Active discussions

Meet the Other Phone. Flexible and made to last.

Meet the Other Phone.
Flexible and made to last.

Buy now

Please or to access all these features

Talk

Back to thread
Original poster

Premium Membership Privacy and Data Protection - MNHQ please clarify

4 replies

MoleSmokes · 12/04/2020 13:02

This is to complement @Mnr2000 's thread asking members to reply asking if they would prefer to donate to Mumsnet rather than take out a Premium Subscription, with payment using Stripe:

www.mumsnet.com/Talk/site_stuff/3878296-List-of-MNers-who-would-anonymously-donate-to-MN

The big worries for many members about the Premium Subscription system are Privacy and Data Security. These concerns were not addressed clearly enough in the original thread by @JustineMumsnet here:

www.mumsnet.com/Talk/site_stuff/3874618-Mumsnet-Premium-membership-please-support-us-if-you-can

Relevant extracts from the "Mumsnet Privacy Policy"

www.mumsnet.com/info/privacy-policy

Your data - what we store and why

"We store IP address, cookies, your device’s unique ID, page browsing history, ads you’ve viewed and clicked, searches you’ve made on site, approximate location, and any enquiries you’ve made. For registered members we also store username, password and email address; discussions you may have with Mumsnet site moderators; and a summary of decisions we’ve taken about you if we’ve reviewed your use of Mumsnet Talk for any reason. Registered members may also have given us more data on sign up, such as the age of their children.

We store your email address to register you and contact you (if you have asked for email newsletters) and we store things such as IP address, cookies and device ID so that our systems recognise you if you return to Mumsnet."

Your registration data

"You can change the information that you provided when you registered, including your email address and Mumsnet username, on your My Account page.

If you have signed in using Facebook or Google, you can stop access at any time via your Facebook or Google account settings. If you still wish to post on Mumsnet you’ll then need to register a Mumsnet username and password via our Registration page."

Data requests

"If you’d like you can ask us to provide details of the personal information we hold about you, under the 2018 EU General Data Protection Regulation (GDPR). To request this information, please email us at [email protected] or write to Mumsnet Limited, Studios 13-16, Deane House Studios, 27 Greenwood Place, London NW5 1LB."

Complying with the law and best practice around data

"The way we store and process data is compliant with the UK 1998 Data Protection Act, the 2018 EU General Data Protection Regulation (GDPR), and other relevant pieces of legislation. We always aim to comply both with the spirit as well as the letter of the law and to be responsible with your data.

The way that we store and process data is compliant with the following legislation:"

UK Data Protection Act 1988 (DPA)
EU Data Protection Directive 1995 (DPD)
EU General Data Protection Regulation 2018 (GDPR)
ePrivacy Directive 2002 (amended 2009)

As well as keeping up-to-date with laws about data, we aim to take sensible decisions based on common sense, listening to users’ views and industry best practices."

If our data is compromised

"Mumsnet uses best practice, multi-tier web application security for our servers including Denial of Service protection and Web Application Firewall at the network edge. For staff access to all administrative systems, we enforce 2-step verification and IP-based access restrictions. Regular security updates keep Mumsnet staff informed of the latest security threats."

Mumsnet Premium subscription

"Mumsnet offers monthly and annual subscription service, giving users the opportunity to use the Mumsnet website and app ad-free. When you subscribe on our website, you will need to make payment for the goods or services you have ordered.

In order to process your payment, we use Stripe, a third-party payment processor, to manage recurring payments for this product. Stripe store the following information about anyone who subscribes:

Email address
Payment information (including name on card)
Postcode

Your payment will be processed by Stripe, who collect, use and process your information, including payment information, in accordance with their privacy policy. stripe.com/gb/privacy

  • - - - - -

MNHQ - Please could you clarify:

  1. Exactly what information collected by Stripe is shared with Mumsnet, ie. what information, linked to a Mumsnet Registration email address, does Mumsnet process and/or have access to via Stripe itself?
  1. For what purposes do five members of the Mumsnet team require independent access to the above information?
  1. Whether Mumsnet has conducted a Data Protection Impact Assessment (DPIA) in relation to the additional information processed and/or accessed by Mumsnet as part of the Premium Membership system?

Reference the last example on this page, "Risk of physical harm":

Risk of physical harm
"Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals."

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/

  1. Does changing a Mumsnet registration email address break the link with Stripe payments? If not, how is this resolved? Is it an automated system or are records updated manually, eg. by one of the five MMHQ staffers mentioned by Justine?
  • - - - - -

Concerns have been raised repeatedly about previous hacking incidents and internal data breaches and any actions subsequently taken by Mumsnet to improve data privacy and security.

