GDPR and forum registration requiring "legitimisation" data

m_c · October 2023

So another forum I'm occasionally on (totally unrelated to guitars!), changed ownership a few years ago, but have recently decided that due to GDPR legislation, all members have to be verified which involves submitting your 'real' name and phone number.

I've naturally put in fake information, but is there any actual legal basis to request this information for a forum?

Sporky · October 2023

That's why I always use my real name when I sign up to forums.

Kittyfrisk · October 2023

^ Me too.

NothingOnTheTele · October 2023

Can't imagine why GDPR would require them to collect your personal details. No doubt they've been inundated with silly names.

Tannin · October 2023

It's a scam. Say that on the forum so that other members know it too, then leave.

dano · October 2023

Sporky said:

That's why I always use my real name when I sign up to forums.

So your real name is I C Weiner ?

stickyfiddle · October 2023

Yeah that sounds like the polar opposite of GPDR requirements.

digitalscream · October 2023

Well, that's...insane, with regard to GDPR regulations - it actually puts more of a burden on them and automatically creates more liability for them.

However, there are other laws that are coming soon regarding online safety which could require this in some interpretations, depending on the size of the site. I'm currently reviewing it, and my MP has been absolutely zero help in understanding the government's intent - it's possible that it would create such a huge liability that the site may have to shut down.

It's the Online Safety Bill - it mandates that all social media must verify the age of all of their users, and block anyone under 13. On top of that, it also mandates that all members have to be able to block unverified users (implying that efforts should be made to verify the real identity of all users where possible).

Obviously, there is no way in hell this site would ever have the budget to be able to do that, so if it does apply to small forums...we all have to wave goodbye to tFB.

In case anybody wants to help me out with deciphering the stupidity, the latest text of the Online Safety Bill is here:

https://bills.parliament.uk/publications/52368/documents/3841

ewal · October 2023

Can't think of a DPA requirement for identities to be verified. In fact it runs counter to the DP data minimisation principle - if you don't need the personal information to provide the service, don't collect it. It's also bollocks in identity authentication terms, because clearly they are not using the information provided for authentication purposes.

thumpingrug · October 2023

digitalscream said:

Well, that's...insane, with regard to GDPR regulations - it actually puts more of a burden on them and automatically creates more liability for them.

However, there are other laws that are coming soon regarding online safety which could require this in some interpretations, depending on the size of the site. I'm currently reviewing it, and my MP has been absolutely zero help in understanding the government's intent - it's possible that it would create such a huge liability that the site may have to shut down.

It's the Online Safety Bill - it mandates that all social media must verify the age of all of their users, and block anyone under 13. On top of that, it also mandates that all members have to be able to block unverified users (implying that efforts should be made to verify the real identity of all users where possible).

Obviously, there is no way in hell this site would ever have the budget to be able to do that, so if it does apply to small forums...we all have to wave goodbye to tFB.

In case anybody wants to help me out with deciphering the stupidity, the latest text of the Online Safety Bill is here:

https://bills.parliament.uk/publications/52368/documents/3841

This is a worrying development and almost certainly unintended for small specific interest groups such as ours. For it to create the possibility that the site may close is something that we need to rally against.

That link appears to be over 300 pages long - Im happy to try to find relevant bits but I doubt my legal knowledge is up to much.

Does this deserve its own area of discussion?

digitalscream · October 2023

@thumpingrug - yes, it may well do.

The advice from my (Conservative) MP is that it applies to every site with any kind of social interaction, apart from the exceptions listed in one of the appendices - none of which are based on site size, and (in his opinion) none of which apply to tFB.

Basically, his opinion was that the Bill was drafted without anybody considering smaller sites, but that smaller sites disappearing would be an acceptable loss compared with thinking of the children (and, presumably, the votes that come with it).

steven70 · October 2023

digitalscream said:

@thumpingrug - yes, it may well do.

The advice from my (Conservative) MP is that it applies to every site with any kind of social interaction, apart from the exceptions listed in one of the appendices - none of which are based on site size, and (in his opinion) none of which apply to tFB.

Basically, his opinion was that the Bill was drafted without anybody considering smaller sites, but that smaller sites disappearing would be an acceptable loss compared with thinking of the children (and, presumably, the votes that come with it).

I would say that smaller sites disappearing is an intended outcome of the bill. And yes, votes as well.

mgaw · October 2023

I agree there is a constant shift of regulations each step making things increasingly difficult for smaller players in many fields.

Funkfingers · October 2023

Seems like another of those sweeping changes in the law that are intended to root out the small minority of miscreants but do so by making life more difficult for the law-abiding majority.

See also: firearms legislation, e-scooters and Sunak's proposed increased minimum age for buying and using tobacco products.

Nutters who want guns or big knives and kids who choose to smoke will ignore the law and find ways around it.

