GDPR: draft submitted to counsel

classes/cookie.class.php

@@ -1,47 +1,57 @@
 <?php
+declare(strict_types=1);
 
-/*************************************************************************|
-|--------------- Cookie class --------------------------------------------|
-|*************************************************************************|
+/**
+ * Cookie
+ *
+ * This class handles cookies.
+ * $Cookie->get() is user-provided and untrustworthy.
+ */
 
-This class handles cookies.
-
-$Cookie->get(); is user provided and untrustworthy
-
-|*************************************************************************/
-
-/*
-interface COOKIE_INTERFACE {
-  public function get($Key);
-  public function set($Key, $Value, $Seconds, $LimitAccess);
-  public function del($Key);
-
-  public function flush();
-}
-*/
-
-class COOKIE /*implements COOKIE_INTERFACE*/
+class COOKIE
 {
-    const LIMIT_ACCESS = true; // If true, blocks JS cookie API access by default (can be overridden case by case)
-    const PREFIX = ''; // In some cases you may desire to prefix your cookies
+    # In some cases you may desire to prefix your cookies
+    const PREFIX = '';
 
     public function get($Key)
     {
-        if (!isset($_COOKIE[SELF::PREFIX.$Key])) {
-            return false;
-        }
-        return $_COOKIE[SELF::PREFIX.$Key];
+        return (!isset($_COOKIE[SELF::PREFIX.$Key]))
+            ? false
+            : $_COOKIE[SELF::PREFIX.$Key];
     }
 
     // Pass the 4th optional param as false to allow JS access to the cookie
-    public function set($Key, $Value, $Seconds = 86400, $LimitAccess = SELF::LIMIT_ACCESS)
+    public function set($Key, $Value, $Seconds = 86400)
     {
-        setcookie(SELF::PREFIX.$Key, $Value, time() + $Seconds, '/', SITE_DOMAIN, $_SERVER['SERVER_PORT'] === '443', $LimitAccess, false);
+        $ENV = ENV::go();
+
+        setcookie(
+            SELF::PREFIX.$Key,
+            $Value,
+            [
+                'expires' => time() + $Seconds,
+                'path' => '/',
+                'domain' => $ENV->SITE_DOMAIN,
+                'secure' => true,
+                'httponly' => true,
+                'samesite' => 'Strict',
+            ]
+        );
     }
 
     public function del($Key)
     {
-        setcookie(SELF::PREFIX.$Key, '', time() - 24 * 3600); //3600 vs 1 second to account for potential clock desyncs
+        # 3600s vs. 1s for potential clock desyncs
+        setcookie(
+            SELF::PREFIX.$Key,
+            '',
+            [
+                'expires' => time() - 24 * 3600,
+                'secure' => true,
+                'httponly' => true,
+                'samesite' => 'Strict',
+            ]
+        );
     }
 
     public function flush()

sections/donate/donate.php

@@ -50,7 +50,11 @@ View::show_header('Donate');
     <ul>
       <li>
         <strong>Server.</strong>
-        We currently use one budget VPS at 2.50€ per month, and can add more as needed.
+        We use one budget VPS at 2.50€ per month and may add more as needed.
+        Please consider using our
+        <a href="https://hetzner.cloud/?ref=mzIDQWTHipNB" target="_blank">affiliate link</a>.
+        You'd receive 20€ credit, effectively paying your server for 8 months.
+        BioTorrents would receive 10€ credit after a year, paying our server for 4 months.
       </li>
 
       <li>
@@ -70,7 +74,8 @@ View::show_header('Donate');
       <li>
         <strong>Company.</strong>
         Omics Tools LLC is <?= $ENV->SITE_NAME ?>'s parent company.
-        It's $50 per year in filing fees and $125 for resident agent services.
+        It's $50 per year for annual reports and $125 for resident agent services.
+        Also, DMCA agent registration is $6.
       </li>
     </ul>
   </div>
@@ -126,6 +131,9 @@ View::show_header('Donate');
       including <strong>Bitcoin</strong> and other cryptocurrencies:
       Monero, Litecoin, and Curecoin.
       <strong>PayPal</strong> and <strong>USPS money orders</strong> are also options.
+    </p>
+
+    <p>
       Please use
       <a href="https://pgp.mit.edu/pks/lookup?op=get&search=0x760EBED7CFE266D7" target="_blank">GPG 760EBED7CFE266D7</a>
       if you wish.

sections/legal/dmca.php

@@ -8,9 +8,9 @@ View::show_header('DMCA');
 
