New Terms of Service

tiomono

Pr0spect0r said:

Ok i must be daft, is there a way to update your info from the mobile page cuz I don't see it in the profile option

Dropdown menu on top left gives you an option of profile. Click that then click the same dropdown menu to edit profile.

Moon Roach

There's also mention in the announcement that "Please note, that we will be removing all accounts that have not logged into the forums after May 1, 2016 due to inactivity".

Hopefully the removal of accounts won't also result in the removal or unavailability of posts by those accounts.

BlackWidower

Right: there's basically two standards the a service can go by:

1. take the user at their word.
   
2. verify the information the user provides, possibly via a third party (e.g. ask to see government ID)
   

My point is that if you're doing (1), you've got no more assurance that the user is really over 18 than if you simply asked them that question directly.  And asking the question directly has the benefit that they don't need to store a piece of information that could be used for identity theft.

I work for a large pharmaceutical company and our code of ethics regarding Personally Identifiable Information (PII) dictates that asking information without absolute necessity is a violation of this code.  In fact, requiring a complete birth date is one of the highest offences.  Storing that information without absolute necessity is even worse.

At one point I worked exclusively with a particular drug in third phase testing that was only available on compassionate release.
If a medical professional faxed in a form (electronically) with anything other than the patient's year of birth (the month of birth is occasionally given if it is necessary, the day of birth is a huge NO NO), that is considered unnecessary PII.
We are required to black out the excessive information, save the corrected file, delete the original attached file, then attach the corrected version to the email.
We would then have to send the attending physician and the requester an email advising them that the document was amended and they should not include information on the request that is not required, nor requested.

Remember, the patient's name is not on this request either, they are given a patient number and are referred to only by their patient number.

The point of all this is that, there are responsible ways to deal with data and there are irresponsible ways (looking at your Facebook).

D3 has emails to CS (from messed up purchases) where I have given my complete name, email address and order information and now want to store my complete birth date as well.
At least there is no information at all on the Google Play receipts I have needed to attach.  I'm sure all of this information is also stored.

I feel that this is a mistake.  Although I have given my full date of birth.  I believe that ethically, the right thing to do is to provide some sort of assurance that at least part of the unnecessary PII stored will be will be destroyed, or at bare minimum, encrypted.

jamesh

DAZ0273 said:

jamesh said:

DAZ0273 said:

jamesh said:

Quebbster said:

HoundofShadow said:

What are the "more information" that you are referring to?

Our dates of birth, I assume.

It's quite all right to collect that data under GDPR as long as there is a clear purpose to the Collection, which there is in this case. It requires you to keep track of what data you collect, why you collect it, and where it is kept.

If they're willing to accept a user's date of birth without verification, then it offers no more assurance than directly asking whether the user is 18 years or older.  So why not ask the question directly?

If they don't have unnecessary information on file, then they can't misuse it.

Data Protection Laws require "Special" handling of data for minors but in reality on the internet, this is practically impossible to do. There are of course a gazillion ways around this but all D3Go have to demonstrate is that they are not knowingly processing data of an under 18 age user. As an under 18 user cannot give their own consent, if they willfully decieve D3Go then D3Go can say "Hey we don't allow under 18's to use our site!" and point to a breach of terms of service and remove the user and not fall foul of the regulations.

Right: there's basically two standards the a service can go by:

1. take the user at their word.
   
2. verify the information the user provides, possibly via a third party (e.g. ask to see government ID)
   

My point is that if you're doing (1), you've got no more assurance that the user is really over 18 than if you simply asked them that question directly.  And asking the question directly has the benefit that they don't need to store a piece of information that could be used for identity theft.

They aren't really asking for an assurance, they are saying "If you told us a lie - we ain't liable!". Whatever the simplest method of complying is = solution that will be taken. In this instance it is - wanna use our website, then consent to us holding specific data to help us comply with these new obligations. It isn't even like they will verify correct dates of birth for those who are over 18, which would open up a whole new can of worms as aesthetocyst points to above.

I don't think you understand what I wrote.  My point is that if you're not going to verify the information, then the simplest way to comply (which also collects the minimum amount of information) is to ask a simply boolean yes/no question.

I completely agree that they need to ask the question if they want to avoid the GDPR provision requiring parental consent if they deal with minors, but I disagree that this requires collecting everyone's date of birth.

The_A_Train

BlackWidower said:

Right: there's basically two standards the a service can go by:

1. take the user at their word.
   
2. verify the information the user provides, possibly via a third party (e.g. ask to see government ID)
   

My point is that if you're doing (1), you've got no more assurance that the user is really over 18 than if you simply asked them that question directly.  And asking the question directly has the benefit that they don't need to store a piece of information that could be used for identity theft.

I work for a large pharmaceutical company and our code of ethics regarding Personally Identifiable Information (PII) dictates that asking information without absolute necessity is a violation of this code.  In fact, requiring a complete birth date is one of the highest offences.  Storing that information without absolute necessity is even worse.

At one point I worked exclusively with a particular drug in third phase testing that was only available on compassionate release.
If a medical professional faxed in a form (electronically) with anything other than the patient's year of birth (the month of birth is occasionally given if it is necessary, the day of birth is a huge NO NO), that is considered unnecessary PII.
We are required to black out the excessive information, save the corrected file, delete the original attached file, then attach the corrected version to the email.
We would then have to send the attending physician and the requester an email advising them that the document was amended and they should not include information on the request that is not required, nor requested.