In the case of on-line abuse, it won't be long before AI 'bots can be prompted to create their own plausible but entirely false identities and, then, generate and direct abusive content at the target(s) of one's choice.

DuploLicks · October 2023

Funkfingers said:

Nutters who want guns or big knives and kids who choose to smoke will ignore the law and find ways around it.

Always this. People who have no interest in following the laws, surprise - won’t follow the law but ‘normies’ who are compliant get weighed down with more laws. it sucks

I remember not long after GDPR came in a board game forum closed down as one bad apple created a nightmare for the admins with the requests so they just folded the whole thing. I think they over reacted & could have pushed back but at the same time sympathise that they just didn’t want the drama.

Sporky · October 2023

"Bad people will still do bad things" isn't to my mind a valid reason not to control availability of bad things.

Grunfeld · October 2023

thumpingrug said:

digitalscream said:

In case anybody wants to help me out with deciphering the stupidity, the latest text of the Online Safety Bill is here:

https://bills.parliament.uk/publications/52368/documents/3841

Does this deserve its own area of discussion?

Probably does deserve a new thread. Personally, I'm in the not an expert camp so I look to those who know more.

This is especially because I'm getting a sense that the Online Safety Bill is not so much about protecting children but more about increasing surveillance through the eventual use of telemetry embedded in a computer's operating system. A tin-foil hat mentality is truly the last thing I want; my bottom line is always be guided by the evidence -- the problem here is understanding what's going on.

digitalscream · October 2023

Grunfeld said:

thumpingrug said:

digitalscream said:

In case anybody wants to help me out with deciphering the stupidity, the latest text of the Online Safety Bill is here:

https://bills.parliament.uk/publications/52368/documents/3841

Does this deserve its own area of discussion?

Probably does deserve a new thread. Personally, I'm in the not an expert camp so I look to those who know more.
This is especially because I'm getting a sense that the Online Safety Bill is not so much about protecting children but more about increasing surveillance through the eventual use of telemetry embedded in a computer's operating system. A tin-foil hat mentality is truly the last thing I want; my bottom line is always be guided by the evidence -- the problem here is understanding what's going on.

Yeah, I'll start a new thread when I understand a bit more about it. I'll contact Ofcom to figure out exactly what the intent is before doing anything.

As for the Bill itself...the cynical amongst us might consider that, if there really are no exceptions for smaller sites, it's designed to do two things:

1 - Make the provision of online social interaction services economically un-viable for smaller players
2 - Force larger social media providers to perform the surveillance on behalf of the government

Of course, because of #1, only the large providers are left - thus making it easier for the authorities to track people's activities because they have fewer places to look.

Grunfeld · October 2023

digitalscream said:

2 - Force larger social media providers to perform the surveillance on behalf of the government

My concern, the thing which has spooked me, is the confluence of a couple of things: (1) the realisation that end-to-end encryption is truly secure. So "they" cannot decrypt your private data -- whether it's child abuse, anti-government sentiment, or harmless fluff. (2) the emergence of computing power with the ability to analyse previously unfeasibly huge amounts of data and it's a safe prediction this will only increase. So I'm wondering:

3 - If "they" can't decrypt your communications, and they wanted to see them, then the only place your data are unencrypted is on your computer.

When Windows 11 came along I was annoyed enough at its unnecessary telemetry to ditch the OS altogether. I don't think W11 is sinister. However, the way to skirt around end-to-end encryption is to analyse the unencrypted data on your computer. Anti-virus programs already check the files on the machine so, in my slightly-more-paranoid mind, it's not a stretch to combine checking for a virus with checking for other data of interest. And it would have to be built into the OS -- because no one would willingly install such telemetry.

For me it's not about what I think is happening now, it's more about what I think has the potential to happen. I have no idea if the Online Safety Bill is the thin end of this wedge, but for the first time in my life I've wondered if it could be.

crosstownvamp · October 2023

What's the situation with regards to moving the hosting out of the UK?

Ignoring latency and hassle the EU should be ok shouldn't it?

Whitecat · October 2023

crosstownvamp said:

What's the situation with regards to moving the hosting out of the UK?
Ignoring latency and hassle the EU should be ok shouldn't it?

If Ofcom decided to go hard on it they could force the forum to have to verify all UK-users ages anyway, despite being based abroad, and block access to if if they failed to comply. That would be the worst-case scenario anyway.

There is much international shouting at the UK for how stupid a law the OSB is.

digitalscream · October 2023

Grunfeld said:

digitalscream said:

2 - Force larger social media providers to perform the surveillance on behalf of the government

My concern, the thing which has spooked me, is the confluence of a couple of things: (1) the realisation that end-to-end encryption is truly secure. So "they" cannot decrypt your private data -- whether it's child abuse, anti-government sentiment, or harmless fluff. (2) the emergence of computing power with the ability to analyse previously unfeasibly huge amounts of data and it's a safe prediction this will only increase. So I'm wondering:

3 - If "they" can't decrypt your communications, and they wanted to see them, then the only place your data are unencrypted is on your computer.

