GDPR troll defense?

A Discourse forum was reportedly just “attacked” by someone posting a GDPR “troll” request: asking for 999 999 things the requester likely doesn’t care about — instead, his/her only purpose is, fairly likely, just to cause troubles for the forum owner. The forum owner got worried and decided to shutown the Discourse forum:

What if Discourse looked at the troll email, and created a standard response + instructions to Discourse forum admins, about how to reply to these requests? I imagine that with a standard response to this standard troll request, it’d take the forum staff maybe 10 minutes to reply to the request?

The troll apparently just copy-pasted a long example text, written by some lawyer who had in mind to help companies prepare themselves against GDPR requests. The example text was a worst-case-example of what could happen, and then the trolls started broadcasting it for real to different places. A copy-paste standard request = a copy-paste standard response makes sense?

Here someone wrote about how to reply to the troll email — but s/he didn’t actually write a reply. Maybe that’s what the Discourse team could do? (because for people who just install Discourse, without knowing much about GDPR or Discourse technically, it’s going to be a bit hard to write that reply) :

And here’s (one of?) the GDPR troll request(s): (which wasn’t intended as a troll thing, but … that’s how the trolls started using it) : The Nightmare Letter: A Subject Access Request under GDPR

(If all this seems like a good idea, maybe contact the Drone forum owner before he has deleted the forum?)


FYI This was already posted and started to be discussed here

I agree as you can see :slight_smile:


(removed this part of my comment — the prev comment looked differently when I first replied, then was (ninja)-edited. So this part of my comment is now off-topic & I removed it)

Thanks for the link b.t.w.

20 days old? The last response was a few hours ago and it’s in the top 20 most recently active topics :wink: np

1 Like

Topic started 23 days ago. I’m thinking that discussion will get lost, among the 80 other comments & topic title that is about sth else (“GDPR countdown and compliance”).

Topics can always be split at the mods discretion.

Part of the point of posting on an existing, relevant Topic is surely that its already being watched by a lot of people who are interested and involved in that exact subject matter?

Also what’s the point of duplicating and splitting the discussion? Important points could be lost.

Really? Seems completely relevant to a discussion about GDPR compliance

In any case I agree with you that this is a very important topic of conversation.

I have an idea, why don’t all of you especially all eu forum operators write letters to the eu data regulators asking for guidance, there is just so much interpretation here and you clearly need help and can not afford to hire lawyers.

I would love it if someone who actually worked with the data regulators posted here, in fact I would be happy to host a forum for them for free and forever to discuss this or set one up for them or just talk them through an install.


Sam, point of clarification: current interpretation of the law suggests it impacts anyone who has EU based users, it’s scope is ‘extraterritorial’, so for example, any US based services are in scope if they have EU based users.

" Key Takeaways

The GDPR was intentionally drafted to ensure that it applies not only to EU-based organizations, but also to organizations based outside of the EU that handle the personal data of EU data subjects. Given the ubiquity of digital commerce, many organizations outside the EU—acting as a controller or processor—are likely subject to the GDPR as a result of the expanded territorial scope under Article 3.

If they have not already done so, organizations outside the EU should review their digital activities to determine whether they are actually subject to the GDPR and, if so, develop and begin the implementation of a GDPR compliance roadmap."

I think the gist of this is that it’s 2018 and anyone who thinks they’re up to running a forum should also be up to taking responsibility and protecting the data they are collecting. If that results in people acting like a victim and shutting down their forum because they don’t want to invest time and energy in learning what is expected of them with respect to protecting the personal data of their users, then I really don’t feel sorry for that.

No one needs a lawyer to be able to comply with GDPR. Someone pointed this guy to our (long, but not very hard to understand) GDPR walkthrough and this guy says ‘The gdpr documentation is quite long and I lack the domain expertise to read and comprehend the document in full’. Well, that sounds like he just didn’t want to spend that hour reading the document but spend that hour writing a complaint about how hard everything is.

It’s like when I would open a restaurant and then shut it down because I have to deal with food regulations and taxes, and complain about how unfair all those laws and regulations are. No, those are the rules you have to play by, and if you’re not up to that then you should either invest the time and energy in that, or accept the fact that you don’t want to take it all seriously.

No forum owner should have to spend more than two hours on preparing for GDPR. Just read our documentation and do what it says :slight_smile: If you’d rather complain, then go for that, but don’t expect my sympathy.


Wholeheartedly agree, it’s just common sense and due diligence in this day and age.

Thanks for that Richard

I’d also recommend this brilliant talk:

That is assuming your very extreme definitions of “personal data”. Where data regulators could help is in properly defining in the context of a forum what is “personal data”.

