Possible Bug - guests can view contact data in profile

Discuss general development subjects that are not specific to a particular version like the versioning control system we use or other infrastructure.

Post by Scanialady » Sun Mar 13, 2016 1:13 am

On my board permissions for guests (and anonymous) are
can view profiles, memberlist, who is online = NEVER

If I view my board as a guest I see in topics in the profile the contact info for messengers and websites of users. Not cool.
Every guest can see your messenger IDs, Skype name and your weblink. If you click e.g. on ICQ contact info the profile of this user is shown. Same with Skype.

If memberlists are not public we imho have to protect user data for messenger contacts, too.
edit:// phpbb.com the same


edit 2:// ooooooooops... sorry - wrong category. Please move it to the right forum :oops:


Re: Possible Bug - guests can view contact data in profile

Post by Dragosvr92 » Mon Mar 14, 2016 10:32 am

I see this problem also shows on my board, and phpbb.com. But not on area51, so I suppose that it has been fixed?
I can't find a permission for this.
Previous user: TheKiller
Avatar on Memberlist 1.0.3


Re: Possible Bug - guests can view contact data in profile

Post by Scanialady » Mon Mar 14, 2016 1:08 pm

I see a major problem in terms of privacy/data protection with phpBB. Data protection for profile data of users should be by default - not by extensions.

I am sure this data was not shown under phpBB 3.0 - and I noticed it just now. Months after upgrading.

Guests see profile data, guests see who is online, guests see user names - all by default. That is not the right way in Europe. We have not only the obligation to inform our visitors about cookies. We are especially obliged to protect user data.

http://ec.europa.eu/justice/data-protec ... dex_en.htm

You can disable user-defined profile fields, of course. But that is not the purpose of user profiles for communities.

In my opinion the handling of user profiles, names, memberships and info about presence or the time of use must be changed fundamentally with regard to the rights for guests. Guests should not see anything about users unless it is explicitly shared. We should not publish data about our members: when they are in which place, what they do there, and where they can be found in other places. And the best would be if users could ALLOW this by themselves.

It is imho impossible that user data of any kind is publicly visible. You can find extensions if you are lucky. But privacy and data protection have to be supported by the core system; they should not be dependent on whether someone develops an extension or not.

Even on Facebook the user is able to select which data he wants to share and to whom.


Re: Possible Bug - guests can view contact data in profile

Post by david63 » Mon Mar 14, 2016 3:35 pm

I think that you are going a bit extreme about "data protection".

Having been heavily involved with data protection in my working life there is nothing on a phpBB forum in contact data that would be a breach of any Data Protection Act as there are no "personal identifiers" showing (in fact unless explicitly entered by a user there are no personal identifiers anywhere in vanilla phpBB).

A personal identifier is something that connects to an individual but a username of say, Scanialady, does not identify you to anybody else.

Now if you were to have your board set up in such a way that usernames were actually a member's "real name" then there may possibly be an argument about Data Protection.

So, at the end of the day, it comes down to personal preference. I have no issue with anyone preferring not to have certain data visible to "guests" and that may be possible with an extension, but having said that all it takes is for a guest to register and they will see that data anyway. Yes I also accept that there are some boards that are totally private so guests would not be able to register.

Scanialady wrote (Mon Mar 14, 2016 1:08 pm): "Even on Facebook the user is able to select which data he wants to share and to whom."

And we all know how good Facebook have been with data security.
David
Remember: You only know what you know -
and you do not know what you do not know!


Re: Possible Bug - guests can view contact data in profile

Post by Scanialady » Mon Mar 14, 2016 5:27 pm

I hope you don't think: if facebook is not good enough, then nobody else has to be?

You think we should remove registering instead, because there is no difference to see what you want as a guest or as a member?

Infrastructure Team Leader

Re: Possible Bug - guests can view contact data in profile

Post by paulus » Mon Mar 14, 2016 5:28 pm

If you think it is a bug you should report it in the bugtracker at http://tracker.phpbb.com/


Re: Possible Bug - guests can view contact data in profile

Post by Dragosvr92 » Tue Mar 15, 2016 12:31 am

Dragosvr92 wrote (Mon Mar 14, 2016 10:32 am): "I see this problem also shows on my board, and phpbb.com. But not on area51, so I suppose that it has been fixed?"

Can someone comment on this please?
Previous user: TheKiller
Avatar on Memberlist 1.0.3


Re: Possible Bug - guests can view contact data in profile

Post by Scanialady » Tue Mar 15, 2016 1:44 am

Dragosvr92 wrote (Tue Mar 15, 2016 12:31 am): "Dragosvr92 wrote (Mon Mar 14, 2016 10:32 am): 'I see this problem also shows on my board, and phpbb.com. But not on area51, so I suppose that it has been fixed?' Can someone comment on this please?"

If you log out and view this posting, then you can see it is the same here.


Re: Possible Bug - guests can view contact data in profile

Post by RMcGirr83 » Tue Mar 15, 2016 11:21 am

The EU law doesn't have any bearing on your contact information that I can see.

"Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose."

The forum software doesn't "gather" anything. It is up to the user to enter in the information. The software does not "track" a user.

"Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law."

Again, the forum software doesn't "collect and manage", the end user manages the information.

Saying that, I do believe that many of the items in the contact drop down (ICQ, Skype, etc) that allow communication with a user should be hidden to guests. Websites, YouTube channels, Facebook pages, etc, not so much. As for usernames, again that is up to the user to disseminate information. If you Google my username you will see images of me, may get my email address which may lead to a general vicinity of where I live. But that is something that I choose to have out in the open.

Haven't seen where a ticket has been opened for this. Has there been one?
Do not hire Christian Bullock he won't finish the job and will keep your money


Re: Possible Bug - guests can view contact data in profile

Post by Dragosvr92 » Tue Mar 15, 2016 11:28 am

Scanialady wrote (Tue Mar 15, 2016 1:44 am): "If you log out and view this posting, then you can see it is the same here."

Oh yes, I only loaded the page in IE (not logged or using that) and didn't see the contact for your user. Assumed it's been fixed. My bad.
You should open a ticket in the tracker. We should be able to make this information unavailable to guests.
Guests are unable to see the Email and PM contact methods by default, since 3.0. They shouldn't be able to see contact fields at all.
Previous user: TheKiller
Avatar on Memberlist 1.0.3
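
A check for the behaviour reported in this thread, added here as an example and not taken from any post or from phpBB itself: it parses a topic page as rendered for a guest session and lists every contact link it exposes. The HTML sample is constructed, and the class names `username` and `profile-contact` are assumptions about the board's template.

```python
from html.parser import HTMLParser

# Constructed sample of a topic page as served to a session with no cookies.
# The class names "username" and "profile-contact" are assumptions; adjust
# them to the template the board actually uses.
GUEST_HTML = """
<div class="post"><dl class="postprofile">
  <dt><a class="username" href="./memberlist.php?mode=viewprofile&amp;u=2">alice</a></dt>
  <dd class="profile-contact">
    <a href="skype:alice.example?userinfo" title="Skype"><span>Skype</span></a>
    <a href="http://alice.example/" title="Website"><span>Website</span></a>
  </dd>
</dl></div>
<div class="post"><dl class="postprofile"><dt><span class="username">bob</span></dt></dl></div>
"""

class ContactAudit(HTMLParser):
    def __init__(self, contact_class):
        super().__init__()
        self.contact_class = contact_class
        self.poster, self.in_username = None, False  # latest username seen
        self.block_tag, self.depth = None, 0  # depth 0 = outside a contact block
        self.findings = []  # (poster, field title, href) per exposed link

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        classes = (attr.get("class") or "").split()
        if "username" in classes:
            self.in_username = True
        if self.depth:
            if tag == self.block_tag:
                self.depth += 1  # same tag nested inside the block
            if tag == "a" and attr.get("href"):
                self.findings.append((self.poster, attr.get("title") or "", attr["href"]))
        elif self.contact_class in classes:
            self.block_tag, self.depth = tag, 1

    def handle_endtag(self, tag):
        if self.depth and tag == self.block_tag:
            self.depth -= 1

    def handle_data(self, data):
        if self.in_username and data.strip():
            self.poster, self.in_username = data.strip(), False

def guest_visible_contacts(html, contact_class="profile-contact"):
    audit = ContactAudit(contact_class)
    audit.feed(html)
    audit.close()
    return audit.findings
```

Feed it the body of a topic URL fetched without a session cookie; a non-empty result means contact fields are still being rendered for guests.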