Well...the corollary to this is that if their solution is to amalgamate all social media into the hands of a few big players, it follows that they must then have a way to get at those communications wholesale (rather than just in individual cases via the courts) for it to be a solution in the first place - meaning that they've already broken Facebook, Instagram et al.

crosstownvamp said:

What's the situation with regards to moving the hosting out of the UK?
Ignoring latency and hassle the EU should be ok shouldn't it?

The Online Safety Bill is the UK government giving themselves the right to go after any organisation in any jurisdiction, whether they have anything to do with the UK or not. Now, whether any other countries would accept that or just tell them to piss off is an entirely different matter.

If I was going to do it, I'd probably start with hosting in Norway or similar - a relatively powerful country outside EU with very little in terms of laws in common with the UK. I'd have to move everything, though - hosting, domain, emails etc.

Whitecat said:

crosstownvamp said:

What's the situation with regards to moving the hosting out of the UK?
Ignoring latency and hassle the EU should be ok shouldn't it?

If Ofcom decided to go hard on it they could force the forum to have to verify all UK-users ages anyway, despite being based abroad, and block access to if if they failed to comply. That would be the worst-case scenario anyway.

There is much international shouting at the UK for how stupid a law the OSB is.

That's my fear. Although...it remains to be seen how Ofcom could do anything to block access to a website, much less thousands (potentially millions) - both in a technical sense and the fact that there would be absolute uproar once they got started.

Don't forget, it's not just small forums. What do you think Reddit will do if the UK government tries to make them verify everybody's identity?

And what about sites like Stack Overflow? It's basically a required development tool at this point, and they've got absolutely zero chance of getting anybody to verify on there. What are the UK government going to do...block the whole country from accessing the #1 technical resource in the world?

Whitecat · October 2023

digitalscream said:

Whitecat said:

crosstownvamp said:

What's the situation with regards to moving the hosting out of the UK?
Ignoring latency and hassle the EU should be ok shouldn't it?

If Ofcom decided to go hard on it they could force the forum to have to verify all UK-users ages anyway, despite being based abroad, and block access to if if they failed to comply. That would be the worst-case scenario anyway.

There is much international shouting at the UK for how stupid a law the OSB is.

That's my fear. Although...it remains to be seen how Ofcom could do anything to block access to a website, much less thousands (potentially millions) - both in a technical sense and the fact that there would be absolute uproar once they got started.

The government/courts can order websites to be blocked at the ISP level in the UK, and they do it a lot.

Would absolutely be a lot of backlash if they did it at scale too - and once people figure out VPNs, they'd have to come for those next, which I absolutely believe they would.

https://en.wikipedia.org/wiki/List_of_websites_blocked_in_the_United_Kingdom

Websites will more than likely shut off access from UK IP addresses instead - not worth the hassle for them.

Another issue is that you'd hope that once the Tories get voted out next year (hopefully) that a lot of their crap policy will be altered/reversed, but it doesn't look like this one is ripe for that yet as Labour seem to be mostly completely onboard with it all, and they do have illiberal streaks in them when it comes to privacy and ID etc...

digitalscream · October 2023

Whitecat said:

digitalscream said:

Whitecat said:

crosstownvamp said:

What's the situation with regards to moving the hosting out of the UK?
Ignoring latency and hassle the EU should be ok shouldn't it?

If Ofcom decided to go hard on it they could force the forum to have to verify all UK-users ages anyway, despite being based abroad, and block access to if if they failed to comply. That would be the worst-case scenario anyway.

There is much international shouting at the UK for how stupid a law the OSB is.

That's my fear. Although...it remains to be seen how Ofcom could do anything to block access to a website, much less thousands (potentially millions) - both in a technical sense and the fact that there would be absolute uproar once they got started.

The government/courts can order websites to be blocked at the ISP level in the UK, and they do it a lot.

Would absolutely be a lot of backlash if they did it at scale too - and once people figure out VPNs, they'd have to come for those next, which I absolutely believe they would.

https://en.wikipedia.org/wiki/List_of_websites_blocked_in_the_United_Kingdom

Ah, but those orders are limited to five ISPs - the ones with >400k users. For example, I can access every site on those lists (ironically, using an ISP with massive government subsidy to bring fibre to rural locations).

Going after VPNs would be an even worse problem; they can't outlaw VPNs (they tried, but the entire business world gave them an almighty slap), but equally there are too many VPN providers worldwide for them to block.

The only way they can possibly make this work is to have a China-style whitelist of allowed websites - that's the only end result of something as stupid as this law.

