Add report spam link #344
Add report spam action link to spam list (#73)
I like this feature. Just browsing through the code, I was wondering, if we really should collect IP, email etc. this way.
// URLencode comment data. | ||
$name = rawurlencode( $comment->comment_author ); | ||
$email = rawurlencode( $comment->comment_author_email ); | ||
$ip = rawurlencode( $comment->comment_author_IP ); |
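Review bot: `$email` and `$ip` on these lines are personal data being prepared for placement in a URL, and nothing here documents which fields leave the site or why each one is needed. Query-string values are retained in browser history and in the receiving server's request logs, so consider sending only the fields the report actually requires (for example, shortening or omitting `$ip`), and extend the `// URLencode comment data.` comment to state the destination and the full list of fields sent.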
I am not sure about the GDPR implications, when we collect those values.
We already do this now. This is just a helpful link to prefill the form.
But if we want to follow this path. My research says:
Consent must be “freely given, specific, informed and unambiguous.”
Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
Children under 13 can only give consent with permission from their parent.
You need to keep documentary evidence of consent.
The sixth legal basis is to have a “legitimate interest” to process the person’s data.
I think the legitimate interest in fighting spam outweighs the rights of any spammer (or false positive user). But I am not a lawyer. I try to ping someone from the community to have a look.
From a legal point of view, I would have no problems with this.
In terms of data protection, this is possible without consent as it is within the context of a legitimate interest. (In the case of a legitimate interest, an opt-out option is required, but that is easily possible for the spammer, so you don't need to think of it.)
Also I don't see any major problems in terms of copyright law, because on the one hand, emails of this kind regularly do not have the necessary level of creation for copyright protection, on the other hand, the author has also consented to storage and processing by sending, because that is exactly the purpose of his mail.
So: just make it!
Thank you @PraetorIM
Going through the discussion here, I get the impression that we are only looking at whether we as the pluginkollektiv get the user's consent to get access to this data.
However, what we are doing here is giving immediate access to a third-party (Google) via these unencrypted URL values. The way I see it, we would also need to inform the user about which third-parties we'd also give access to this data and need the user's consent for that as well.
So, even if we say that we don't need consent in this case, we still need to let the user know about the third-parties involved, no?
@PraetorIM It's not clear to me whether you consider this (we're sending unencrypted user data via a URL to a Google application), so I'd be grateful for any further clarification you can provide.
with mention and opt-out option in the data protection declaration or at the comment-form
What do you mean with that?
This PR adds a link to every spam comment in the admin area which is a link called "Report to Antispam Bee" which is going to a Google Form page and prepopulates it with the data from the comment.
It is just an external link IMHO. Everyone can see where it goes. If I need to mention it in a data protection declaration, I would need to mention every external link to a non-EU website ... or not?
And to which data protection declaration should we add it? On the website where it is used? This would not be working out I think. And why should we add it to the comment form? It is just added in the admin area and it does not do anything in the frontend. And how should I provide an opt-out for a link? You click it or you don't click it. How can we opt-out there?
I think we are all not in the same boat and speak about completely different things here.
Maybe we can talk about this in a chat. Maybe in German. To get this sorted out.
@schlessera @PraetorIM @websupporter I really would like to get 2.9.3 released soon. Any chance to get this legal question solved?
First of all: The reporting of a URL is irrelevant in terms of data protection law, since a URL (apart from extreme exceptional cases) is not personal data. Even a URL like firstname-lastname.de is initially without privacy problems (hard to believe in today's hysteria, I know). This would only become personal data if the person of the commentator / spammer was also transmitted. But that's not what you've planned. So just get that feature in.
@PraetorIM We are not just reporting a URL.
We are reporting what was entered as author name, e-mail and website URL. Additionally the IP address used by the visitor, the host (for this IP), the content of the comment and the user agent used.
These values are sent to a Google form via URL, so that the Google form is prepopulated.
Torsten, just get in touch with me before we end up starting a pen-pal correspondence here ;-)
After the discussion: This is a nice feature. Thank you @Zodiac1978 for introducing it ❤️ Imo good to merge.
Maybe this is important to know. This PR adds the report link just to spam links. This is because of the already existing code. Should we add this report link to all comments?
@websupporter I don't know why Travis is still using the old behat test. Even if I restart the job it is not using the changed test and therefore fails because of the changed string.
You would need to merge the master I think. But currently master seems to fail for coding standards 😄 Imo it's good to merge from the test side, as we know it just fails for the outdated test setup.
Ah sorry, I see it now I think. @schlessera did the first commit into an old branch (d53187d) and then it was merged into this one here (dd4ab86). This branch here has the updated tests, this is why the first test fails while the second works imo.
Due to missing feedback I have punted this PR to milestone 2.10. :(
Without clear information about the privacy implications I don't see a possible path forward here. Additionally I will close the form and delete the excel sheet, because I am the owner of it to protect me. If anyone is seeing a possible solution to the whole problem, please add your comment. Otherwise I don't see another way as to close the whole issue/PR and remove any report mechanism due to unknown law implications.
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information
Supper
SonarCloud Quality Gate failed. 5 Bugs No Coverage information
SonarCloud Quality Gate failed. 2 Bugs No Coverage information
SonarCloud Quality Gate failed. 2 Bugs No Coverage information