If you are dealing with WordPress then you will definitely know Akismet: one of the most popular anti-spam plugins that comes built-in with every new WordPress installation. And while millions of users around the world trust Akismet to eliminate spam comments, there seems to be an important privacy issue that most users are ignoring.
According to some reports, WordPress.org and Automattic are alleged to provide a spam protection solution that does not comply with international standards and privacy laws. So the use of this plug-in can be a clear violation of the new one European regulation data protection (GDPR)?
Below we will try to analyze whether this is true and to what extent.
Anti-Spam and GDPR
Let's take things from the beginning. To understand the problem with cloud-based antispam services, we should first see how they work. As a point of reference we will take Akismet, bearing in mind that it is only part of a wider picture.
Cloud-based services of this kind operate by maintaining databases with user feedback on their servers. When a user submits a comment to a site using Akismet, his or her information is transferred to a third-party server and no longer has control over them. The server processes and reviews comments, stores them in its database and classifies them as spam or non-spam.
Collection of sensitive personal data
Each comment moderated by Akismet contains a range of data including, but not limited to, raw comment data, users' names, IP addresses and email addresses. According to GDPR all this is personal data, or otherwise data personally identifiable information.
Παρότι δεν υπάρχει τίποτα μεμπτό στην αξιολόγηση αυτών των δεδομένων για λόγους anti-spam προστασίας και ασφάλειας, τα προβλήματα ξεκινούν με την αποστολή των δεδομένων σε τρίτους διακομιστές, τον μη σαφή τρόπο processingand their indefinite storage.
These servers are located in other countries and governed by different laws. For example, Akismet's core servers are located in the United States. Although the company appears to have extended its datacenter to European countries, it does not seem to be able to guarantee in which country the data will be processed and under what conditions.
Moreover, there is no way to use any service without sending IP addresses and emails, these sensitive data that is compulsively collected by the company may be subject to inadequate data protection policies and inadequate user security mechanisms.
Simply put: The end user submitting the comment has no control over their data or privacy. There are currently no cloud-based anti-spam services that are fully GDPR compliant, including Akismet. These types of services could easily be used (or circumvented) to collect data that could be sold to data buyers and marketers. Many even suspect that something like this is already happening, especially after the Facebook scandal. Is Automattic / Akismet the next Facebook? Is Matt Mullenweg next Mark Zuckerberg; We do not know. The unpleasant truth is that big companies are not in the habit of valuing user privacy, so users should start taking care of their own privacy.
Securely transmitting feedback via HTTP?
The problems that affect the privacy and security of users do not seem to end here. Another important security issue is that Akismet does not enforce the use of SSL / TLS (HTTPS) connections when sending data from Web pages that use it to the Servers of the service.
Let's take a look at the plugin code (in version: 4.0.7)
/ * Try SSL first; if that fails, try without it and do not try it again for a while. * / $ ssl = $ ssl_failed = false;
This means that if HTTPS use fails for some reason or the server does not have the proper configuration, Akismet will not use HTTPS.
If this happens, it will be saved in the plugin settings to prevent the use of HTTPs for future connections.
// The request failed when using SSL but succeeded without it. Disable SSL for future requests.
if ($ ssl_failed) {update_option ('akismet_ssl_disabled', time ()); do_action ('akismet_https_disabled'); }
In other words, the data that will be transferred to Akismet's servers will not even be encrypted, but will be sent in clear text and can easily be intercepted by attackers.
Of course, this contrasts with one of the basic principles of GDPR, data protection by design, which means that secure coding practices must be used, while data protection features must be incorporated into functionality from the outset.
The only sure thing is that compliance with GDPR requires much more than using secure connections. Even if Automattic / Akismet took better measures and to strengthen its data protection policies, it would be very difficult to fully comply with the GDPR. It remains to look at the company's next steps in this direction, as it seems so far unable to meet the requirements of the European regulation.
