GDPR Compliance.
I think it's slightly troubling that toribash has not become compliant with the EU's General Data Protection Regulations.

Some of the regulations include, but are not limited to:
  1. The right of erasure. All individuals must be granted the "right to be forgotten". All data on an individual must be erased. You have one month to respond to an erasure request.
  2. The right of access. Individuals have the right to access their personal data. You also have a month to respond to such a request.
  3. The right to be informed. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.
  4. You must ensure that you have appropriate security measures in place to protect the personal data you hold, which falls nicely in with Dinis' suggestion for HTTPS.
  5. You have a duty to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and to notify the affected users.

For a more comprehensive guide on GDPR please visit the ICO's website.

Issues I see with these forums becoming compliant:

Seeing that vBulletin version 4.x.x is no longer supported, it is safe to assume that vB3.8.2, the version toribash is currently running, is also unsupported. So my bet is that the easiest way for the forums to become compliant would be updating to vB5.
Further reading: here.
You sound like personal data is the only issue here, but we both know it's not. You are not complying with cookie laws and use a bunch of outdated PHP. This website also has no https certificate in 2019. It's basically a huge joke and if you're too lazy to do something about it I'll find ways to change that.

And yes, GDPR standards apply to any websites offering services in Europe, and since you can buy TB items in Europe it should concern you.
-----
By the way, when it comes to personal data it's not just about removing it. You are supposed to have a whole statement readily available stating why you need certain information and where you're using it. Furthermore, you are also required to have a section dedicated to Nabi Studios, stating the business's information. Basically it's way deeper than just removing data on request.
Last edited by Smaguris; Feb 22, 2019 at 12:56 AM. Reason: <24 hour edit/bump
"The European Union's General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. These regulations will impact businesses that utilize personal data of EU citizens, even if the company does not have a physical presence in Europe. This means that the GDPR will be applicable for US websites as well."
[https://www.cmdsonline.com/blog/the-looking-glass/gdpr-us-websites/]


"If your country is not a member of the EU—currently 28 member states located primarily in Europe (27 after Brexit goes into effect Spring 2019)—you are considered a ‘third country’ under GDPR. Restrictions are imposed under GDPR that will impact how data is transferred to international organizations in third countries."
[https://www.mightybytes.com/blog/wha...ased-websites/]

"For example, if your US-based organization collects email addresses from EU citizens—such as a newsletter signup form, live website chat, or via telephone calls, for example—you’ll need to comply with GDPR guidelines. While you may not be actively targeting EU customers, if they can sign-up or input data to your website or through social media accounts, even if the data ends up in a third-party email marketing or CRM system (and not on your website), you’re responsible for GDPR-compliance." [https://www.mightybytes.com/blog/wha...ased-websites/]


"The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location." [https://eugdpr.org/the-regulation/gdpr-faqs/]


"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
[https://gdpr-info.eu/art-3-gdpr/]

The GDPR guidelines must be complied with if data from people in Europe is going to be stored by the company.
Last edited by Kore; Feb 22, 2019 at 04:47 PM. Reason: fixed broken links

Originally Posted by Smaguris
Since there is no response from staff and there's nothing being done about it, I've reported this website to ICO. Hopefully something can be done about it then.

Please don't post dumb things in this thread, there are better ways to gain attention to this other than being provocative.
Originally Posted by Kore

Thanks for the post, I was planning on writing up something once I got off the bus, but you did it for me. <3

At this point I think it's pretty pointless trying to get toribash to be fully compliant, but at the very least improving on site security would go a long way in that direction.

I'll add to this post further once I'm off the bus and at a desk.

Edit:

Please read up on the Singapore Personal Data Protection Act of 2012
[https://sso.agc.gov.sg/Act/PDPA2012]

In particular Part VI, Section 24.

An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Even if GDPR compliance wasn't needed, which it is contrary to what Icky believes, there would still be Acts from Singapore that it would be required to comply with.

Another issue that I'd like to raise would be how the toribash client stores login details in plaintext; I don't think I need to explain why this is a bad idea. This in combination with pretty much everything about toribash being insecure is just leading to a really bad day for someone.


This is probably the last I'll have to say in this thread, although I hope it provides something for the staff to mull over. I'd like to suggest that with the coming of TBN, it would be a good opportunity to turn a new page in this community's book. Treat it as an excuse to move away from the EOL software we rely on today, and with that hopefully gain better security practices.

The security of 5.5 million user account details should not be 2nd priority, given the amount of people that reuse passwords.
Last edited by Tuna; Feb 23, 2019 at 11:28 AM.
I'm being provocative? Give me a break, dev literally mocks me when I bring up actual concerns so if anything I'm just playing along.

To add to this, complying with most of these rules is actually very simple and takes barely any time. As someone mentioned before, being fully compliant is unrealistic given the circumstances, but disregarding it all is definitely the worst approach you can take.

Even if you were not required to comply with ICO regulations, playing the "We don't have to do it so we won't do it" card is extremely unprofessional. It shows how little you actually care about your users. Of course TB users don't expect much so most of them will let it slide (probably due to their ignorance of the subject), but that's not a reason to disregard industry-standard practices that are basically expected on every website.

In a nutshell you could make a cookie request prompt, add an "about us" page and update your policy all in a few hours. It would improve your website, it would stop people like me from crying and it would save you from any troubles in the future. There's literally 0 excuses not to do it.