However, in many cases the facts have been mis-remembered and mis-reported by members. Some but not all of these issues were addressed in replies by MNHQ in Justine's thread.

In the interests of transparency and to reassure members who are concerned about entrusting identifying information to Mumsnet, would you please consider issuing an "FAQ" or statement addressing these issues?

The same concerns and questions are raised in threads all over the Talk Boards and piecemeal responses to specific posts are not an adequate way to address this.

What needs to be covered:

  • what actually happened
  • what Mumsnet did to reduce the risk of it happening again
  • whether any disciplinary action and/or criminal prosecutions resulted, eg. as a result of police investigations into the 2015 "Dad Security hacking collective" that claimed it included a "Mumsnet Moderator" amongst its members:
www.ibtimes.co.uk/mumsnet-hackers-publish-3000-passwords-call-armed-police-ceo-justine-roberts-house-1516092
Go to post
MNHQ

JustineMumsnet · 16/04/2020 11:52

@MoleSmokes

MNHQ - Please could you clarify:
  1. Exactly what information collected by Stripe is shared with Mumsnet, ie. what information, linked to a Mumsnet Registration email address, does Mumsnet process and/or have access to via Stripe itself?
  1. For what purposes do five members of the Mumsnet team require independent access to the above information?
  1. Whether Mumsnet has conducted a Data Protection Impact Assessment (DPIA) in relation to the additional information processed and/or accessed by Mumsnet as part of the Premium Membership system?

Reference the last example on this page, "Risk of physical harm":

Risk of physical harm
"Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals."

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/

  1. Does changing a Mumsnet registration email address break the link with Stripe payments? If not, how is this resolved? Is it an automated system or are records updated manually, eg. by one of the five MMHQ staffers mentioned by Justine?
  • - - - - -

Hi there,
Thanks for your questions - sorry it's taken a while to get back - there's a lot of detail here and I wanted to make sure I got it all right. So I'll start with the first set of questions and then do a separate answer to the second set...
Here's the first answers

  1. We do not store or process any financial or payment data - that is all stored and processed by Stripe and is not imported into Mumsnet’s systems at all.

A limited number of staff will be able to view some financial and personal payment data in Stripe.

Via Stripe, staff who have access can see:
Payment details:
Last 4 digits of card details
Card expiry month/year
Stripe’s fraud risk evaluation - whether the user is flagged as fraudulent on Stripe’s systems
Name on credit/debit card
Post code
Device details:
Operating system
Browser
Device type (eg, mobile, desktop)
IP address
Location based on IP address
Email address and a unique ID to link to the Mumsnet account at the back end

  1. The most senior staff on our moderation team are able to view this information on Stripe so they can respond to enquiries from Premium users about their Premium accounts. They need to be able to verify that users reporting problems with accessing Premium do actually have a Premium account, and whether any payment problems (eg expiring cards) have been flagged by Stripe.
In addition the two most senior members of our Accounts team are able to view this information on Stripe for reporting purposes and the most senior staff in the Tech team are able to view this information on Stripe for reporting and further development of Premium (Stripe has a ‘developer’ access level for tech staff who need to integrate Stripe into products).
  1. No we haven’t conducted a DPIA because Premium does not require us to process or store any extra personal data - a deliberate decision we took as part of our security assessment during our technical design process. All personal data relating to Premium subscriptions is stored and processed only by Stripe. We store only the unique Stripe IDs along with the Mumsnet user ID of the subscriber.

Stripe’s privacy policy can be found here. It’s a very secure platform and follows all security regulation and best practice.

  1. No it doesn’t break the link totally, because each Premium user has a unique ID in Stripe that is also recorded in Mumsnet’s systems (this is the only piece of Stripe data that is recorded in our systems). But if the user needs us to resolve a query, it will take a little more time. For example, if we receive a query via Stripe about a Premium user’s account, our first step will be to search our user system for that email address. If that email address isn’t in Mumsnet’s user system, it will add a few steps to the process of identifying the user account on Mumsnet, and thus will take a bit longer to resolve the query.

Hope that helps.

MNHQ

JustineMumsnet · 16/04/2020 12:03

[quote MoleSmokes]

Concerns have been raised repeatedly about previous hacking incidents and internal data breaches and any actions subsequently taken by Mumsnet to improve data privacy and security.