Is a like that you gave someone on a forum “personal data”? What is “personal” about it?
Is a like someone gave to you “personal data”?
If someone talks about “bob” on your forum is it your responsibility to hunt that down and erase it? Or is is “bob’s” responsibility to find the post for you?
Where is the boundary between a post you make publicly on the internet and “personal data”.
IP address vagaries
and the list goes on

The law is vague and untested. It lives in the context of 10s of thousands of other laws. The existing tested laws very rarely lead to fines in the EU.

I think there is a balancing act and regulators should help the public here, I think it is irresponsible that the EU is allowing the level of mania that is going on, to go on. They should be here on the ground helping forum operators that are helping the free internet continue to be free do a very important job. Bleeding off to reddit and facebook and other walled gardens is totally against their interest.

So yeah, I was more hoping for a response here of “here are a bunch of links to places you can write letters to”.

And yeah I wish they would post here and help out the thousands of Discourse forums in the wild instead of letting speculation run a-mock

I would also recommend contacting the EFF here especially about the forum that got shut down, they should make a public post about it, shutting down the forum is destructive to the Internet and the EFF ought to talk about this.


I know you were just giving examples, but I’m going to answer your questions, not just to answer them but also to show that the answers are not hard.

‘personal data’ means any information relating to an identified or identifiable natural person
Yes, that might be considered extreme, but it is properly defined.

Yes and yes, because they both fit the definition. If you want to know what is personal about it, I recommend the thought exercise: “can the information be harmful to a person” where taking it to the extreme is allowed when performing the exercise. So if I like a post that praises terrorism, I could lose my job. If my post is liked by a terrorist, I would at least have some explaining to do and people would associate me with terrorism.

Just keep asking ‘what post’ until Bob either points it out or gives up.

There is no boundary, those are different and overlapping definitions: something can be personal data and also public. My avatar on this forum is even personal data because it gives away information about my skin color.

There is nothing vague about IP addresses. They are personal data and they have an extra paragraph about them to take away any FUD for network and server operators who are worried about their logs.

People that are involved in making the regulations will not be talking about how to interpret them, that is up to the judicial system. The GDPR comes with 173 recitals that take away most of the interpretation issues.

Most countries have also set up very extensive informational websites in order to guide people, for instance the UK ICO.


That is your opinion based on zero emails and letters that were sent to them. As is your entire rebuttal it can not constitute legal advice as you are not a lawyer and do not want to be held accountable for providing legal advise.

I see zero downside in writing letters and emails asking for help if people are finding the existing guidelines confusing.

The trias politica (I think in US it’s called separation of powers) makes it hard (or impossible) for regulators to comment on their law because they would be on the territory of the judges, creating jurisprudence in interpretation of their own laws.

I think there is also a cultural difference here. In Europe it’s not very common to send letters to regulatory institutes or to your congressman or senator. In the EU there is no perception of a ‘mania’ regarding GDPR either - there is no overwhelming feeling of vagueness.

I am convinced that any time that is spent writing a letter about how confusing a regulation is, is better spent in trying to actually understand the regulation.


In this particular case I don’t see what the big deal was with anonymizing the user. Then the data is all effectively nullified because it can no longer be attached to any person.

So if you get a scarygram, confirm it’s a valid user (not a troll with no account), then anonymize the account with a few clicks. Done and done.

There were enhancements to anonymize in 2.0, but we’ve had that feature for many years now. I’m sure we’ll continue to improve it in the future, as well as reduce places where we are storing IPs that we don’t need to be, with the help of @riking.


There is absolutely no automated solution for that. So, ask the user whether they want it done or not. Different people may have different definitions of which post contents are effectively PII.

These are public posts, the requester can be expected to do their due diligence imo.


The letter doesn’t simply ask for that. It asks a million questions that have to be answered, too.

No, they don’t, because at that point you don’t have their data any more – not in a form that can be tied to a person.

1 Like

Ah. So you reply with “what PII? You don’t have an account here.” Lol. Makes sense.


I think the CC-By license doesn’t allow that — attribution required, but anonymizing the account = attribution gone.

… Unless the user explicitly says s/he wants to become anonymous of course. I don’t think the troll request asked for that though. The request apparently wasn’t related to Discourse, so … it couldn’t ask for such Discourse specific things. The request just says “Please advice about … I would like to know … Please inform me … Have you … Please advice …” but doesn’t ask for anything to actually be done.

People who have posted CC-By comments and then send the troll email = maybe one actually needs to reply (if one is based in the EU).

Or one can delete the user + all his/her comments :- ) then the attribution problem = gone. Likely such a troll hasn’t said so many meaningful things anyway