Premium Membership Privacy and Data Protection - MNHQ please clarify

[MoleSmokes]

This is to complement @Mnr2000 's thread asking members to reply asking if they would prefer to donate to Mumsnet rather than take out a Premium Subscription, with payment using Stripe:

www.mumsnet.com/Talk/site_stuff/3878296-List-of-MNers-who-would-anonymously-donate-to-MN

The big worries for many members about the Premium Subscription system are Privacy and Data Security. These concerns were not addressed clearly enough in the original thread by @JustineMumsnet here:

www.mumsnet.com/Talk/site_stuff/3874618-Mumsnet-Premium-membership-please-support-us-if-you-can

Relevant extracts from the "Mumsnet Privacy Policy"

www.mumsnet.com/info/privacy-policy

Your data - what we store and why

"We store IP address, cookies, your device’s unique ID, page browsing history, ads you’ve viewed and clicked, searches you’ve made on site, approximate location, and any enquiries you’ve made. For registered members we also store username, password and email address; discussions you may have with Mumsnet site moderators; and a summary of decisions we’ve taken about you if we’ve reviewed your use of Mumsnet Talk for any reason. Registered members may also have given us more data on sign up, such as the age of their children.

We store your email address to register you and contact you (if you have asked for email newsletters) and we store things such as IP address, cookies and device ID so that our systems recognise you if you return to Mumsnet."

Your registration data

"You can change the information that you provided when you registered, including your email address and Mumsnet username, on your My Account page.

If you have signed in using Facebook or Google, you can stop access at any time via your Facebook or Google account settings. If you still wish to post on Mumsnet you’ll then need to register a Mumsnet username and password via our Registration page."

Data requests

"If you’d like you can ask us to provide details of the personal information we hold about you, under the 2018 EU General Data Protection Regulation (GDPR). To request this information, please email us at [email protected] or write to Mumsnet Limited, Studios 13-16, Deane House Studios, 27 Greenwood Place, London NW5 1LB."

Complying with the law and best practice around data

"The way we store and process data is compliant with the UK 1998 Data Protection Act, the 2018 EU General Data Protection Regulation (GDPR), and other relevant pieces of legislation. We always aim to comply both with the spirit as well as the letter of the law and to be responsible with your data.

The way that we store and process data is compliant with the following legislation:"

UK Data Protection Act 1988 (DPA)
EU Data Protection Directive 1995 (DPD)
EU General Data Protection Regulation 2018 (GDPR)
ePrivacy Directive 2002 (amended 2009)

As well as keeping up-to-date with laws about data, we aim to take sensible decisions based on common sense, listening to users’ views and industry best practices."

If our data is compromised

"Mumsnet uses best practice, multi-tier web application security for our servers including Denial of Service protection and Web Application Firewall at the network edge. For staff access to all administrative systems, we enforce 2-step verification and IP-based access restrictions. Regular security updates keep Mumsnet staff informed of the latest security threats."

Mumsnet Premium subscription

"Mumsnet offers monthly and annual subscription service, giving users the opportunity to use the Mumsnet website and app ad-free. When you subscribe on our website, you will need to make payment for the goods or services you have ordered.

In order to process your payment, we use Stripe, a third-party payment processor, to manage recurring payments for this product. Stripe store the following information about anyone who subscribes:

Email address
Payment information (including name on card)
Postcode

Your payment will be processed by Stripe, who collect, use and process your information, including payment information, in accordance with their privacy policy. stripe.com/gb/privacy

• - - - - -

MNHQ - Please could you clarify:

1. Exactly what information collected by Stripe is shared with Mumsnet, ie. what information, linked to a Mumsnet Registration email address, does Mumsnet process and/or have access to via Stripe itself?

1. For what purposes do five members of the Mumsnet team require independent access to the above information?

1. Whether Mumsnet has conducted a Data Protection Impact Assessment (DPIA) in relation to the additional information processed and/or accessed by Mumsnet as part of the Premium Membership system?

Reference the last example on this page, "Risk of physical harm":

Risk of physical harm
"Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals."

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/

1. Does changing a Mumsnet registration email address break the link with Stripe payments? If not, how is this resolved? Is it an automated system or are records updated manually, eg. by one of the five MMHQ staffers mentioned by Justine?