 <section class="tldr">
   <p>
-    <em>If</em> you're a copyright owner or agent thereof,
-    <em>and</em> you believe that user-generated content (UGC) on the domain https://biotorrents.de infringes your
-    copyrights:
+    <em>If</em> you're a copyright owner or agent of one,
+    <em>and</em> you believe that user-generated content (UGC) on the domain
+    https://biotorrents.de infringes your copyrights:
     <em>then</em> you may notify our Digital Millennium Copyright Act (DMCA) agent in writing.
   </p>
 
@@ -135,6 +135,7 @@ View::show_header('DMCA');
     <a href="https://www.law.cornell.edu/uscode/text/17/512">17 USC 512(f)</a>,
     anyone who knowingly materially misrepresents infringement may be subject to liability.
     Also see
+    <a href="https://www.law.cornell.edu/uscode/text/17/107">17 USC 107</a> and
     <a href="https://www.law.cornell.edu/uscode/text/17/108">17 USC 108</a>.
   </p>
 

sections/legal/privacy.php

@@ -1,135 +1,260 @@
 <?php
 declare(strict_types=1);
 
-View::show_header('Privacy');
-?>
+View::show_header('Privacy'); ?>
 
 <h2>Privacy Policy</h2>
 
 <section class="tldr">
-  <p>
-    At BioTorrents.de, accessible from https://biotorrents.de, one of our main priorities is the privacy of our
-    visitors.
-    This Privacy Policy document contains types of information that is collected and recorded by BioTorrents.de and how
-    we use it.
-  </p>
 
   <p>
-    If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact
-    us.
+    This policy explains how Omics Tools LLC handles the personal data we collect from you when you use our website.
+    You grant consent on account registration by checking the box that reads,
+    "I consent to the privacy policy and may revoke my consent at any time."
   </p>
 
 
-  <h3>General Data Protection Regulation (GDPR)</h3>
+  <h3>
+    Data collection: what and how
+  </h3>
+
+  <p>
+    We collect usernames, email addresses, GPG keys,
+    passphrases, API keys, site activity and preferences,
+    IP addresses, and server error logs.
+  </p>
 
   <p>
-    We are a Data Controller of your information.
+    We don't collect access logs or compile personal data for any commercial reason.
+    Also, we explicitly deny all known browser features, including not limited:
+    camera, microphone, sensors, wake-lock, USB, encrypted media, autoplay, etc.
   </p>
 
   <p>
-    BioTorrents.de's legal basis for collecting and using the personal information described in this Privacy Policy
-    depends on the Personal Information we collect and the specific context in which we collect the information:
+    You directly provide us with most of the data we collect.
+    We collect and process your personal data when you
   </p>
 
   <ul>
-    <li>BioTorrents.de needs to perform a contract with you</li>
-    <li>You have given BioTorrents.de permission to do so</li>
-    <li>Processing your personal information is in BioTorrents.de's legitimate interests</li>
-    <li>BioTorrents.de needs to comply with the law</li>
+    <li>
+      register online for our services,
+    </li>
+
+    <li>
+      query the tracker for BitTorrent peers,
+    </li>
+
+    <li>
+      participate in our forums and chat rooms, and
+    </li>
+
+    <li>
+      use our website with cookies or API keys.
+    </li>
   </ul>
+  <br />
+
+
+  <h3>
+    Data use and storage
+  </h3>
 
   <p>
-    BioTorrents.de will retain your personal information only for as long as is necessary for the purposes set out in
-    this Privacy Policy.
-    We will retain and use your information to the extent necessary to comply with our legal obligations, resolve
-    disputes, and enforce our policies.
+    We only use your data to manage your account and administer the site.
+    We never sell or otherwise provide data to third parties, except under subpoena.
   </p>
 
   <p>
-    If you are a resident of the European Economic Area (EEA), you have certain data protection rights.
-    If you wish to be informed what Personal Information we hold about you and if you want it to be removed from our
-    systems, please contact us.
+    All data read, written, or deleted under this policy will only be managed by SQL queries,
+    and any data returned will only be provided as database dumps.
   </p>
 
   <p>
-    In certain circumstances, you have the following data protection rights:
+    We securely store your data in our hardened MariaDB instance.
+    Only Unix socket connections are allowed, and certain services like IRC are denied.
+    Database tools aren't accessible on the public internet.
   </p>
 
