Make WordPress Core

Opened 3 years ago

Closed 2 years ago

#52970 closed defect (bug) (fixed)

Improve text in help tabs of Personal Data Exporter/Eraser

Reported by: dimadin
Owned by: marybaum
Milestone: 6.0
Priority: normal
Severity: normal
Version:
Component: Help/About
Keywords: has-patch has-privacy-review commit assigned-for-commit
Focuses: privacy, ui-copy
Cc:

Description

In #43994, it was proposed to add help tabs to the Personal Data Exporter/Eraser tools. They were added in [50147] based on a proposal by @burtrw. However, the text that was committed gives incorrect information and is inconsistent.

The biggest issue is that it gives false information about what data is deleted/anonymized by default. The only thing that is actually deleted/anonymized is the data about author of the comment user has made. My patch makes the following changes:

  • Only lists things that eraser actually does.
  • Reviews listing of things that are exported, and uses names that are used in an export file.
  • Uses sentence case for listing.
  • Appends "Personal" in front of "Data Exporter/Eraser".

Exporter: BEFORE | AFTER
Eraser: BEFORE | AFTER

Attachments (9)

New_copy_for_erase-personal-data_help_text_per_ticket_52970.patch (3.5 KB) - added by marybaum 2 years ago.
New_copy_for_erase-personal-data_help_text_per_ticket_52970.2.patch (3.5 KB) - added by marybaum 2 years ago.
New_copy_for_erase-personal-data_help_text_per_ticket_52970.3.patch (3.5 KB) - added by marybaum 2 years ago.
New_copy_for_export-personal-data_help_text_per_ticket_52970.patch (3.6 KB) - added by marybaum 2 years ago.
52970.diff (6.2 KB) - added by azaozz 2 years ago.
New_copy_for_erase-personal-data_help_text_per_ticket_52970.3.patch and New_copy_for_export-personal-data_help_text_per_ticket_52970.patch together in one diff.
52970.patch (6.0 KB) - added by paapst 2 years ago.
Corrected the Right to be forgotten back to the Right of data portability.
New_copy_for_export-personal-data_help_text_per_ticket_52970-second revision.patch (8.7 KB) - added by marybaum 2 years ago.
Contains the changes for both export-data and erase-data.
New_copy_for_personal-data_help_text_per_ticket_52970.patch (8.9 KB) - added by marybaum 2 years ago.
Update_for_ticket_52970_new.patch (9.0 KB) - added by paapst 2 years ago.

Change History (68)

#2 @SergeyBiryukov
3 years ago

  • Keywords needs-privacy-review added
  • Milestone changed from Awaiting Review to 5.7.1

dimadin commented on PR #1166:


3 years ago
#3

To clarify, I didn't expect changes to be included in 5.7.1, but your proposal makes sense: delete the inaccurate text without introducing new string, while the rest will land in 5.8.

If we are going that route, please let me know how should I update PR. I guess new PR for the text that would be deleted, then refreshing this one for other changes?

#4 @dimadin
3 years ago

This was reply to the following comment on GitHub:

Is it possible to limit the changes for 5.7.1 to deleting the inaccurate text in src/wp-admin/erase-personal-data.php only?

While the proposed text changes improve clarity, I am not sure they are currently unclear enough to require immediate string changes and the associated translation updates needed.

Not sure if this is intended behavior, but looks like comments left during PR review aren't copied here.

This ticket was mentioned in PR #1174 on WordPress/wordpress-develop by peterwilsoncc.


3 years ago
#5

https://core.trac.wordpress.org/ticket/52970

5.7.1 change without new strings.

#6 @peterwilsoncc
3 years ago

@dimadin I've created a new pull request that only deletes the incorrect strings. Are you able to review it and make sure I've got everything correct?

I would have expected more data was deleted but given I am neither a lawyer nor European my understanding of GDPR requirements is rudimentary at best :)

#7 @dimadin
3 years ago

Done.

For a reference, this is the only eraser used in WordPress core.

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


3 years ago

#9 @audrasjb
3 years ago

  • Milestone changed from 5.7.1 to 5.8

Moving to Milestone 5.8 as WordPress 5.7.1 Release Candidate 1 is planned for today.

This ticket was mentioned in Slack in #core by peterwilsoncc. View the logs.


3 years ago

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


3 years ago

#12 @desrosj
3 years ago

  • Type changed from enhancement to defect (bug)

Today is feature freeze for the 5.8 release. But, I think it's reasonable to consider this a bug since the text is inaccurate. Reclassifying as such.

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


3 years ago

#14 follow-up: @JeffPaul
3 years ago

  • Milestone changed from 5.8 to 5.9

While this appears near ready to commit, we're minutes away from 5.8 Beta 1 so I'm sadly inclined to punt this to 5.9 to land then.