• - - - - -

Concerns have been raised repeatedly about previous hacking incidents and internal data breaches and any actions subsequently taken by Mumsnet to improve data privacy and security.

However, in many cases the facts have been mis-remembered and mis-reported by members. Some but not all of these issues were addressed in replies by MNHQ in Justine's thread.

In the interests of transparency and to reassure members who are concerned about entrusting identifying information to Mumsnet, would you please consider issuing an "FAQ" or statement addressing these issues?

The same concerns and questions are raised in threads all over the Talk Boards and piecemeal responses to specific posts are not an adequate way to address this.

What needs to be covered:

• what actually happened

• what Mumsnet did to reduce the risk of it happening again

• whether any disciplinary action and/or criminal prosecutions resulted, eg. as a result of police investigations into the 2015 "Dad Security hacking collective" that claimed it included a "Mumsnet Moderator" amongst its members:

www.ibtimes.co.uk/mumsnet-hackers-publish-3000-passwords-call-armed-police-ceo-justine-roberts-house-1516092

MoleSmokes raises some important points. I would be keen to hear MNHQ’s response

This is a genuine question, do you get into this much detail with other websites? I know I don’t, I really don’t think twice about, for example, Just Eat or other sites that ask for my card details.

I get that mumsnet has a more personal relationship with users than, say, twitter which doesn’t give a shit. But some if this seems a bit much.

I think the only mistake they made was announcing mumsnet premium before they had written the FAQs. But surely what you’ve posted above is the state of play and you make your decision based on that?

There’s no time limit. You could subscribe now, in a week, a month or never. But that’s the state of play - make a judgement on that.

I don’t see people sealoining over websites like this, like all one million or so of us is owed a personal message from Justine and I don’t get it.

*other websites

Quite by accident, following links in threads about an incident in 2018, I arrived at a thread by MNHQ with a link to an "FAQ" page buried somewhere on Mumsnet - both are relevant:

"Mumsnet Data Breach Q&A"
19 April 2018

www.mumsnet.com/Talk/site_stuff/3226724-Mumsnet-Data-Breach-Q-A

"Mumsnet Data Breach Q&A, April 2018"
Updated 21 April 2018

www.mumsnet.com/info/mumsnet-data-qa

Backlashstarts - "do you get into this much detail with other websites?"

I have never felt the need to do so before. The level of detail initially released depends on the website and the incident. There is sometimes massively detailed coverage in the "tech press", explanations from "HQ" on sites themselves with hundreds of comments and questions, mindbogglingly nerdy emails to users that might as well be written in Martian - which is not, incidentally, what Mumsnetters who have expressed concerns have been asking for.

"I really don’t think twice about, for example, Just Eat or other sites that ask for my card details"

I think you are missing the point here. It is not the sharing of card details per se that is the issue. It is the sharing of card details when those details are then linked to an account on a completely different website (Mumsnet) where many women need to remain anonymous for safety reasons.

Previous incidents, including hacking by a "Men's Rights Collective" and malicious "doxxing" of members by Mumsnet staff, obviously make some women anxious about data security.

Have a read to see what can happen - these articles relate to the example I gave in the OP:

"Mumsnet's co-founder suffers 'swatting attack'"
BBC 19 August 2015

www.bbc.co.uk/news/technology-33985706

"Mumsnet hackers publish 3,000 passwords and call armed police to CEO Justine Roberts' house"
International Business Times August 19, 2015

www.ibtimes.co.uk/mumsnet-hackers-publish-3000-passwords-call-armed-police-ceo-justine-roberts-house-1516092

If you are not someone who is bothered about that sort of thing, fine.

If you have never had all your personal details, name, address, etc. hacked and then posted on the open internet, the police sitting in your house watching the computer screen as some psychopath rallies other psychopaths to attack you, rape you and set your house on fire with you in it - you probably don't get it.

I was lucky, they only torched my car. That was for giving some stranger on the internet what he called "lip".

Other women on Mumsnet are worried about psychopaths they already know in real life.

"I get that mumsnet has a more personal relationship with users than, say, twitter which doesn’t give a shit. But some if this seems a bit much."

