If you work with WordPress, then you surely know Akismet: one of the most popular anti-spam plugins, bundled with every new WordPress installation. And while millions of users around the world trust Akismet to eliminate spam comments, it seems there is a significant personal data protection issue that most users are unaware of.
According to some reports, WordPress.org and Automattic are alleged to provide a spam protection solution that does not comply with international standards and privacy laws. So could the use of this plugin be a clear violation of the new European data protection regulation (GDPR)?
Below we will try to analyze whether this is true and to what extent.
Anti-Spam and GDPR
Let's take things from the beginning. To understand the problem with cloud-based antispam services, we should first see how they work. As a point of reference we will take Akismet, bearing in mind that it is only part of a wider picture.
Cloud-based services of this kind operate by maintaining databases of user feedback on their own servers. When a user submits a comment to a site using Akismet, his or her information is transferred to a third-party server, and the user no longer has any control over it. The server processes and reviews the comment, stores it in its database, and classifies it as spam or non-spam.
Collection of sensitive personal data
Each comment that Akismet checks contains a series of data including, among other things, the raw comment text and the names, IP addresses, and email addresses of users. Under the GDPR, all of these are personal data, i.e. personally identifiable information.
Although there is nothing objectionable in evaluating this data for anti-spam protection and security purposes, the problems begin with the transmission of the data to third-party servers, the unclear way in which it is processed, and its indefinite storage.
These servers are located in other countries and are governed by different laws. For example, Akismet's main servers are located in the United States. Although the company appears to have extended its datacenters to European countries as well, it does not seem able to guarantee in which country the data will be processed, or under what conditions.
Moreover, since there is no way to use the service without sending IP addresses and email addresses, this sensitive data, which the company collects compulsorily, may be subject to inadequate data protection policies and inadequate user security mechanisms.
Simply put: the end user submitting the comment has no control over their data or privacy. There are currently no cloud-based anti-spam services that are fully compliant with the GDPR, Akismet included. Services of this type could easily be used (or circumvented) to collect data that could be sold to data buyers and traders. Many even suspect that this is already happening, especially after the Facebook scandal. Is Automattic / Akismet the next Facebook? Is Matt Mullenweg the next Mark Zuckerberg? We do not know. The unfortunate truth is that big companies are not in the habit of valuing users' privacy, so users should start taking care of their privacy themselves.
Securely transmitting feedback via HTTP?
The problems affecting users' privacy and security do not seem to end here. Another significant security issue is that Akismet does not enforce the use of SSL/TLS (HTTPS) connections when sending data from the websites that use it to the service's servers.
Let's take a look at the plugin code (version 4.0.7):
/* Try SSL first; if that fails, try without it and do not try it again for a while. */
$ssl = $ssl_failed = false;
This means that if the HTTPS request fails for any reason, or the server is not properly configured, Akismet falls back to plain HTTP.
When this happens, the failure is recorded in the plugin's settings so that HTTPS is not used for future connections either:
// The request failed when using SSL but succeeded without it. Disable SSL for future requests.
if ( $ssl_failed ) {
    update_option( 'akismet_ssl_disabled', time() );
    do_action( 'akismet_https_disabled' );
}
In other words, the data transferred to Akismet's servers will not even be encrypted; it will be sent in clear text and can easily be intercepted by anyone on the network path.
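A site owner cannot change Akismet's fallback logic without patching the plugin, but the `akismet_https_disabled` action and the `akismet_ssl_disabled` option shown above can be used from outside it. The following must-use plugin is an added example written for this article, not code from Akismet or Automattic: it logs the downgrade and clears the stored flag so HTTPS is retried, and it uses WordPress core's `pre_http_request` filter to refuse plaintext requests to Akismet hosts. The host suffix `akismet.com` is an assumption about where the API lives; adjust it if needed.

```php
<?php
/**
 * Plugin Name: Akismet HTTPS Guard (example for this article, not part of Akismet)
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 *  1. When Akismet fires `akismet_https_disabled`, log it and delete the
 *     `akismet_ssl_disabled` option so the next request tries HTTPS again
 *     instead of staying on plaintext.
 *  2. Via core's `pre_http_request` filter, refuse any http:// request to an
 *     Akismet host, so a TLS failure becomes a visible error rather than an
 *     unencrypted transfer of comment data.
 */

// Assumption: Akismet API hosts end in this suffix.
const AKISMET_GUARD_SUFFIX = 'akismet.com';

// 1. React to Akismet's own "SSL disabled" signal.
add_action( 'akismet_https_disabled', function () {
    error_log( '[akismet-guard] Akismet disabled HTTPS after a failed TLS request; clearing the flag so HTTPS is retried.' );
    delete_option( 'akismet_ssl_disabled' );
} );

// 2. Short-circuit plaintext requests to Akismet at the HTTP API layer.
// Returning a WP_Error from pre_http_request makes wp_remote_* return that error.
add_filter( 'pre_http_request', function ( $preempt, $parsed_args, $url ) {
    if ( akismet_guard_is_plaintext_akismet_url( $url ) ) {
        error_log( '[akismet-guard] Blocked plaintext request to ' . $url );
        return new WP_Error(
            'akismet_guard_plaintext',
            'Refusing to send comment data to Akismet without TLS.'
        );
    }
    return $preempt;
}, 10, 3 );

/**
 * True when $url uses the http scheme and its host is AKISMET_GUARD_SUFFIX
 * or a subdomain of it (e.g. an API-key-prefixed host).
 */
function akismet_guard_is_plaintext_akismet_url( $url ) {
    $scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
    $host   = strtolower( (string) parse_url( $url, PHP_URL_HOST ) );
    if ( 'http' !== $scheme || '' === $host ) {
        return false;
    }
    $dotted = '.' . AKISMET_GUARD_SUFFIX;
    return $host === AKISMET_GUARD_SUFFIX
        || substr( $host, -strlen( $dotted ) ) === $dotted;
}
```

With the guard in place, a broken TLS setup surfaces in the PHP error log and as a comment-check error, which is the failure mode a GDPR-minded site owner wants to see rather than a silent downgrade.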
Of course, this conflicts with one of the basic principles of the GDPR, data protection by design, which requires that secure coding practices be used and that data protection features be built into functionality from the outset.
The only sure thing is that compliance with the GDPR requires much more than using secure connections. Even if Automattic / Akismet took better measures to strengthen its data protection policies, it would be very difficult to fully comply with the GDPR. It remains to be seen what the company's next steps in this direction will be, since so far it seems unable to meet the requirements of the European regulation.