-  <ul>
-    <li>The right to access, update or to delete the information we have on you</li>
-    <li>The right of rectification</li>
-    <li>The right to object</li>
-    <li>The right of restriction</li>
-    <li>The right to data portability</li>
-    <li>The right to withdraw consent</li>
-  </ul><br />
+  <p>
+    Email and IP addresses, and private messages between users,
+    are encrypted and then decrypted in memory.
+    Certain data is hashed before storage and therefore unrecoverable,
+    including passphrases and API keys.
+    Please don't request ciphertext.
+  </p>
+
+  <p>
+    We'll keep your data for your account's lifetime.
+    Once this period expires, we'll delete your data by written request.
+  </p>
+
+
+  <h3>
+    GDPR data protection rights
+  </h3>
 
+  <p>
+    We'd like to make sure you're fully aware of your data protection rights.
+    Every user is entitled to GDPR protections regardless of their jurisdiction:
+  </p>
 
-  <h3>Log Files</h3>
+  <ul class="p">
+    <li>
+      <strong>Access.</strong>
+      You have the right to request copies of your personal data.
+      We may charge a small fee for this service.
+    </li>
+
+    <li>
+      <strong>Rectification.</strong>
+      You have the right to request that we correct what you believe is inaccurate,
+      and to request that we complete what you believe is not.
+    </li>
+
+    <li>
+      <strong>Erasure.</strong>
+      You have the right to request that we erase your personal data, under certain conditions.
+    </li>
+
+    <li>
+      <strong>Restrict Processing.</strong>
+      You have the right to request that we restrict processing your personal data,
+      under certain conditions.
+    </li>
+
+    <li>
+      <strong>Object to Processing.</strong>
+      You have the right to object to our processing your personal data, under certain conditions.
+    </li>
+
+    <li>
+      <strong>Data Portability.</strong>
+      You have the right to request that we transfer data we've collected to you or others,
+      under certain conditions.
+    </li>
+  </ul>
 
   <p>
-    BioTorrents.de only logs server errors.
-    The information collected by log files include internet protocol (IP) addresses, browser type, date and time stamp,
-    and referring/exit pages.
-    These are not linked to any information that is personally identifiable.
-    The purpose of the information is for administering the site.
+    If you make a request, we have one month to respond.
+    Please contact us if you'd like to exercise any of these rights.
   </p>
 
 
-  <h3>Cookies and Web Beacons</h3>
+  <h3>
+    Cookies: what and how
+  </h3>
+
+  <p>
+    Cookies are text files placed on your computer to store functional information.
+    When you log into our website, we save cookies to your browser's local storage.
+  </p>
+
+  <p>
+    We strongly encourage you to use an updated browser with sandboxed tabs,
+    and to set your browser to deny disk permissions and to wipe transient data on shutdown.
+  </p>
 
   <p>
-    Like any other website, BioTorrents.de uses "cookies."
-    These cookies are used to store information including visitors' preferences, and the pages on the website that the
-    visitor accessed or visited.
-    The information is used to optimize the users' experience by customizing our web page content based on visitors'
-    browser type and/or other information.
+    We use cookies to keep you signed in.
+    Our secure session cookie parameters include
   </p>
 
+  <ul>
+    <li>
+      one-day expiry time,
+    </li>
+
+    <li>
+      scoped to https://biotorrents.de,
+    </li>
+
+    <li>
+      TLS 1.2+ transmission only,
+    </li>
 
-  <h3>Third Party Privacy Policies</h3>
+    <li>
+      unavailable to JavaScript APIs, and
+    </li>
+
+    <li>
+      strict same-origin policy.
+    </li>
+  </ul>
 
   <p>
-    BioTorrents.de's Privacy Policy does not apply to other advertisers or websites.
-    Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more
-    detailed information.
-    It may include their practices and instructions about how to opt-out of certain options.
+    You can set your browser to deny cookies
+    but our website won't function as intended.
   </p>
 
+
+  <h3>
+    Other websites' policies
+  </h3>
+
   <p>
-    You can choose to disable cookies through your individual browser options.
-    To know more detailed information about cookie management with specific web browsers, it can be found at the
-    browsers' respective websites.
+    BioTorrents.de links to other websites.
+    Our privacy policy only applies to our website.
+    If you click an external link, please read their privacy policy.
   </p>
 
 
-  <h3>Children's Information</h3>
+  <h3>
+    Changes to our policy
+  </h3>
 
   <p>
-    Another part of our priority is adding protection for children while using the internet.
-    We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity.
+    We regularly review our policy and publish updates here.
+    Updates will usually describe new security developments.
+    We last updated this policy on 2021-02-11.
   </p>
 
