planned means of negotiating for implementation isn't the fault of ICANN. Seems kind of like the EU is a little too used to royal decrees.


Posted: Wed Jun 13, 2018 5:19 pm
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15249
What about ISPs that have your IP & all your data!?


Posted: Wed Jun 13, 2018 6:00 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10199
Location: Caught between the moon and NYC
I feel sorry for any US ISP who gets entangled in a visiting EU citizen who joins the guest network of a US customer. All that data mining and logging and similar activities can't possibly be GDPR compliant. Of course how would the EU citizen ever know that the GDPR was violated? How would the EU prove it?


Posted: Wed Jun 13, 2018 6:15 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
BDAqua wrote:
What about ISPs that have your IP & all your data!?

I am not a lawyer: generally they are obligated to keep as little of it as possible unless you opt in to allow them to keep more, but either way they may keep what they need in order to serve the legitimate interest of providing Internet connectivity. But since these data are kept ("processed") based on a "legitimate interest" you, the customer, may request a dump of these data so you may take them with you to a new ISP (!?) since they're impacted by the data portability requirement.

It is not clear that naked IP addresses should be protected as vigorously as, for example, your name, address, a stored list of all the web sites you've visited, cross-referenced with your credit score and political leanings and sold to third-party data brokers...but what do I know? I'm not an EU regulator.

Yeah, I get what the GDPR is going for:
1) give you control over and awareness of data collected about you,
2) disrupt the immoral panopticon-based web business model by turning personal data from an asset in to a liability,
3) * disrupt American corporate dominance of the Internet by companies like Google and Facebook.

...and I don't have a problem with that. The intentions are generally good.

The problem is that the details are truly fiendish, a few bits are just awful (like defining an IP address as personal data since it's usually not in the real world, and in the real world only becomes personal data when it's used to target people by combining it with other information...or the way it applies to random unstructured data you don't even know exists let alone use for creepy shit), and often appears to miss the forest for the trees. In general the law seems obsessed with who has control of information, not how it's being used or its (typically) incidental** and unavoidable presence. Nor is there much clear sense of proportionality. A store selling fresh-roasted coffee may incidentally collect personal data, but the threat posed by the proprietor's customer spreadsheet, email program, and group photo from the store's 10th birthday extravaganza is not proportional to a behavioral tracking ad network that sets an evercookie that gets loaded in to 1/50 of the web through a hidden 1 pixel iframe. The coffee roaster is not a privacy threat. It's just not. If it were a multinational coffee company profiling all the globe's coffee drinkers it might be, but again, it's just not. The risk and responsibility must increase with the scale, centralization, and intent for the data, not merely by who possesses it or the fact of its possibly abstract existence. Large organizations, setting aside their business model, must bear greater responsibility for their handling and need to be more selective with personal data curation because they are better positioned to find new ways to exploit it.

An appropriate rule for a site like this one would be "don't harvest users' email addresses for sending spam," while a more stringent standard might be appropriate for multinational companies whose business is built around profiling and targeting people in a process akin to information warfare. And on top of all that, by making compliance impossible, they've probably guaranteed the law of unintended consequences will forcefully rear its head. I'm confident that at the end of the day it won't end up actually accomplishing what it set out to achieve, but will still impose astronomical costs on everyone who isn't really part of the problem.

I should also add that, although compliance will be a PITA for startups that aren't premised around monetizing personal data, building systems from the ground up is merely challenging and expensive. Retrofitting compliance on the other hand is probably simply impossible or so difficult (like this site) as to be completely hopeless and debilitating. At least that's probably true of systems that use structured data, like a centralized database with rows and clearly defined columns...it's still absurd for unstructured data like your email or your Lightroom catalog of your wedding shoots as a photographer (neither of which are shared over the Internet or data-mined to profile and target people).

- Anonymous

* I recognize this is the most controversial of the reasons, but I think there's some evidence to support it, although it's also the least important reason.

** A critic of this post might say "if the data are incidental then don't collect them!" which is apparently what EU regulators thought, but this disregards the fact that it's often not clear when data actually becomes incidental, nor the reality of how the data are actually used. For example, most posts on this site are tagged with an account and IP address which posted them. In most cases this is incidental, but is very important when a sock puppet account starts being abusive. It also ignores the fact that these data are not shown publicly, are not analyzed en masse, and we have no intent to use these data in any privacy-invading manner. It also ignores the ridiculous cost of preventing collection in existing systems and run-of-the-mill sites/orgs that aren't in the business of invading your privacy are saddled with extraordinary costs to protect you from things they're never going to do.


Posted: Fri Jun 29, 2018 4:14 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
California passes new privacy law. It tentatively looks a little sloppy, but also doesn't appear to apply to this site, nor in fact most small web sites: AB-375.

It kind of looks like it falls on the side of not providing enough protection, but also doesn't appear to outlaw most of the Internet unlike some recent and ongoing ham-fisted attempts at data regulation. It will also be further amended and watered down before it comes in to force in 2020. I should sit down and read it more carefully, but since it almost certainly won't affect us, and will certainly be amended, I may not get around to it anytime soon. If someone else would look at it in detail and report your thoughts, I'd love to hear them.

Cheers,
- Anonymous


Posted: Fri Jun 29, 2018 4:57 pm
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15249
So far it looks like it's only pointed at profit making sites.
Quote:
AB 375, Chau. Privacy: personal information: businesses.

Quote:
1798.194. This title shall be liberally construed to effectuate its purposes.


Posted: Mon Jul 02, 2018 10:15 am
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
BDAqua wrote:
So far it looks like it's only pointed at profit making sites.
Quote:
AB 375, Chau. Privacy: personal information: businesses.

I agree, but California, and most localities for that matter, appear to take an expansive view of "business" activities. For example, accepting member contributions to help pay for the site may make it an unregistered business in California under certain circumstances, which also imposes some interesting tax and legal registration requirements. I think that if 25% of revenue comes from California an entity must be registered with the state ($800 annual fee, $2000 penalty for failing to do so). Fortunately 100% of financial contributions to the site have come from New York and Oregon, so everything is probably OK on that front.

- Anonymous


Posted: Mon Jul 02, 2018 11:51 am
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15249
Whew...

Quote:
50 trillian dollars has been set aside, so if you've ever used a computer or Smart Phone we'd like our cut so don't delay call 1-800-sue-m-now today. Offer valid only in Russia, North Korea, & other friendly countries. Offer expires Y2K.


Posted: Mon Jul 02, 2018 3:57 pm
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9927
Location: North of the State of Jefferson
It's also conceivable the site, its participants, and members together qualify as an unincorporated association under California law and that of other localities. That provides a small level of protection, although it's also possible the site is solely owned and operated by BDAqua.

If the site wished to be recognized as an unincorporated association for purposes of California tax law -- which it wouldn't but bear with me -- there's only a $25 filing fee and the filing is good for five years. This might allow donations from California to exceed 25% of total annual contributions without triggering apocalyptic tax ramifications, but since the site needs no financial contributions now nor in the foreseeable future, this isn't really worth considering. The likelihood that we could do this may, however, add some weight to the suggestion that the site is not a business.

- Anonymous

