Page MenuHomePhabricator

Privacy issues with Gadget-GoogleTrans.js (calls out to google APIs)
Open, LowPublic

Description

The gadget noted above seems to call out to google APIs (using jsonp) without telling the user that these requests aren't covered by the WMF privacy policy.

Despite of that the gadget is in a terrible state (like 99.9% of our gadgets) and eg. doing a lot of string mongering with innerHTML (XSS anyone)... but I don't think this is an issue right now as I couldn't find anything obvious on first sight.

The gadget is at least on:
enwiki
bewiki
frwikiversity
mkwikisource

(Probably way more, but mwgrep looks broken atm and I don't have the time to do more research).


Version: unspecified
Severity: normal

Details

Reference
bz63598

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:19 AM
bzimport added a project: Security-Other.
bzimport set Reference to bz63598.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". · View Herald TranscriptNov 22 2014, 3:19 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)". · View Herald Transcript

That gadget could use some cleanup in general, definitely.

Should we have the admins on each wiki add a notice in the gadget description to warn users (it would warn new users, although not existing ones)? Make users click some sort of opt-in that we save in their preferences (seems kinda annoying)?

I imagine that someone adding a "Google" gadget is probably ok with google seeing them, but would be nice to make it explicit.

(In reply to Chris Steipp from comment #1)

[...]
Should we have the admins on each wiki add a notice in the gadget
description to warn users (it would warn new users, although not existing
ones)? Make users click some sort of opt-in that we save in their
preferences (seems kinda annoying)?

The best solution would probably be to have a confirm dialog (with a remember choice option), but that's a little hard to implement. I'm ok with adding a notice to the gadget description.

I imagine that someone adding a "Google" gadget is probably ok with google
seeing them, but would be nice to make it explicit.

Yep, we *need* to make this explicit, although I agree that it's not this urgent over here. Also I don't think it's this obvious as the Translate extension also somehow invokes external translation service (in a privacy friendly manner... I hope/ guess).

Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript
krenair@terbium:~$ mwgrep GoogleTrans
acewiki             MediaWiki:Gadget-GoogleTrans.js
arwiki              MediaWiki:Gadget-GoogleTrans.js
bewiki              MediaWiki:Gadget-GoogleTrans.js
bhwiki              MediaWiki:Gadget-GoogleTrans.js
bjnwiki             MediaWiki:Gadget-GoogleTrans.js
bugwiki             MediaWiki:Gadget-GoogleTrans.js
enwiki              MediaWiki:Gadget-GoogleTrans.js
eswiki              MediaWiki:Gadget-traductor-google.js
fawiki              MediaWiki:Gadget-googletranslator.js
fawikiquote         MediaWiki:Gadget-googletranslator.js
fawikisource        MediaWiki:GoogleTranslator.js
fawiktionary        MediaWiki:Gadget-googletranslator.js
frwikibooks         MediaWiki:Gadget-GoogleTrans.js
frwikiversity       MediaWiki:Gadget-GoogleTrans.js
frwiktionary        MediaWiki:Gadget-GoogleTrans.js
hiwiki              MediaWiki:Gadget-GoogleTrans.js
idwiki              MediaWiki:Gadget-GoogleTrans.js
mkwiki              MediaWiki:Gadget-GoogleTrans.js
mkwikisource        MediaWiki:Gadget-GoogleTrans.js
mswiki              MediaWiki:Gadget-GoogleTrans.js
newiki              MediaWiki:Gadget-GoogleTrans.js
nlwiki              MediaWiki:Gadget-GoogleTrans.js
nowiki              MediaWiki:Gadget-GoogleTrans.js
pswiki              MediaWiki:Gadget-GoogleTrans.js
ptwiki              MediaWiki:Gadget-traductor-google.js
simplewiki          MediaWiki:Gadget-GoogleTrans.js
siwiki              MediaWiki:Gadget-GoogleTrans.js
siwikibooks         MediaWiki:Gadget-GoogleTrans.js
sowiki              MediaWiki:Gadget-GoogleTrans.js
srwiki              MediaWiki:Gadget-GoogleTrans.js
srwikinews          MediaWiki:Gadget-GoogleTrans.js
tenwiki             MediaWiki:Gadget-GoogleTrans.js
test2wiki           MediaWiki:Gadget-GoogleTrans.js
ukwiki              MediaWiki:Gadget-GoogleTrans.js
urwiki              MediaWiki:Gadget-GoogleTrans.js
viwiki              MediaWiki:Gadget-GoogleTrans.js
(total: 36, shown: 36)
dpatrick added a project: Privacy.

See also T208188.

