Privacy API #3239
Comments
|
This seems like a sticky situation to start getting involed in. Red (core) is only storing data collected from Discord (such as profile information or information from messages; anything that Discord delivers to bots). The right to be forgotten, as enshrined in the GDPR under Article 17, does not allow an individual to simply assert that any data that exists must be deleted. The GDPR specifically states that the right to be forgotten does not apply insofar as the processing is necessary to the exercise of freedom of expression and information (Art. 17 Section 3). Discord processing data about messages as a communications platform is kinda what they need to do... Discord have done a fantastic job in ensuring that as little information is required from you, no DOB, address, Social Security - nothing personal. It doesn't expose this information to Red bots, either. I don't think that (core) should implement such a feature, but encourage that if a Cog Author is writing a Cog that could be potentionally seen as "invasive" or "illegal" under privacy concerns, they are outlawed / reported to Discord T&S. |
|
The sections I referenced in the API ToS have more strict requirements than the GDPR, such as requiring bots to delete what they define as "End User Data" in Section 2.4 within 7 days of the account being deleted. The point that I'm trying to make is that Discord has conditions in its ToS that I don't think any bot is following so far. |
|
Core Red doesn't store anything which qualifies under those sections. I also don't think Discord has ever sent a bot one of those notifications. |
|
I also think that your blanket statement on outlawing cogs seen as "invasive" is not a good stance to take. One of the many cogs I have a bounty out for is to implement an analytics function to find out how much activity and engagement your Discord server is having over time. Cogs like these that capture analytics cannot be properly implemented while still being legal or adhering to the ToS without a Privacy API. CURRENTLY core does not collect data like this both of you are correct, but if something like this is not implemented it stifles innovation for future cogs. |
Plenty of quote cogs and other message storing cogs do though. Badly coded quote cogs store the User Name along with the message contents, which counts as End User Data. Even without usernames, simply storing the User ID counts as "message metadata" under Section 2.4. There is a clear distinction between End User Data (as defined by Discord), and Personally Identifiable Information (as defined by the GDPR). I'm not arguing if we're storing PII, I'm arguing if we're storing EUD. Core cogs do not store any PII, core cogs may be storing EUD. |
|
I don't think it does. For the record on this, I think some user data fetching (for packaging like GDPR) / deletion request handlers (etc) could be useful in core Red for cogs to make use of. However, until discord actually sends a data deletion request, nobody is bound by those sections. It's likely to get added eventually, but under the current circumstances, there isn't much of a rush for it either. |
|
I understand the differences between PII and EUD and also your concerns go advocate privacy, I also agree with it. Which is why I reached out to discord and asked them, specifically this:
To which they replied: I agree with Sinbad above, it definitely is something that would be useful to implement but is low priority / not feasible at this moment. |
|
In regards to deleting the data discord will contact the bot owner to let them know if they need to delete the data if any is required to be deleted (in regards to data having to be deleted within 7 days of account deletion) In addition to this user ID and the such is NOT EUD, upon an audit of core cogs EUD is stored in 3 places of which one has explicit content from the user. One has a PR to remove it as it is no longer required and the other is in talks. But as I mentioned this data would only require to be removed if discord contacts the bot owner to remove such data. |
|
Freezing this until we have a more formal plan for creating APIs and until after the higher priority APIs have been created. |
mikeshardmind
added
Status: Accepted
|
This will be worked on, and is on my personal todo list for the bot. It needs much more discussion before it gets started code wise, and we also want to try the design of it with a simpler prospect first. |
Jackenmen
added
Status: Accepted
Jackenmen
added
Status: In Progress
Feature request
Select the type of feature you are requesting:
Describe your requested feature
Would like to see Red implement a Privacy API so that cog creators can hook their cogs up to it and be more GDPR and Discord ToS compliant.
Relevant Discord API ToS sections: Sections 2.2.v, 2.4, 2.5.c, 2.5.d, 2.5.f, and Section 13
https://discordapp.com/developers/docs/legal
Functionality should include:
- Checking stored cog data periodically to see if it's associated with a user account that has been deleted, which according to Discord ToS end user data for deleted accounts needs to be deleted within 7 days (unless the data is required for the base functionality of the cog)No longer necessary because Discord eliminated this oddly specific requirement in their newly updated API TOS. There are new requirements that should instead be considerated, see Begin work on a data request API #4045Obviously Discord has not enforced these terms in the API ToS because I've never in my life seen a bot with the ability to delete End User Data upon request, or check for data that is associated with accounts that are deleted and remove that data within 7 days, both of which are requirements according to the Discord API Terms of Service:
However I believe we as a community have an opportunity here to provide tools for people to "do the right thing", even if there's no fear of violating the ToS.
The text was updated successfully, but these errors were encountered: