Does the GDPR block you from installing unaudited addons?

[Alpha1]

As webmaster we install free and paid addons. Most webmasters are not able to audit the code of these addons, so its a matter of blind faith. Most admins are not able to do the required due diligence.

Addons could include backdoors, callbacks, malicious scripts. Or they can be coded in a bad way that opens up your site to vulnerabilities.

But now we have the GDPR approaching. Which forces data protection & privacy by design and default.
When a breach takes place and personal data is exposed then the authorities must be alerted. These will asses if the webmaster has complied with the GDPR or not.

If not, then there could be millions in fines.
Read this: https://www.gdpreu.org/compliance/fines-and-penalties/

Some points from the article:

Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine on a non-compliant firm:

• Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
• Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct

There are many other factors, as you can read on the page.

Lower level
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher...
Upper level
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher...

It seems to me that if your site gets hacked and it turns out your site is running vulnerable software, then unless you are able to proof that you have done your due diligence then there may be very serious consequences.

So this makes me wonder.. considering the above can we even install / run addons anymore without having them audited? What do you think?

 

[we_are_borg]

You cant run any software without audit unless you want to be liable this includes add-ons. If for example XF has a security issue and it get exploited you have a data leak. But most people have no experience with auditing software so how this is going to be played out i have no idea.

Lets say they believe you and say well you do not have the knowledge to audit this you get off with a warning. But now they find out that you have been warned about add-on x because it was from a person/Organization known for making backdoors in there add-ons, what will they do then.

I think in 2 years we have some answers its 6 weeks until its in effect so until then its going to be a waiting game.

 

[Maddox]

It's quite a large dirty laundry basket to work through. There are going to be basket loads of questions asked regarding the new GDPR. The Internet is like a veritable sieve, full of holes that some shady character or group will attempt to exploit and we only have ten fingers to plug a million holes; not going to be easy.

Having said that, the yardstick that is going to be used to determine if you were reckless (that's the keyword) is 'did you do everything possible to the best of your knowledge'? If the answer is yes and you can prove it - then there's no need for alarm or worry. Now if you install something on your server that you 'know' is shady and you do it because it adds some functionality that you desire, then you are acting recklessly.

The best rule that you can apply in any instance (and one that's been around for millenia) is that if you are in any doubt, don't! It's like coming to a rickety bridge that looks like it could collapse under you, but there is a safer bridge 5 miles away that you know of; if you chance the rickety bridge and it does go from under you then you acted recklessly knowing that a safer bridge was available and you have paid the price for being reckless.

When it comes to add-ons, reputation of the developer and feedback from buyers will help you to minimise risk; you cannot be expected to be an expert in all things, so you have to rely on the evidence before you. If you buy from Joe Soap who has no previous reputation you can check and no reviews - you are taking a risk. I believe that good sense generally is the way forward.

 

[Ummagumma]

As webmaster we install free and paid addons. Most webmasters are not able to audit the code of these addons, so its a matter of blind faith. Most admins are not able to do the required due diligence.

Addons could include backdoors, callbacks, malicious scripts. Or they can be coded in a bad way that opens up your site to vulnerabilities.

But now we have the GDPR approaching. Which forces data protection & privacy by design and default.
When a breach takes place and personal data is exposed then the authorities must be alerted. These will asses if the webmaster has complied with the GDPR or not.

If not, then there could be millions in fines.
Read this: https://www.gdpreu.org/compliance/fines-and-penalties/

Some points from the article:

There are many other factors, as you can read on the page.

It seems to me that if your site gets hacked and it turns out your site is running vulnerable software, then unless you are able to proof that you have done your due diligence then there may be very serious consequences.

So this makes me wonder.. considering the above can we even install / run addons anymore without having them audited? What do you think?

Damn. More crap to worry about. Cheers Alfa, you've really brightened my day
Will respond to this in a more apt manner when time permits, but interesting take on it.

 

[Alpha1]

When it comes to add-ons, reputation of the developer and feedback from buyers will help you to minimise risk; you cannot be expected to be an expert in all things, so you have to rely on the evidence before you. If you buy from Joe Soap who has no previous reputation you can check and no reviews - you are taking a risk. I believe that good sense generally is the way forward.