Which bits "seem a bit much"? Genuine question.

"But surely what you’ve posted above is the state of play and you make your decision based on that?"

If you are happy to make a decision without any further clarification, that is fine. Others are not.

I have not dreamed up these questions out of thin air. They were left unanswered when the original thread reached 1,000 posts and have been posted repeatedly in various threads across the Talk Boards since then.

A recurring theme is that people would be prepared to take out a Premium Membership subscription if they could be reassured about Data Security.

"There’s no time limit. You could subscribe now, in a week, a month or never. But that’s the state of play - make a judgement on that."

Thank you for the advice but I would prefer to hear from Mumsnet HQ. Justine explained that Premium Membership had been introduced sooner that originally intended due to the sharp drop in advertising revenue associated with Covid-19. So time might well be of the essence.

"I don’t see people sealoining over websites like this, like all one million or so of us is owed a personal message from Justine and I don’t get it."

Mmmm . . . I see you sealioning over this thread.

If I was looking for a "personal message from Justine" I would have emailed Mumsnet. The reason I posted here, publicly on "Site Stuff", is that it seems more constructive and, as mentioned, it is not just me asking these questions.

If you doubt that, Search for "Premium Membership" in messages using Advanced Search. That is what I did.

do you get into this much detail with other websites? I know I don’t, I really don’t think twice about, for example, Just Eat or other sites that ask for my card details.

Women on this site have been targeted by MRAs and the like. Having a link between a username and their personal information held by a site that has had security breaches in the past is a legitimate concern.

Just Eat users arent targeted by activists because of the food you've ordered.

backlash, I like MN. I’m a big fan.

But it has had more data breaches than any other site I know.

As you would read, an employee took MN-etters’ personal data and posted it online where it could have been seen by those who’ve made rape and death threats to certain women here.

This is the context for wanting these matters addressed.

Thank you for this MoleSmokes . All very relevant questions. I look forward to seeing the answers.

@Pelleas how many times? The screenshot showed that the user was a Nightwatch member. That's why she had moderation buttons on the screenshot. Release yourself from your tin foil hat!

@MoleSmokes

MNHQ - Please could you clarify:

1. Exactly what information collected by Stripe is shared with Mumsnet, ie. what information, linked to a Mumsnet Registration email address, does Mumsnet process and/or have access to via Stripe itself?

1. For what purposes do five members of the Mumsnet team require independent access to the above information?

1. Whether Mumsnet has conducted a Data Protection Impact Assessment (DPIA) in relation to the additional information processed and/or accessed by Mumsnet as part of the Premium Membership system?

Reference the last example on this page, "Risk of physical harm":

Risk of physical harm
"Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals."

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/

1. Does changing a Mumsnet registration email address break the link with Stripe payments? If not, how is this resolved? Is it an automated system or are records updated manually, eg. by one of the five MMHQ staffers mentioned by Justine?

• - - - - -

Hi there,
Thanks for your questions - sorry it's taken a while to get back - there's a lot of detail here and I wanted to make sure I got it all right. So I'll start with the first set of questions and then do a separate answer to the second set...
Here's the first answers

1. We do not store or process any financial or payment data - that is all stored and processed by Stripe and is not imported into Mumsnet’s systems at all.

A limited number of staff will be able to view some financial and personal payment data in Stripe.

Via Stripe, staff who have access can see:
Payment details:
Last 4 digits of card details
Card expiry month/year
Stripe’s fraud risk evaluation - whether the user is flagged as fraudulent on Stripe’s systems
Name on credit/debit card
Post code
Device details:
Operating system
Browser
Device type (eg, mobile, desktop)
IP address
Location based on IP address
Email address and a unique ID to link to the Mumsnet account at the back end

1. The most senior staff on our moderation team are able to view this information on Stripe so they can respond to enquiries from Premium users about their Premium accounts. They need to be able to verify that users reporting problems with accessing Premium do actually have a Premium account, and whether any payment problems (eg expiring cards) have been flagged by Stripe.