+
+  <h3>
+    How to contact us
+  </h3>
+
   <p>
-    BioTorrents.de does not knowingly collect any Personal Identifiable Information from children under the age of 13.
-    If you think that your child provided this kind of information on our website, we strongly encourage you to contact
-    us immediately and we will do our best efforts to promptly remove such information from our records.
+    If you have any questions about our policy,
+    the data we hold on you,
+    or you'd like to exercise one of your data protection rights,
+    please don't hesitate to contact us.
   </p>
 
+  <p>
+    <strong>
+      Address
+    </strong>
+    <br />
+
+    Data Protection Officer<br />
+    Omics Tools LLC<br />
+    30 N Gould St Ste 4000<br />
+    Sheridan, WY 82801
+  </p>
 
-  <h3>Online Privacy Policy Only</h3>
+  <p>
+    <strong>
+      Email
+    </strong>
+    <br />
+    gdpr at biotorrents dot de
+  </p>
 
   <p>
-    Our Privacy Policy applies only to our online activities and is valid for visitors to our website with regards to
-    the information that they shared and/or collect in BioTorrents.de.
-    This policy is not applicable to any information collected offline or via channels other than this website.
+    Please use
+    <a href="https://pgp.mit.edu/pks/lookup?op=get&search=0x760EBED7CFE266D7" target="_blank">GPG 760EBED7CFE266D7</a>
+    if you wish.
   </p>
 
 
-  <h3>Consent</h3>
+  <h3>
+    How to contact the appropriate authority
+  </h3>
 
   <p>
-    By using our website, you hereby consent to our Privacy Policy and agree to its terms.
+    Should you wish to report a complaint,
+    or if you feel that we haven't satisfactorily addressed your concerns,
+    contact the Information Commissioner's Office.
   </p>
 </section>
 

sections/register/index.php

@@ -7,10 +7,9 @@ $ENV = ENV::go();
 
 /*
 if (isset($LoggedUser)) {
-
-  // Silly user, what are you doing here!
-  header('Location: index.php');
-  error();
+    // Silly user, what are you doing here!
+    header('Location: index.php');
+    error();
 }
 */
 
@@ -35,14 +34,13 @@ if (!empty($_REQUEST['confirm'])) {
         include('step2.php');
     }
 } elseif ($ENV->OPEN_REGISTRATION || !empty($_REQUEST['invite'])) {
-    $Val->SetFields('username', true, 'regex', 'You did not enter a valid username.', array('regex' => USERNAME_REGEX));
-    $Val->SetFields('email', true, 'email', 'You did not enter a valid email address.');
-    $Val->SetFields('password', true, 'regex', 'Your password must be at least 6 characters long.', array('regex'=>'/(?=^.{6,}$).*$/'));
-    $Val->SetFields('confirm_password', true, 'compare', 'Your passwords do not match.', array('comparefield' => 'password'));
-    $Val->SetFields('readrules', true, 'checkbox', 'You did not select the box that says you will read the rules.');
-    $Val->SetFields('readwiki', true, 'checkbox', 'You did not select the box that says you will read the wiki.');
-    $Val->SetFields('agereq', true, 'checkbox', 'You did not select the box that says you are 18 years of age or older.');
-    //$Val->SetFields('captcha', true, 'string', 'You did not enter a captcha code.', array('minlength' => 6, 'maxlength' => 6));
+    $Val->SetFields('username', true, 'regex', "You didn't enter a valid username.", array('regex' => USERNAME_REGEX));
+    $Val->SetFields('email', true, 'email', "You didn't enter a valid email address.");
+    $Val->SetFields('password', true, 'regex', "Your password was too short.", array('regex'=>'/(?=^.{6,}$).*$/'));
+    $Val->SetFields('confirm_password', true, 'compare', "Your passwords don't match.", array('comparefield' => 'password'));
+    $Val->SetFields('readrules', true, 'checkbox', "You didn't agree to read the rules and wiki.");
+    $Val->SetFields('readwiki', true, 'checkbox', "You didn't provide consent to the privacy policy.");
+    $Val->SetFields('agereq', true, 'checkbox', "You didn't confirm that you're of legal age.");
 
     if (!apcu_exists('DBKEY')) {
         $Err = "Registration temporarily disabled due to degraded database access (security measure).";
@@ -51,15 +49,11 @@ if (!empty($_REQUEST['confirm'])) {
     if (!empty($_POST['submit'])) {
         // User has submitted registration form
         $Err = $Val->ValidateForm($_REQUEST);
-        /*
-        if (!$Err && strtolower($_SESSION['captcha']) !== strtolower($_REQUEST['captcha'])) {
-          $Err = 'You did not enter the correct captcha code.';
-        }
-        */
+
         if (!$Err) {
             // Don't allow a username of "0" or "1" due to PHP's type juggling
             if (trim($_POST['username']) === '0' || trim($_POST['username']) === '1') {
-                $Err = 'You cannot have a username of "0" or "1."';
+                $Err = "You can't have a username of 0 or 1.";
             }
 
