Propose new functionalities for Decidim software

#DecidimRoadmap Designing Decidim together

Phase 1 of 1
Open 2019-01-01 - 2030-12-31

GDPR / Right to be forgotten - User authorizations metadata

Antti Hukkanen, 10/10/2019 11:52

When the user account is removed, the authorization metadata, which can store the user's personal data, is still kept in the database.

I very well understand the reason for this, as otherwise users could possibly cast an unlimited number of votes, e.g. in participatory budgeting.

However, the problem is that the GDPR's right to be forgotten is not complied with under this approach.

I don't know exactly how to solve this correctly to serve these requirements:

- Make sure that the user does not cast duplicate votes (with the authorization's "unique_id")
- The authorization metadata is available for validating the votes in case there is some investigation required for the validity of the voting result
- The user's personal data would be cleared after some period of time when the voting has already ended

Possibly after the voting has ended, the voting could be somehow permanently "validated" and locked which would count the results and make it impossible to cast any further votes, even if voting would be re-enabled for the component (cannot vote after voting results have been validated). Then, after this validation, the authorization metadata could be destroyed for the deleted user accounts if they don't have any more votes in components where the voting is still ongoing.

Category: Registration and Verification

Endorsements (2): JosanFFiG, Ivan Vergés

Reference: MDC-PROP-2019-10-14850
Version number 1 (of 1)

Fingerprint

The piece of text below is a shortened, hashed representation of this content. It's useful to ensure the content hasn't been tampered with, as a single modification would result in a totally different value.

Value: 2f6d68f5235fc387a3bd42ced318d948bab9dd66acf1d4c17cf69fc7b6b415cd

Source: {"body":{"en":"When the user account is removed, the authorization metadata is still kept in the database which can store user's personal data.\r\n\r\nI very well understand the reason for this as otherwise users could possibly cast an unlimited amount of votes e.g. in participatory budgeting.\r\n\r\nHowever, the problem is that the GDPR's right to be forgotten is not complied with this approach.\r\n\r\nI don't know exactly how to solve this correctly to serve these requirements:\r\n\r\n- Make sure that the user does not cast duplicate votes (with the authorization's \"unique_id\")\r\n- The authorization metadata is available for validating the votes in case there is some investigation required for the validity of the voting result\r\n- The user's personal data would be cleared after some period of time when the voting has already ended\r\n\r\nPossibly after the voting has ended, the voting could be somehow permanently \"validated\" and locked which would count the results and make it impossible to cast any further votes, even if voting would be re-enabled for the component (cannot vote after voting results have been validated). Then, after this validation, the authorization metadata could be destroyed for the deleted user accounts if they don't have any more votes in components where the voting is still ongoing."},"title":{"en":"GDPR / Right to be forgotten - User authorizations metadata"}}

This fingerprint is calculated using the SHA256 hashing algorithm. To replicate it yourself, you can use a SHA256 calculator online and copy-paste the source data.

7 comments

Antti Hukkanen, 10/10/2019 11:52

This is also somewhat related to this:
GDPR / Data portability - User authorizations metadata

Conversation with Ivan Vergés
Ivan Vergés, 11/10/2019 11:03

Could the authorization metadata create a unique hash with some of the identification data of the user and keep that as a proof of vote when removing the rest of the personal data?
In the event that the user registers and goes through verification again, the verification should generate the same hash and prevent him from voting again. Not sure if it would be easy to guarantee this "uniqueness" due to the many methods of verification (the simplest would be to hash the email with the verification identifier).

Antti Hukkanen, 11/10/2019 11:08

This is what we are already doing through the "unique ID" of the authorization. This is controlled by the authorization method itself which knows about its metadata and can generate the "unique ID" based on that.

However, the other personal data could be still needed for validating the voting result, even after the user account has been deleted. The unique ID itself is not sufficient for validating the result.

Ivan Vergés, 11/10/2019 11:17

You mean an "offline" validation? Yes, you're right. Probably different legal frameworks affect this too, for instance regarding how long the data has to be kept in order to be reviewed.

Antti Hukkanen, 11/10/2019 11:21

Yes, I mean manual offline validation. Similar to validating the voter lists of a presidential election (list of all the people eligible for the vote and then check that all voters are in that list).

In different situations this validation may e.g. require checking the official home city of the person or their age. Technical systems can always fail with these validations due to bugs, so the availability of this data is important for recording the official validation of the voting. This also adds more credibility to the voting process.

In case the metadata was cleared with the user account, this could not be done.

Ivan Vergés, 11/10/2019 11:26

This indeed is complex and should be discussed seriously by the association.

Antti Hukkanen, 11/10/2019 11:24

As a sidenote, we are not only using this unique ID across one authorization method. There are multiple authorizations (e.g. digital, manual offline) which all generate the same unique ID to prevent voters from voting multiple times with different authorizations.
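The scheme discussed in this thread, sketched as an added Ruby example: a unique ID shared by every authorization handler, one vote per unique ID per component, a validate-and-lock step that counts the result and refuses further votes, and erasure of the personal metadata of deleted accounts only once none of their votes sit in a component that is still open. This is illustration code, not Decidim's own; the names UNIQUE_ID_SECRET, VotingComponent, AuthorizationStore and run_scenario and the sample document numbers are constructed. It differs from the bare hash suggested above in one respect: the unique ID is an HMAC keyed with an instance secret, so a leaked table of unique IDs cannot be matched against a list of candidate emails or document numbers.

```ruby
require "openssl"

# Added illustration of the design discussed on this page (not Decidim's own code).
# Assumption: a server-side instance secret keys the unique_id, so it cannot be
# brute-forced from a list of candidate identifiers the way a bare hash could.
UNIQUE_ID_SECRET = "constructed-instance-secret-replace-in-production".freeze

# Every handler (digital, manual offline, ...) normalises the same identity
# attribute and derives the same unique_id from it.
def unique_id(identity_value, secret: UNIQUE_ID_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, identity_value.to_s.strip.downcase)
end

Authorization = Struct.new(:user_id, :handler, :unique_id, :metadata, keyword_init: true)

class VotingComponent
  attr_reader :name, :votes, :result

  def initialize(name)
    @name = name
    @votes = {}       # unique_id => chosen option
    @locked = false
    @result = nil
  end

  def locked?
    @locked
  end

  # One vote per unique_id; nothing is accepted once results are validated.
  def cast_vote(authorization, option)
    raise "#{name}: results validated, voting is locked" if locked?
    raise "#{name}: duplicate vote for this unique_id" if @votes.key?(authorization.unique_id)
    @votes[authorization.unique_id] = option
    true
  end

  # Counts the result and permanently locks the component.
  def validate_and_lock!
    @result = @votes.values.tally
    @locked = true
    @result
  end
end

class AuthorizationStore
  def initialize
    @authorizations = []
    @deleted_users = {}
  end

  def add(authorization)
    @authorizations << authorization
    authorization
  end

  def mark_deleted(user_id)
    @deleted_users[user_id] = true
  end

  def metadata_for(user_id)
    @authorizations.select { |a| a.user_id == user_id }.map(&:metadata)
  end

  # Right-to-be-forgotten step: blank the personal metadata of deleted accounts but
  # keep the unique_id, and only once every component holding a vote from that
  # unique_id has been validated and locked. Returns the number of records purged.
  def purge_deleted_metadata(components)
    purged = 0
    @authorizations.each do |auth|
      next unless @deleted_users[auth.user_id] && !auth.metadata.nil?
      next if components.any? { |c| c.votes.key?(auth.unique_id) && !c.locked? }
      auth.metadata = nil
      purged += 1
    end
    purged
  end
end

# Constructed scenario: user 1 is verified digitally and then manually offline,
# votes in two components and deletes the account; user 2 keeps their account.
def run_scenario
  store = AuthorizationStore.new
  budget = VotingComponent.new("participatory budget")
  survey = VotingComponent.new("survey")

  digital = store.add(Authorization.new(user_id: 1, handler: "id_document",
    unique_id: unique_id("12345678A"), metadata: { "document_number" => "12345678A" }))
  offline = store.add(Authorization.new(user_id: 1, handler: "manual_offline",
    unique_id: unique_id(" 12345678a "), metadata: { "document_number" => "12345678A" }))
  other = store.add(Authorization.new(user_id: 2, handler: "id_document",
    unique_id: unique_id("87654321B"), metadata: { "document_number" => "87654321B" }))

  budget.cast_vote(digital, "park")
  duplicate_rejected = begin
    budget.cast_vote(offline, "park")   # same person, second authorization
    false
  rescue RuntimeError
    true
  end
  budget.cast_vote(other, "library")
  survey.cast_vote(digital, "yes")

  store.mark_deleted(1)
  purged_while_open = store.purge_deleted_metadata([budget, survey])   # both still open

  budget.validate_and_lock!
  late_vote_rejected = begin
    budget.cast_vote(other, "park")
    false
  rescue RuntimeError
    true
  end
  purged_one_locked = store.purge_deleted_metadata([budget, survey])   # survey still open
  survey.validate_and_lock!
  purged_all_locked = store.purge_deleted_metadata([budget, survey])

  outcome = { duplicate_rejected: duplicate_rejected, late_vote_rejected: late_vote_rejected,
              result: budget.result, purged_while_open: purged_while_open,
              purged_one_locked: purged_one_locked, purged_all_locked: purged_all_locked,
              deleted_user_metadata: store.metadata_for(1), other_user_metadata: store.metadata_for(2) }
  outcome
end
```

The purge deliberately keeps the metadata until every component the person voted in has been locked, which is the window in which an offline validation against the full metadata is still possible; after that only the unique ID survives, which is enough to block a re-registered voter but not to re-run a manual validation.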
