Murder by Death
So far, in the limited conversations about this site that have centered around privacy and visibility, everybody is for making the site private. Since this current test site is my personal domain, I’ve already taken all steps to make it as inaccessible to the public as possible and I’m comfortable with its current status.
But once our Euro friends who fall under the GDPR laws join us, it’s a different ball game, as, if I understand this correctly, the law states that all users must list their real names/addresses, unless the site is private. My current settings would count as private, in my opinion.
Currently, it’s possible to make posts and pages private using the Visibility function, but the glitch with that is setting that to Private makes the post or page visible only to administrators (handy on the future perm. site for administrators to basically PM each other). The other option is Password Protected and that just seems a bit too much, asking everybody to enter a password to read the posts.
The only way to make the entire site private is through a plug-in, which is free. It will enable whole site privacy, and as they say on the site: “Now, whenever anyone who isn’t registered and logged into your site comes to see it, this is all they’ll get: the login screen.” (source: https://www.websiteplanet.com/blog/how-to-make-wordpress-private/)
Do we want to do this? We can still ask new members to join us, but they won’t be able to approach us blindly; they’ll have to come to us through another member.
Thoughts? Personally I want our Euro members, TA, Lillelara et al. to be able to join us without stressing about GDPR. If that means I publish my personal details along with everybody else’s on my privacy page, or make the entire site visible to members only, so be it. But this is definitely a discussion for the committee.
Themis and I started this conversation, and I think it’s an important one to have. I’ve done a little bit of research into the GDPR and while it is about as clear as mud, I don’t think that non-EU bloggers can just shrug our shoulders and say that we aren’t in the EU, so it doesn’t apply to us. My reading suggests that the GDPR applies to anyone who collects data and whose target audience includes members who live in GDPR covered countries. That would essentially be everyone on the planet. Maybe even off the planet.
A couple of other things – it seems that the GDPR is really focused on data collection of personal information, so our first task would be to determine what data is being collected. This is likely being done without our active involvement, by the hosting service. The little note below that says “Learn how your comment data is processed” is very likely to be sufficient to provide the required notice to potential commenters about the length of time their data will be held and what it will be used for.
The other question would be whether Ashley collects data from site visitors as part of the hosting service, how she stores it, and what she does with it. For example, does she collect IP addresses from visitors?
The other thing that I read, although I haven’t dug into it very deeply, is that a fine for non-compliance with the GDPR is 4% of revenue. We will have no revenue. We will not be using the data that we collect – to the extent that data is collected, it will be a byproduct of individuals coming to the site, reading the posts, and choosing to comment.
The most important thing, I think, is that the personal details thing seems to be the least important element of the GDPR as far as I can tell. The bigger issue is data collection & cookies & how our plugins might use the data that they collect without our participation, knowledge and not to our benefit.
Ugh.
Edited to move it under Christine’s comment, as it’s a direct reply.
“The other question would be whether Ashley collects data from site visitors as part of the hosting service, how she stores it, and what she does with it. For example, does she collect IP addresses from visitors?”
Are we thinking we’ll use Ashley’s hosting service? We don’t have to – I don’t on my personal blog. We just purchase the plug-ins and install them on whatever WP.org site we use. I don’t think she collects anything from the plug-ins she sells, as there’s no disclaimer or privacy notice attached to her plug-ins (and she wrote them in the UK, when the UK was part of the EU so she’d have had to comply with the laws of the day).
If we stuck with the hosting service I use, Dreamhost, I’d have to see if they collect any data, and if so, what data. I’m certain they collect analytics pertinent to the performance of their servers and equipment, but I’ve never seen any indication that they collect anything personal (I’ve never once gotten any communication from them other than a bill, for example).
But the more basic question, at the moment, is: do we want to make the entire site private? Members only visible? Doing that will certainly eliminate a lot of the GDPR issues that aren’t related to data collection.
“But the more basic question, at the moment, is: do we want to make the entire site private? Members only visible? Doing that will certainly eliminate a lot of the GDPR issues that aren’t related to data collection.”
I think that this would actually eliminate ALL of the issues, even the ones related to data collection, because the only data we would collect would be each other’s, and we can make it clear when people join that they are consenting to that collection.
I am fine with a completely private site. Yes, it means that we won’t grow, except insofar as we invite other people to join us, but we basically weren’t growing on BL either, since the small core were the only ones left.
I also have no problem with Dreamhost as the hosting service.
Understand that while I’ve never had any problems with them, I only recommend Dreamhost insofar as we don’t have to pay hosting fees, as we can just branch it off my account.
So – totally private is on the table. Hopefully our other committee members will chime in to voice their thoughts. I can implement the plug-in whenever we’re ready to.
I’ve also heard from TA – I told her I found the plug-in – and she’ll be checking in with us here soon.
Great!
Hi MbD,
I have a different understanding. The advice to companies running websites is to have Privacy By Design. This translates to collecting as little data as possible and getting consent for any data collected.
There is no requirement to collect people’s real names.
The idea is to collect as little data as possible and to anonymize any data that you collect and aggregate. That’s why the stats data on WP will show you how many people from which country have touched your site but it won’t show you who they are or what they looked at. It collects the geodata of the visitor but doesn’t link it to name or IP address or MAC address or device type the way FB does.
My understanding is that the impact of GDPR on a site like this is to make sure that cookie consent is taken and not to plug in and use anything that processes the user data in a way that breaches their privacy.
In other words, we’re fine as long as whoever hosts the site has set up GDPR compliant processes for notification.