That's a really interesting point about developer reputation. Many developers are anonymous, unverified without credentials or company registration. For example when I look at a developer profile on Freelancer, Codementor, Stackoverflow Talent, Upwork or other sites to hire developers then I can see skills, tests, certifications, work history, portfolio, feedback, education, CV or even LinkedIn.
Example: https://www.freelancer.com/u/Indexpage

That is very different from developer profiles on xenforo.com which give no information. IIRC for IPS its the same.
In many cases you are buying from a stranger or even hiring a stranger for development or services. In my experience this often goes wrong and can be a complete gamble. I'm pretty happy that after all the disaster projects I now have a clear idea of whom to avoid and who is reliable.

Reputation on Xenforo.com is relative, because the rating system is very basic and therefore there is no rating for specific things like code quality, so you don't know what ratings mean. If you post negative reviews then expect aggressive pushback. There are developers with lots of addons, extremely high reputation who do not know the most basic things about development or who consistently put out buggy releases.

If you buy from Joe Soap

Considering the above, are you not buying from Joe Soap in many cases?

I think anonymity is partly inherit to forum administration. Developers who are also forum admins will often want to keep anonymity, as they do not need forum drama at their door. I can highly appreciate that.

But in regards to the GDPR, security breaches and the millions in fines: buying addons from sources without credentials raises questions.

 

[Nev_Dull]

Really good question. This could be one of the unforeseen consequences of GDPR; forcing some good small developers out of business, simply because they cannot afford the cost of certification. Because, for the forum owner, you really will have to verify the credentials of add-on makers to cover our own butts.

 

[Maddox]

It is a bag of worms that is going to cause a lot of anxiety and questions to be asked. As for developers, you can gauge their reputation, to a degree, with reference to the feedback they receive from purchasers, how they respond to support requests and how long they have been around and whether they continue to develop and update their wares when necessary.

The beauty of buying from the IPS marketplace is that it is IPS that is making the sale on behalf of developers therefore it is their responsibility to ensure that what they are selling is reputable. A contract is made between the seller and the buyer when money has been exchanged between the two parties; in the case of IPS the two parties are IPS and You if you are the buyer. If something doesn't work as it is intended to work and causes you problems then you have redress against IPS.

In the XF marketplace (known as the Resource Manager) all sales take place off-site and so the seller becomes the developer and you remain as the buyer; thus the contract is between Joe Soap and You. Which immediately brings into play caveat emptor - which by definition is "the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made."

A lot of this comes down to using good sense - you see an add-on that has umpteen purchases, good reviews, good support and continuous development over a period of time. It's a reasonably good bet that it will do as described; if not, you ask for support and if it's given great. If not, then you learn by experience.

If you see a new add-on with few purchases, nothing said about support or ongoing development and updates - then whatever happens after that is down to you. It's unlikely you will gain any traction with any developer if they decide to up sticks.

And Alfa1 raises a good point with regards to the anonymity of people selling on the Internet - if JS does up sticks how do you track them down to gain redress? Once again, this is where buying from IPS is a safer bet than buyer from an unknown entity.

Good debate!

 

[LeadCrow]

There are developers with lots of addons, extremely high reputation who do not know the most basic things about development or who consistently put out buggy releases.

One reason is account transfers/merges from buyouts. Transfers of ownership should normally never carry pre-existing reputation of addons and dev accounts to a new party that might not be trustworthy. Let the new dev account prove his worth with actual releases instead of sitting on an unearned reputation essentially paid for.

 

[Pete]

Let me back this up with a slightly more pointed question.

Does the GDPR block you from installing any unaudited software including the forum platform itself?

Moreover, what does an audit look like? Who can judge the competence of an auditor? The presumption is that if you purchase a platform, and the platform itself has a vulnerability, that you remedy it as soon as is possible.

But, here's the thing, if you're running - say - XF without any addons, and there's a fault in XF itself leading to a data leak, are you still liable? What about if you audit the software? What about if I say I've audited the software, is my opinion worth anything? What about anyone else?

We've just had this situation with a platform we deal with at work, the vendor notified us that there was a security hole - potentially quite a serious one - but that the vendor wasn't going to issue the patch until their next patch cycle, 2 weeks away because they always release it like that... if that is now exploited, who's liable?

To the original question: it doesn't block you. It does nothing of the sort, it just outlines that it's your responsibility to do due diligence before deploying anything. More importantly, if you make the decision that a piece of software is 'acceptable' today, there's no guarantee it won't break with tomorrow's update.

And remember: almost all software is so large and complex, it's virtually impossible to be risk free and '100% safe'.