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


2 years ago

#16 in reply to: ↑ 14 @marybaum
2 years ago

  • Owner set to marybaum
  • Status changed from new to assigned

Replying to JeffPaul:

I think if we take a look at the copy for readability and polyglot suitability, we can have an early commit on the milestone!

While this appears near ready to commit, we're minutes away from 5.8 Beta 1 so I'm sadly inclined to punt this to 5.9 to land then.

This ticket was mentioned in Slack in #core by marybaum. View the logs.


2 years ago

This ticket was mentioned in Slack in #core by marybaum. View the logs.


2 years ago

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


2 years ago

#20 @webcommsat
2 years ago

  • Focuses ui-copy added
  • Version 5.7 deleted

Summary from the bug scrub

1) The adapted wording from @marybaum and @webcommsat

WordPress collects a number of personal data items from the users of your site. Those items can include:
Profile Information: user email address, username, display name, nickname, first name, last name, description/bio, and registration date.
Community Events Location: The IP Address of the user to let the Community Events dashboard widget show nearby events.
Session Tokens: User login information, IP Addresses, Expiration Date, User Agent (Browser/OS), and Last Login.
Comments: For any comments a user makes, Email Address, IP Address, User Agent (Browser/OS), Date/Time, Comment Content, and Content URL.
Media: A list of URLs for all media files a user uploads.

2) To do: make clear that the IP address, email address etc will not be published, if it is just being collected? (@webcommsat)

3) Question: Do we need to clarify it is only for "site users" that have an account on the site, not for "visitors to the site"? (@azaozz)

4) @marybaum will work on an updated patch. Two queries above to be resolved.

#21 follow-up: @marybaum
2 years ago

  • Keywords needs-testing needs-screenshots added; needs-copy-review needs-privacy-review removed

Okey dokey. Patches attached! Kept them separate pending review in case they need separate treatment on their way to commit.

Apologies for my itchy trackpad finger and the THREE copies of the erase-text file.

I think we're at needs-review and test — did my level best to incorporate feedback from the scrub!

Thanks to @webcommsat, @azaozz, @audrasjb, @costdev, @joyously, @meher, @nalini

This ticket was mentioned in Slack in #core-privacy by paapst. View the logs.


2 years ago

#23 in reply to: ↑ 21 @azaozz
2 years ago

Replying to marybaum:

Apologies for my itchy trackpad finger and the THREE copies of the erase-text file.

That's okay, no problems. Seems it would be easier if all changes are in the same patch though, no matter how many versions of it are there. Going to merge New_copy_for_erase-personal-data_help_text_per_ticket_52970.3.patch and New_copy_for_export-personal-data_help_text_per_ticket_52970.patch first.

@azaozz
2 years ago

New_copy_for_erase-personal-data_help_text_per_ticket_52970.3.patch and New_copy_for_export-personal-data_help_text_per_ticket_52970.patch together in one diff.

#24 @azaozz
2 years ago

Looking at 52970.diff thinking perhaps this can be enhanced further. Generally there are two types of "users" in WordPress:

  • Registered users that have an account on the site and can login with username/password.
  • Site visitors that do not have an account/cannot login.

The default data stored by WordPress depends on the "behavior" of each type of users. For example for site visitors there is no data stored at all. However if they post a comment, their name, email, website (if entered), IP, and the browser UA string are stored with the comment text and can be exported and/or deleted/anonymized.

Registered users can supply various data about themselves on their user profile page. They are in full control of that data, can see, change or delete it at any time. In addition their email address and login username are stored and used for security purposes (logging in, email notifications in some cases, etc.).

IMHO it is important to always make it clear which type of users the docs are talking about (even if that repeats a bit too often). Thinking the proposed changes here can be adjusted a bit to include this clarification.

@paapst
2 years ago

Corrected the Right to be forgotten back to the Right of data portability.

#25 @paapst
2 years ago

In 52970.diff under export of data the "Right of Data portability" was deleted and mistakenly described as being the Right to be forgotten. In 52970.patch this is corrected.

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


2 years ago

#27 @marybaum
2 years ago

Here's a patch with new copy per our conversation in the bug scrub at https://wordpress.slack.com/archives/C02RQBWTW/p1635793708008000.

@marybaum
2 years ago

Contains the changes for both export-data and erase-data.

#28 follow-up: @paapst
2 years ago

Hi @marybaum In your recent patch you have deleted:
Providing an export of all data that a business or website has collected about an individual is a requirement of many Privacy Laws around the world, and is sometimes referred to as the "Right To Data Portability".

and replaced this by:

Privacy Laws around the world require businesses and online services to delete, anonymize, or forget all the data they collect about an individual. The rights those laws enshrine are sometimes called the "Right of Data Portability".