However, in many cases the facts have been mis-remembered and mis-reported by members. Some but not all of these issues were addressed in replies by MNHQ in Justine's thread.

In the interests of transparency and to reassure members who are concerned about entrusting identifying information to Mumsnet, would you please consider issuing an "FAQ" or statement addressing these issues?

The same concerns and questions are raised in threads all over the Talk Boards and piecemeal responses to specific posts are not an adequate way to address this.

What needs to be covered:

  • what actually happened
  • what Mumsnet did to reduce the risk of it happening again
  • whether any disciplinary action and/or criminal prosecutions resulted, eg. as a result of police investigations into the 2015 "Dad Security hacking collective" that claimed it included a "Mumsnet Moderator" amongst its members:
www.ibtimes.co.uk/mumsnet-hackers-publish-3000-passwords-call-armed-police-ceo-justine-roberts-house-1516092[/quote]

And here are the answers to this bit. We've had our fair share of security incidents to be sure but I do believe there are a couple of mitigating factors and this narrative that MN is uniquely unsecure is just fallacious. For starters, I'm 100% sure that many sites and organisations have incidents about which you'll never hear. We, by contrast, have chosen to be completely transparent and upfront with our users with regard to any breaches of data, however small.

Secondly we are more of a target than most - my guess is that that's because we're somewhat famous for representing woman's interests but you might have your own views on this. I'm not pretending we've been in anyway perfect on security and we have learned many lessons along the way - and we're cognisant that however secure you think you are, you can never stop being paranoid about it, but I think the suggestion that we're cavalier with users data is untrue and unfair. I hope the answers below give some reassurance of that...

‘Jeffrey hack’/DadSec: August 2015
What actually happened?
You can read our page about this here. During this attack we were the target of multiple DDoS (‘distributed denial of service’) attacks, phishing and hacking. A bomb threat was called in to our offices and two people (a Mumsnet user who had engaged with the hackers on Twitter, and Justine) were also the target of swatting attacks (making an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get the police to send a swat team to the address). We don’t believe these address details were accessed from any data held by Mumsnet.

Mumsnet's administrative functions were breached; our homepage was redirected, a few posts were edited, and we believe that a false Mumsnet login page was set up. Users visiting the genuine Mumsnet login page were redirected to a phishing login page, allowing hackers to gain their login details (email addresses and passwords). We are confident that users' passwords were not taken from Mumsnet’s own login page or database because passwords are encrypted on Mumsnet. A list containing some Mumsnet users’ login details was subsequently published online; we believe these were gathered from the phishing login page.

We locked down all access to our admin functions and reported the attack to the police. Where we could see for sure that users’ accounts had been accessed, we emailed them to let them know. We forced all users to log out and change their passwords before they could log in again. We sent an email explaining what had happened to every registered Mumsnet user and pinned an urgent message to the top of our Talk forums. We emphasised the importance of checking the URL of the login page, particularly that it should have the prefix.

What did Mumsnet do to reduce the risk of it happening again?
We brought in an external security firm to run the rule over our systems and processes and to manage our firewall. We locked down access to site admins’ accounts in a number of ways and whilst no security is ever fail safe because new hacks are being devised all the time we think it extremely unlikely for a similar breach to occur.

Did you discipline any staff, take any police action or report Mumsnet to the ICO?
The police were involved from the outset, given the swatting. David Buchanan was convicted of hacking. After some investigation the police decided to drop the swatting case because Twitter refused to reveal the DadSec account’s user data, and without that the police were unable to make any headway. You can read what they told us here.

We reported the breach to the ICO. We were transparent with our users about the breach, including sending emails to every registered Mumsnet user and ensuring that no user could carry on using Mumsnet without changing their password.

Intern-gate, April 2018
What actually happened?
You can see our page about this here. While doing a paid internship at Mumsnet, Emma Healey took screenshots of posts she considered to contain anti-trans sentiments. Because she was logged in as an admin when she took the screenshots, they included each user’s IP posting address in small faint digits at the bottom of the post. After leaving Mumsnet, she posted screenshots on Twitter that showed three users IP addresses. When told that the posts contained IP addresses, she deleted the Tweets. She contacted us to say she had deleted everything related in any way to Mumsnet from her personal devices, and apologised.

What did Mumsnet do to reduce the risk of it happening again?
Before Emma’s internship ended we had already set in place an audit of staff access to users’ data, and in the course of this Emma and some other staffers had her access to the admin system removed.