All that being said, I think that we’d be better off keeping this a private site, visible only to authors and then giving all the people playing the game author rights.
We probably also need a statement about reblogging content belonging to others outside of this site – Don’t do it. If you must reblog, do it from the personal site of the person you’re reblogging from.
I’ll make a separate post with some background information.
Mike, the requirement to publish people’s names comes in under two headings:
(1) German national law: Every publication not explicitly private / personal, in this country, HAS to specifically include the author of that publication. That was the law here even before the GDPR kicked in; it’s essentially a response to the Nazi era, where anonymous public smear campaigns were a favorite method of oppression and harassment.
(2) The GDPR rights of the user — users have the right to learn where and by whom their data are being processed. As far as I’m following the IT community’s discussion here, there is unanimity as to the fact that this requires publication of a website owner’s real name. (In fact, there are even some who argue that you now have to have an “About Me” / “Impressum” section on Facebook and Twitter.)
I can’t judge to what extent the German interpretation of the GDPR, which is doubtlessly in part influenced by what used to be the law here before — and by the laws that continue to be applicable, such as the one concerning publications in Germany — differs from the interpretation it is given elsewhere. What I CAN say is that (1) as a result of the doxxing / harassment going on in many social media, German authorities take compliance with the GDPR extremely seriously and do prosecute non-compliance; and (2) German courts basically take the view that any website / blog accessible in Germany (or even designed to be accessible in Germany, such as our blog would be) must follow the rules such as they are interpreted in Germany, or risk fines and / or being sued in Germany. For practical purposes, that would mean Lillelara and me as the most logical first targets (and authorities here would be able to obtain our contact details from WP, even if we didn’t disclose them here and even if I hadn’t already done so with regard to mine on my personal blog anyway).
Mike, I didn’t specifically mention how much I agree with you about reblogging. Our community would basically be Las Vegas – what happens on the Outpost stays on the Outpost. If people are cross-posting on their personal public blogs, linking to that on another personal public blog would be kosher.
I always HATED the BL reblog feature anyway. I felt like it super sucked because it did a terrible job of redirecting back to the original author, and if a post was reblogged more than once then the original post author was completely eliminated from the reblogging. It felt exploitative.
Yes, yes, and yes. Absolutely no reblogging outside of that particular blog. (There is a way to disable the “share” function on WP, btw; I’m using it on my personal blog, too.)
Thank you both, MbD and Christine, for taking this up!
If we could make this group blog private, we’d avoid a whole host of issues, both in connection with German national law (re: “publications” targeting or accessible to readers in Germany) and the GDPR.
Because you’re both right: as soon as a blog can be publicly accessed in Europe (or the EU — whether or not including post-Brexit Britain remains to be seen), the GDPR covers every scrap of data being collected, not merely by us but more importantly by WP and every other service we’re using — Gravatar, Dreamhost, Nose Graze, etc. Unless we’re using the WP plugin that limits data collection in line with the GDPR to a bare minimum (IP addresses, locations and user names of site visitors plus other, possibly anonymized, information necessary for the functionality of their service), that may include everything from a person’s type of activity (“passive” visit or commenting / interaction), the posts being visited and their topics (maybe down to frequently-used keywords), book data and other external information linked in our posts, etc.
Basically, that in turn would require us to visit the website of every service we’re using and determine (1) precisely what sort of data they’re collecting and (2) what their own privacy policy is, and then include the relevant information in our own privacy policy page. Having done so once before for my personal blog, let me tell you this is extremely cumbersome, even if we ultimately end up using the “data collection limitation” plugin offered by WP for use in connection with the GDPR — because we’d still have to determine what limited types of data get transferred to whom exactly if we use the plugin.
In addition — since both the GDPR and the German law regarding “publications” attach to anything that can be accessed in Germany / the EU, regardless whether (in case of a website / blog) it is actually hosted or authored here –, as indicated by MbD, every member of this site / blog would have to publish their legal name and contact details: and it would have to be in a place on this blog complying with the “one-click” rule (which says that this information must be accessible from every single page of the website in such a fashion as to be only one click away — that is why most European corporate websites have links to their “About Us” and “Privacy Policy” pages either in their overall headers or footers). For me personally this ultimately isn’t an issue; I’ve already had to do it on my own blog anyway, but I can see others having concerns about it, and I totally get that.
I already have a private blog – I use it to track my retirement plans and financial information, as an organization tool. It is inaccessible. We can definitely do it. I don’t have an issue with making this private beyond the 50 or so of us who may decide to migrate over here as a community.
That’s what it would be, really – a community. Not a blog, but a private library space where those of us who have become real friends can gather and talk about everything, most importantly books, but also cooking and traveling and gardening and crafting and all of the stuff that friends talk about.
The idea of it is just so wonderful to me – better even than BL, in a way, because we would be totally free of spammers and data scrapers and authors stopping by who are pissed off about a bad review.
Members of this group who want to invite others to join us would be free to do that, but any invitations should be discussed with the group first, and adding a member basically means that the inviting member is vouching for the character and good will of the person they are bringing in. In addition, for a while at least, I would say that we should let this group percolate in its new home before trying to grow.
Anyway, I think that this feels like it could be a real home.
It definitely feels that way — I so very much hope it will be, at last!
For what it’s worth, I am definitely all for us going completely private.
Ok, it sounds like we’re all on board with going private, so shall I pull the plug-in trigger and get us there? I can do it in just a few minutes.