No Privacy Policy in D tools (dmd, dub, phobos, etc)
January 22

Hello everyone! I was looking at the Dlang website and found absolutely no Privacy Notice, Privacy Policy, or document that explains the handling of user personal information.
Looking at the source code of dub, dmd, phobos, dlang.org, and dub-registry (code.dlang.org) I did not find (and I am very glad) telemetry or analytics of any kind. But I also consider it necessary to have a document that explains how dlang.org handles the user's personal data.
It even seems like a good opportunity to tell the world that they take care of their users' personal information.

January 24

On Monday, 22 January 2024 at 13:45:09 UTC, However (?) wrote:

> [...]

I don't think any user data is collected (although I might be wrong), hence no need for a privacy notice.

January 24

On Monday, 22 January 2024 at 13:45:09 UTC, However (?) wrote:

> or analytics of any kind. But I also consider it necessary to have a document that explains how dlang.org handles the user's personal data.
> It even seems like a good opportunity to tell the world that they take care of their users' personal information.

The world (of specialists for whom the site is intended) actually knows how personal data is processed on websites.

January 24

On Wednesday, 24 January 2024 at 09:20:26 UTC, RazvanN wrote:

> On Monday, 22 January 2024 at 13:45:09 UTC, However (?) wrote:
>
> > [...]
>
> I don't think any user data is collected (although I might be wrong), hence no need for a privacy notice.

Dub does indeed collect user data. Besides, having a privacy policy goes beyond that. See https://foundation.rust-lang.org/policies/privacy-policy/

January 24
On 24/1/24 13:49, aberba wrote:
> Dub does indeed collect user data. Besides, having a privacy policy goes beyond that. See https://foundation.rust-lang.org/policies/privacy-policy/

I would like to point out that, at least in the EU, IP addresses are considered personal data under the GDPR [1]. This doesn't automatically mean that you need to ask for consent from your users*, but you might need to add a privacy policy on the website to inform them.

It also affects the dlang.org website, and even more so the forum web interface, where there is a registration that clearly involves personal data (as related to the GDPR).

I'm not sure how this applies to sites hosted outside the EU, but as long as you target EU users it wouldn't hurt to just add one. There are a lot of templates around that you can use.

Incidentally, this has interesting consequences when, for instance, Google Fonts (or any other external resource) are hot-linked directly and not self-hosted. Then, according to at least a German Court [2], you are *transferring* collected personal information (the IP address) to a third party (Google).

IANAL, so I have no idea of how this applies to the DLF, who I assume sits in the US, but I thought it might be of interest.

*:  You likely don't if you only do what is needed to keep the server running and healthy.

[1]: https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en#examples-of-personal-data
[2]: https://www.cookieyes.com/documentation/google-fonts-and-gdpr/
January 24

On Wednesday, 24 January 2024 at 09:20:26 UTC, RazvanN wrote:

> On Monday, 22 January 2024 at 13:45:09 UTC, However (?) wrote:
>
> > [...]
>
> I don't think any user data is collected (although I might be wrong), hence no need for a privacy notice.

It may collect little or no personal information, but it is always important to indicate this in a formal document. I suppose the user deserves to have knowledge about how their data is processed.

Also, the dub registry has a login/register page.

January 24

On Wednesday, 24 January 2024 at 16:50:49 UTC, However (?) wrote:

> It may collect little or no personal information, but it is always important to indicate this in a formal document.

Formal documents do not matter

January 24

On Monday, 22 January 2024 at 13:45:09 UTC, However (?) wrote:

> Hello everyone! I was looking at the Dlang website and found absolutely no Privacy Notice, Privacy Policy, or document that explains the handling of user personal information.

On the help page https://forum.dlang.org/help you'll find some information (spreading of e-mail addresses, Gravatar use). Why one should abstain from using Gravatar has already been discussed elsewhere [1].

[1] https://meta.stackexchange.com/questions/44717/is-gravatar-a-privacy-risk

January 24
The site search is a Google applet. Google surely tracks it.

The books page on the D wiki has affiliate links to books about D, with the DLF as the beneficiary. Amazon surely tracks it.

Bugzilla is maintained independently by Brad Roberts.

The D forums have a login, and so must keep track of passwords and chosen names. You can access it via any NNTP app, which does not have a login, if you prefer. I recommend using a unique password for the D forums. The messages posted are all public (which is kinda the point!).

From time to time, a user will ask that all their postings be removed from the forums. We've complied, but since it's an NNTP server with the addition of a mailing list, we cannot do anything about copies that have been already transmitted.

The web site itself keeps track of aggregate usage statistics, such as which pages are most clicked on.

Beyond that, I don't know of any information gathering. We simply don't care about that aspect. I doubt any of it has any commercial value. Nobody has offered to buy the data, and we've never sold any of it.

We deliberately make no attempt to associate user names with real names.

And that's all I can think of.

January 25
On Wednesday, 24 January 2024 at 13:07:26 UTC, Arafel wrote:
> IANAL, so I have no idea of how this applies to the DLF, who I assume sits in the US, but I thought it might be of interest.

IANAL either, but I did the GDPR compliance engineering for my team's product at MSFT. The basic principle is that, unless the service is physically hosted in the EU, GDPR has no legal force. If a European connects to a US hosted service, they can have no legal expectation that GDPR regulations will be followed and if they do it is as a courtesy and no action may be brought under the GDPR.

IIRC, the EU originally tried to write the law as "any service that any European connects to must comply", but I think someone somewhere along the way pointed out that most of these services were held in the US and the most effective way to "comply" was to simply block EU IPs until the engineering work was completed (if the company had any compelling reason to stay accessible in the EU market). And enforcement would be impossible without US support and they got a hard "no" on that.

When I was doing this for MSFT, we just held off deploying our product into the EU datacenters and product offerings until the engineering and documentation was complete. Took a year of my life that work did.

For my current project, our non-US plans consist of "block their IPs." GDPR is a massive capital sink for a small business.