
Ask HN: What does GDPR mean for banning users? - japhyr
It's been interesting to read about the impact of GDPR on sites of all sizes and purposes. Let's say I have a site where people can write and share math problems. I have a simple policy stating that any problem that directly or indirectly harasses anyone or any group will be flagged and deleted, and that repeated behavior like this will lead to banning.

Say a user gets banned. They then ask me to remove all information about them from my site. Am I allowed to keep any information that would help me keep this person from starting this cycle all over again?

What impacts will GDPR, and other data retention policies like it, have on the issue of moderation?
======
svennek
Yes.

You then clearly have a "business need" (banning troublesome members), that
clearly allows handling and storage of data. Hence "right to be deleted" does
not apply any more (or more correctly, it is overruled by a more specific
right)...

I work with a bank. They have a general 3 or 6 month rule for "non customers"
and "ex customers" (i.e. 3-6 months after you are not a customer anymore you
will be deleted by normal retention).

If you are fraudulent, the retention interval is now 10 years! They have a
full-time DPO who has spoken both to external legal counsel (he is a
legal-trained person himself) and our local DPA.

~~~
merinowool
What if a user you want to ban is not fraudulent, but a nuisance?

~~~
svennek
That is not as clear cut, but if you have stated your thoughts and decisions
you should be in the clear.

The worst that would happen would be a letter from your DPA asking you to
rectify the situation (and giving you more specific guidelines)...

------
dogma1138
If you are a billable service you don't have to worry about it that much. GDPR
does not overwrite current EU or member state laws and you are compelled to
keep financial transactions and related information usually for at least 5-7
years.

If it's a free service then just pseudoanonymize any identifiable information
such as first and last name, email address, phone number, IP address etc.
pretty much anything that you would use to identify the user with.

A hash of these values or an HMAC would be sufficient to comply with GDPR and
allow you to keep them banned.

You can also check your local legislation and see if you have any laws that
would support you keeping PII under the justification of protecting other
individuals.

------
thijsvandien
IANAL, TINLA.

From my superficial understanding of this law, you may weigh different
interests and make a judgement call as to what data to delete and what to
keep. Other regulations may be a factor in this, but even lacking those, it
could be argued that your community cannot function otherwise. You would need
to document how you came to your decision and inform the requestor about it.
Note that you must still try your best. For example, you may not need to keep
their actual email address to keep blocking it; a salted hash should do.

------
stephenwilcock
I think storing a salted hash of their email address is a reasonable measure
that should satisfy GDPR ...

~~~
p49k
Maybe a stupid question, but once your list grows large, how would you then
check if a new address is in your salted hashed list without iterating over
every item? Unless I’m mistaken, you can’t index salted hashed lists unless
the salt is predictable (which defeats the purpose of a salt).

~~~
0xfaded
But you can index the hashes.

Hash the email first, then check if the hash exists.

~~~
thijsvandien
To check for matches against that index, you'd still need to hash the email
you're checking for with every distinct salt in your database, separately.

~~~
0xfaded
Good point, if each email is individually salted as best practice for storing
passwords they could not be indexed.

However, this would also mean that logging in using an email/username would
also require a full scan.

More generally, if you want to uniquely salt your keys, you’re in trouble.

~~~
p49k
> However, this would also mean that logging in using an email/username would
> also require a full scan

No, it wouldn’t, and that’s what makes this specific case different. In your
scenario, you can look up the column you need by username or email, which is
indexed. You can then retrieve the unique salt and password hash with no
lookup penalty. This is not possible in the other case because there is no
known column that can serve as the index.
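
The lookup trade-off debated in the sub-thread above, as an added example (not code from any commenter): a ban list keyed with one server-side HMAC secret can be checked with a single index probe, while a list with a random salt per entry forces a rehash against every row. The class names, the placeholder key, the lower-casing rule and the sample addresses are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumption: one server-side secret kept outside the database.
# Constructed placeholder; a real deployment would load it from a secret store.
BAN_KEY = bytes.fromhex("00" * 32)

def normalize(email: str) -> bytes:
    """Trim and lower-case (an assumed policy) so trivial variants collide."""
    return email.strip().lower().encode("utf-8")

def ban_token(email: str, key: bytes = BAN_KEY) -> str:
    """Deterministic keyed token: same address and key give the same token."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()

class KeyedBanList:
    """One key for all entries; the set stands in for an indexed DB column."""
    def __init__(self, key: bytes = BAN_KEY):
        self._key = key
        self._tokens = set()

    def ban(self, email: str) -> None:
        self._tokens.add(ban_token(email, self._key))  # raw address is not kept

    def is_banned(self, email: str) -> bool:
        return ban_token(email, self._key) in self._tokens  # one hash, one probe

class PerRecordSaltBanList:
    """Random salt per entry: nothing to index, so every check scans all rows."""
    def __init__(self):
        self._rows = []  # list of (salt, digest)

    def ban(self, email: str) -> None:
        salt = os.urandom(16)
        self._rows.append((salt, hashlib.sha256(salt + normalize(email)).digest()))

    def lookup(self, email: str):
        """Return (banned, hashes_computed) to make the scan cost visible."""
        msg, hashes = normalize(email), 0
        for salt, digest in self._rows:
            hashes += 1
            if hmac.compare_digest(hashlib.sha256(salt + msg).digest(), digest):
                return True, hashes
        return False, hashes
```

The keyed token is only as private as the key: anyone holding both the key and the token table can test candidate addresses against it, so the key belongs outside the database.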

------
hal_9000
No, you don't have to. Math problems are not considered "personal
information". Their email address, on the other hand, is. So the "trick" is
to just delete the address and change their username to a random word, e.g.
Guest323

------
philip1209
Interesting question. Have you considered opening an issue on the Discourse
software for help?
[https://github.com/discourse/discourse](https://github.com/discourse/discourse)

