
Investigate Captcha for web page contact form
Closed, Resolved | Public

Description

Background:
The amount of spam received through the wikimedia.se contact form has drastically increased. The easiest countermeasure that still keeps the contact form would be to enable some type of Captcha.

We use Contact Form 7 on the website. Its pre-bundled captcha is reCaptcha (by Google), which is not GDPR-compliant (or can at least be argued not to be).
Contact Form 7 is also explicitly compatible with Really Simple CAPTCHA (the default earlier); this, however, offers no alternative for screen readers.

hCaptcha:
hCaptcha should be a drop-in replacement for reCaptcha, specifically designed to be privacy friendly. It also has a WordPress plugin, which should make it easy for us to use both for the contact form and for any future needs. For a discussion of the privacy implications see T250227: Investigate and evaluate hCaptcha to replace Wikimedia's Fancy Captcha.

There is a theoretical possibility of generating revenue through visitors solving Captchas. hCaptcha comes with a feature where you can choose to donate any such revenue to the WMF. I'd suggest we make use of that feature, both to head off any arguments that we are implementing this for profit and to ensure we don't have to deal with the potential headache of cashing it out.

Changes to Privacy policy etc.:

Under Integritetspolicy#Webbplatser we should insert a new bullet point before "Information om hur kakor hanteras på Föreningens webbplatser återfinns här." ("Information on how cookies are handled on the Association's websites can be found here."):
* On pages with a contact form we use the anti-bot service hCaptcha to protect against attacks and spam. For more information on how it works and how it processes your data, see [[Integritetspolicy/hCaptcha|our summary]].

Under Personuppgiftsbiträdesavtal (second table) we should add:

| Company | Type of system/processing | Company website | Comment |
| --- | --- | --- | --- |
| Intuition Machines | anti-bot service (captcha) | https://www.hcaptcha.com/ | The data processing agreement is an appendix to the [https://www.hcaptcha.com/terms Terms of Service]. |

We should then add a new page, Integritetspolicy/hCaptcha, which can be listed under Integritetspolicy/Bilagor, giving some details about how the data is processed:

On our websites we use the anti-bot service hCaptcha to check whether the data entered in a contact form was created by a human. The service is provided by Intuition Machines, Inc. (IMI). The service works by analysing the visitor's behaviour as soon as they arrive at a page where hCaptcha has been enabled. Information about the visitor (e.g. IP address, how long the visitor has been on the page, mouse movements made by the visitor) is collected and sent to IMI for analysis. The information is used solely to determine whether the visitor is a human and is then discarded.

The data processing is based on our legitimate interest in protecting our websites from spam and other harmful automated attacks. For more information see hCaptcha's and IMI's [https://hcaptcha.com/privacy privacy policy] and [https://hcaptcha.com/terms terms of service].

Event Timeline

A very quick comment here.

We use Contact Form 7 on the website. Their pre-bundled captcha is reCaptcha (by Google), which is not GDPR-compliant (or can at least be argued not to be).
Contact Form 7 is also explicitly compliant with Really Simple CAPTCHA (was the default earlier); this, however, offers no alternative for screen readers.

hCaptcha should be a drop-in replacement for reCaptcha, specifically designed to be privacy friendly. It also has a WordPress plugin.

T250227 is actively looking at hCaptcha for MediaWiki, so it might provide some insight about any privacy worries.

hCaptcha plugin added to WordPress and underwent a quick test. The third-party JS is loaded only on the contact page and only when one has scrolled down far enough to reach the submit button.

Plugin has been de-activated again since a Privacy Policy addition is needed as well as internal discussions about potential other downsides.

Note that we can set any hCaptcha rewards to be automatically donated to the WMF if we don't want to deal with the potential headache of cashing it out.

We should remember to reset the cookie notice on the website after the Privacy policy is updated (so that visitors get informed about the changes).

Per-capsulam decision made.

Wiki has been updated as has the abbreviated version of the policy on the webpage.

Setting updated to donate any income to the WMF.

hCaptcha activated on the website.

There seems to be no way of forcing the cookie banner to come up again =(