General Data Protection Regulation and Metafilter May 25, 2018 8:34 AM   Subscribe

There are some meta questions about Metafilter in the GDPR thread, and more are likely to come up soon given some US sites blocking EU users by default.

How is Metafilter's data management affected? What about the infodump?

And will links posted to the front page that aren't reachable by our European users make the site even more US-centric and less friendly for them?
posted by clawsoon to MetaFilter-Related at 8:34 AM (15 comments total) 4 users marked this as a favorite

Yeah, it seems we've come through the paroxysm of corporate email alerts to the day itself! How it all affects MetaFilter: not very much, fortunately, since much of the focus of the new GDPR requirements are on business practices that we steered away from to begin with. But there are still some aspects that we do need to account for, and we're working on making sure everything's up to date on that stuff.

Primarily we've been reviewing and will roll out updated versions of our privacy info in the FAQ (this hasn't required substantial changes, happily, but it's been a good reminder to check in on all that stuff) and signposting that a bit more for good measure, as well as making sure there's good signposting for how to contact the staff in cases where someone has a request or concern about personal data.

How is Metafilter's data management affected? What about the infodump?

We manage just about as little private data as we can, which simplifies the situation enormously. We also don't sell any user data to third parties, which likewise helps. Password data we manage in industry-standard secure ways. We're gonna continue looking at what little data we do handle internally, and part of the review of the privacy documentation is making sure it's all mentioned explicitly.

In line with the GDRP regulations on erasure of data, I'll reiterate what we talked about early last year in MetaTalk: anyone with a concern about us storing even the minimal private data we do have can absolutely contact us about stripping that out of the database.

The infodump consists solely of a subset of already public data; there's nothing in there that isn't published openly on the site itself in the process of normal commenting and posting, so questions about it are equivalent to questions about the public content of the site in general.

About which our position on preferring to keep comments and posts around where possible for public archive value isn't changed by GDPR, which specifically allows for that; but likewise we remain totally willing to look at privacy-specific cases like removing specific bits of content that have become a problem for someone (e.g. dealing with a stalker, regretting disclosing identifying email, profound regret about some previous comment/question), so contacting us to talk that stuff out on a case-by-case basis continues to be fine.

I'm also still reviewing some of the details of ad stuff; we'll be including links to some Google Adsense info specifically in the updated privacy stuff, to outline how Google specifically manages ad content on their end. We've always aimed for the most minimal, non-sketchy version of Adsense use cases to begin with to avoid tracker nonsense where possible, but I want to be sure that we are and/or Google is providing the appropriately compliant ad flow there for EU visitors. Logged in members, specifically, never see the Adsense stuff in the first place.

And will links posted to the front page that aren't reachable by our European users make the site even more US-centric and less friendly for them?

This is an interesting/frustrating bit of territory that I think we're basically gonna have to explore together to find out how stuff shakes out. I certainly think it's a good idea in cases where GDPR-related stonewalling by non-EU publishers affects the visibility of links to think about how new posts are structured and whether and when and how it's possible to use alternate/supplemental links in a post. Or folks doing so in the early comments if the poster didn't catch that there was an issue.

But that feels like, yeah, a big Thing The Web Is Gonna Have To Sort Out In The Next While subject, mostly; there's what MetaFilter users can do in creating posts and comments (and I think we can try and help each other out to mitigate the annoyance from EU blocks), but then there's the much broader question of how everybody is gonna deal with it, as the actual compliance and enforcement aspects of this shake out and major publishers who defaulted to "well, shut down EU access" catch up after the fact.
posted by cortex (staff) at 8:57 AM on May 25, 2018 [31 favorites]

Metafilter: Much of the focus of the new GDPR requirements are on business practices that we steered away from to begin with.
posted by Melismata at 9:10 AM on May 25, 2018 [33 favorites]

Probably-unrealistic wishlist item: When you're previewing a post, a warning that a link might not be accessible from the EU. (...or might be paywalled.)
posted by clawsoon at 9:34 AM on May 25, 2018 [2 favorites]

@melismata wins for best use of "metafilter:" ever.
posted by nikaspark at 10:25 AM on May 25, 2018 [6 favorites]

The profile info - even the picture and the real name, as shared in the minimal profile for non-login users - could be considered identifiable, no?
posted by scruss at 4:32 PM on May 25, 2018

Users have full control over that info; anyone can change or delete those fields on their profile at any time, and we do not store the removed info.
posted by cortex (staff) at 5:53 PM on May 25, 2018 [3 favorites]

That's what the cabal wants you to believe.
posted by medusa at 8:36 PM on May 25, 2018 [3 favorites]

So if I submit a right to be forgotten request will you remove all instances of my email address from all of your readable data stores? For instance, if I have I shared my personal email address with someone in memail will you mask or remove that data, or will you just delete my username from the memail thread and leave any potential PII intact in the body of the memail?
posted by nikaspark at 9:21 PM on May 25, 2018 [2 favorites]

That's an interesting one, specifically for the mefimail aspect. For just about everything else in terms of where it could appear, it's a gimme that we'd remove it one way or the other—nixing it from the user profile information on the back end, deleting or redacting comments or Jobs posts or etc. where you might have mentioned it, etc. That's been the case before GDPR came along, when someone's come to us with a privacy concern, so it's easy to say "yep, that's still the deal".