I understand from the bug scrub that this has been done to create an active construction.
However, from a legal point of view, the currently proposed text is not correct. If you want to use an active construction on that particular place, it should be something like this:

Privacy Laws around the world require businesses and online services to provide an export of some of the data they collect about an individual. The rights those laws enshrine are sometimes called the "Right of Data Portability".

#29 in reply to: ↑ 28 ; follow-ups: @marybaum
2 years ago

Replying to paapst:

Hi @marybaum In your recent patch you have deleted:
Providing an export of all data that a business or website has collected about an individual is a requirement of many Privacy Laws around the world, and is sometimes referred to as the "Right To Data Portability".

and replaced this by:

Privacy Laws around the world require businesses and online services to delete, anonymize, or forget all the data they collect about an individual. The rights those laws enshrine are sometimes called the "Right of Data Portability".

I understand from the bug scrub that this has been done to create an active construction.
However, from a legal point of view, the currently proposed text is not correct. If you want to use an active construction on that particular place, it should be something like this:

Privacy Laws around the world require businesses and online services to provide an export of some of the data they collect about an individual. The rights those laws enshrine are sometimes called the "Right of Data Portability".

Thanks for this feedback! If I understand you correctly, the law requires we export or erase some, but not all, of the data we collect?

I'll give it another go in about 13 hours.

#30 in reply to: ↑ 29 @paapst
2 years ago

Replying to marybaum:

The law differentiates between the right of data portability (exporting data) and the right to be forgotten (deleting/anonymising data).

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another.

The right only applies to information an individual has provided to a controller. So this indeed means not all of the data a controller has collected have to be included in the export.

Exporting data is, in legal terms, not the same as deleting or anonymising personal data. With exporting data the controller is still allowed to keep and use a copy of the data itself. So this is why you cannot use the following help text when describing the export: Privacy Laws around the world require businesses and online services to delete, anonymize, or forget all the data they collect about an individual. That particular text only applies to the right to be forgotten.

The right to be forgotten (or the right to erase) gives individuals the right to have personal data erased. The right is not absolute and only applies in certain circumstances.

#31 in reply to: ↑ 29 @marybaum
2 years ago

Replying to marybaum:

Just uploaded a new patch! We'll be talking about it in the bug scrub at 19:00 UTC. See you there?

Replying to paapst:

Hi @marybaum In your recent patch you have deleted:
Providing an export of all data that a business or website has collected about an individual is a requirement of many Privacy Laws around the world, and is sometimes referred to as the "Right To Data Portability".

and replaced this by:

Privacy Laws around the world require businesses and online services to delete, anonymize, or forget all the data they collect about an individual. The rights those laws enshrine are sometimes called the "Right of Data Portability".

I understand from the bug scrub that this has been done to create an active construction.
However, from a legal point of view, the currently proposed text is not correct. If you want to use an active construction on that particular place, it should be something like this:

Privacy Laws around the world require businesses and online services to provide an export of some of the data they collect about an individual. The rights those laws enshrine are sometimes called the "Right of Data Portability".

Thanks for this feedback! If I understand you correctly, the law requires we export or erase some, but not all, of the data we collect?

I'll give it another go in about 13 hours.

#32 follow-up: @desrosj
2 years ago

When this is deemed ready, could we make sure to run the text changes by someone that legally represents the project just to ensure everything is good to go? That's not meant as disrespect to anyone's expertise here, but it would just make sure to cover all the bases.

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


2 years ago

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


2 years ago

#35 in reply to: ↑ 32 @azaozz
2 years ago

Replying to desrosj:

could we make sure to run the text changes by someone that legally represents the project...

Great suggestion! Was just about to say the same :)

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


2 years ago

#37 @webcommsat
2 years ago

Update from the component bug scrubs:
1) November 8, 2021: @hellofromTonya volunteered to check with @chanthaboune about running the copy past WordPress Project legal resources, and to confirm the Project does not retain other data.

2) November 21, 2021:
@marybaum suggested running the copy past the privacy team. She will action this and update the ticket with any comments.

This ticket was mentioned in Slack in #core-privacy by paapst. View the logs.


2 years ago

#39 @paapst
2 years ago

  • Keywords has-privacy-review added

@marybaum On closer inspection of the proposed changes I found another problem:

In src/wp-admin/erase-personal-data.php on line 25 the following is stated:
You should also delete any data third parties collect about your users

That new statement is much too broad and also not correct. Probably it is not even possible to execute because no one has the power to delete all the data Google or Youtube collected with or without your knowledge about your users.

Instead, it is safer to keep the current text:

You should also delete any data collected by or stored with any 3rd party services used by your business or site.

It is all about responsibility. If you use a 3rd party service on your website, and that party is collecting data (on your behalf), you remain responsible for that data, and also for deleting it.

This ticket was mentioned in Slack in #core-test by boniu91. View the logs.


2 years ago

This ticket was mentioned in Slack in #core-test by justinahinon. View the logs.