For the author(s) of the gadget, they'll want to make sure that the description shown before enablement informs the user about it using a third-party API. In the mid-to-long term, the author(s) will need to opt-in to this via the CSP mechanism from T208188.

Also, prior to T208188 they'll need to switch from JSON-P to CORS/JSON because JSON-P is effectively script execution which won't be allowed even with the CSP exemption in place.

Looks like usage has grown a little. I guess we're actively violating our PP for at least 35k enwiki users right now? And obviously much more across all projects. I wonder if most of these are importing it from User:Endo999.

$ mwgrep GoogleTrans.js |grep -v Gadgets-definition
acewiki             MediaWiki:Gadget-GoogleTrans.js
arwiki              MediaWiki:Gadget-GoogleTrans.js
azbwiki             MediaWiki:Gadget-googletranslator.js
azwiki              MediaWiki:Gadget-GoogleTrans.js
bhwiki              MediaWiki:Gadget-GoogleTrans.js
bugwiki             MediaWiki:Gadget-GoogleTrans.js
enwiki              MediaWiki:Gadget-GoogleTrans.js
eswiki              MediaWiki:Gadget-traductor-google.js
eswikibooks         MediaWiki:Gadget-traductor-google.js
fawiki              MediaWiki:Gadget-googletranslator.js
frwikibooks         MediaWiki:Gadget-GoogleTrans.js
frwiktionary        MediaWiki:Gadget-GoogleTrans.js
gomwiki             MediaWiki:Gadget-GoogleTrans.js
hiwiki              MediaWiki:Gadget-GoogleTrans.js
hiwikiquote         MediaWiki:Gadget-GoogleTrans.js
hiwikiversity       MediaWiki:Gadget-GoogleTrans.js
hrwiki              MediaWiki:Gadget-GoogleTrans.js
idwiki              MediaWiki:Gadget-GoogleTrans.js
kkwiki              MediaWiki:Gadget-GoogleTrans.js
kowiki              MediaWiki:Gadget-GoogleTrans.js
kowiktionary        MediaWiki:Gadget-GoogleTrans.js
lvwiki              MediaWiki:Gadget-GoogleTrans.js
maiwiki             MediaWiki:Gadget-GoogleTrans.js
map_bmswiki         MediaWiki:Gadget-GoogleTrans.js
mkwiki              MediaWiki:Gadget-GoogleTrans.js
mkwiki              MediaWiki:GoogleTrans.js
mkwikisource        MediaWiki:Gadget-GoogleTrans.js
mswiki              MediaWiki:Gadget-GoogleTrans.js
newiki              MediaWiki:Gadget-GoogleTrans.js
nlwiki              MediaWiki:Gadget-GoogleTrans.js
pswiki              MediaWiki:Gadget-GoogleTrans.js
ptwiki              MediaWiki:Gadget-traductor-google.js
sdwiki              MediaWiki:Gadget-GoogleTrans.js
simplewiki          MediaWiki:Gadget-GoogleTrans.js
siwiki              MediaWiki:Gadget-GoogleTrans.js
siwikibooks         MediaWiki:Gadget-GoogleTrans.js
sowiki              MediaWiki:Gadget-GoogleTrans.js
srwiki              MediaWiki:Gadget-GoogleTrans.js
srwikinews          MediaWiki:Gadget-GoogleTrans.js
srwiktionary        MediaWiki:Gadget-GoogleTrans.js
suwiki              MediaWiki:Gadget-GoogleTrans.js
tcywiki             MediaWiki:Gadget-GoogleTrans.js
tenwiki             MediaWiki:Gadget-GoogleTrans.js
test2wiki           MediaWiki:Gadget-GoogleTrans.js
ukwiki              MediaWiki:Gadget-GoogleTrans.js
urwiki              MediaWiki:Gadget-GoogleTrans.js
viwiki              MediaWiki:Gadget-GoogleTrans.js
Aklapper added a subscriber: Endo999.

Boldly subscribing @Endo999 to this non-public task as the author of this code.
@Endo999: Could you take a look at the previous comments, please? TIA!

this gadget has been running quite well for 10 years now and has around 50,000 loaders on the all the wikis. It was rewritten as a JS object several years ago so it only now exports the javascript variable GT and all the other variables are internal to the GT object

I'm not sure what CSP is or whether GoogleTrans (or Yandex) translation services can be called from it. Someone will have to point me to a page that describes how to implement CSP. I guess I can put on the GoogleTrans help page about using a third party translation api (but Wikipedia now does this on the Content Translation System anyway).

For a website that aims to have all information available to all people in the world, an ancillary task for this goal is to overcome language barriers, which the gadget does. Therefore it has a place on the Wikipedia gadget space.

