Cookie Policy GDPR Compliance


(Kirk Macdonald) #1

OK, I'm going to attempt my first plugin over the next few weeks.

As I notice, every one of us at the moment does not have a cookie policy or cookie script pop-up, making us non-GDPR compliant.

I know nothing at the moment about how to create Neth plugins, but I'm gonna learn over the next few weeks and then develop the plugin.

When I'm ready, if there are any other newbie devs (and I mean newbie devs, not the devs who learned at college, I mean the ones like me) who want to help, let me know and we can work on it together.


(Giacomo Sanchietti) #2

Where do you want to include such plugin? Inside the Server Manager?


(Kirk Macdonald) #3

Well, yes, because of the following reasons:

  1. the website uses cookies

  2. the Server Manager holds sensitive data, i.e. email addresses, usernames etc.

which needs to comply with the GDPR policy, which means there needs to be a cookie script by law and a GDPR policy in place.

Otherwise there is a minimum 20 million pound fine, and this also covers people outside the EU: if you have a company, website or anything that collects or holds data on anyone who lives in the EU, then even if your website or you are in America this policy still affects you too, and they can fine you 20 million pounds minimum.


(Alessio Fattorini) #4

Agree, on the website we should add it.
On the Discourse side as well, just a checkbox during the registration.


(Giacomo Sanchietti) #5

I'm not sure that the cookie law should be applied to the Server Manager.
The Server Manager is not a public site, but a web administration interface which can be accessed only by the administrator. Also, as a best practice, access to the Server Manager should be restricted to specific IP addresses, so I think it can be considered an intranet service.

From the UK document (https://ico.org.uk/media/for-organisations/documents/1545/cookies_guidance.pdf), which probably will not apply anymore after Brexit:

How do these rules apply to intranets?

In our view the rules do not apply in the same way to intranets. The Regulations require that consent is obtained from the user or subscriber. A 'user' is defined as any individual using a public electronic communications service. An intranet is unlikely to be a public electronic communications service. Although the regulations would not therefore apply in the same way to cookies that are set on an intranet it is important to remember that the requirements of the DPA are likely to apply if your use of cookies is for the purposes of monitoring performance at work, for example. Wherever an organisation collects personally identifiable information using cookies then the normal fairness requirements of the DPA will apply.


(Michael Kicks) #6

Where can users change their passwords? Only via the Server Manager?
It is also user/people oriented.


(Dan) #7

Which website uses cookies? The Neth-hosted website (i.e., the one(s) you’re hosting on your Nethserver(s))? If so, only to the extent you program it/them to, and in that case, GDPR compliance is your responsibility. I don’t believe the server manager uses cookies, and in any event, the cookies don’t collect or store user information. The “we use cookies” popups are pointless and not required under GDPR.

Yes, so they claim. Let them try.


(Giacomo Sanchietti) #8

Yes, but you can configure it to be accessible only from the LAN.

The only cookies generated inside the Server Manager are for authentication/authorization.


(Kirk Macdonald) #9

This is not aimed at the home user or for personal setups.

But as a company that will have admin teams and personal client data, you will have administrators logging in remotely, and you will be storing email addresses, passwords, and all sorts.

And it does not matter if the UK leaves the EU, as the law states that the law applies to anyone who collects and stores sensitive data.

And as business has changed and we have moved into a new era, I don't want my workforce or admin team limited to just people in the UK when I can have a skilled team dotted all around the globe.

I mean, you don't have to use the plugin; this is business orientated.


(Dan) #10

What “plugin”, and what “this” are you referring to?


(Jeroen Visser) #11

Agreed. I do not think it applies. What is an issue, though, is that once you are an admin, you can see everything, including information that you should only have access to under certain (monitored) conditions. NethServer does not allow for that at the moment. I do not think it is useful to focus on that either at the moment. It is a nice-to-have, though.

Think of role-based access, where only in a certain process you are allowed to access/alter certain info.
If there is no formal request for action X, you should not have access to the details you would need for action X. Being able to make an export of all users and their email addresses? That is an issue when those are customers.

Which exact issue are you trying to tackle? If you are corporate, you will most likely use the Samba AD account provider, or an existing AD account provider. All administration should be done from within Windows clients, bound by Windows policies and access rights based on best practices, given your demands. Likely there will be additional layers for process-based access through centralized management software. Support will get an unlock button activated when there is a ticket for it … in a non-MMC interface …

This can be done. Lock your Server Manager with a two-keys principle construct, and do as described above.

(You will not get around root usage for certain admin tasks … you will never get that past GDPR compliance without a whole bunch of paperwork to cover that scenario. The way the logs are organised will not get you there either, and the list is pretty long, tbh. You will have to lock a lot down, and use other solutions like the ELK stack to access sensitive data in a controlled fashion. It's more of an adventure to guide a Linux-based setup through GDPR compliance without specialized management software.)