Page MenuHomePhabricator

Review Wikimedia Italia's technologies to keep everything in compliance with current policies
Closed, ResolvedPublic


It has been decided to double-check the Wikimedia Italia's services in order to assure a strict compliance with their current privacy policy. This means:

  • discover and drop incompatible web trackers (that may have been added in good faith by collaborators for some purposes)
  • wait for an official response from our GDPR manager to eventually update current policies

In short we will work on the mathematical proportion:

theory : practice = privacy policy : running technologies

Documentation (for members):

Event Timeline

valerio.bozzolan created this task.
NOTE: Given the potential severity I'm boosting this now as cowsay. Ehm volunteer.

In the documentation of our WordPress theme (checkout) there is a misleading section called "SEO" that is somehow unrelated from "search engine optimization stuff" but it's really about analytics and tracking stuff. From there I was able to identify some trackers and disable them. For historical reasons, note that this is the backend page I'm talking about:

From there I was allowed to disable these trackers:

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src=""></script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-178106070-1');
<!-- Facebook Pixel Code -->
fbq('init', '375183623897553'); 
fbq('track', 'PageView');
<img height="1" width="1"
<!-- End Facebook Pixel Code -->
WARNING: Apologies but I was not able to replace them with this backwards compatibility code because the server exploded with a 500 Internal Server Error before persisting:
< I'm a tracker! Trust me. >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

wkimedia it error 500.png (179×1 px, 34 KB)

NOTE: This 500 Internal Server Error probably means that something server-side (the Apache HTTPd .htaccess?) has an effective cowsay-protection or, more likely, an esoteric security protection preventing weird things to be sent via POST (but with too much false-positives). So. If you are an author and you obtain an error 500 saving your post, drop your weird characters and drop your ASCII meme (like a pipe or a cowsay) or further investigate this server dysfunction.

In the meanwhile from that backend page I noticed an hardcoded logo stuck at the http:// protocol. That was causing this warning:

image.png (331×533 px, 31 KB)

Fixed just replacing the wrong absolute logo URL with its relative version:

diff --git

Also removed a tracker from this backend page:

And disabled the plugin Gravity Forms Event Tracking, now probably not used.

In the meanwhile we are contacting the service provider about:

  • a weird entry point that should be disabled / redirected to the canonical domain and protocol
  • a tracker that we are not able to disable without reverse-engineering or FTP or SSH access (again, actually everything is managed by the service provider and we have only access to the WordPress panel)

New story. Talking with @Galessandroni he has just discovered that in there was a (test?) legacy URL pointing to an unknown domain with a blank privacy page. It seems this domain is served by a CRM that we never seen in our life.

It was not easy to be detected because of that onclick bind event that was silently overriding the destination.

Anyway one of the Wikimedia Italia staff members with access to that system reported that she can change that behavior from this field:

wait-what.png (520×442 px, 48 KB)

So she fixed now. Now the webpage points to the real Wikimedia Italia privacy policy.

Uhm. At the same time we noticed that contains some legacy trackers that should not be present!, and Also some fonts can be deployed locally. Now the service provider is aware of these requests. We have to wait.

As pointed out by @Nemo_bis the website still has proprietary & third party trackers. This should be fixed ASAP but this well-known issue was not fixed by our provider/webmaster since December 2020 (and they have an exclusive management).

If I'm not mistaken @Maupao70 sent the third reminder recently, setting a call with them for some clarifications (for example, it is okay that the site is managed by a professional, but it is not good that it has the exclusive management).

@valerio.bozzolan: Hi, the Due Date set for this open task was a while ago.
Can you please either update or reset the Due Date (by clicking Edit Task), or set the status of this task to resolved in case this task is done? Thanks.

This task has an overly broad subject. It's impossible to check an unspecified number of things for an unspecified number of regulations. The subtasks appear to be about configuration of Wikimedia Italia websites for the sake of privacy and antifraud compliance, so the task could reflect that.

I'd add there isn't much to review. When something violates the privacy policy, it must be killed on the spot.

valerio.bozzolan removed valerio.bozzolan as the assignee of this task.

I'm inclined to mark this as resolved since T266998: Avoid third party resources from * websites is resolved.