In addition the two most senior members of our Accounts team are able to view this information on Stripe for reporting purposes and the most senior staff in the Tech team are able to view this information on Stripe for reporting and further development of Premium (Stripe has a ‘developer’ access level for tech staff who need to integrate Stripe into products).

1. No we haven’t conducted a DPIA because Premium does not require us to process or store any extra personal data - a deliberate decision we took as part of our security assessment during our technical design process. All personal data relating to Premium subscriptions is stored and processed only by Stripe. We store only the unique Stripe IDs along with the Mumsnet user ID of the subscriber.

Stripe’s privacy policy can be found here. It’s a very secure platform and follows all security regulation and best practice.

1. No it doesn’t break the link totally, because each Premium user has a unique ID in Stripe that is also recorded in Mumsnet’s systems (this is the only piece of Stripe data that is recorded in our systems). But if the user needs us to resolve a query, it will take a little more time. For example, if we receive a query via Stripe about a Premium user’s account, our first step will be to search our user system for that email address. If that email address isn’t in Mumsnet’s user system, it will add a few steps to the process of identifying the user account on Mumsnet, and thus will take a bit longer to resolve the query.

Hope that helps.

[quote MoleSmokes]

Concerns have been raised repeatedly about previous hacking incidents and internal data breaches and any actions subsequently taken by Mumsnet to improve data privacy and security.

However, in many cases the facts have been mis-remembered and mis-reported by members. Some but not all of these issues were addressed in replies by MNHQ in Justine's thread.

In the interests of transparency and to reassure members who are concerned about entrusting identifying information to Mumsnet, would you please consider issuing an "FAQ" or statement addressing these issues?

The same concerns and questions are raised in threads all over the Talk Boards and piecemeal responses to specific posts are not an adequate way to address this.

What needs to be covered:

• what actually happened

• what Mumsnet did to reduce the risk of it happening again

• whether any disciplinary action and/or criminal prosecutions resulted, eg. as a result of police investigations into the 2015 "Dad Security hacking collective" that claimed it included a "Mumsnet Moderator" amongst its members:

www.ibtimes.co.uk/mumsnet-hackers-publish-3000-passwords-call-armed-police-ceo-justine-roberts-house-1516092[/quote]

And here are the answers to this bit. We've had our fair share of security incidents to be sure but I do believe there are a couple of mitigating factors and this narrative that MN is uniquely unsecure is just fallacious. For starters, I'm 100% sure that many sites and organisations have incidents about which you'll never hear. We, by contrast, have chosen to be completely transparent and upfront with our users with regard to any breaches of data, however small.

Secondly we are more of a target than most - my guess is that that's because we're somewhat famous for representing woman's interests but you might have your own views on this. I'm not pretending we've been in anyway perfect on security and we have learned many lessons along the way - and we're cognisant that however secure you think you are, you can never stop being paranoid about it, but I think the suggestion that we're cavalier with users data is untrue and unfair. I hope the answers below give some reassurance of that...

‘Jeffrey hack’/DadSec: August 2015
What actually happened?
You can read our page about this here. During this attack we were the target of multiple DDoS (‘distributed denial of service’) attacks, phishing and hacking. A bomb threat was called in to our offices and two people (a Mumsnet user who had engaged with the hackers on Twitter, and Justine) were also the target of swatting attacks (making an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get the police to send a swat team to the address). We don’t believe these address details were accessed from any data held by Mumsnet.

Mumsnet's administrative functions were breached; our homepage was redirected, a few posts were edited, and we believe that a false Mumsnet login page was set up. Users visiting the genuine Mumsnet login page were redirected to a phishing login page, allowing hackers to gain their login details (email addresses and passwords). We are confident that users' passwords were not taken from Mumsnet’s own login page or database because passwords are encrypted on Mumsnet. A list containing some Mumsnet users’ login details was subsequently published online; we believe these were gathered from the phishing login page.

We locked down all access to our admin functions and reported the attack to the police. Where we could see for sure that users’ accounts had been accessed, we emailed them to let them know. We forced all users to log out and change their passwords before they could log in again. We sent an email explaining what had happened to every registered Mumsnet user and pinned an urgent message to the top of our Talk forums. We emphasised the importance of checking the URL of the login page, particularly that it should have the prefix.

