TYPO3 9.2.1, 8.7.14 and 7.6.28 released

Categories: Development, TYPO3 CMS
Created by TYPO3 Core Team
The TYPO3 Community announces the versions 9.2.1, 8.7.14 LTS and 7.6.28 LTS of the TYPO3 Enterprise Content Management System.

The TYPO3 Community announces a special release that offers improved GDPR compliance tools right out of the box. This release was led by the GDPR Initiative, which aims to make it easier for TYPO3 developers to create applications and websites that provide data protection by default and by design.

We are announcing the release of the following TYPO3 updates:

All versions are maintenance releases and contain improvements only.

GDPR in a nutshell

The European Union’s new privacy requirements outlined in the General Data Protection Regulation (GDPR) mean website and application developers must provide users with better controls, informed consent, and data protection. Important note: This article does not constitute legal advice. 

If you’re designing and developing web applications that handle sensitive personal data, or even just setting cookies for site visitors, the regulation affects every aspect of planning and development. By taking a proactive, defensive stance of “privacy by default” and “privacy by design”, you can ensure your sites and applications are GDPR compliant. Developers are considering how they can ensure the data they collect is minimal and stored securely. They are also looking for ways to provide better controls to users.

Those who are responsible for managing user data in their applications see this as a win-win, because it reduces risk in the long term and improves user confidence and trust in the applications they use every day. Read what you need to know about GDPR.

TYPO3 CMS’s commitment to data protection

TYPO3 already had many privacy features before GDPR became a concern. As a community, we have always taken user control, data privacy and data protection seriously. This latest release makes it even easier for you to build GDPR-compliant websites with TYPO3.

A recent post by Georg Ringer of the TYPO3 GDPR Initiative outlined some of the data protection features TYPO3 already had. For example, TYPO3 supported secure connections with HTTPS/TLS, allowing administrators to enforce it for both front end and back end. TYPO3 already employed cryptographic password hashing with random salts (“salted passwords”) to avoid storing this sensitive information in cleartext. You could also easily delete old records to clean out personal data. TYPO3 CMS also has sophisticated user and group access management for backend users, granting access permissions to information only as strictly needed.

Let’s look at some highlights from this release.

Anonymization

Recital 26 of the GDPR clarifies that data which has been irreversibly anonymized is not subject to the data protection principles. Here is how TYPO3 helps anonymize user data. 

  • IP addresses can be anonymized by default. The full IP address still persists in internal logging, but it can be anonymized automatically, for example by using the provided tools to anonymize all data older than 3 months.
    • The last two segments of IPv4 addresses are anonymized - e.g. 192.168.0.0
    • The last segment of the IPv6 prefix and the complete network identifier are anonymized - e.g. fe80:1234:5678:0000:0000:0000:0000:0000
    • This applies to IP addresses used for internal logging of website visitors as well as editors and administrators
    • It also applies to IP addresses used for the built-in website usage and search result statistics
    • A recurring task runner can anonymize IP addresses after a given time.
  • Cookie usage
    • Cookies are used for website visitors only when required for logins or shopping cart functionality - by default, no cookie is set
    • Cookies are set to control access for editors, administrators and maintainers to ensure proper authorization and permissions handling
  • External media
    • Using cookie-less endpoints to embed media from external sources
    • In particular, TYPO3 uses youtube-nocookie.com for embedding YouTube videos which does not send new tracking cookies
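The IP anonymization rules listed above, as an added standalone illustration (not TYPO3's own implementation): IPv4 keeps the first two octets, IPv6 keeps the first three groups and the result is written in expanded form, and a retention helper applies the rule to log entries older than a cut-off. The 90-day cut-off is an assumption standing in for the "3 months" mentioned, and the log entries are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Prefix lengths matching the behaviour described in the release notes:
# IPv4 keeps the first two octets (16 bits), IPv6 the first three groups (48 bits).
IPV4_KEEP_BITS = 16
IPV6_KEEP_BITS = 48


def anonymize_ip(ip: str) -> str:
    """Zero the host part of an IP address, keeping only the network prefix."""
    addr = ipaddress.ip_address(ip)
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    net_addr = network.network_address
    # IPv6 is returned in the expanded form shown in the release notes.
    return net_addr.exploded if addr.version == 6 else str(net_addr)


# Assumed cut-off: "3 months" approximated as 90 days.
DEFAULT_MAX_AGE = timedelta(days=90)


def anonymize_old_entries(entries, now, max_age=DEFAULT_MAX_AGE):
    """Return a copy of the log entries with IPs anonymized where the entry is older than max_age."""
    result = []
    for entry in entries:
        entry = dict(entry)
        if now - entry["time"] > max_age:
            entry["ip"] = anonymize_ip(entry["ip"])
        result.append(entry)
    return result


# Constructed sample log entries (hypothetical backend logins).
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_LOG = [
    {"time": NOW - timedelta(days=2), "ip": "192.168.12.34", "event": "login"},
    {"time": NOW - timedelta(days=120), "ip": "192.168.12.34", "event": "login"},
    {"time": NOW - timedelta(days=200), "ip": "fe80:1234:5678:9abc:def0:1234:5678:9abc", "event": "login"},
]

if __name__ == "__main__":
    for entry in anonymize_old_entries(SAMPLE_LOG, NOW):
        print(entry["time"].date(), entry["ip"], entry["event"])
```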

"Oblivion"

Recital 66 of the GDPR outlines a person’s right to be forgotten and have control over their data and the right to have it deleted or removed. 

  • TYPO3 focuses on data minimization.
  • Recurring task runners ensure that logged data is removed after a given period of time
  • For example, protocols and logs only contain information of the last 30 days - the period can be configured for each individual website project

Data retrieval layer

GDPR broadly affects any application which stores and retrieves personal data. 

  • The long-term vision and goal of TYPO3 and its use of the Doctrine DBAL is to be extensible and customizable.
  • The adjusted abstraction layer can be extended by third-party extensions to protect data access in order to be compliant with GDPR.
  • This makes it possible to define read/write access for particular user groups on specific data. For example, only individual customers and members of the ‘back office’ group are allowed to see bank account details.

Individual data protection with GDPR extension

GDPR’s essential principle is that data protection is a fundamental right of natural persons. Core team member Georg Ringer has announced the TYPO3 GDPR Extension, which makes it easier for developers to implement data protection in the following ways.

  • Extends the basic functionality of the TYPO3 core API and comes with both a free/basic and a paid/professional plan
  • The basic plan includes an API that controls the visibility of information based on a particular role (data owner, website visitor, website maintainer, etc.)
  • The professional plan includes sophisticated data protection as well as pseudonymisation and anonymization
    • For instance, John Doe, as a customer of a company, requests to be completely deleted from the company’s website and online community. It might be easy to remove all posts and comments from the online community section. However, removing John’s orders and invoices might not be, since they are still required for the company’s accounting processes. In this case, pseudonymization transforms “John Doe” into “Abcdef Ghijklm.” The result no longer contains any personal information, but can still be used to keep the data integrity of the whole application intact.
  • The paid professional plan supports further development of this third-party GDPR extension.
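The erasure scenario described above, as an added illustration in standalone Python (not the GDPR extension's own code): the customer record is pseudonymized with a keyed HMAC so the name becomes a stable, meaningless "Abcdef Ghijklm"-style value, while the orders keep referencing the same customer id and still reconcile. The key, customer and order data are constructed for the example.

```python
import hashlib
import hmac

# Constructed example key. A real deployment keeps this secret apart from the
# data, since anyone holding it can re-derive the pseudonym of a known name.
PSEUDONYM_KEY = b"constructed-example-key"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable, letter-only pseudonym ('Abcdef Ghijklm' shape) from a name."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    letters = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:13])
    return letters[:6].capitalize() + " " + letters[6:].capitalize()


def pseudonymize_customer(customers, orders, customer_id, key=PSEUDONYM_KEY):
    """Strip identifying data from one customer while leaving linked orders intact."""
    updated = []
    for c in customers:
        c = dict(c)
        if c["id"] == customer_id:
            c["name"] = pseudonym(c["name"], key)
            c["email"] = None  # no longer needed once the account is closed
        updated.append(c)
    # Orders keep referencing the customer id, so accounting still reconciles.
    return updated, [dict(o) for o in orders]


# Constructed sample data.
CUSTOMERS = [{"id": 1, "name": "John Doe", "email": "john@example.com"},
             {"id": 2, "name": "Jane Roe", "email": "jane@example.com"}]
ORDERS = [{"order_id": 100, "customer_id": 1, "total": 42.0},
          {"order_id": 101, "customer_id": 1, "total": 7.5},
          {"order_id": 102, "customer_id": 2, "total": 19.0}]


def erase_request(customer_id: int):
    """Handle an erasure request: return the pseudonymized record and its retained order count."""
    customers, orders = pseudonymize_customer(CUSTOMERS, ORDERS, customer_id)
    record = next(c for c in customers if c["id"] == customer_id)
    retained = sum(1 for o in orders if o["customer_id"] == customer_id)
    return record, retained


if __name__ == "__main__":
    print(erase_request(1))
```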

Download

Update: Known regression in v8.7.14 Indexed Search
TYPO3 v8.7.14 unfortunately introduced a regression in Indexed Search - see https://forge.typo3.org/issues/85064 for details.
TYPO3 v8.7.15 has since been released and fixes the mentioned misbehavior.

TYPO3 can be installed in various ways, for example the traditional way by using the source package at get.typo3.org, or the modern way by setting up a project using composer, to name just two. Further details can be found in the corresponding release notes: