cross-cms-compliance

A Proposed Drupal privacy initiative and the Cross CMS privacy group

Background

At this point in the history of the open web, privacy is arguably the key issue in software development. As a range of scandals arising from the misuse of data bring pressure on governments and civil society to take action, it is important for software projects - including Drupal - to take proactive steps to value, resource, and support privacy work.

To date, the Drupal project has largely been reliant on the community to take the lead on privacy work. Development initiatives on privacy issues have mostly centred around contributed modules to implement privacy standards required by the EU’s GDPR privacy legislation.

The status of Drupal’s work on privacy was discussed at great length at Drupal Europe last year with members of the WordPress and Joomla communities, as well as a variety of community members in Drupal who are continuing to focus on privacy beyond GDPR.

As a result, we created the Cross-CMS privacy group, where participants from a number of open source CMSes learn from each other and work to bring our respective software ecosystems towards a common open standards and principles.

For DrupalCon Seattle we would like to present a core privacy initiative that will bring together  some of the existing work in contrib as well as the efforts of the others in the cross-CMS group.

Cross-CMS Privacy Group

We have representatives from the communities of Drupal, Joomla, WordPress and Umbraco meeting regularly on Wednesdays at 2-3pm UTC. It’s only been a few months, but we feel that we’ve achieved quite a bit. We’ve managed to stick to our weekly meetings and found that everyone involved has a passion for privacy generally, not just compliance with a specific set of laws.

We’ve found that although our software and community ecosystems are different, we’ve had to encounter the same set of problems - we’ve just handled things in differing ways. Different CMS’ have focused on different areas, which gives us much to learn from each other. For example, WordPress has done a great deal of work on privacy policies, whilst Joomla has fantastic export and import tools for site admins to manage, Umbraco has put a lot of effort into a Consent API, data export and handling of sensitive data fields.

We have already achieved a number of deliverables since beginning:

• We’ve been working towards a common understanding of how software projects should define privacy that has been influenced by GDPR but aims to go further than mere compliance here: https://github.com/webdevlaw/open-source-privacy-standards (Special thanks to Heather from the WordPress team)

• We’ve created a repository for posting minutes, and been producing them weekly here  (Special thanks to the Joomla! Team especially Luca and Achilleas): https://github.com/joomla/cross-cms-compliance

• We’ve created a structure for auditing software extensions that could be used by a Drupal privacy team to audit common modules here : https://github.com/joomla/cross-cms-compliance/blob/master/audit-your-software-extension.md

• We have begun discussing unified standards for file formats for data portability exports and imports, so that users could, in theory, move their data between sites regardless of CMS

• We’ve created some internal documents comparing the features of our CMSes with the aim to produce a common blueprint for how software best handles user data and privacy tools. We’ve been compiling some legal examples of times when fines have happened and are working together towards a common goal.

General Points on Privacy

Through our conversations we have become convinced that privacy is no longer just a legal requirement but one of ethical importance. We know that giving users the ability to control their own data, and having means to control their consent, isn’t just about avoiding the proverbial fine. As developers behind some of the largest CMSes in the world, we know that we cannot force website administrators to respect their users’ privacy, but we can at least make it so easy for them to do so that they will need a good reason to not enable these tools.

CMSes can often be the first point of processing an individual’s information. A recent discussion raised by Alan Mac Kenna from the Umbraco CMS community within the group centred on the need to be able to demonstrate accountability for processing not only based on consent, but for other ‘lawful bases’ also, enabling our platforms to become a key source of truth for realising accountability under data protection regulations.

However, putting aside the ethical imperative for privacy tools, there are a number of new legal privacy initiatives currently being worked on (which as of this writing include CCPA, the ePrivacy Regulation revamp, and the growing shape of the eventual US Federal privacy law). Therefore, especially for large organisations and enterprise, core functionality in databases and CMSes will likely be an incentive for future projects and funding.

We feel that the Cross-CMS group will assist their projects to value, resource, and support both the ethical reasons for caring about privacy as well as the business incentives for avoiding legal issues. The more we follow consistent design patterns, open standards, and proactive approaches to  legislation, the more all of our clients, users and customers will be protected. Whilst other CMSes will never dictate what Drupal needs to do, we can always benefit from mutual learning and understanding.

We hope that as this initiative grows, we will be able to work in cooperation with regulatory bodies themselves to add further authority to the technical approaches we will take in our software.

Drupal Privacy Initiative Goals

We have a number of potential goals for a Drupal privacy initiative:

• We want to have a clear roadmap of what features need to be in the Core of Drupal, so that other modules can extend that functionality, and what features can remain officially supported in Drupal.
• An example is the tools for data erasure and “Right to be forgotten” could be an extension of the existing options given when a site admin cancels a user;
• Whereas tools to make it easier to import user data from other CMSes could exist in contrib but using a data structure that the majority of major CMSes are using.
• We want to define what we currently believe are the essential features required to improve a website’s handling of user data and privacy, including:
• Functionality for logging consent or other legal basis for processing;
• Functionality for handling the exporting and erasure of user data, taking into account that Drupal stores a lot of data in custom fields or other modules.
• A privacy team-supported checklist, existing in contrib, to assist organisations in compliance and privacy issues outside of pure tech/code issues.
• A privacy team which, like the security team, vets submitted modules to see how well they respect privacy requirements, as the WordPress Privacy team does. This could instead be more similar to how the accessibility team operates.
• Potentially other features such as something like the legal module in core which would allow modules to submit wording for privacy policies, such as what cookies they used and how they handle user data.
• Build upon the work Brainsum (Peter) and FreelyGive (Jamie or yautja_cetanu) have done on the GDPR module on drupal.org to bring the essential functionality into core where appropriate.
• We want to create documentation within drupal.org to assist developers, site builders and site administrators alike in understanding the privacy issues which impact Drupal, including understanding what other software does.

Our Next Steps

We hope to follow this blog post up with some detailed presentations on the state of privacy tools in other CMSs with screenshots and a more detailed plan.

Currently the representatives of Drupal in the Cross-CMS Privacy Group are from two companies which worked on the /project/gdpr module and another individual who has worked on various encryption modules. We hope to open this up at Drupalcon Seattle.

Chris Teitzel is representing the initiative at Drupalcon Seattle. Many of the members of the working group are in Europe and while not in physical attendance, have pledged to make themselves available remotely for any discussions that are required and are willing to help in any way.

Chris hopes to bring together enough people to support this so an official initiative can be created.

In the long term we hope to secure funding for the group to cover travel and accommodation expenses for periodic in-person meetups and other directly relevant activities, such as conferences and workshops. We may also seek funding support for our time and labour contributing to opensource privacy, which is already a considerable commitment. We naturally must be careful to consider the values and ethics of any potential sponsors, particularly those which may have a mixed track record on privacy.

More information about the bof can be found here: https://events.drupal.org/seattle2019/bofs/drupal-privacy-initiative

The proposal can be found on drupal.org here: https://www.drupal.org/project/ideas/issues/3009356

This site is open source. Improve this page.