I subscribed to a fairly new BOINC project called BOINC@TACC run by the University of Texas. I did so using my normal BOINC account name, and on their pages, my name appears as expected. I posted a "ready and waiting" type mail on their message board, but saw that rather than my name showing as the poster, a hash "nhSt38uMYu" appeared. I queried this and was told that it had been done in order to comply with GDPR rules. I could change it, but that required me to mail my requirement to an address. The next day, it was done, and my post has my name against it.

I suspect other projects might start to do this, when they notice it. I think a BOINC wide opt in or out, whatever, might be worth considering.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

Since Texas isn't a member of the European Union, I suspect their lawyers have failed to fully comprehend the GDPR.

Quite possibly true, but there are European projects. There are European crunchers at non European projects also, potential issues arise.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

A lot of work was done around this time last year to make the core BOINC code GDPR-compliant. The main problems were to do with getting informed user consent for the storage and display of their personal information; informed consent for the transfer of that personal information to third parties (external stats sites); and implementing the 'right to be forgotten' (ability to delete accounts).

I don't remember giving you a random name being part of the process, let alone taking away your ability to change it unilaterally. Just be grateful that you are not a number.

"I am not a number - I am a free man" said number 6.

<edit>
Assuming you are old enough to remember "The Prisoner" with Patrick McGoohan.
</edit>

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

That was the reference, yes. I was never a real fan, but I was around when it was broadcast and saw some of the episodes.

I quite liked The Prisoner. Number 2's never seem to last long.

I'll pass on your thoughts. It is up to them what they do, if anything. Is there a url I can point them at where this sort of thing is explained? (They are American...)

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

I'm slightly surprised that TACC are out of the loop on this, because they were one of the co-sponsors with David Anderson of his new Science United proposal.

Legal advice on GDPR was a bit of a last-minute scramble, and multiple sources were used. The lead people for BOINC were Kevin Reed of WCG (outside the EU, but advised by IBM); Oliver Behnke of Einstein (inside EU, at least the German part); and Laurence Field of CERN (straddling the EU border!). But I'm not sure if their accumulated wisdom has been gathered together into an easy reference document. I should be speaking with at least two of those people tomorrow evening, and I'll ask.

It might also be worth mentioning to TACC that there is a relatively new provision of a 'server stable' release version of the BOINC server code, currently accessible by cloning the 'Server_release/1.0/1.0.4' tag in the BOINC github repository. The server release was last updated on 6 March 2019, so it should include all the GDPR-related changes from last year.

I've posted in the thread we were using over there, and included a link back to the thread here should they wish to have a look.

Thanks Richard.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

Further to Richard's comments - one of the lesser known provisions of GDPR is that users have the right to readily and freely change their displayed name to one of their choosing, and that forcing their choice of name is probably contrary to that requirement. There are certain constraints on this freedom, the most obvious being where the user's chosen name is used to identify that user within the system - as far as I'm aware all BOINC based systems use the unique user identifier internally, with the user display name being just that - a display name not an identifier.

I just looked at my commuinty preferences here, and could not see a screen name modification tool. I have no wish to change it, but if that is the case, perhaps the method for changing it should be available here. Someone is bound to want it.

It is a bit dubious actually, a person can change their name after making a remark, and thus appear to be someone else.

Bit of a mess these rules...

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

Account > Other account info will allow you to change your screen name.

---

Yes, it is there, I stand corrected, thanks.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

I asked on the contributors' call, but we haven't got anything else to suggest. The GDPR is new, complex, law, and will only be fully defined when the first few test cases have been determined by a Court. Until then, amateur interpretations which turn out to be wrong might establish the wrong sort of liability...

TACC identifies itself on its website as an offshoot of the University of Texas: universities in general have well established legal offices in their administrative structures. Might be best to ask for help there.

I've passed on comments from here and the url of the thread. It certainly appears to be a miss reading of the laws, or, given the complexity of them, an "overly caustious" approach. At the end of the day, the "issues" are pretty trivial.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

I've been "bit" by this compliance thing at a couple of sites that suddenly stopped exporting my data. I'm all for making SOMETHING BOINC-wide, which it seems has been done, instead of the current every-site-does-their-own-thing approach. It would be VERY nice if someone - perhaps from the DOJ - would issue a simple opinion that a web site hosted entirely OUTSIDE the GDPR region has no responsibility to care what the heck they do there. The TACC thing is especially annoying as both they and I are in TEXAS, which as has been mentioned, isn't part of the EU... If GDPR applied everywhere, every single web site in the world would either have to comply or (my preference) refuse to accept any accounts from anyone identifying as being in the EU. I'm ignoring it on my own site - if anyone ever loses a legal case on it, my fix will be to delete all accounts from anyone in the EU. If every web site would do that, these countries that try to "regulate the internet" would have some pushback.

Bill, it is easy for a small site non-EU to say F it for the GDPR, but any company of any size that thinks it might want customers in the EU, simply can't as a practice not do business with the EU. The issue may be worse if your website provider does business in the EU and perhaps unbeknownst to you your site is actually on a computer in a co-location site inside the EU. I would suggest for small personal micro sites to simply not collect any PII so that the GDPR does not apply. OBW California is considering a GDPR like bill which has been unanimously reported out of committee so it may soon apply to you, like it or not.

I understand wanting a BOINC wide switch to show info to stats sites, but unfortunately GDPR was written to apply on a site by site basis and does not know about multi-site DC.

...particularly where those sites and users are spread over a large number of servers in a large number of countries.
Also, as each project is administratively independent of BOINC it is the responsibility of each individual project administrator to ensure their appropriate level of compliance, not that of BOINC, which in itself does nothing apart from co-ordinating the processing on the users' computers, and as far as the projects are concerned they do not have a "direct connection" with "BOINC Central".
The only part of "BOINC Central" that has any need to consider the implications of GDPR are these forum.

As far as I know, these forums don't have a GDPR compliance policy, since they run from a Berkeley server.

---

I read somwhere yesterday, that California is considering similar laws.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.