phpvms
phpvms copied to clipboard
nabeelio
Intermediate page for external downloads (GDPR regulations)
At least in Europe the current implementation of downloads page can be a problem. Downloads that are linked to external sites (like a file on google drive for example) are not visible as such for the user. The user will see a link to <currentDomain>/downloads/<downloadId> and could argue that he/she expects the file to be served by the phpvms host itself. After clicking the download link the user will be redirected to the external site which obviously will provide the external site with personal information like ipaddress, referer, etc. without explicit consent by the user. This was recently seen as a GDPR violation. (Yeah - silly as hell but it is what it is) I would recommend to add an intermediate page for external downloads that informs the user about being redirected to an external site submitting the personal information and a continue button/link which needs to be clicked by the user to accept. I have implemented this already for our own case and I would like to provide this to the standard if you are interested. If you like, we can also connect this behaviour to a new setting...
What are your thoughts about it?
A bootstrap modal would be enough i think with buttons for continue / cancel (and the legal notice of course) ? Though i did not read the regulations, it may not be ok.
Another problem about GDPR ... What about SimBrief API integration ? Do we need to get user approval for every OFP he/she wants to generate via our site using SimBrief ...
If yes then maybe we need to implement more than just a page but a "remember my choice" option which will be used sitewise.
Is it OK to outline these things during registration, when they agree? Or does it need to be every time? With SimBrief, it goes to an outside site, so I think before clicking "generate" having a notice above that button/link should be good enough.
The other option, on the download, it to steam/proxy that response through Laravel (which I'm actually looking at for the ACARS download)
I am not a lawyer, but to my understanding, the SimBrief API is different in that a) the user has to be registered on the page and has therefor already acctepted the privacy policy. Same with Vatsim prefile. Further more, the user clicks a button that says "prefile vatsim" or "create simbrief ofp" where it is kinda obvious that data will be transferred. We decided to put paragraphs about simbrief and vatsim in our privacy policy and that should be enough. Of course an additional notice when clicking the button does not do any harm.
With downloads it is different because a) the might be public and available for non-registered users and b) the link that is shown to the browser when a user hovers it showing the current domain which could be misleading.
A modal would be enough if it is built in a way that ensures execution or prevent the link from working. A user that has disabled javascript execution for example may not bypass this modal.
Streaming/Proxying downloads would also be a valid solution regarding GDPR but might introduce other problems. If the external site does not allow direct download as you have to agree something on their side, too. And links which will be redirected could be a problem as well, or user-agent checks on the external site. Onother problem could be an IP-based download limit from the external site as with stream/proxy the phpvms ip is always the downloader. This would require some kind of caching. We you implement this, you should add a flag to disable on a per download basis.
Okay, as far as I can see, we have no modals in default theme yet. Any preferences what I should use?
Bootstrap native is probably easiest though I'm gonna just thinking about a browser alert lol
i used bootstrap modals for testing, easy to implement and clean ... i do not think that they will be blocked. If javascript is completely blocked in a users pc, then this means that he/she will not be able to use phpvms v7.
Maps, dropdowns, simbrief etc all use javascript. So i think bootstrap modal will be just fine and enough