GDPR and Akismet go together or do not they?

If you are dealing with WordPress then you will definitely know Akismet: one of the most popular anti-spam plugins that comes embedded with every new WordPress installation. And while millions of users around the world trust Akismet to eliminate spam comments, there seems to be an important privacy issue that most users are unaware of.

Akismet

According to some reports, WordPress.org and Automattic are alleged to provide a spam protection solution that does not comply with international standards and privacy laws. So the use of this plug-in can be a clear violation of the new one European regulation data protection (GDPR)?

Below we will try to analyze whether this is true and to what extent.

Anti-Spam and GDPR

Let's take things from the beginning. To understand the problem with cloud-based antispam services, we should first see how they work. As a point of reference we will take Akismet, bearing in mind that it is only part of a wider picture.

Cloud-based services of this kind operate by maintaining databases with user feedback on their servers. When a user submits a comment to a site using Akismet, his or her information is transferred to a third-party server and no longer has control over them. The server processes and reviews comments, stores them in its database and classifies them as spam or non-spam.

Collection of sensitive personal data

Each comment that Akismet controls contains a series of data that includes, among other things, the raw data of comments, names, IP addresses, and email addresses of users. Based on GDPR, all these are personal data, or personal identification information.

Although there is nothing wrong with evaluating this data for anti-spam protection and security reasons, the problems start with sending the data to third-party servers, how it is not processed, and how it is stored indefinitely.

These servers are located in other countries and governed by different laws. For example, Akismet's core servers are located in the United States. Although the company appears to have extended its datacenter to European countries, it does not seem to be able to guarantee in which country the data will be processed and under what conditions.

  Top 10 Most Pirated Movies on BitTorrent

Moreover, there is no way to use any service without sending IP addresses and emails, these sensitive data that is compulsively collected by the company may be subject to inadequate data protection policies and inadequate user security mechanisms.

Simply put: The end user submitting the comment has no control over their data or privacy. There are currently no cloud-based anti-spam services that are fully compliant with GDPR, including Akismet. These types of services could easily be used (or circumvented) to collect data that could be sold to data buyers and traders. Many are even suspecting that this is already happening, especially after the Facebook scandal. Is Automattic / Akismet the next Facebook? Is Matt Mullenweg the next Mark Zuckerberg? We do not know. The unfortunate truth is that big companies do not have the habit of valuing users' privacy, so users should start taking care of their privacy.

Securely transmitting feedback via HTTP?

The problems that affect the privacy and security of users do not seem to end here. Another important security issue is that Akismet does not enforce the use of SSL / TLS (HTTPS) connections when sending data from Web pages that use it to the Servers of the service.

  TechEd 2013 subscriptions started

Let's take a look at the plugin code (in version: 4.0.7)

/ * Try SSL first; if that fails, try without it and do not try it again for a while. * / $ ssl = $ ssl_failed = false;

This means that if HTTPS use fails for some reason or the server does not have the proper configuration, Akismet will not use HTTPS.

If this happens, it will be saved in the plugin settings to prevent the use of HTTPs for future connections.

// The request failed when using SSL but succeeded without it. Disable SSL for future requests.
if ($ ssl_failed) {update_option ('akismet_ssl_disabled', time ()); do_action ('akismet_https_disabled'); }

In other words, the data that will be transferred to Akismet's servers will not even be encrypted, but will be sent in clear text and can easily be intercepted by attackers.

Of course, this contrasts with one of the basic principles of GDPR, data protection by design, which means that secure coding practices must be used, while data protection features must be incorporated into functionality from the outset.

The only sure thing is that compliance with GDPR requires much more than using secure connections. Even if Automattic / Akismet took better measures and to strengthen its data protection policies, it would be very difficult to fully comply with the GDPR. It remains to look at the company's next steps in this direction, as it seems so far unable to meet the requirements of the European regulation.

Registration in iGuRu.gr via email

Your email for sending each new post

Follow us on Google News iGuRu.gr at Google news

Leave a reply

Your email address Will not be published.

  + 32 = 35

Previous Story

How to Automatically Switch the Brightness of the Windows 10 Screen Each Night

Next Story

Sale of BitTorrent Inc and uTorrent to Justin Sun