Re-link deleted user's content when they re-join?
-
@btc I wouldn't have thought so. Part of process would involve anonymising the data to comply with GDPR for example, and if NodeBB were able to "re-couple" data with an email address, that would indicate a full delete never actually took place which is a circumvention of GDPR in itself!
The process of anonymisation involves removing all attribution to any user.
-
@btc said in Re-link deleted user's content when they re-join?:
I see it's possible to delete a user without removing their content via the API, and that their posts show up as "A Former User" when that happens.
We often have people leave our service and then re-join after a period of time. Is there any way to re-link their old content to them if they re-join with the same email address?
I'm assuming not, but just in case!
I think there is ( @phenomlab ), although I have never used it, I remember seeing this plugin made by
@baris@gasovedGitHub - NodeBB/nodebb-plugin-undelete-users: A NodeBB plugin to re-associate deleted users with their content that are not removed.
A NodeBB plugin to re-associate deleted users with their content that are not removed. - NodeBB/nodebb-plugin-undelete-users
GitHub (github.com)
-
hi @baris , is the plugin above v3 compatible?
-
@crazycells This really is not a good idea in my view. The entire point of GDPR compliance is that if a user submits a SAR (Subject Access Request) and then subsequently removes their account (or asks the admin to remove it), then it should remove all attribution from any content that bears their identity.
If there is a plugin that can reverse that, it's a circumvention of GDPR, and much worse, if the plugin is able to attribute content to that same user, then the attribute was never removed in the first place. If this plugin simply re-attributes to another user under a completely different identity as WordPress does when you delete an account, then this is still a circumvention because that data could contain sensitive information that means the original owner is able to be identified.
GDPR is a sticky topic, and one (as a security expert) I am well versed in.
-
@phenomlab I believe it is OK because NodeBB works as you described by default.
This is just an additional plugin that admins should install to have this ability, it is not by default. Since GDPR is only required in EU countries, there might be a use case for this. I have to admit that we had cases where deleted users asked to have their old accounts back. So, I really understand @btc
-
@crazycells said in Re-link deleted user's content when they re-join?:
Since GDPR is only required in EU countries
That's not technically true. If you have users from Europe, you are in scope and have to comply even if your site resides outside of the EU. GDPR is designed to protect European citizens and their data, not the country of system origin.
-
@crazycells said in Re-link deleted user's content when they re-join?:
I think there is ( @phenomlab ), although I have never used it, I remember seeing this plugin made by
@baris@gasovedGitHub - NodeBB/nodebb-plugin-undelete-users: A NodeBB plugin to re-associate deleted users with their content that are not removed.
A NodeBB plugin to re-associate deleted users with their content that are not removed. - NodeBB/nodebb-plugin-undelete-users
GitHub (github.com)
Thanks for this! Unfortunately doesn't seem to be v3 compatible though. But at least it shows it's possible in principle.
-
@phenomlab said in Re-link deleted user's content when they re-join?:
This really is not a good idea in my view. The entire point of GDPR compliance is that if a user submits a SAR (Subject Access Request) and then subsequently removes their account (or asks the admin to remove it), then it should remove all attribution from any content that bears their identity.
It was because of GDPR that we expanded the scope of account deletions from the one (delete account but preserve all content), to three:
- Purge account but preserve all content (pre-existing behaviour)
- Preserve account but purge all content
- Purge account and all content
When processing a request for GDPR, an end user is given the ability to do #1 only. Their content is always preserved (but anonymized to front-end users) so that existing conversations do not lose context.
An end user who wishes to fully exercise their right to be forgotten is encouraged to contact an admin who will conduct a full account+content purge.
Separately, if the
formerUid
field affixed to anonymized content runs afoul of GDPR, then that is something that needs to be addressed. -
hi @julian , I want to address a related matter and would love to hear your professional opinion on it...
when someone quotes a reply in its entirety, the username of the original commenter appears there... This has created some situations in the past when users who have deleted their accounts reach out to us requesting the removal of these quoted comments due to the presence of their personal information. I believe those posts are found by google searches. Since there have been only several posts like this, I have manually edited the quoted part by removing the usernames and keeping the rest of the comment, effectively resolving the problem for the time being.
However, I am now curious to understand if this is within the scope of GDPR? ( @phenomlab ? What do you think?) While we have been lucky that we had this situation only on a few occasions, it is possible that this question may come from highly active users who have made numerous posts on the forum, creating a problem that will be very hard to solve.
Any advice or recommendations would be highly appreciated.
-
@crazycells said in Re-link deleted user's content when they re-join?:
However, I am now curious to understand if this is within the scope of GDPR? ( @phenomlab ? What do you think?)
It is, in fact in scope. The right to be forgotten includes all references, and there are no exceptions.
-
@phenomlab but when all content of a user is purged, these quoted parts stay in the forum, right?
-
@crazycells currently, yes (from recollection)
-
@crazycells That is correct. Quoted content is not associated with the original post and so it is not scrubbed.
To change the behaviour of all mentions so that they are also scrubbed would be fairly significant. Right now we just save the
@mention
text, not the actual user association. -
@julian said in Re-link deleted user's content when they re-join?:
Right now we just save the @mention text, not the actual user association.
And provided this does not provide direct attribution, then this is in fact acceptable and within GDPR. For example, having John Smith as the @ name is obviously providing attribution (but you could argue that the name means nothing given it's popularity and it would be a valid point), but a handle like "theWasp" doesn't - unless there is a post that directly correlates that handle to a physical person.
For example, if someone posted "@thewasp is John Smith who lives at ....." (you get the picture), then this clearly provides direct attribution, and you'd have no foundation to keep data in this manner. Unfortunately, the only way around something like this is to develop a plugin that performs regex matches and purposely looks for data to redact or expunge.
This specific method can be expensive (in the performance sense) on large forums and associated databases, and complex in nature owing to the type of regex you'd need to build. Even then, you cannot possibly catch everything because you'd run into issues such as the regex being too "greedy" (affecting large portions of text in a gratuitous nature) or too lenient (not going far enough). There is seldom any sensible balance - it's either too much, or not enough.
You'd need to search the entire database looking for possible matches, and that would take significant effort to ensure you removed or redacted information that could provide attribution.
This is where the waters of GDPR and privacy become muddied in the sense that you need to impose sane limits on what is necessary to either remove or redact. For example, if a user claimed that "the" personally identified them, you couldn't remove it for obvious reasons otherwise literally everything your other users have posted would need redaction, and that makes zero sense.
This is why "legitimate interest" exists in the first place. You are entitled to keep data intact if it is considered impactful to the consistency if you were to remove it, but you cannot claim implied consent (assuming it's ok to keep without foundation).
GDPR is a complex animal and most people either go way overboard, or do nothing at all, which is arguably worse. NodeBB has this balance just right.