consent tracking: option not to save IP / mail address

  • I am using gdpr-framework 1.0.10 on a small site where I have no interest into collecting more data than absolutely required (data minimization). Cause what is not there, does not need any protection or regulations. Currently I use something like this every 10 minutes:

    mysql --defaults-extra-file=[…] --database "somedb" --execute "UPDATE wp_comments SET comment_author_IP='', comment_author_email='', comment_author_url='', comment_karma=0, comment_agent=''; UPDATE wp_gdpr_consent SET ip='';"

    to kick out any data I don′t choose to be saved in the first place. Comments are allowed only for registered users and only I can add a new user.

    I′d rather have WordPress not track any IP addresses whatsoever in the database. Is it possible to disable storing the IP in consent table?

    Also it seems gdpr-framework appears to be using the mail address to reference the user if I read the table schema correctly. This does not work for two reasons:

    1. The user can change mail address at any time
    2. I patched the WordPress installation to make IP address in profile optional

    Could gdpr-framework use a different field to reference to the user like the user ID from table wp_users or the username user_login.

    Also it would be nice to be able to search data subjects by username.

    I chose to make it optional for users whether they like to provide their mail address.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter helios2121

    (@helios2121)

    Hmmm, data export also does not include comments anymore after I removed the mail addresses from it. Please, pretty please provide a way not to use the mail address to reference to the user. The mail address is more sensitive than the user name. And the user can change it. While at least in profile settings WordPress claims that the user name cannot be changed. So I think it would be more reliable and more sensitive regarding privacy to use the user name.

    > I′d rather have WordPress not track any IP addresses whatsoever in the database. Is it possible to disable storing the IP in consent table?

    Not at the moment. We could definitely add a simple filter in the source to make it possible to disallow that. However, this is a very gray area, but GDPR seems to suggest that it would be good to log this information for auditing purposes. I don’t really know though.

    On second thought, I’ll just add the filter. Check the latest push on github, all IPs in consent table are now filtered with ‘gdpr/consent/log_ip’ – this is a quick n dirty solution and might change a bit in the future.

    > Also it seems gdpr-framework appears to be using the mail address to reference the user if I read the table schema correctly. This does not work for two reasons:
    > Hmmm, data export also does not include comments anymore after I removed the mail addresses from it. Please, pretty please provide a way not to use the mail address to reference to the user. The mail address is more sensitive than the user name. And the user can change it.

    I see what you mean, but the plugin must be able to work with data subjects who do not have an account on the site. However, I’d like the plugin to be flexible enough to handle a case like yours. I will think about this for a moment.

    Thread Starter helios2121

    (@helios2121)

    Hmmm, identifying the user with mail address appears to be quite central to this plugin. Even the Privacy Tools page states: “You are identified as [email protected]”. I think it is good to reconsider this due to the sensitivity of the mail address. If a plugin user chooses to optionally store the mail address in the consent database, their choice, but please do not require the user to have a mail address.

    Thread Starter helios2121

    (@helios2121)

    Ah, I understand, for user who are not registered and who enter their mail address when commenting. Okay, I get where you are coming from. However in my use case no unregistered user can comments – which by the way is great to minimize comment spam to zero :).

    Yep, that’s one thing. Contact and other forms are another – all covered by GDPR, but the only possible way to identify the user is via email.

    Regarding security, as of 4.9 we have this: https://www.dropbox.com/s/x1ycndx6039apgq/change%20email%20wp.PNG?dl=0 so emails are validated.

    > Please, pretty please provide a way not to use the mail address to reference to the user.
    I’d love to accommodate your request, but realistically, your case is quite rare (as you said you modified WP core to make this work ?? ) and I need to pick my battles right now due to the massive backlog. I can put this on the todo list, but I cannot guarantee anything.

    You’re more than welcome to make some changes to the plugin and submit a pull request, though! (In this case, it would make sense to discuss the implementation first)

    • This reply was modified 6 years, 9 months ago by indrek_k.
    Thread Starter helios2121

    (@helios2121)

    Hmmm, I could make a page where users post a comment to agree to the privacy policy – I bet this would work for now. But exporting comments without mail addresses still would not work. Not sure whether another plugin can do this. However this may be easy enough to fix. Just update the select statement to search by either mail or user name. Hmmm… I am not into digging deeply into PHP development again and I invested a lot of time already into making the blog gdpr compliant, but adapting that SQL query may be easy enough.

    Thread Starter helios2121

    (@helios2121)

    Hmmm, I′d need to change this and all callers of it to also include and check for username.

    179     public function getCommentsByEmail($email)
180     {
181         if (!$email || !is_email($email)) {
182             return [];
183         }
184 
185         $query = new \WP_Comment_Query;
186 
187         $comments = $query->query([
188             'author_email' => $email,
189             'include_unapproved' => true,
190             'status' => 'all',
191         ]);
192 
193         return $comments;
194     }
    Thread Starter helios2121

    (@helios2121)

    And the callers of the callers… hmmm… so this is not an isolated change.

    Thread Starter helios2121

    (@helios2121)

    Okay, after digging a bit more into the source code, it appears to me that the plugin completely looses track of a user in case they change their mail address. Changing that appears to be a complete refactoring of the plugin to me. So I may be better off looking for another gdpr plugin that identifies user by username.

    • This reply was modified 6 years, 9 months ago by helios2121.
Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘consent tracking: option not to save IP / mail address’ is closed to new replies.