GDPR non-compliance

Project: Web
Component: Main
Category: bug report
Priority: normal
Assigned: david
Status: active
Description

https://trisquel.info/en/privacy

The privacy policy does not comply with GDPR on many points. Perhaps I won't be able to point out each and every issue because it would require several hours. Generally - one who knows the GDPR knows what to write. I will just give some examples (in no particular order):

> Our site only collects and stores from its users the needed data for it to work, that is

What is "our"? Who is "we"?

Article 13 mandates that the identity and the contact details of the controller must be provided, and, where applicable, those of the DPO too. But what we have here is some anonymous entity "we" and a DPO presented by the name "david" with no contact details whatsoever. It is necessary to register (and submit personal data) in order to contact that DPO, which is against the principles of data processing minimisation.

> The IP address you use to access our site, as part of the standard logs of the web server and the Drupal CMS

However, those "standard logs" normally (with the default settings of Apache, for example) also include the time of access, the referring site/page, the protocol and the user agent. This is definitely much more info which can be correlated with the IP address. So that whole sentence about the "only" is really meaningless. Even without it, it is obvious that every site collects this data. However, processing is not just about collecting (keep reading).

Additionally, it is not clear from the list who has access to which particular data, e.g. which data is public, which is visible only to some admin team, which is visible to other registered users etc.

https://trisquel.info/en/forum/about-our-changes-better-comply-gdpr

> Our website should probably not be the type of objective the EU regulators are after with the GDPR, since we have just a bit of your personal information and it's both provided by direct means (when you register your account) and used only by the site software for its intended purpose of giving you a voice in the community, but it's better to be ready than regret some fine.

A qualified DPO who understands the GDPR should never say anything like that. GDPR is not about "a bit" or "a lot" or about "only by the site software". It is about the protection of personal data and the rules about it.

Back to the privacy policy text:

> A Drupal session cookie allowing you to stay logged-in until you decide to log out and others to store your language preferences

Again, the "only" is not true. There are 2 cookies: the session cookie and one called "has_js". And BTW neither cookie is secure, i.e. the controller doesn't use the available technology to protect the data as it should.

> We don't use your data for any purpose different of those, and we don't sell or give any part of your data to any third party.

A compliant policy should not explain what you don't do but what you do with the data. It should explain about each data category who has access to it, the purpose of processing and retention time. No retention times are mentioned anywhere at all.

> (*) As the registered e-mail address is used to post to the Trisquel mailing-lists, it will be visible to any other users of those lists or the visitors of their archives. That's just the way mailing lists work and an inherent part of their design.

This is clearly against the principles of data protection because:

1. Making personal data public (e.g. name and email address) and thus crawlable etc. is not data protection

2. Such publishing is not necessary for the technical purpose of participating in a mailing list. It is possible to pseudonymize the users, to hide the email addresses completely (not show even the "name at domain dot tld"). It is also possible to hide the participant's email address completely (like GitHub does) without revealing it even to the other participants.

3. The excuse "That's just the way mailing lists work and an inherent part of their design." is definitely anti-GDPR. To be GDPR compliant means to use/create a properly designed system, following the GDPR principles, not just writing some explanation about "well, this is how it is" - this is not data protection.

> we still encourage you to set-up your account with an e-mail address that you don't mind being public on those mailing lists and their archives.

You encourage a workaround that the data subject must take care of; again, because your system does not protect the data.

The site also publishes certain names and identifiers of those who donate, and financial details about the donation. The policy doesn't even mention that.

> "Delete the account and make all content belong to the Anonymous user", which fully removes your account but keeps the things you wrote without mentioning your username

and... the (improperly designed) mailing list archive stays public. Basically this is depriving the data subject of the right to erasure and rectification. Additionally, there is nothing that would clear the direct mention of someone's name/username/other identifier in the post text. So this is incomplete and therefore misleading.

Something more - "deleting an account" does not equal complete personal data erasure. There must be a procedure for complete erasure "without undue delay" as GDPR says.

Example:

https://trisquel.info/en/forum/what-do-about-intellectual-dishonesty-trisquel-forum

The personal data (email addresses) of many users are published in the text of the OP, including those of the members who had left the site at that time, violating their fundamental rights. That is not data protection. This is data publishing, making it crawlable, indexable, correlatable etc. So forum rules and moderation should also be compliant.

> Requesting your stored data

> You can also just check it yourself under your "My Account" page

No, I can't. It doesn't show me what is in your logs. Also this "check it yourself" is not data portability. (Article 20)

The registration process:

> Due to recent spam issues, new accounts need to be reviewed by hand. Please check your mailbox if you want to speed up the process. Sorry for the inconvenience.

Who reviews it? (= who has access to the data) What exactly does he review "by hand"? The password too? Again the controller is not clear, as well as the process.

First name and last name are mandatory - why? Why do you need someone's first and last name just to post in a forum? Or country? Again - no data minimisation.

https://trisquel.info/en/quotes

Nothing about this either. Names are public in quotes. What is the policy for this? - No idea.

It is not clear also what happens if one uploads an actual image of oneself as an avatar (which are also publicly visible, crawlable, etc). Users should be made aware explicitly about what shows publicly ("Personal information" in profile is actually public information).

Again about donations:

PayPal is a third party, so is the bank for wire transfers. Again - that "we don't share" is not true. You do share the fact of the payment with the payment processor. In this process you may also get additional personal data (through the transaction info). Nothing clarifies how that data is processed. In fact nothing even mentions that.

More:

$ host trisquel.info
trisquel.info has address 5.196.53.144
trisquel.info mail is handled by 10 correo.sognus.com.

correo.sognus.com is a third party host with different IP address and main domain. So mail goes through it along with personal data. No mention, no clarity how this is processed or for what purpose, no retention times either.

BTW how is the data hosted? The web hosting provider also has access to some personal data (IP address as a minimum). If this is a virtual or shared server - the provider could have more (or even full) access.

Lots of room for technical improvement too (for better data protection):

https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Ftrisquel.info

Weak ciphers, deprecated TLS versions etc:

https://www.ssllabs.com/ssltest/analyze.html?d=trisquel.info&hideResults=on

And so on... perhaps I can continue but it is taking too much time. One must really read the GDPR and do what is in it. It is explained very clearly. No lawyers needed.
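Two small checks that bear on the logging and cookie points raised in the report above, written for this page as an added example (this is not code from the Trisquel site, from Drupal, or from the reporter). The first parses an Apache "combined" log line to show which fields beyond the IP address a default log actually collects, and applies one possible minimisation (truncating the address to /24 or /48 and dropping referer and user agent; the widths are an assumption, not a GDPR requirement). The second inspects Set-Cookie headers for the Secure, HttpOnly and SameSite attributes. The log line and the cookie headers are constructed samples.

```python
"""Added example: what an Apache combined log line really collects, one way
to minimise it, and a Set-Cookie attribute check.  Sample data is constructed."""
import ipaddress
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample (RFC 5737 documentation address, made-up referer/agent).
SAMPLE_LOG = ('203.0.113.42 - - [29/Jul/2019:19:35:07 +0200] '
              '"GET /en/privacy HTTP/1.1" 200 5120 '
              '"https://example.org/forum" "Mozilla/5.0 (X11; Linux x86_64)"')

# Constructed Set-Cookie headers: a session cookie without flags, a
# JavaScript-set cookie, and the same session cookie with flags added.
SAMPLE_COOKIES = [
    "SESS0123456789abcdef=abcdef0123456789; expires=Wed, 21-Aug-2019 23:08:47 GMT; path=/; domain=.example.org",
    "has_js=1; path=/",
    "SESS0123456789abcdef=abcdef0123456789; path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_combined(line):
    """Split a combined-format line into its named fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("not an Apache combined log line")
    return m.groupdict()


def personal_data_fields(entry):
    """Fields that identify a visitor or can be correlated with the IP address."""
    return [k for k in ("host", "user", "time", "referer", "agent")
            if entry[k] not in ("-", "")]


def anonymise_ip(addr):
    """Zero the host part: /24 for IPv4, /48 for IPv6 (assumed widths)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise_log_line(line):
    """Rewrite a line keeping only what is needed for operations:
    truncated address, time, request, status and size; referer and
    user agent are replaced by "-"."""
    e = parse_combined(line)
    return (f'{anonymise_ip(e["host"])} - - [{e["time"]}] "{e["request"]}" '
            f'{e["status"]} {e["size"]} "-" "-"')


def check_set_cookie(header_value):
    """Return (cookie name, list of missing protective attributes).
    Note: a cookie written from client-side JavaScript can never be
    HttpOnly, so for such cookies that finding means 'set it server-side
    or accept that it is script-readable'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag, key in (("Secure", "secure"),
                                      ("HttpOnly", "httponly"),
                                      ("SameSite", "samesite"))
               if key not in attrs]
    return name, missing


if __name__ == "__main__":
    entry = parse_combined(SAMPLE_LOG)
    print("collected beyond the bare IP:", personal_data_fields(entry))
    print("minimised:", minimise_log_line(SAMPLE_LOG))
    for c in SAMPLE_COOKIES:
        name, missing = check_set_cookie(c)
        print(f"{name}: missing {missing or 'nothing'}")
```

The minimised line still matches the combined format, so existing log tooling keeps working while referer and user agent are gone and the address no longer identifies a single host.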

Mon, 07/29/2019 - 19:35
Assigned to: anonymous » david

Thanks for all the feedback, there's clearly a lot of room for improvement in many of the touched areas.

Some of the changes needed to attain full support of the GDPR are too deep to be easily implemented in the current website and will probably have to wait for the new one to be ready. I will try and make sure to give most of the other points you raise the attention they deserve.

Thanks again for your help!