GDPR and Akismet: do they go together or not?

If you deal with WordPress, you will certainly know Akismet: one of the most popular anti-spam plugins, bundled with every new WordPress installation. And while millions of users around the world trust Akismet to eliminate spam comments, there appears to be an important privacy issue that most users are unaware of.


According to some reports, WordPress.org and Automattic are shipping an anti-spam solution that does not comply with international standards and privacy laws. So could the use of this particular plugin be a violation of the new European data protection regulation (GDPR)?

Below we will try to analyze whether this is true and to what extent.

Anti-Spam and GDPR

Let's take things from the beginning. To understand the problem with cloud-based anti-spam services, we should first see how they work. We will take Akismet as the point of reference, bearing in mind that it is only part of a wider picture.

Cloud-based services of this kind work by maintaining databases of user feedback on their own servers. When a user submits a comment to a site using Akismet, the user's information is transferred to a third-party server, and the user no longer has any control over it. The server processes and reviews the comment, stores it in its database and classifies it as spam or non-spam.

Collection of sensitive personal data

Each comment that Akismet checks contains a series of data that includes, among other things, the raw comment text and the name, IP address and email address of the user. Under the GDPR, all of these are personal data, i.e. personally identifiable information.

Although there is nothing wrong with evaluating this data for anti-spam protection and security reasons, the problems start with sending the data to third-party servers, the unclear way in which it is processed, and its indefinite storage.

These servers are located in other countries and are governed by different laws. For example, Akismet's core servers are located in the United States. Although the company appears to have extended its data centres to European countries, it does not seem able to guarantee in which country the data will be processed and under what conditions.

Moreover, since there is no way to use the service without sending IP addresses and email addresses, this sensitive data, which the company collects as a matter of course, may be subject to inadequate data protection policies and inadequate user security mechanisms.

Simply put: the end user submitting the comment has no control over their data. At present there are no cloud-based anti-spam services that are fully GDPR compliant, Akismet included. Services of this type could easily be used (or abused) to collect data that could be sold to data brokers and marketers. Quite a few people even suspect that something like this is already happening, especially after the Facebook scandal. Is Automattic / Akismet the next Facebook? Is Matt Mullenweg the next ? We do not know. The unpleasant truth is that big companies are not in the habit of valuing user privacy, so users should start taking care of their own privacy.

Securely transmitting feedback via HTTP?

The problems affecting users' privacy and security do not seem to end here. Another important security issue is that Akismet does not enforce the use of SSL/TLS (HTTPS) connections when sending data from the websites that use it to the service's servers.

Let's take a look at the plugin code (version 4.0.7):

/* Try SSL first; if that fails, try without it and don't try it again for a while. */
$ssl = $ssl_failed = false;

This means that if the HTTPS request fails for any reason, or the server is not properly configured for it, Akismet falls back to plain HTTP.

If this happens, the failure is recorded in the plugin's settings so that HTTPS is not attempted for future connections either (for a while).

// The request failed when using SSL but succeeded without it. Disable SSL for future requests.
if ( $ssl_failed ) {
    update_option( 'akismet_ssl_disabled', time() );
    do_action( 'akismet_https_disabled' );
}

In other words, the data transferred to Akismet's servers will not even be encrypted: it will be sent in clear text and can easily be intercepted by an attacker on the network path.
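A site owner who does not want to rely on Akismet's own fallback logic can make the spam check fail closed. The must-use plugin below is an added example written for this article; it is not code from Akismet or Automattic. It uses only the two names quoted from the plugin above (the 'akismet_https_disabled' action and the 'akismet_ssl_disabled' option) plus standard WordPress core APIs. The host-name suffix used to recognise Akismet API calls is an assumption and should be checked against the API host in your installed version.

```php
<?php
/**
 * Plugin Name: Akismet plaintext guard (added example, not part of Akismet)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before Akismet.
 * It does two things:
 *   1. Refuses to let any plaintext http:// request reach the Akismet API,
 *      so a TLS failure makes the spam check fail closed instead of leaking
 *      the commenter's name, e-mail, IP address and comment body.
 *   2. Logs and e-mails the site admin if Akismet ever records an HTTPS
 *      failure (the 'akismet_https_disabled' action quoted above fires and
 *      the 'akismet_ssl_disabled' option is written).
 */

// ASSUMPTION: Akismet API hosts end with this suffix. Verify against your
// installed plugin version before relying on it.
const AKISMET_GUARD_HOST_SUFFIX = 'akismet.com';

/**
 * Return true when $url is a non-HTTPS request to an Akismet API host.
 */
function akismet_guard_is_plaintext_akismet_request( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return false;
    }
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    $host   = strtolower( $parts['host'] );
    $suffix = AKISMET_GUARD_HOST_SUFFIX;
    $is_akismet = ( $host === $suffix )
        || ( substr( $host, -strlen( '.' . $suffix ) ) === '.' . $suffix );
    return $is_akismet && 'https' !== $scheme;
}

/**
 * Report whether Akismet currently has HTTPS switched off. Handy for a
 * health-check page or a WP-CLI eval; reads the option quoted above.
 */
function akismet_guard_https_currently_disabled() {
    return (bool) get_option( 'akismet_ssl_disabled' );
}

// 'pre_http_request' runs before WordPress opens any connection. Returning a
// WP_Error short-circuits the request, so Akismet sees a failed request and
// never gets the chance to succeed over HTTP (and so never writes the
// 'akismet_ssl_disabled' option).
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another plugin already answered this request
    }
    if ( akismet_guard_is_plaintext_akismet_request( $url ) ) {
        error_log( 'akismet-guard: blocked plaintext request to ' . $url );
        return new WP_Error(
            'akismet_guard_plaintext',
            'Refusing to send comment data to Akismet over plain HTTP.'
        );
    }
    return $preempt;
}, 10, 3 );

// Belt and braces: if the guard is ever removed or bypassed and Akismet does
// disable HTTPS, make sure somebody hears about it.
add_action( 'akismet_https_disabled', function () {
    $since = (int) get_option( 'akismet_ssl_disabled' );
    $msg   = sprintf(
        'akismet-guard: Akismet disabled HTTPS for API requests at %s',
        gmdate( 'c', $since )
    );
    error_log( $msg );
    wp_mail( get_option( 'admin_email' ), 'Akismet fell back to HTTP', $msg );
} );
```

With the filter in place a comment submitted while TLS to the API is broken is simply not checked (Akismet treats the WP_Error as a request failure), which is the trade-off you accept in exchange for never sending personal data in clear text. The trailing ten-character host check is deliberately a suffix match so that look-alike hosts such as "akismet.com.example" are not matched.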

Of course, this conflicts with one of the basic principles of the GDPR, data protection by design, which means that secure coding practices must be used and data protection features must be built into the functionality from the outset.

The only sure thing is that GDPR compliance requires much more than using secure connections. Even if Automattic / Akismet took better measures and strengthened its data protection policies, it would still be very difficult to fully comply with the GDPR. It remains to be seen what the company's next steps in this direction will be, since so far it seems unable to meet the requirements of the European regulation.

iGuRu.gr The Best Technology Site in Greece


Written by newsbot