What did Mumsnet do to reduce the risk of it happening again?
We brought in an external security firm to run the rule over our systems and processes and to manage our firewall. We locked down access to site admins’ accounts in a number of ways and whilst no security is ever fail safe because new hacks are being devised all the time we think it extremely unlikely for a similar breach to occur.

Did you discipline any staff, take any police action or report Mumsnet to the ICO?
The police were involved from the outset, given the swatting. David Buchanan was convicted of hacking. After some investigation the police decided to drop the swatting case because Twitter refused to reveal the DadSec account’s user data, and without that the police were unable to make any headway. You can read what they told us here.

We reported the breach to the ICO. We were transparent with our users about the breach, including sending emails to every registered Mumsnet user and ensuring that no user could carry on using Mumsnet without changing their password.

Intern-gate, April 2018
What actually happened?
You can see our page about this here. While doing a paid internship at Mumsnet, Emma Healey took screenshots of posts she considered to contain anti-trans sentiments. Because she was logged in as an admin when she took the screenshots, they included each user’s IP posting address in small faint digits at the bottom of the post. After leaving Mumsnet, she posted screenshots on Twitter that showed three users IP addresses. When told that the posts contained IP addresses, she deleted the Tweets. She contacted us to say she had deleted everything related in any way to Mumsnet from her personal devices, and apologised.

What did Mumsnet do to reduce the risk of it happening again?
Before Emma’s internship ended we had already set in place an audit of staff access to users’ data, and in the course of this Emma and some other staffers had her access to the admin system removed.

This data breach occurred around the same time that GDPR was coming into force, and as a part of that we also undertook all-staff training on personal data, security and our legal obligations, as well as a company audit of personal data held and how we could ensure access to it was as limited to the minimum possible to run the site - and that it is deleted after a specified time where that’s appropriate.

We are continually refining our hiring practices, and since this breach have taken greater care to be as forensic as we can in ensuring new hires share our values of trustworthiness and commitment to our users.

Did you discipline any staff, take any police action or report Mumsnet to the ICO?
We reported this incident to both the police and the ICO. Both decided to take no further action; the ICO commented ‘there is no evidence of a systemic problem within your organisation.’

Emma Healey was no longer at Mumsnet so could not be disciplined.

Log-in errors: February 2019
What actually happened?
You can read our page about this here. After releasing a new piece of code, we became aware that a code error meant that some users were inadvertently logging in as a different user, meaning they could see that user’s personal information. No user did this deliberately or maliciously; the error occurred when two users logged in at exactly the same time. Our logs showed that a total of 44 users were affected before we rolled back the code and fixed the bug. We forced all users to log out and change their passwords before they could log back in.

What did Mumsnet do to reduce the risk of it happening again?
The case of users logging in simultaneously - ‘concurrence’ - is hard to replicate in testing, which is why this problem didn't manifest in our systems testing at the time. We now triple and quadruple check the code for service upgrades rather than relying on testing to pick up problems.

Did you discipline any staff, take any police action or report Mumsnet to the ICO?
We reported ourselves to the ICO, who decided to take no further action.

JustineMumsnet - Thank you very much for all that detail - and the links to further information.

The clarifications about Stripe, data protection and access to information about Premium Membership details are really helpful.

I cannot be the only one who was not on Mumsnet at the time of the previous incidents and who therefore found it hard to piece together what actually happened. The various conflicting accounts that were posted by members on the original thread about Premium Membership made everything very confusing.

The vast majority of members are likely unaware that the vendettas against Mumsnet continue.

On another thread, there are screenshots of a male NHS GP bragging on Twitter today that, "having mumsnet lose its main source of funding - ie from advertising and sponsorship deals - and being driven further towards financial ruin is entirely in line with my objectives".

Just one of the replies (Trigger warning! Woman being sarcastic!):
"Spot on. It's important that women have fewer options when their baby is crying at three in the morning and they're trying to research solutions and get support"

As a regular poster on FWR (Feminism/Womens Rights), I appreciate the continued support from Mumsnet in hosting FWR despite the constant attacks on MN as an organisation. That's not to say that I don't get frustrated by the "Special Rules", sometimes seemingly erratic moderation and the tedious trolls trying to goad members into impatient replies.

