#1 2018-06-15 10:16:34

Spirit
Administrator

Help wanted for GDPR compliance

So Quaddicted and QuakeWiki need a privacy policy and all that. I could use some help from anyone experienced or enthusiastic about that. Post here if you are willing to invest time and sweat into it and prepare to hold my hand. I would create a new subforum for coordination if needed. Thanks!

#2 2018-07-10 17:51:02

Spirit
Administrator

Re: Help wanted for GDPR compliance

This is a serious, scary issue and I need competent help on it. Otherwise it will be goodbye to these sites to protect my personal safety.

#3 2018-07-10 18:32:17

dumptruck_ds
Member

Re: Help wanted for GDPR compliance

I assume you are not running Quaddicted as a business. All I see is information for businesses. I'd be happy to pitch in $ for you to hire a consultant.

An interactive "self assessment"
https://ico.org.uk/for-organisations/re … ssessment/

Last edited by dumptruck_ds (2018-07-10 18:39:21)

#4 2018-07-10 19:20:16

Gez
Guest

Re: Help wanted for GDPR compliance

Feel free to look at the Doom Wiki and perhaps contact Quasar.

#5 2018-07-11 13:37:13

Quasar
Guest

Re: Help wanted for GDPR compliance

I'll definitely second what Gez said. For the Doom Wiki, we have basically copied the WMF's privacy policy, with a couple of additions we felt were necessary due to differences between the way we run things and the way they do (for example, they don't allow video embedding from YouTube on Wikipedia, so that's an example of something we need to spell out).

#6 2018-07-12 06:56:00

Spirit
Administrator

Re: Help wanted for GDPR compliance

Thanks, you guys! I'll try to adapt the Doom Wiki page for Quake Wiki but I guess we also need all that cookie warning stuff?

For Quaddicted it's more complicated, considering the file archive where personal details can be in every zip, etc... :\

#7 2018-07-12 19:11:59

Gez
Guest

Re: Help wanted for GDPR compliance

Any personal information placed in the text files for the mods that are archived there was volunteered by the people who wrote the text file and sent it for archiving there. It's entirely under users' control. Worst case, allow people to contact you to edit hosted files to remove information they'd want to see removed, if they cannot already update the files by themselves. From what I see on the public browsing interface, the "author" field can be pretty much anything (including a team name), the "homepage" field doesn't have to be filled, and none of the other fields appear to contain personal information.

#8 2018-07-20 16:09:30

Spirit
Administrator

Re: Help wanted for GDPR compliance

Could someone else please take a look at Doom Wiki's policy and adapt it for Quake Wiki? Just add the page there and make sure it applies. Ask if you need information about logs and such.

For Quaddicted I don't think it is as easy as Gez suggests. I don't know enough about GDPR and the fear-mongering about it is widespread. File editing is never going to happen with me, nor would I remove releases or information from their readme files.

I'll probably follow some other sites' approach and block European IPs as a potential countermeasure next month as an interim solution. :(

#9 2018-07-20 18:48:59

negke
Moderator

Re: Help wanted for GDPR compliance

Blocking users on a site like this sounds like an overreaction.
We'll have to do some digging - maybe there's some official place to ask?

As far as I know, the following things may be of concern:

  • IP logging (or other means of tracking/identifying general users) - has been deactivated for years here

  • Email addresses - for the forum/DB accounts, not publicly visible

  • Personal information in releases/readmes - sometimes real names and email addresses; however, the files were uploaded voluntarily by the authors (and more so they are only mirrored on Quaddicted); this may not count as collection of personal data by the site?

  • Third-party sites accessing/logging user data - e.g. embedded stuff like ads (no such thing here) or social media buttons which afaik are regular links on this site, with locally hosted images.

  • Monetary aspects possibly? - e.g. the donation button, I don't really know if it's relevant

  • Transparency statement - some sort of legal notice ("Impressum") and information on what kind of data is stored; needs to be easily accessible, ideally from every page

  • Right to be forgotten - should be feasible in terms of forum/DB interaction, accounts and comments can be deleted upon request; as for the releases themselves, maybe the exceptions in Article 89 apply?

  • Right to request a list of stored personal data - probably nothing to worry about since all data minus the email address is publicly visible anyway (and could be compiled into a single document with some manual work if someone should actually submit such a request)

#10 2018-08-01 18:03:26

negke
Moderator

Re: Help wanted for GDPR compliance

I noticed there are now disclaimer popups about the use of cookies on many sites. I checked and it seems Quaddicted sets a cookie on first visit, too. Is it possible to only generate a cookie once a user logs in?

#11 2018-08-04 11:43:20

Spirit
Administrator

Re: Help wanted for GDPR compliance

Thank you for your input!

negke wrote:

IP logging (or other means of tracking/identifying general users) - has been deactivated for years here

Nope, the server logs, it is just not visible to anyone but me.

negke wrote:

Email addresses - for the forum/DB accounts, not publicly visible

Still collected and stored.

negke wrote:

Personal information in releases/readmes - sometimes real names and email addresses; however, the files were uploaded voluntarily by the authors (and more so they are only mirrored on Quaddicted); this may not count as collection of personal data by the site?

