
Invision Community Blog


Our take on managing successful online communities


GDPR updates for Invision Community 4.3.3

Unless you've been living under a rock, or forgot to opt-in to the memo, GDPR is just around the corner.

Last week we wrote a blog answering your questions on becoming GDPR compliant with Invision Community.

We took away a few good points from that discussion and have the following updates coming up for Invision Community 4.3.3 due early next week.

Downloading Personal Data
Invision Community already has a method of downloading member data via the member export feature that produces a CSV.

However, we wanted Invision Community to be more helpful, so we've added a feature that downloads a member's personal data (name, email address, known IP addresses, known devices, opt-in details and, if you use Nexus, customer data) in XML, a portable and machine-readable format.

 


You can access this feature via the ACP member view

The download itself is in a standard XML format.


A sample export

Pruning IP Addresses
While there is much debate about whether IP addresses are personal information or not, a good number of our customers requested a way to remove IP addresses from older content.

There are legitimate reasons to store IP addresses for purchase transactions (so fraud can be detected), for security logs (to prevent hackers gaining access) and to prevent spammers registering. However, under the principle of not storing information for longer than is required, we have added a feature that removes IP addresses from posted content (reviews, comments, posts, personal messages, etc.) once it is older than a threshold you set.

The default is 'Never', so don't worry: after upgrading you won't see IP addresses removed unless you enter a value.


This new setting is under Posting

Deleting Members
Invision Community has always had a way to delete a member and retain their content under a "Guest" name.
We've cleaned this up in 4.3.3. When you delete a member but want to retain their content, you are offered an option to anonymise it. Choosing this option attributes all posted content to 'Guest' and removes any stored IP addresses.


Deleting a member

Privacy Policy
We've added a neat little feature to automatically list third parties you use on your privacy policy. If you enable Google Analytics, or Facebook Pixel, etc, these are added for you.


The new setting


 

Finding Settings Easily
To make life a little easier, we've added "GDPR" as a live search keyword for the ACP. Simply tap that into the large search bar and Invision Community will list the relevant settings you may want to change.


 

These changes show our ongoing commitment to helping you with your GDPR compliance. We'll be watching how GDPR in practice unfolds next month and will continue to adapt where required.

Invision Community 4.3.3 is due out early next week.


Comments



Recommended Comments

28 minutes ago, TSP said:

Could there be an option to define the name to attribute to on that page directly? So we could input for example "Member 3312" (where 3312 would be their memberId). This will keep the discussion still somewhat reader friendly, so it would still be possible to differentiate different accounts as having written in the discussion, for readers reading old content. 

I like this idea.

Edited by Wolfie


Nice, but too late and not enough for all GDPR-specific business cases.

For example, I can write a little about our experience. We have an external database service and external OpenID auth (our IPS is just a part of bigger services). So our users can request a data export and send an account removal request in their personal area on the external (from the IPS point of view) site. If a user asks for deletion, our backend service sends a message to a special RabbitMQ queue. All our apps which have an internal user database listen to this queue. We provide a "grace" period of a few days. We did it because we want to make sure the user is sure about his action (and wasn't hacked). It's OK by GDPR. In this grace period we anonymize the account, block the profile, exclude it from all searches and block all activity with it (like ban functionality, but not that), change its email field to block notifications, and clear all stored sessions on devices. If the user doesn't change his mind in that grace period, our service sends a delete action/message to the MQ and all services start their cleaning and anonymize tasks. For the forum, for example, it is: 1) we make a new clean account with an anonymized name and email; 2) merge this new account into the old one (this way we change the posts' author to the new anonymized account); 3) delete the old account (and our internal apps which have special tables with additional member data do this cleanup via the 'onDelete' action); 4) send our service an 'ok' state for the requested action (if it doesn't receive it, then it will periodically ask again, and if the service doesn't give a good answer after some tries, it notifies our internal scheduled tech support).

Our export is done by an external service, which is connected directly to the DBs of the many services registered as 'containing member data'; it gets all the data and notifies about the completed export process and the ability to download the export archive.

So, the 4.3.3 features are too late now for us (we can't update so fast, because the 4.2->4.3 changes broke most of our apps, plugins and themes). Maybe after we update the core we can improve our integration system to use these new tools. But in fact the current default IPS GDPR features are good only for very small communities with a small number of additions, which can update easily.

Anyway, thanks for your work.

6 minutes ago, Upgradeovec said:

Nice, but too late and not enough for all GDPR-specific business cases.

....

But in fact the current default IPS GDPR features are good only for very small communities with a small number of additions, which can update easily.

And LEGO®, SEGA®, Warner Bros, etc. 🙂


Great update. Huge step in the right direction. 🙂

 

Quote

While there is much debate about whether IP addresses are personal information or not, a good number of our customers requested a way to remove IP addresses from older content.

There is no debate about that. That has been determined time and time again by the highest of courts in Europe. IP addresses are personal information. 😉

Thanks for the retention feature! Highly appreciated! I guess setting this to 0 days would make it fully compliant 🙂

1 hour ago, TSP said:

Could there be an option to define the name to attribute to on that page directly? So we could input for example "Member 3312" (where 3312 would be their memberId). This will keep the discussion still somewhat reader friendly, so it would still be possible to differentiate different accounts as having written in the discussion, for readers reading old content. 

Yes!! Also, this would allow deleting all of member 3312's content even if the member itself was removed.

Quote

These changes show our ongoing commitment to helping you with your GDPR compliance. We'll be watching how GDPR in practise unfolds next month and will continue to adapt where required.

I am very pleased to see that IPS is finally taking action on this 🙂 The remaining timeframe is very very very very harsh unfortunately.

Two things I still miss in your blog:

  • A data processing agreement
  • Options to opt-in for each use of the comment, contact, posting feature with documented history (like you've implemented for admin bulk mails)

I do miss the good old days with ikonboard. User credentials were stored unencrypted, no one cared. Better world back then 😉

15 minutes ago, Matt said:

And LEGO®, SEGA®, Warner Bros, etc. 🙂

I'm glad you didn't say Sony Pictures 😮

Great work IPS Team. The 3rd party/privacy policy integration is excellent. I take it the screenshot only shows which apps are integrated e.g. Send Grid won't show if you don't use it?

And I add my support to @TSP's brilliant suggestion.

Edited by GlenP

10 minutes ago, GlenP said:

Great work IPS Team. The 3rd party/privacy policy integration is excellent. I take it the screenshot only shows which apps are integrated e.g. Send Grid won't show if you don't use it?

Yes, only the enabled ones will be shown.


These improvements and tools are excellent and well considered, just what we needed, thank you. 

I'd also urge some general caution and due diligence, especially with any non-member requests for bulk personal data export. Admins should put some procedures in place and make sure co-admins and staff are aware, to recognise a request and to reasonably check proof of identity before handing over bulk export data to ex-members, banned or disgruntled ex-members who potentially have a grievance, or ex-members requesting account deletion.

It may be useful for current registered members to have a convenient option in their Account Settings to be able to request an export, so the export could be performed automatically and recorded in the member history audit trail.

I'd also urge caution in transmitting that XML data to the requester, especially by email; be sure to provide some security such as sending it in a passworded and/or encrypted zip file. Double, triple check you're sending it to the correct person and email address!

 

1 minute ago, The Old Man said:

These improvements and tools are excellent and well considered, just what we needed, thank you. 

I'd also urge some general caution and due diligence, especially with any non-member requests for bulk personal data export. Admins should put some procedures in place and make sure co-admins and staff are aware, to recognise a request and to reasonably check proof of identity before handing over bulk export data to ex-members, banned or disgruntled ex-members who potentially have a grievance, or ex-members requesting account deletion.

It may be useful for current registered members to have a convenient option in their Account Settings to be able to request an export, so the export could be performed automatically and recorded in the member history audit trail.

I'd also urge caution in transmitting that XML data to the requester, especially by email; be sure to provide some security such as sending it in a passworded and/or encrypted zip file. Double, triple check you're sending it to the correct person and email address!

 

All very sensible yes. There's a new Admin permission mask for the exports, so you can disable this per admin if you wanted to.

1 hour ago, TSP said:

@Matt On deletion of members: 

Could there be an option to define the name to attribute to on that page directly? So we could input for example "Member 3312" (where 3312 would be their memberId). This will keep the discussion still somewhat reader friendly, so it would still be possible to differentiate different accounts as having written in the discussion, for readers reading old content. 

Alternatively let the Anonymize attribution do a md5 hash on the (memberId+some community specific value that is unlikely to be changed) and grab the first 8 letters or something. 

If you have deleted a handful of members and their content has been merged to Guest, you will probably have several hundred postings over time. Someone who took the time to read through all of these "Guest" postings would find it difficult to guess which posting was made by which prior member. If the same postings were attributed to various "defined" accounts as mentioned above, someone "could" comb through the site and see all of the content a particular deleted member wrote. Those postings might include enough clues that someone could conceivably figure out the identity of the poster. "If" content left behind by departing members "could" be attributed to them, is the content "really" anonymized? Something to consider.

4 minutes ago, Christopher Anderson said:

If you have deleted a handful of members and their content has been merged to Guest, you will probably have several hundred postings over time. Someone who took the time to read through all of these "Guest" postings would find it difficult to guess which posting was made by which prior member. If the same postings were attributed to various "defined" accounts as mentioned above, someone "could" comb through the site and see all of the content a particular deleted member wrote. Those postings might include enough clues that someone could conceivably figure out the identity of the poster. "If" content left behind by departing members "could" be attributed to them, is the content "really" anonymized? Something to consider.

I have, which is why I settled on "Guest" to completely anonymise it and ensure no mining or pattern matching could occur.

31 minutes ago, DReffects2 said:

Options to opt-in for each use of the comment, contact, posting feature with documented history (like you've implemented for admin bulk mails)

That really is not required. It should all be in the T&S and Privacy Policy, which you have to opt in to when registering, and this opt-in is recorded.

GDPR is not about putting a checkbox in front of every possible interaction with the site. What a nightmare that would be for everyone.


@Matt @Christopher Anderson Well, it's pseudonymized at least. We personally take this road, so it will be useful to me if IPS would provide the option to let us input our own value to give as the new attribution. You can argue people can comb through all of the quoted content in other members' posts and get the information that way anyway, or you could argue that an advanced AI in the future could be able to figure out which users are different anyway based on writing style alone.

I see no need to make it harder for people to understand how the flow of a previous conversation has been (if you choose not to delete the content in the first place), it only makes things confusing. 

There are 4 potential options here: 

  • Continue to attribute to Name (currently in this update)
  • Attribute to "Guest" only (currently in this update)
  • Attribute to the given name <Admin inputs new name>
  • Pseudonymize: The software generates a md5-hash based on some values there and then that does not retrieve any member data, just something like a timestamp + some other value and then gives that name to all content from that account before it's deleted.

@Matt Will I be able to hook into it at least? 

Edited by TSP

17 minutes ago, Matt said:

That really is not required. It should all be in the T&S and Privacy Policy, which you have to opt in to when registering, and this opt-in is recorded.

GDPR is not about putting a checkbox in front of every possible interaction with the site.

eRecht24 (among many other established services) explicitly advises webmasters to implement checkboxes for forms. eRecht is a premier service for data privacy issues. The contact form in IPS does not require a user to be registered first, nor does the comment function for articles.

https://www.e-recht24.de/news/abmahnung/10651-abwarnung-kontaktformulare-einwilligung.html

Quote

What a nightmare that would be for everyone.


Indeed it is. Matt, you've stated in another blog that the GDPR is very vague at times.  You ask three lawyers and get four answers. None of them are legally binding.

I've seen dozens of lawsuits years ago about the cookie notice thingy. It was a HUGE hassle for everyone, even if you were proven right in court after thousands of dollars.
Most data privacy advisors currently advise implementing checkboxes, to be safe rather than sorry. I've read about alternating interpretations on this, but until this has been fought out in court the situation remains unchanged: you can only be safe if you do more than is maybe required. Most of the large companies have equipped their websites with checkboxes in contact forms or at least a dedicated data privacy notice right before the submit button. Many have removed contact forms altogether.

I do fully understand that this is a huge annoyance for everyone involved.

23 minutes ago, TSP said:

@Matt @Christopher Anderson Well, it's pseudonymized at least. We personally take this road, so it will be useful to me if IPS would provide the option to let us input our own value to give as the new attribution. You can argue people can comb through all of the quoted content in other members' posts and get the information that way anyway, or you could argue that an advanced AI in the future could be able to figure out which users are different anyway based on writing style alone.

I see no need to make it harder for people to understand how the flow of a previous conversation has been (if you choose not to delete the content in the first place), it only makes things confusing. 

There are 4 potential options here: 

  • Continue to attribute to Name (currently in this update)
  • Attribute to "Guest" only (currently in this update)
  • Attribute to the given name <Admin inputs new name>
  • Pseudonymize: The software generates a md5-hash based on some values there and then that does not retrieve any member data, just something like a timestamp + some other value and then gives that name to all content from that account before it's deleted.

@Matt Will I be able to hook into it at least? 

Something to consider for a future release. You should be able to hook into it. 

5 minutes ago, DReffects2 said:

eRecht24 (among many other established services) explicitly advises webmasters to implement checkboxes for forms.

5 minutes ago, DReffects2 said:

Most data privacy advisors currently advise implementing checkboxes, to be safe rather than sorry.

 

Many? Most? Really? Sorry, but I don’t think those are honest claims. You happened to find one—that’s far from many or even most.

My tip: read the GDPR text yourself. It clearly addresses this. If the processing of data was necessary anyway, the GDPR changes nothing. Shipping a product requires a shipping address. A contact form requires a way to reply to the request. GDPR doesn’t change that. It’s in there.

1 hour ago, DReffects2 said:

There is no debate about that. That has been determined time and time again by the highest of courts in Europe. IP addresses are personal information. 

With all due respect, the highest courts in Europe can only decide for Europe. Also, anyone who truly understands networking knows that an IP address isn't personal information, regardless of the opinion of a court.

4 minutes ago, Wolfie said:

Also, anyone who truly understands networking knows that an IP address isn't personal information, regardless of the opinion of a court.

So when a court (interpreting the law) says it, it’s just an opinion, but your opinion is just declared common knowledge, that doesn’t need demonstration? That won’t work. 

An IP address is neither always personal data, nor never personal data. It depends. It is a (temporary) piece of information potentially identifying you, just like less temporary data like an address (which can also change), a birthday, a social security number and so on. The IP address can be used to identify the individual (e.g. by internet services providers acting on behalf of authorities). That’s how people are fined for file sharing or criminal online activities. In fact it is the number one tool to do that. So if—under certain conditions—it is a piece of data that might make it possible to identify a single person, that makes it personal data by definition under those conditions. 

2 hours ago, TSP said:

Could there be an option to define the name to attribute to on that page directly? So we could input for example "Member 3312" (where 3312 would be their memberId). This will keep the discussion still somewhat reader friendly, so it would still be possible to differentiate different accounts as having written in the discussion, for readers reading old content.

1 hour ago, Christopher Anderson said:

If you have deleted a handful of members and their content has been merged to Guest, you will probably have several hundred postings over time. Someone who took the time to read through all of these "Guest" postings would find it difficult to guess which posting was made by which prior member. If the same postings were attributed to various "defined" accounts as mentioned above, someone "could" comb through the site and see all of the content a particular deleted member wrote. Those postings might include enough clues that someone could conceivably figure out the identity of the poster. "If" content left behind by departing members "could" be attributed to them, is the content "really" anonymized? Something to consider.

1 hour ago, Matt said:

I have, which is why I settled on "Guest" to completely anonymise it and ensure no mining or pattern matching could occur.

1 hour ago, TSP said:

Well, it's pseudonymized at least. We personally take this road, so it will be useful to me if IPS would provide the option to let us input our own value to give as the new attribution. You can argue people can comb through all of the quoted content in other members' posts and get the information that way anyway, or you could argue that an advanced AI in the future could be able to figure out which users are different anyway based on writing style alone.

There is another option. Retain the member ID (internally), but for each topic, have a pseudo-random number that remains consistent within that topic. That way, if there are multiple deleted accounts posting inside of a single topic, instead of a bunch of posts by "Guests," have unique Guest IDs for each 'person' so that it's easy to follow the discussion for that topic. But those IDs wouldn't match up in other discussions, so combing through would be a moot point. Perhaps even have a list of pseudo names to use (like a dictionary), with names like Sam, Pat, Sydney, George, etc. (names that can be, or have been, used for either gender). So one topic might have user 3312 as Guest Pat, while another might have them listed as Guest Bo. Easier to follow the flow of a single topic, but not easy to piece information together from multiple topics.

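The three attribution schemes argued over in this thread (Matt's plain "Guest", TSP's fixed per-member pseudonym, Wolfie's per-topic pseudonym), written out as an added Python example that is not from the original post or from Invision Community. The posts, member ids and site secret are constructed, and a keyed HMAC stands in for the md5 suggested above; the linkage report shows which scheme lets a reader join a deleted member's posts across topics.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample data: posts by two members (3312 and 4410) who are about to be
# deleted, spread over two topics. Each record mirrors what a forum stores per post.
POSTS = [
    {"post": 1, "topic": 10, "member": 3312, "ip": "198.51.100.7", "body": "first"},
    {"post": 2, "topic": 10, "member": 4410, "ip": "203.0.113.9", "body": "reply"},
    {"post": 3, "topic": 10, "member": 3312, "ip": "198.51.100.7", "body": "again"},
    {"post": 4, "topic": 22, "member": 3312, "ip": "198.51.100.8", "body": "elsewhere"},
    {"post": 5, "topic": 22, "member": 4410, "ip": "203.0.113.9", "body": "also"},
]
DELETED = {3312, 4410}

# Assumption: a per-community secret held outside the database. With an unkeyed
# md5(memberId + value), member ids are small integers, so anyone who learns the
# extra value recovers the id by hashing every candidate; a keyed hash prevents that.
SITE_SECRET = b"constructed-community-secret"

Strategy = Callable[[int, int, bytes], str]

def _tag(secret: bytes, *parts: object) -> str:
    """HMAC-SHA256 over the parts, truncated to 8 hex characters for display."""
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

def guest_name(member_id: int, topic_id: int, secret: bytes) -> str:
    """Everything becomes 'Guest': nothing links posts, but the flow is hard to read."""
    return "Guest"

def stable_pseudonym(member_id: int, topic_id: int, secret: bytes) -> str:
    """One fixed pseudonym per member (TSP's 'Member 3312' / hashed variant):
    readable, but every post the person ever wrote remains linkable site-wide."""
    return "Member " + _tag(secret, member_id)

def per_topic_pseudonym(member_id: int, topic_id: int, secret: bytes) -> str:
    """Consistent within one topic, unrelated across topics (Wolfie's proposal)."""
    return "Guest " + _tag(secret, member_id, topic_id)

def anonymise(posts: List[dict], deleted: Set[int], strategy: Strategy,
              secret: bytes = SITE_SECRET) -> List[dict]:
    """Copy posts, rewriting deleted members' attribution and dropping their stored IP,
    as the blog's anonymise option does (name and IP both go)."""
    out = []
    for p in posts:
        q = dict(p)
        if p["member"] in deleted:
            q["author"] = strategy(p["member"], p["topic"], secret)
            q["member"] = None
            q["ip"] = None
        out.append(q)
    return out

def linkage_report(posts: List[dict], deleted: Set[int], strategy: Strategy,
                   secret: bytes = SITE_SECRET) -> Dict[str, Tuple[int, int]]:
    """For each display name a strategy produces: (distinct members behind it, topics it
    spans). Computed before the member ids are dropped, so it audits the scheme itself."""
    seen: Dict[str, Tuple[Set[int], Set[int]]] = {}
    for p in posts:
        if p["member"] in deleted:
            name = strategy(p["member"], p["topic"], secret)
            members, topics = seen.setdefault(name, (set(), set()))
            members.add(p["member"])
            topics.add(p["topic"])
    return {n: (len(m), len(t)) for n, (m, t) in seen.items()}

def linkable_members(posts: List[dict], deleted: Set[int], strategy: Strategy,
                     secret: bytes = SITE_SECRET) -> int:
    """Count display names that pin down exactly one member across more than one topic:
    each one lets a reader collect that person's whole history (the concern raised above)."""
    return sum(1 for m, t in linkage_report(posts, deleted, strategy, secret).values()
               if m == 1 and t > 1)
```

Run against the constructed posts, the fixed pseudonym reports two site-wide linkable members, while both "Guest" and the per-topic scheme report none.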
4 minutes ago, opentype said:

So when a court (interpreting the law) says it, it’s just an opinion, but your opinion is just declared common knowledge, that doesn’t need demonstration? That won’t work.

I suppose you've never heard the term, "opinion of the court?"

 

There are some services which provide a random IP address each time someone connects via their service. The IP they had before is no longer theirs, and it never was. But if someone wants to argue that an IP address is personal information, then surveillance footage of people outside of stores and banks is personal information, as it provides information on where they were at a particular time.

 

Let's also keep in mind the fact that those who interpret the laws don't always fully understand what they are deciding.  Not only that, but sometimes the laws aren't clear enough or up-to-date enough to allow for proper decisions.  I know of a streamer who has been ordered to not stream for a number of years because her (now ex) husband took her to court. Between the laws being behind the times and the courts not being fully aware of what it was deciding, it hurt her big time.  It was her means of income (she was doing well) and he only did it to be spiteful.  She also had to forfeit her streaming account, which promptly got turned over to a relative of his.  (For the record, that didn't last long.  It sank really fast.)

 

Point being, until there are tech savvy people on the benches, you'll have some rulings that aren't quite right.  If you still doubt my point, consider this...  If IP addresses are so personal, then why are so many trolls able to hide behind anonymity on the net?  It's a lot less personal than people think.

8 minutes ago, Wolfie said:

There are some services which provide a random IP address each time someone connects via their service. 

Please! You don’t seriously go to that lame excuse after what I have explained already. I explicitly said it depends on the situation and you cite a possible exception to justify your broad claim. The logical fallacy is obvious, I can’t believe you even try that. 

And even a temporary IP address doesn’t make the user anonymous per se. It still can be connected to everything you do while having that session. Including logging into a service that has other data, which then again identifies you clearly in connection with that temporary IP. 

Quote

But if someone wants to argue that an IP address is personal information, then surveillance footage of people outside of stores and banks are personal information, as it provides information on where they were at a particular time.

Of course. The use of video footage is a highly sensitive subject because of the reason you just gave. 

Quote

If IP addresses are so personal, then why are so many trolls able to hide behind anonymity on the net?  

Same logical fallacy as mentioned before. 

Edited by opentype