2 years ago

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


2 years ago

#43 @audrasjb
2 years ago

  • Milestone changed from 5.9 to 6.0

As today is 5.9 beta 1 and since we're still looking to privacy legal advice, let's move this ticket to the next cycle for now.

Thanks for all the work done in this ticket during this cycle. Hopefully it can be fixed early in the 6.0 cycle.

This ticket was mentioned in Slack in #core by paapst. View the logs.


2 years ago

#45 @paapst
2 years ago

Privacy legal advice has already been given a few weeks ago. This resulted in the latest patch.

This ticket was mentioned in PR #2115 on WordPress/wordpress-develop by Paapst.


2 years ago
#46

Created a new PR for 6.0. For review purposes, I separated it from the text about erasing personal data.

Trac ticket: <https://core.trac.wordpress.org/ticket/52970>

This ticket was mentioned in PR #2116 on WordPress/wordpress-develop by Paapst.


2 years ago
#47

Created a new PR for 6.0. For review purposes, I separated it from the text about exporting personal data.

Trac ticket: <https://core.trac.wordpress.org/ticket/52970>

This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.


2 years ago

#49 follow-up: @Boniu91
2 years ago

@dimadin Thank you for creating the ticket and providing the patch. Could you post the exact steps that should be done in order to reproduce the issue and confirm the enhancements?

#50 in reply to: ↑ 49 @paapst
2 years ago

Hi @Boniu91, thank you for volunteering to test the patches on this ticket.

The issue is that the help text about erasing data and the text about exporting data needs improvement. Both of the pull requests contain that improvement: https://github.com/WordPress/wordpress-develop/pull/2115 and https://github.com/WordPress/wordpress-develop/pull/2116

This ticket was mentioned in Slack in #core by nalininonstopnewsuk. View the logs.


2 years ago

#52 @webcommsat
2 years ago

From today's component scrub:

  • there is no testing needed on this ticket at present
  • @chantabourne would you be able to advise on getting an official legal check for this please. Comment 45 may also be useful for the checks to date. Thank you.

https://core.trac.wordpress.org/ticket/52970#comment:45

#53 follow-up: @paapst
2 years ago

@webcommsat @marybaum As comment 45 indeed mentioned: That legal check has already been done before 5.9. I know @hellofromTonya has asked @chantaboune about this ticket about 4 months ago. And if I remember correctly the answer from Josepha was that there is no one legally representing the project, so there will be no "official" legal check other than that from volunteers with a legal background.
What has been done since then is that the text has been mentioned in the core-privacy channel for additional feedback, and after that, it has been thoroughly checked by myself. I am a law professor specialising in privacy law and IT law. I received my PhD on the topic of open source projects and policies, and I am also responsible for the legal research that has been done for the Complianz plugin.

#54 in reply to: ↑ 53 @webcommsat
2 years ago

Thanks @paapst for the info. It came up in today's component bug scrub to help move this ticket forward, and to ask Josepha. Your previous comment was highlighted in today's scrub. Thanks for adding the additional information.

@audrasjb and @davidbaumwald for awareness and any input on next steps following the discussion in the scrub today. The latest patch: https://core.trac.wordpress.org/attachment/ticket/52970/Update_for_ticket_52970_new.patch. Thanks.

Replying to paapst:

@webcommsat @marybaum As comment 45 indeed mentioned: That legal check has already been done before 5.9. I know @hellofromTonya has asked @chantaboune about this ticket about 4 months ago. And if I remember correctly the answer from Josepha was that there is no one legally representing the project, so there will be no "official" legal check other than that from volunteers with a legal background.
What has been done since then is that the text has been mentioned in the core-privacy channel for additional feedback, and after that, it has been thoroughly checked by myself. I am a law professor specialising in privacy law and IT law. I received my PhD on the topic of open source projects and policies, and I am also responsible for the legal research that has been done for the Complianz plugin.

This ticket was mentioned in Slack in #core-privacy by pbiron. View the logs.


2 years ago

#56 follow-up: @audrasjb
2 years ago

Just to clarify: are we ok to ship the wording proposed in PR2115 and PR2116?

#57 in reply to: ↑ 56 @paapst
2 years ago

  • Keywords needs-testing removed

Replying to audrasjb:

Just to clarify: are we ok to ship the wording proposed in PR2115 and PR2116?

Yes, that is indeed the case.

#58 @audrasjb
2 years ago

  • Keywords commit assigned-for-commit added; needs-screenshots removed

Great, thanks for the confirmation.

#59 @audrasjb
2 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 53182:

Help/about: Improve text in help tabs of the Personal Data Exporter/Eraser.

This change clarifies the purpose of the personal data exporter/eraser tool in the related help tab.

Props dimadin, peterwilsoncc, audrasjb, marybaum, webcommsat, azaozz, paapst, desrosj.
Fixes #52970.