Whitecat · October 2023

digitalscream said:

Whitecat said:

digitalscream said:

Whitecat said:

crosstownvamp said:

What's the situation with regards to moving the hosting out of the UK?
Ignoring latency and hassle the EU should be ok shouldn't it?

If Ofcom decided to go hard on it they could force the forum to have to verify all UK-users ages anyway, despite being based abroad, and block access to if if they failed to comply. That would be the worst-case scenario anyway.

There is much international shouting at the UK for how stupid a law the OSB is.

That's my fear. Although...it remains to be seen how Ofcom could do anything to block access to a website, much less thousands (potentially millions) - both in a technical sense and the fact that there would be absolute uproar once they got started.

The government/courts can order websites to be blocked at the ISP level in the UK, and they do it a lot.

Would absolutely be a lot of backlash if they did it at scale too - and once people figure out VPNs, they'd have to come for those next, which I absolutely believe they would.

https://en.wikipedia.org/wiki/List_of_websites_blocked_in_the_United_Kingdom

Ah, but those orders are limited to five ISPs - the ones with >400k users. For example, I can access every site on those lists (ironically, using an ISP with massive government subsidy to bring fibre to rural locations).

Going after VPNs would be an even worse problem; they can't outlaw VPNs (they tried, but the entire business world gave them an almighty slap), but equally there are too many VPN providers worldwide for them to block.

The only way they can possibly make this work is to have a China-style whitelist of allowed websites - that's the only end result of something as stupid as this law.

But what % of users here use those five ISPs? Probably the vast majority. So in theory you might have websites that exist but have no active users because they're not tech-savvy enough or just can't be arsed to get around the blocks, even though it's relatively easy.

Anyway, it's all a clown show. I sincerely hope that it doesn't come to that whitelist suggestion... politicians shouldn't make these kinds of laws, they don't understand tech...

crosstownvamp · October 2023

Opera browser includes a free VPN that you can switch on or off. Just saying..

Reverend · October 2023

digitalscream said:

Well, that's...insane, with regard to GDPR regulations - it actually puts more of a burden on them and automatically creates more liability for them.

However, there are other laws that are coming soon regarding online safety which could require this in some interpretations, depending on the size of the site. I'm currently reviewing it, and my MP has been absolutely zero help in understanding the government's intent - it's possible that it would create such a huge liability that the site may have to shut down.

It's the Online Safety Bill - it mandates that all social media must verify the age of all of their users, and block anyone under 13. On top of that, it also mandates that all members have to be able to block unverified users (implying that efforts should be made to verify the real identity of all users where possible).

Obviously, there is no way in hell this site would ever have the budget to be able to do that, so if it does apply to small forums...we all have to wave goodbye to tFB.

In case anybody wants to help me out with deciphering the stupidity, the latest text of the Online Safety Bill is here:

https://bills.parliament.uk/publications/52368/documents/3841

the fact they sign up here is proof they are over 35.

thumpingrug · October 2023

I had a quick look at the exemptions this afternoon during a lull in the monotony of the day job. It would have to be a very basic and static site to be exempt and there are very few of those. We most certainly are not exempt.

Requiring everyone to access via a Patreon membership (or some other such platform) in their real-life name paid by a credit/debit card may be sufficient to pass the age verification. If they don't pass the entry test, they are not verified and therefore blocked for all.

It is a shift in site ethos but if the price of entry is very very low it might meet the requirements of the act.

The other way of course is to wait it out and see if it ever reaches the statute books in the current format.

Snags · October 2023

It won't reach statute in its current format, there will be a huge civil liberties/one child's purity kick off and it will get watered down or die the death.

It's prudent to keep a weather eye on things, but not to mine the foundations at this point.

digitalscream · October 2023

Snags said:

It won't reach statute in its current format, there will be a huge civil liberties/one child's purity kick off and it will get watered down or die the death.

It's prudent to keep a weather eye on things, but not to mine the foundations at this point.

Image: https://tfb-user-images.eu-central-1.linodeobjects.com/2b64925b1323cdd123ccf98a031ec30b6ca5cb255a63464290

Sadly, it's all the way through and is just waiting for Royal Assent. As far as I'm aware, that means it's going to become law in exactly its current state.

https://bills.parliament.uk/bills/3137

It's even worse, because it's an open-ended law - Ofcom get to decide how and when it's applied, and it relies on secondary legislation (which hasn't even been drafted yet) to decide a lot of the details...and in the absence of that secondary legislation, those details are up to Ofcom.

TTony · October 2023

thumpingrug said:

Requiring everyone to access via a Patreon membership (or some other such platform) in their real-life name paid by a credit/debit card may be sufficient to pass the age verification. If they don't pass the entry test, they are not verified and therefore blocked for all.

Lee's finally going to get the subscriber numbers up

Howdy, Stranger!

Categories

In this Discussion

Become a Subscriber!

GDPR and forum registration requiring "legitimisation" data

Comments