
Add report spam link #344

Draft

wants to merge 10 commits into master

Conversation

Zodiac1978
Member

Add report spam action link to spam list (#73)

@Zodiac1978 Zodiac1978 added this to the 2.9.3 milestone Aug 13, 2020
@Zodiac1978 Zodiac1978 linked an issue Aug 13, 2020 that may be closed by this pull request
Contributor

@websupporter websupporter left a comment

I like this feature. Just browsing through the code, I was wondering if we really should collect IP, email etc. this way.

Comment on lines +168 to +171
// URLencode comment data.
$name = rawurlencode( $comment->comment_author );
$email = rawurlencode( $comment->comment_author_email );
$ip = rawurlencode( $comment->comment_author_IP );
Contributor

I am not sure about the GDPR implications, when we collect those values.

Member Author

We already do this now. This is just a helpful link to prefill the form.

But if we want to follow this path, my research says:

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.
  • You need to keep documentary evidence of consent.

The sixth legal basis is to have a “legitimate interest” to process the person’s data. 

I think the legitimate interest in fighting spam outweighs the rights of any spammer (or false positive user). But I am not a lawyer. I'll try to ping someone from the community to have a look.

From a legal point of view, I would have no problems with this.

In terms of data protection, this is possible without consent as it is within the context of a legitimate interest. (In the case of a legitimate interest, an opt-out option is required, but that is easily possible for the spammer, so you don't need to think of it.)

Also, I don't see any major problems in terms of copyright law, because on the one hand, emails of this kind regularly do not have the necessary level of creation for copyright protection, and on the other hand, the author has also consented to storage and processing by sending, because that is exactly the purpose of his mail.

So: just make it!

Contributor

Thank you @PraetorIM

Contributor

Going through the discussion here, I get the impression that we are only looking at whether we as the pluginkollektiv get the user's consent to get access to this data.

However, what we are doing here is giving immediate access to a third party (Google) via these unencrypted URL values. The way I see it, we would also need to inform the user about which third parties we'd also give access to this data and need the user's consent for that as well.

So, even if we say that we don't need consent in this case, we still need to let the user know about the third parties involved, no?

@PraetorIM It's not clear to me whether you consider this (we're sending unencrypted user data via a URL to a Google application), so I'd be grateful for any further clarification you can provide.

Member Author

with mention and opt-out option in the data protection declaration or at the comment-form

What do you mean with that?

This PR adds a link to every spam comment in the admin area which is a link called "Report to Antispam Bee" which is going to a Google Form page and prepopulates it with the data from the comment.

It is just an external link IMHO. Everyone can see where it goes. If I need to mention it in a data protection declaration, I would need to mention every external link to a non-EU website ... or not?

And to which data protection declaration should we add it? On the website where it is used? This would not work out, I think. And why should we add it to the comment form? It is just added in the admin area and it does not do anything in the frontend. And how should I provide an opt-out for a link? You click it or you don't click it. How can we opt out there?

I think we are all not in the same boat and speak about completely different things here.

Maybe we can talk about this in a chat. Maybe in German. To get this sorted out.

Member Author

@schlessera @PraetorIM @websupporter I really would like to get 2.9.3 released soon. Any chance to get this legal question solved?

First of all: The reporting of a URL is irrelevant in terms of data protection law, since a URL (apart from extreme exceptional cases) is not a personal datum. Even a URL like firstname-lastname.de is initially without privacy problems (hard to believe in today's hysteria, I know). This would only become personal data if the person of the commentator / spammer was also transmitted. But that's not what you've planned. So just get that feature in.

Member Author

@PraetorIM We are not just reporting a URL.

We are reporting what was entered as author name, e-mail and website URL. Additionally, the IP address used by the visitor, the host (for this IP), the content of the comment and the user agent used.

These values are sent to a Google form via URL, so that the Google form is prepopulated.

Torsten, just get in touch with me before we start a pen-pal correspondence here ;-)

@websupporter
Contributor

After the discussion: This is a nice feature. Thank you @Zodiac1978 for introducing it ❤️

Imo good to merge.

@Zodiac1978
Member Author

Maybe this is important to know. This PR adds the report link just to spam links. This is because of the already existing code.

Should we add this report link to all comments?

inc/columns.class.php: two review threads (outdated, resolved)
@Zodiac1978
Member Author

@websupporter I don't know why Travis is still using the old behat test. Even if I restart the job it is not using the changed test and therefore fails because of the changed string.

@websupporter
Contributor

You would need to merge the master I think. But currently master seems to fail for coding standards 😄

Imo it's good to merge from the test side, as we know it just fails for the outdated test setup.

@websupporter
Contributor

Ah sorry, I see it now I think. @schlessera did the first commit into an old branch (d53187d) and then it was merged into this one here (dd4ab86). This branch here has the updated tests, this is why the first test fails while the second works imo.

@Zodiac1978 Zodiac1978 modified the milestones: 2.9.3, 2.10 Sep 17, 2020
@Zodiac1978
Member Author

Due to missing feedback I have punted this PR to milestone 2.10. :(

@Zodiac1978 Zodiac1978 modified the milestones: 2.10, Future Release Dec 21, 2020
@Zodiac1978
Member Author

Without clear information about the privacy implications I don't see a possible path forward here.

Additionally, I will close the form and delete the Excel sheet, because I am the owner of it, to protect myself.

If anyone is seeing a possible solution to the whole problem, please add your comment. Otherwise I don't see another way than to close the whole issue/PR and remove any report mechanism due to unknown law implications.

@florianbrinkmann
Member

florianbrinkmann commented Feb 10, 2021

  • Add modal before sending data
  • Use own form for storing the data

@florianbrinkmann florianbrinkmann marked this pull request as draft February 10, 2021 10:43
@florianbrinkmann florianbrinkmann self-assigned this Feb 10, 2021
@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No coverage information
0.0% duplication

@pfefferle pfefferle modified the milestones: Future Release, 2.11 Sep 9, 2021
@Dilshadadhil Dilshadadhil left a comment

Super

@sonarqubecloud
SonarCloud Quality Gate failed.

Bug E 5 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 5 Code Smells

No coverage information
0.0% duplication

@sonarqubecloud
SonarCloud Quality Gate failed.

Bug C 2 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 10 Code Smells

No coverage information
0.0% duplication

@sonarqubecloud
SonarCloud Quality Gate failed.

Bug C 2 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 11 Code Smells

No coverage information
0.0% duplication

@Zodiac1978 Zodiac1978 removed this from the 2.12.0 milestone Aug 31, 2023
Successfully merging this pull request may close these issues.

Collect spam data in a smart way
7 participants