On GDPR and Mibew Messenger

Warning! This text should be considered only as a private (and non-professional) opinion. If you really want to comply with GDPR we’re strongly advise you to consult with a professional lawyer. We’re neither lawyers, nor EU-citizens. Please have that fact in mind. 😉

The roots of this text lies in the appropriate issue at Github.

TL;DR: Mibew Messenger is a tool, not a stand-alone application. At the moment we believe that it has all necessary means to help its owner comply with the GDPR, but it has to be set up the proper way. So, it’s up to a webmaster.

To begin with, what’s it all about? Almost 3 months ago EU started to so to say globally protect users from data leaks, privacy related issues, etc. And new rules contained in the document named General Data Protection Regulation (GDPR) affects almost every web site and/or app that somehow interacts with users and/or store any ‘personal data’.

Mibew Messenger is a relatively convenient tool that helps site owners to interact with their visitors. It can track visitors on a site, can ask for their names and emails (though, without any checks and validations), can store chat logs. Actually, in times before GDPR anyone who used Mibew Messenger on a site should have been asked a visitor from EU explicitly permit to use cookies. And as far as we know there are (and were) multiple ready to use solutions for that (useless if not to say more) task.

But at the moment anyone who use Mibew Messenger on a site should not only ask permissions for cookies, but also have a special Privacy Policy (one should swear that he will not sell emails to spammers? or not to share database dumps with a world and a dog? or not to publish a private sex conversation between EU commissar on family and childhood with non-standard taste and 86-years-old temporary employee impersonating a little girl? ah, nevermind.) Moreover, one should also give a visitor right to demand export and/or deletion of their personal data.

Please don’t get us wrong. We strongly believe in human rights. And we believe that people’s privacy should be protected. But we don’t believe that it can be achieved through some state regulations made by bureucrats who can barely use Google without a couple of assistants. And we doubt that GDPR will stop data leaks from sites owned by huge multinational corporations.

Actually we don’t care about EU and their regulations. But some users of our software does. And we’ve developed two things that can help site that use Mibew Messenger to comply with the GDPR.

1. The option to include link to a Privacy Policy in the pre-chat survey. So a visitor could start a chat only in case of agreement with that policy. One should either write a special document for his Mibew installation or use a site-wide version.

2. The plugin to perform bulk operations over chat logs. Now an administrator will be able to export or delete chats found by search query. (It’s easy to install, easy to use, and doubtfully useful.)

Also one could use another plugin to not store logs at all (erase it immediately).

An important thing that we have to mention. Mibew Messenger doesn’t store any ‘personal data‘ by default. It can ask a visitor to enter the name and the email at the pre-chat stage, but it’s an option and provided values are not validated. The name of a visitor could be (and in fact is) non-unique. So it’s impossible to identify a person with it. Multiple visitors could make use of the same name. Maybe one could identify a person with a combination of email, ip and a name, but it’s hard to tell. So if you’re going to export chat logs on demand, please make sure that you’re providing logs to a right person. In our opinion it is better to not provide chat logs at all than to give anyone other people’s messages.

So, to sum it up. Set up Mibew Messenger properly, keep your installation up to date, secure and protect it, write your legally competent privacy policy, and everything will be fine. Even by EU strict rules.