If you are dealing with WordPress then you will definitely know Akismet: one of the most popular anti-spam plugins that comes embedded with every new WordPress installation. And while millions of users around the world trust Akismet to eliminate spam comments, there seems to be an important privacy issue that most users are unaware of.
According to some reports, WordPress.org and Automattic they claim to provide an anti-spam solution that does not comply with international standards and privacy laws. So can the use of this particular Plugin to constitute a clear violation of the new European regulation data protection (GDPR)?
Below we will try to analyze whether this is true and to what extent.
Anti-Spam and GDPR
Let's start things from the beginning. To understand the problem with cloud-based antispam services, we should first see how they work. As a benchmark we will take Akismet, keeping in mind that it is only one part of a larger one image.
Cloud based services of this kind work by maintaining fundamentals data with submitted user comments on their servers. When a user submits a comment on a site that uses Akismet, the information are transferred to a third party server, without his control over them. The server processes and evaluates the comments, stores them in its database and classifies them as spam or non-spam.
Collection of sensitive personal data
Each comment that Akismet controls contains a series of data that includes, among other things, the raw data of comments, names, IP addresses, and email addresses of users. Based on GDPR, all these are personal data, or personal identification information.
While there is nothing wrong with evaluating this data for anti-spam protection and security reasons, the problems start with Mission των δεδομένων σε τρίτους διακομιστές, τον μη σαφή τρόπο επεξεργασίας τους και την επ' αόριστον αποθήκευσή τους.
These servers are located in other countries and governed by different laws. For example, Akismet's core servers are located in the United States. Although the company appears to have extended its datacenter to European countries, it does not seem to be able to guarantee in which country the data will be processed and under what conditions.
Moreover, there is no way to use any service without sending IP addresses and emails, these sensitive data that is compulsively collected by the company may be subject to inadequate data protection policies and inadequate user security mechanisms.
Simply put: The end user submitting the comment has no control over their data or privacy. There are currently no cloud-based anti-spam services that are fully compliant with GDPR, including Akismet. These types of services could easily be used (or circumvented) to collect data that could be sold to data buyers and traders. Many are even suspecting that this is already happening, especially after the Facebook scandal. Is Automattic / Akismet the next Facebook? Is Matt Mullenweg the next Mark Zuckerberg? We do not know. The unfortunate truth is that big companies do not have the habit of valuing users' privacy, so users should start taking care of their privacy.
Securely transmitting feedback via HTTP?
The problems that affect the privacy and security of users do not seem to end here. Another important security issue is that Akismet does not enforce the use of SSL / TLS (HTTPS) connections when sending data from Web pages that use it to the Servers of the service.
Let's take a look at the plugin code (in version: 4.0.7)
/ * Try SSL first; if that fails, try without it and do not try it again for a while. * / $ ssl = $ ssl_failed = false;
This means that if HTTPS use fails for some reason or the server does not have the proper configuration, Akismet will not use HTTPS.
If this happens, it will be saved in the plugin settings to prevent the use of HTTPs for future connections.
// The request failed when using SSL but succeeded without it. Disable SSL for future requests.
if ($ ssl_failed) {update_option ('akismet_ssl_disabled', time ()); do_action ('akismet_https_disabled'); }
In other words, the data that will be transferred to Akismet's servers will not even be encrypted, but will be sent in clear text and can easily be intercepted by attackers.
Of course, this contrasts with one of the basic principles of GDPR, data protection by design, which means that secure coding practices must be used, while data protection features must be incorporated into functionality from the outset.
The only sure thing is that compliance with GDPR requires much more than using secure connections. Even if Automattic / Akismet took better measures and to strengthen its data protection policies, it would be very difficult to fully comply with the GDPR. It remains to look at the company's next steps in this direction, as it seems so far unable to meet the requirements of the European regulation.