I say mefimail is interesting only because it gets into the territory of altering the contents of someone else's inbox, which feels more complicated than altering the content of what we as a business are storing for the sake of storing. "Please delete or alter the content of someone else's received correspondence" feels quite different from "please remove my comment". On the other hand, it is in fact data that we are hosting.

And "feels" isn't really the right metric to work with ultimately—I'd rather work with a clear legal requirement or established best practices on it—but figuring out these edge-case bits is gonna be a little bit of a work in progress. Which is probably the reality for every tiny business nonetheless having to develop a toolset for the new GDPR requirements. I appreciate that the GDPR regs allow a 30 day window for specific requests when they arise, since I think that fits well in the "hmm, yeah, let's figure this out" case-by-case approach MeFi's always tended to take for stuff in this vein (even if it doesn't usually take us anywhere close to that long to resolve any specific person's request).

So, yeah! Basically: that's a new one by me, and bears thinking about. MeFi'd make a good faith effort to support the request, in any case; figuring out the best process and compromise to do so in a way that's useful to the requester but minimally disruptive to other users' experience is the key thing from my personal perspective, and that's what would need sorting out.
posted by cortex (staff) at 7:50 AM on May 26, 2018 [2 favorites]

Yeah, I’ve been dealing with over 100 wierd edge cases where I work but the company I work for is a global vacation rental company which is orders of magnitude more complicated than what you’re facing, but one thing we do have is a lot of transactional communication happening on our platform that looks a lot like memail on a super giant scale. The thing that I am wrapping my head around is “data stores and what to do about them” because at the end of the line that’s where GDPR in my experience bites down the toughest.
posted by nikaspark at 8:00 AM on May 26, 2018

How would a non-EU poster know if a link is accessible in the EU? Are we expected to test everything through a VPN? I see this come up with videos a lot -people complaining that it’s inaccessible in their country. It seems like a high bar.
posted by AFABulous at 11:55 AM on May 26, 2018 [3 favorites]

If it's an ongoing problem -- and not a short blip for a month or two after the introduction of the law -- people will probably post tools online that help with checking -- for example, this YouTube geo-block checker can be really helpful.

Beyond that we've handled it on a case-by-case basis -- if something's available to only a single country, so most of the site can't see it, and that link is the basis of the entire post, we'll probably delete it. If you've got a handful of articles about elections in Estonia (say), and one of them happens to be blocked for everyone outside Estonia, we'd probably let that stand as long as the post made sense and people could read the other links.

In a lot of cases, posters relatively quickly post an alternate, non-blocked link in the comments, which is super-helpful. Other times, a commenter who can see an article will summarize it and quote bits of it as appropriate. Also very helpful!

But yeah, we don't expect people to know and we handle it post hoc, but we do appreciate it when people do check their links (if they know how, and if it's possible to do), and we hope that people will keep in mind block problems as we as a community become aware of them -- for example, official SNL videos on YouTube are almost always geoblocked up the wazoo, so people tend to look for less-official videos when sharing them. Tronc right now is blocking Europeans from its sites; if that continues, we'd hope that people would remember (most of the time!) to either find an alternate site for the news article you're sharing or, if it's only available from a Tronc paper, to block quote the relevant bit and summarize if you can. And if you don't know Tronc is blocking, or if you forget, and you post a Tronc link, either a helpful fellow mefite can summarize or find an alternate link, or, in the worst case where it's totally undiscussable without the original source, we delete it until it's accessible to more users.

Basically like everything else we'll handle it on a case-by-case basis and ask people to be mindful of others (in seeking unblocked links), to cut each other some slack (if someone forgets), and to help each other out (by summarizing stuff or finding alternate links).

And it happens to all of us -- I posted an Oscar-nominated short that I had shared with a couple friends abroad so I "knew" it wasn't geoblocked (and it was hosted in a native video format on the Atlantic or New Yorker or somewhere, not something I could use a youtube checker on), but then it turned out that I just got lucky with my friends who could see it, it was available in Canada and some smaller European countries, but it was blocked in most of the larger European countries -- I assume because of exclusive distribution deals in bigger cinema markets. Anyway, I felt bad. But people were cool about it. The world did not end. :)
posted by Eyebrows McGee (staff) at 2:17 PM on May 26, 2018 [3 favorites]

Tronc right now is blocking Europeans from its sites

That's pretty shocking, but mostly I'm just amazed at how quickly we have normalized "Tronc".
posted by Rock Steady at 5:39 AM on May 30, 2018

TBH when they do something good I say "the Chicago Tribune" and when they do something bad I say "Tronc." (So Tronc is blocking Europeans, and Tronc was refusing to recognize their newsroom union, but then the Chicago Tribune decided to recognize the union and negotiate with it.)
posted by Eyebrows McGee (staff) at 5:58 AM on May 30, 2018 [2 favorites]

Usually people comment in the thread "blocked in France" or whatever and flag their own comment "other" so we come look at it. (We will then exercise our modly discretion on whether to delete the post, delete the comments talking about geoblocking, or do nothing in the hopes someone else will see your comment and find a non-geoblocked version.)

You can also just drop us a line at the contact form if you don't want to comment in the thread!
posted by Eyebrows McGee (staff) at 5:24 AM on June 1, 2018 [2 favorites]

« Older Sibling violence   |   Metatalktail Hour: Hot-Weather Recipes Newer »

You are not logged in, either login or create an account to post comments