This data breach occurred around the same time that GDPR was coming into force, and as a part of that we also undertook all-staff training on personal data, security and our legal obligations, as well as a company audit of personal data held and how we could ensure access to it was as limited to the minimum possible to run the site - and that it is deleted after a specified time where that’s appropriate.

We are continually refining our hiring practices, and since this breach have taken greater care to be as forensic as we can in ensuring new hires share our values of trustworthiness and commitment to our users.

Did you discipline any staff, take any police action or report Mumsnet to the ICO?
We reported this incident to both the police and the ICO. Both decided to take no further action; the ICO commented ‘there is no evidence of a systemic problem within your organisation.’

Emma Healey was no longer at Mumsnet so could not be disciplined.

Log-in errors: February 2019
What actually happened?
You can read our page about this here. After releasing a new piece of code, we became aware that a code error meant that some users were inadvertently logging in as a different user, meaning they could see that user’s personal information. No user did this deliberately or maliciously; the error occurred when two users logged in at exactly the same time. Our logs showed that a total of 44 users were affected before we rolled back the code and fixed the bug. We forced all users to log out and change their passwords before they could log back in.

What did Mumsnet do to reduce the risk of it happening again?
The case of users logging in simultaneously - ‘concurrence’ - is hard to replicate in testing, which is why this problem didn't manifest in our systems testing at the time. We now triple and quadruple check the code for service upgrades rather than relying on testing to pick up problems.

Did you discipline any staff, take any police action or report Mumsnet to the ICO?
We reported ourselves to the ICO, who decided to take no further action.

MNHQ

JustineMumsnet · 19/04/2020 19:48

@MoleSmokes

JustineMumsnet - Thank you very much for all that detail - and the links to further information.

The clarifications about Stripe, data protection and access to information about Premium Membership details are really helpful.

I cannot be the only one who was not on Mumsnet at the time of the previous incidents and who therefore found it hard to piece together what actually happened. The various conflicting accounts that were posted by members on the original thread about Premium Membership made everything very confusing.

The vast majority of members are likely unaware that the vendettas against Mumsnet continue.

On another thread, there are screenshots of a male NHS GP bragging on Twitter today that, "having mumsnet lose its main source of funding - ie from advertising and sponsorship deals - and being driven further towards financial ruin is entirely in line with my objectives".

Just one of the replies (Trigger warning! Woman being sarcastic!):
"Spot on. It's important that women have fewer options when their baby is crying at three in the morning and they're trying to research solutions and get support"

As a regular poster on FWR (Feminism/Womens Rights), I appreciate the continued support from Mumsnet in hosting FWR despite the constant attacks on MN as an organisation. That's not to say that I don't get frustrated by the "Special Rules", sometimes seemingly erratic moderation and the tedious trolls trying to goad members into impatient replies.

I post much less often on other Boards but, like many other "lurkers", I have found discussions and information shared on other topics very useful and extremely comforting when I have been going through some very distressing and difficult times.

These include: being financially and emotionally abused within a relationship; deaths of close family members; partner and other family members' terminal illnesses; serious illness myself with a lengthy period on an Intensive Care ward.

It is only because of the Premium Membership post that I bothered to explore the wider Mumsnet site, outside of the Talk Boards, and realised that there is a lot more to Mumsnet. Still though, a huge part of the value of Mumsnet is contributed by members.

I am sure I will get flack for not picking up on various financial aspects that others have highlighted. If others want to do that, that is their prerogative. My concerns were to do with privacy and data security issues.

I hope that Mumsnet weathers the Covid-19 storm and that your replies help members who can afford Premium Membership to decide whether or no to go for it.

As far as I am concerned, I am by no means wealthy but I can afford approx £5 pcm and have signed up.

Thanks Molesmokes, much appreciated Wine

MNHQ

JustineMumsnet · 19/04/2020 19:52

@ItsAllGoingToBeFine

Thanks for taking the time to answer that question in so much detail mnhq!

I have another question if I may. If someone litigious wanted all of the information about a particular user would they be limited to the information about the user that you hold or also the information you can access ?

IE a premium user has a throw away email address with MN and has given you no other info. Would you only disclose the email address, or would you also give them all the information stripe has?

Hi there - thanks for the question. Generally we've followed the principle (and it has only occurred on a handful of occasions at most) that in the event of a court order demanding user details we will respond only with what info we hold in our database. Hope that helps.

Watch this thread for updates

Tap "Watch" to get all the latest updates

End of posts

There are no more MNHQ posts on this thread

Back to thread