Definitely still is collection.

negke wrote:

Third-party sites accessing/logging user data - e.g. embedded stuff like ads (no such thing here) or social media buttons which afaik are regular links on this site, with locally hosted images.

There should be almost zero external requests happening. If there are, please tell me and I will neuter them.

negke wrote:

Monetary aspects possibly? - e.g. the donation button, I don't really know if it's relevant

Removed.

negke wrote:

Transparency statement - some sort of legal notice ("Impressum") and information on what kind of data is stored; needs to be easily accessible, ideally from every page

I will not publish my private address to the web. It was hard enough to get it removed from WHOIS scrapers some years ago. Maybe we would need to form an e.V.?

negke wrote:

Right to be forgotten - should be feasible in terms of forum/DB interaction, accounts and comments can be deleted upon request; as for the releases themselves, maybe the exceptions in Article 89 apply?

Manually on request seems reasonable, I agree. I don't understand the legalese in that linked document nor can I properly judge Quaddicted (in its whole) in that regard.

negke wrote:

Right to request a list of stored personal data - probably nothing to worry about since all data minus the email address is publicly visible anyway (and could be compiled into a single document with some manual work if someone should actually submit such a request)

Manually on request seems reasonable, I agree.

negke wrote:

Is it possible to only generate a cookie once a user logs in?

I don't know which components set which cookies and when. There is DokuWiki (could be converted to static pages and then dropped), FluxBB (handling auth and the forum, could be dropped too if absolutely necessary as well :(( ) and my own ugly code. I don't think I could set up a sufficient system about cookies.


I answered all of these in the context of Quaddicted. QuakeWiki should be fairly easy in comparison, as it is a standard MediaWiki and thanks to DoomWiki there is a readily available policy template to use.

#12 2018-08-04 12:32:38

negkeShutOut
Guest

Re: Help wanted for GDPR compliance

Not an Impressum as such, but a page that details what kind of data is stored and for what purpose.

#13 2018-08-04 12:38:14

negkeShutOut
Guest

Re: Help wanted for GDPR compliance

As far as I see, the site as such isn't much of a problem. There aren't any hidden systems or scripts that submit data, and the forum accounts are an opt-in type of thing. The filebase is what we don't know about, but come to think of it, it isn't really much different from e.g. tech sites that host tools by various authors (think chip.de etc). Doesn't seem like they shut down their download sections, so how do they handle the GDPR?

#14 2018-08-05 00:11:41

ericw
Member

Re: Help wanted for GDPR compliance

negkeShutOut wrote:

The filebase is what we don't know about, but come to think of it, it isn't really much different from e.g. tech sites that host tools by various authors (think chip.de etc). Doesn't seem like they shut down their download sections, so how do they handle the GDPR?

fwiw, here is what the Internet Archive says about GDPR in its faq:
https://archive.org/about/faqs.php#1314

#15 2018-08-11 10:52:50

Spirit
Administrator

Re: Help wanted for GDPR compliance

I am in contact with someone, let's hope they can walk me through the important bits. :)

IA is a proper archive, they have special legal protection and abilities (see e.g. their ROM hosting).

#16 2018-08-15 09:02:34

Dorian
Guest

Re: Help wanted for GDPR compliance

Thank you Spirit
Really hope you can open your gates again for Europe.

#17 2018-08-16 17:27:32

Spirit
Administrator

Re: Help wanted for GDPR compliance

Thanks! Shouldn't be much of an issue really. We just need to figure out what is needed and implement/write that.

#18 2018-08-17 20:01:44

dumptruck_ds
Member

Re: Help wanted for GDPR compliance

Spirit,

I respectfully request regular updates via Twitter or func_msgboard on this issue please. You have a lot of people worried that a valuable community resource is going to go away for good. People have offered financial help for legal advice or to host files on their own time and with their own resources.

More information and updates would be welcome. Maybe get the conversation going now that you have ppl's attention? One person has taken it upon themselves to create a mirror of the files and felt that it was okay to do so based on your prior posts here:

https://www.quaddicted.com/archives/start

Or at least some guidance for what the community should do as an alternative at this time.

#19 2018-08-18 07:21:31

Gypsy
Guest

Re: Help wanted for GDPR compliance

https://drive.google.com/open?id=1qXdYl … zqK8hgl6wn

That's a link to a practically already done privacy policy. It's for WordPress but plenty of it probably applies to you here. Just go to each section and reword it to suit you. Done. Shame you aren't on WordPress because WordPress wrote my privacy policy for me.

#20 2018-08-18 11:04:04

Spirit
Administrator

Re: Help wanted for GDPR compliance

dumptruck_ds wrote:

People have offered financial help for legal advice or to host files on their own time and with their own resources.

