Forem Creators and Builders 🌱

Discussion on: Changelog: Member Detail Page

Jennie Ocken (she/her)

I think in all this discussion we lost track of these two excellent questions by @ildi. @ellativity would you be willing to answer these?

> All this talk of privacy has made me curious about the scenario when a user requests to have their profile deleted (which includes all their data), how can that user verify for themselves that the deletion has taken place with 100% certainty since the database itself is not publicly available?

> Also going back to my original comment on this post, I mentioned that in the emails tab each member of my community shows as “email is not verified”. I’m a bit confused by this and what it means.

Ella (she/her/elle)

Thanks for the reminder, @jennieocken!

To @ildi's first question, I think this question really gets to the heart of what we're trying to do with Forem. Although having full access to our database would be the most transparent way (for a former member to prove the absence of their data after they request a deletion), we all recognize that the outcome of that would be giving everyone access to everyone's data. As far as personal privacy goes, that wouldn't be ok (and would definitely fall foul of GDPR laws!)

One of our reasons for being open source is to try to reach levels of transparency that just aren't possible without giving away other people's privacy. Here's the part of our codebase where data deletion begins after a deletion request. You can see that we have several functions built in here that determine what data belongs to the user, and ensure it doesn't unravel other interactions on the site. We don't rely on manual deletion, because this would be just too much to expect a Forem admin to process for each deletion request.

Without publicly-visible code, we could only speak to the way we manage our own communities and their data. By building the software in the open, and automating the deletion processes according to this logic, we hope Forem is a viable community platform that provides peace of mind, for both members and admins, that data is handled responsibly and cautiously.

If you ever want to test that your data is deleted after you request deletion, you could always create a new account using the same credentials. That would confirm that those credentials had been removed from the system upon deletion, otherwise you wouldn't be able to create a new account with them.

And to your second point, the email verification is required for members to switch their accounts over to email-only sign-in, if that's enabled on your Forem under /admin/customization/config > Authentication - hope this helps make sense of that one!

Ildi

> If you ever want to test that your data is deleted after you request deletion, you could always create a new account using the same credentials. That would confirm that those credentials had been removed from the system upon deletion, otherwise you wouldn't be able to create a new account with them.

I think being open-source and having the option to spin up your own Forem and test things out on your own is the transparency that I'm looking for, so this was a great explanation, thank you @ellativity!

> And to your second point, the email verification is required for members to switch their accounts over to email-only sign-in, if that's enabled on your Forem under /admin/customization/config > Authentication - hope this helps make sense of that one!

As you know 1VIBE is currently invite-only but I had email and Twitter login enabled before. So I'm confused why all members (30+ users) show up as "email not verified". Most members did sign up via email so shouldn't it say "verified" for them?

Ella (she/her/elle)

> As you know 1VIBE is currently invite-only but I had email and Twitter login enabled before. So I'm confused why all members (30+ users) show up as "email not verified". Most members did sign up via email so shouldn't it say "verified" for them?

You know what? I'm going to look into this further, because this doesn't make sense to me either...