I post much less often on other Boards but, like many other "lurkers", I have found discussions and information shared on other topics very useful and extremely comforting when I have been going through some very distressing and difficult times.

These include: being financially and emotionally abused within a relationship; deaths of close family members; partner and other family members' terminal illnesses; serious illness myself with a lengthy period on an Intensive Care ward.

It is only because of the Premium Membership post that I bothered to explore the wider Mumsnet site, outside of the Talk Boards, and realised that there is a lot more to Mumsnet. Still though, a huge part of the value of Mumsnet is contributed by members.

I am sure I will get flack for not picking up on various financial aspects that others have highlighted. If others want to do that, that is their prerogative. My concerns were to do with privacy and data security issues.

I hope that Mumsnet weathers the Covid-19 storm and that your replies help members who can afford Premium Membership to decide whether or no to go for it.

As far as I am concerned, I am by no means wealthy but I can afford approx £5 pcm and have signed up.

Thanks for taking the time to answer that question in so much detail mnhq!

I have another question if I may. If someone litigious wanted all of the information about a particular user would they be limited to the information about the user that you hold or also the information you can access ?

IE a premium user has a throw away email address with MN and has given you no other info. Would you only disclose the email address, or would you also give them all the information stripe has?

Thanks MNHQ! This is the sort of detail I always want to know from the off - the devil is always in the detail!

@MoleSmokes

JustineMumsnet - Thank you very much for all that detail - and the links to further information.

The clarifications about Stripe, data protection and access to information about Premium Membership details are really helpful.

I cannot be the only one who was not on Mumsnet at the time of the previous incidents and who therefore found it hard to piece together what actually happened. The various conflicting accounts that were posted by members on the original thread about Premium Membership made everything very confusing.

The vast majority of members are likely unaware that the vendettas against Mumsnet continue.

On another thread, there are screenshots of a male NHS GP bragging on Twitter today that, "having mumsnet lose its main source of funding - ie from advertising and sponsorship deals - and being driven further towards financial ruin is entirely in line with my objectives".

Just one of the replies (Trigger warning! Woman being sarcastic!):
"Spot on. It's important that women have fewer options when their baby is crying at three in the morning and they're trying to research solutions and get support"

As a regular poster on FWR (Feminism/Womens Rights), I appreciate the continued support from Mumsnet in hosting FWR despite the constant attacks on MN as an organisation. That's not to say that I don't get frustrated by the "Special Rules", sometimes seemingly erratic moderation and the tedious trolls trying to goad members into impatient replies.

I post much less often on other Boards but, like many other "lurkers", I have found discussions and information shared on other topics very useful and extremely comforting when I have been going through some very distressing and difficult times.

These include: being financially and emotionally abused within a relationship; deaths of close family members; partner and other family members' terminal illnesses; serious illness myself with a lengthy period on an Intensive Care ward.

It is only because of the Premium Membership post that I bothered to explore the wider Mumsnet site, outside of the Talk Boards, and realised that there is a lot more to Mumsnet. Still though, a huge part of the value of Mumsnet is contributed by members.

I am sure I will get flack for not picking up on various financial aspects that others have highlighted. If others want to do that, that is their prerogative. My concerns were to do with privacy and data security issues.

I hope that Mumsnet weathers the Covid-19 storm and that your replies help members who can afford Premium Membership to decide whether or no to go for it.

As far as I am concerned, I am by no means wealthy but I can afford approx £5 pcm and have signed up.

Thanks Molesmokes, much appreciated

@ItsAllGoingToBeFine

Thanks for taking the time to answer that question in so much detail mnhq!

I have another question if I may. If someone litigious wanted all of the information about a particular user would they be limited to the information about the user that you hold or also the information you can access ?

IE a premium user has a throw away email address with MN and has given you no other info. Would you only disclose the email address, or would you also give them all the information stripe has?

Hi there - thanks for the question. Generally we've followed the principle (and it has only occurred on a handful of occasions at most) that in the event of a court order demanding user details we will respond only with what info we hold in our database. Hope that helps.

surely yuour tech and admin team have 2FA by now.... ?