On financial support https://twitter.com/schbirid/status/1018465648056381440: "Thanks, but money is not the issue. What's needed is someone willing and capable of dealing with it all."

On hosting I can just say it made me sad to see that people rather rip Quaddicted apart instead of helping Quaddicted comply with laws.

dumptruck_ds wrote:

I respectfully request regular updates via Twitter or func_msgboard on this issue please.

Sorry, I thought I had posted a tweet with @quaddicted about the current status. Did that now! -> https://twitter.com/quaddicted/status/1 … 9491446784
I am not going back to func_msgboard or terrafusion.
I am idling in #qc. Maybe we could do some concentrated discussion round some day about the roadmap for Quaddicted with people interested in collaborating? I would love to replace the current setup with something open and distributed.

I am quite irritated that people start building copies without even reaching out to me. Feels like my call for help went unheard and people are happy* to drop the sites in a heartbeat. Just to make one thing clear, the archives we built are in no danger whatsoever.

dumptruck_ds wrote:

Or at least some guidance for what the community should do as an alternative at this time.

- Tell me what is needed for GDPR exactly for the entirety of Quaddicted. E.g. "the site uses cookies" -> "write $this". (I am in contact with someone who offered to walk me through it, so this might be solved and just a matter of time, we will see.)
- Adapt the Doom Wiki solutions to Quake Wiki.

About Quaddicted being a business or not, I rather err on the business side. There are no financial interests, there are no ads (there were some in the distant past but yuck). But at least in Germany the question is tricky. From what I know (IANAL) the site might be in competition with other, commercial sites and thus be judged (and sued) as such. A "competitor" could "sue" for non-compliance to GDPR and summon hell onto me: https://en.wikipedia.org/wiki/Abmahnung

* I mean it's clear that the review/db is not up for how people keep releasing things but no one wanted to collaborate on a better system so far, for years


Gypsy: Thanks, but not applicable.


edit: Added business bit.

#21 2018-08-18 13:19:33

Quasar
Guest

Re: Help wanted for GDPR compliance

If what you need regarding the policy page at this point is just to get it imported and then customizing the markup and content, I'd be happy to help with that. We also tweaked a MediaWiki message on our login page to point at it, and indicate that creating an account is indicating acceptance of the terms. Someone with admin access would have to make that change.

#22 2018-08-18 23:57:56

dumptruck_ds
Member

Re: Help wanted for GDPR compliance

Thanks for the Twitter update Spirit. That's helpful and I did check yours and Quaddicted before posting. So the GDPR doesn't have any guidance for small independent websites anywhere online? Or any kind of mechanism to help?

I'd do this if I could code or knew anything about this stuff. I don't.

This article seems relevant to Quaddicted. There's a section below for proprietary platforms, including a Javascript notifier you can use.

https://siteturner.com/gdpr-for-blogger … to-comply/

re: Quakewiki I'm not sure what your Tweet is meaning about "some soul" like Doom Wiki? You mean involvement from the community to rework the site?

Last edited by dumptruck_ds (2018-08-18 23:59:04)

#23 2018-08-19 12:48:17

Spirit
Administrator

Re: Help wanted for GDPR compliance

Quasar, yes that would be fantastic! I made your account admin, shout (or mail) if anything else is needed. Thank you so much!

dumptruck_ds, see above (my previous posts) regarding Quake Wiki. Yes, that should be all that is needed.
That link is the first I see that actually helps, sweet! I think we could use that site's privacy policy (https://siteturner.com/privacy-policy-for-siteturner/) as a base as well, it is straightforward and low on legalese. I will absolutely not embed any third-party code for the cookie notification though, maybe there is a self-hostable, FLOSS alternative?

#24 2018-08-20 05:11:10

Mugwump
Member

Re: Help wanted for GDPR compliance

Spirit wrote:

I am quite irritated that people start building copies without even reaching out to me. Feels like my call for help went unheard and people are happy* to drop the sites in a heartbeat.

You're forgetting that not everyone has the legal background/knowledge required to provide said help, especially among us nerds. What Johnny Law did was in no way a move to drop Quaddicted, rather a service to the community while you get this situation sorted out. "Rip Quaddicted apart"? Come on! He didn't steal anything from you, he just made a mirror to content that you may have gathered but didn't create yourself. The words you're looking for are: "thank you, Johnny!"

BTW, OneTruePurple on Discord provided a link to a free proxy that works perfectly and allows us Europeans to use Quaddicted again. Here it is: https://www.usa-proxy.org
You might wanna share it with your followers on Twitter.

#25 2018-08-20 07:45:32

Spirit
Administrator

Re: Help wanted for GDPR compliance

No need to tell me how I should feel in your opinion.

You are ignoring that I do not have the legal background/knowledge myself, yet people get incomprehensibly angry when I did what seemed like a reasonable consequence as intermediate protection.

That site is able to log your user credentials, better do not use such a site. Also note how they hide who runs it and where. If you feel the need to access the site, just use Tor (with a non-EU exit). Tor does not man-in-the-middle you.