             $DB->query("
@@ -69,7 +63,7 @@ if (!empty($_REQUEST['confirm'])) {
             list($UserCount) = $DB->next_record();
 
             if ($UserCount) {
-                $Err = 'There is already someone registered with that username.';
+                $Err = "There's already someone registered with that username.";
                 $_REQUEST['username'] = '';
             }
 
@@ -79,7 +73,7 @@ if (!empty($_REQUEST['confirm'])) {
           FROM invites
           WHERE InviteKey = '".db_string($_REQUEST['invite'])."'");
                 if (!$DB->has_results()) {
-                    $Err = 'Invite does not exist.';
+                    $Err = "The invite code is invalid.";
                     $InviterID = 0;
                 } else {
                     list($InviterID, $InviteEmail, $InviteReason) = $DB->next_record(MYSQLI_NUM, false);
@@ -137,13 +131,13 @@ if (!empty($_REQUEST['confirm'])) {
         DELETE FROM invites
         WHERE InviteKey = '".db_string($_REQUEST['invite'])."'");
 
-	    // Award invite badge to inviter if they don't have it
-	    /*
-            if (Badges::award_badge($InviterID, 136)) {
-                Misc::send_pm($InviterID, 0, 'You have received a badge!', "You have received a badge for inviting a user to the site.\n\nIt can be enabled from your user settings.");
-                $Cache->delete_value('user_badges_'.$InviterID);
-	    }
-	     */
+            // Award invite badge to inviter if they don't have it
+            /*
+                if (Badges::award_badge($InviterID, 136)) {
+                    Misc::send_pm($InviterID, 0, 'You have received a badge!', "You have received a badge for inviting a user to the site.\n\nIt can be enabled from your user settings.");
+                    $Cache->delete_value('user_badges_'.$InviterID);
+            }
+             */
 
             $DB->query("
         SELECT ID

sections/register/step1.php

@@ -35,9 +35,9 @@ if (empty($Sent)) { ?>
     <tr valign="top">
       <td align="left">
         <p>
-          Use common sense when choosing your username.
-          <strong>Do not choose a username that can be associated with your real name.</strong>
-          If you do so, we will not be changing it for you.
+          Use common sense when picking your username.
+          <strong>Don't choose one associated with your real name.</strong>
+          If you do, we won't be changing it for you.
         </p>
 
         <input type="text" name="username" id="username" class="inputtext" placeholder="Username"
@@ -71,26 +71,27 @@ if (empty($Sent)) { ?>
 
     <tr valign="top">
       <td align="left">
-        <input type="checkbox" name="readrules" id="readrules" value="1" <?php if (!empty($_REQUEST['readrules'])) { ?>
+        <input type="checkbox" name="agereq" id="agereq" value="1" <?php if (!empty($_REQUEST['agereq'])) { ?>
         checked="checked"<?php } ?> />
-        <label for="readrules">I will read the rules</label>
+        <label for="agereq">I'm 18 years or older</label>
       </td>
     </tr>
 
     <tr valign="top">
       <td align="left">
-        <input type="checkbox" name="readwiki" id="readwiki" value="1" <?php if (!empty($_REQUEST['readwiki'])) { ?>
+        <input type="checkbox" name="readrules" id="readrules" value="1" <?php if (!empty($_REQUEST['readrules'])) { ?>
         checked="checked"<?php } ?> />
-        <label for="readwiki">I will read the wiki</label>
+        <label for="readrules">I'll read the site rules and wiki</label>
       </td>
     </tr>
 
     <tr valign="top">
       <td align="left">
-        <input type="checkbox" name="agereq" id="agereq" value="1" <?php if (!empty($_REQUEST['agereq'])) { ?>
+        <input type="checkbox" name="readwiki" id="readwiki" value="1" <?php if (!empty($_REQUEST['readwiki'])) { ?>
         checked="checked"<?php } ?> />
-        <label for="agereq">I am 18 years of age or older</label>
+        <label for="readwiki">I consent to the privacy policy and may revoke my consent at any time</label>
         <br /><br />
+
       </td>
     </tr>