Remember, the patient's name is not on this request either, they are given a patient number and are referred to only by their patient number.

The point of all this is that, there are responsible ways to deal with data and there are irresponsible ways (looking at your Facebook).

D3 has emails to CS (from messed up purchases) where I have given my complete name, email address and order information and now want to store my complete birth date as well.
At least there is no information at all on the Google Play receipts I have needed to attach.  I'm sure all of this information is also stored.

I feel that this is a mistake.  Although I have given my full date of birth.  I believe that ethically, the right thing to do is to provide some sort of assurance that at least part of the unnecessary PII stored will be will be destroyed, or at bare minimum, encrypted.

They are doing this to be compliant with GDPR, so we can assume the information will be stored appropriately. 

I believe the DoB is commonly used as an unique identifier in the medical industry so i can see why you maybe shouldn't be passing it around. At the same time, HIPAA rules that roost and you can probably look to those regs for a more detailed explanation of the practices you were a part of.

The_A_Train

Also, D3 doesn't store my name, address, ssn, etc. The only defined piece of pii they have of mine is my DoB and I know for a fact I'm not the only one born on the *** of *** in ** so shouldn't really matter  

abmoraz

My birthday is January 1st, 1900.  As the only 118 year old in this forum, I'd appreciate if you young whipper-snappers would show me some tinykitty respect.

BlackWidower

The_A_Train said:

They are doing this to be compliant with GDPR, so we can assume the information will be stored appropriately. 

I believe the DoB is commonly used as an unique identifier in the medical industry so i can see why you maybe shouldn't be passing it around. At the same time, HIPAA rules that roost and you can probably look to those regs for a more detailed explanation of the practices you were a part of.

The point of my (very long-winded - sorry) explanation was that, ethically, D3 should only store NECESSARY information.  Your day of birth (nor the month) is not necessary if you state you are born in 1945.

Like the person I quoted specified, a button that states, "I certify that I am 18 years or older" would suffice.
There are no such regulations in my country, so GDPR regulations are completely inconsequential.  Those that are required to provide such information should be identified via IP address.

Michaelcles

Anyone else who is jailed able to enter their birthday?

Taganov

The_A_Train said:

They are doing this to be compliant with GDPR, so we can assume the information will be stored appropriately. 

Oh, you sweet summer child . I did take some time to read their Privacy Notice, which is a huge part of GDPR compliance, and they mentioned that your username & password would be encrypted. No mention of PII being encrypted, though.

Moon Roach

As the GDPR applies only to EU residents, where's the opt-out for non-EU residents?

Bowgentle

Moon Roach said:

As the GDPR applies only to EU residents, where's the opt-out for non-EU residents?

Right behind the improvements to the forum software that have been coming since we moved.

Seriously  they can't even put a hyperlink in the announcement.
Do you think they'll manage to encrypt and safely store the data, or do anything that would mean touching any code beyond the absolute necessary minimum?

Carnifexx

I don’t see the big deal. Ever since I gave that Nigerian prince my social security number, it’s been fantastic! I’ve made purchases in Russia, China, and Kuwait, all without leaving my home. 

jamesh

Moon Roach said:

As the GDPR applies only to EU residents, where's the opt-out for non-EU residents?

While I'm not happy with them collecting everyone's date of birth and also live outside the EU, I'd be quite happy for them to manage my data under the EU data protection laws: it is pretty much the current gold standard for handling personal information.

Why wouldn't you want to have some control over information a company stores about you?  Why wouldn't you want to be notified if there was a breach in the security of a company holding your data?

Moon Roach

jamesh said:

Moon Roach said:

As the GDPR applies only to EU residents, where's the opt-out for non-EU residents?

While I'm not happy with them collecting everyone's date of birth and also live outside the EU, I'd be quite happy for them to manage my data under the EU data protection laws: it is pretty much the current gold standard for handling personal information.

Why wouldn't you want to have some control over information a company stores about you?  Why wouldn't you want to be notified if there was a breach in the security of a company holding your data?

I have no control over information a company stores.  I have a degree of control of what information I provide, but not over what is stored or how.

I want stored only the minimum information necessary to make possible whatever service a company is providing, and that's it.  I expect it to be stored securely.

Reecoh

Is there a law that requires them to ask us to cut & paste a URL to visit the page? Because if not I feel like the forum admins don't understand how to HTML.

Phumade

Reecoh said:

Is there a law that requires them to ask us to cut & paste a URL to visit the page? Because if not I feel like the forum admins don't understand how to HTML.

I'm sure their is case law somewhere that says cutting and pasting is considered more of an affirmative act than merely clicking through a link.

It probably relates to a legal test of whether they can demonstrate purposeful intent vs accidental misclick

Quebbster

Reecoh said:

Is there a law that requires them to ask us to cut & paste a URL to visit the page? Because if not I feel like the forum admins don't understand how to HTML.

It may not be possible for them to get the link to work in the announcement field. I bet if they could have made it clickable, they would have made it clickable.

madoctor

It could also work as a captcha of sorts. Preventing bots from just automatically using the link. Better than having to ask "select the pictures with vehicles in it"

Dragon_Nexus

Well since they now have out ates of birth, they can give us presents on our birthdays, right?