There used to be the similar Word Translator on the Google toolbar but Google seems to have discontinued support for this, and nobody in business or government can install this toolbar (but they can use the Googletrans gadget okay).

I looked on Wikipedia for meaning of CSP (Commonwealth Supported Place., ie) and finally got to Content Security Policy. I'd need to read some description of CSP to give an answer to the query posed here

@Endo999: Thanks for the quick reply, and sorry for having been cryptic in this task!
I think the main aspect of this ticket is to make sure that gadget users know that they interact with a third party service. When it comes to the privacy of users, they need to be aware that they send personal data to another party which is not under Wikimedia's Privacy Policy.

CSP was also mentioned but that is a separate aspect. https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy should hopefully provide some more info on CSP.

I'm in the process of changing the GoogleTrans gadget language selector box (availalbe under the MORE menu item at the top right of the wiki page) to include the string

"Google or Yandex third party API is used

This is being tested now, should be in production in several days.

This is being tested now, should be in production in several days.

@Endo999: Hi, did this work out?

Hi Aklapper,

The notification is in production now.

Regards,

Paul Cheffers

Quoting Aklapper <no-reply@phabricator.wikimedia.org>:

Aklapper added a comment.

In T65598#6199679

https://phabricator.wikimedia.org/T65598#6199679, @Endo999 wrote:

> This is being tested now, should be in production in several days.

@Endo999: Hi, did this work out?

TASK DETAIL

https://phabricator.wikimedia.org/T65598

EMAIL PREFERENCES

https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Aklapper
Cc: Endo999, sbassett, Aklapper, Krenair, csteipp, hoo,
JFishback_WMF, Dsharpe, EBjune, Rxy, Legoktm, chasemp

JFishback_WMF moved this task from Watching to In Progress on the Privacy Engineering board.
JFishback_WMF subscribed.

I'd like to run this by WMF-Legal and investigate a better solution. While a step in the right direction, I'm not sure the notice that @Endo999 added is sufficient.

The notification is in production now.

Thanks!

Hey @Endo999, I hope you're doing well.
Thanks for inserting the "Google or Yandex third party API is used" note in the gadget. I've checked with WMF-Legal whether the notice should be adjusted, and it is indeed the case.

Could you consider the recommendations below?

  1. Updating the note on to the pop up. It is recommended that the existing notice "Google or Yandex third party API is used" be replaced with the following: “Note on privacy: Translations will be processed by Google or Yandex, who may receive data from your device. Please check their respective privacy policies.”
  2. Giving a heads-up through the Preferences page. It is also recommended that a message be included in the preference page, enabling end-users to know beforehand that data will be transmitted to third parties during any translation. The following one-liner could be used: “Translations will be processed by Google and Yandex, who may receive data from your device. Please check their respective privacy policies”. Here's a preview:
    Screen Shot 2021-03-15 at 4.28.43 PM.png (154×788 px, 45 KB)

I will add your notice on this weekend. I have already added the notice to the help page. I don't know how to add this to the Preference Page (where the gadget is clicked). You may have to do that.

I will add your notice on this weekend. I have already added the notice to the help page. I don't know how to add this to the Preference Page (where the gadget is clicked). You may have to do that.

Hello @Endo999 and thanks for your prompt response. For the Preference page, my assumption is that the text can be edited here: https://en.wikipedia.org/wiki/Special:Gadgets. However, I think giving the community a gentle heads-up on the Gadgets talk page would diffuse any potential pushback (https://en.wikipedia.org/wiki/Wikipedia_talk:Gadget).

Kindly let me know if you have some concerns or questions.
Cheers

I have added your legal notice to the perference page of the gadget (the control page for the gadget under MORE on the screen.

I have added your legal notice to the perference page of the gadget (the control page for the gadget under MORE on the screen.

@Endo999, Thank you for updating it. As for the preference page, you can change the gadget description here instead https://en.wikipedia.org/w/index.php?title=MediaWiki:Gadget-GoogleTrans&action=edit. Once this is done, I think we can mark this ticket as closed.

please add xaosflux to this ticket. I'm not sure how to do this. He has refused to update the description file for the gadget, and has asked to be added to this ticket.

Aklapper changed the edit policy from "Custom Policy" to "Custom Policy".
Aklapper added a subscriber: Xaosflux.

please add xaosflux to this ticket.

I've edited the view and policy of this ticket; @Xaosflux should be able to see this ticket now.

Hey @Endo999, I hope you're doing well.
Thanks for inserting the "Google or Yandex third party API is used" note in the gadget. I've checked with WMF-Legal whether the notice should be adjusted, and it is indeed the case.

Could you consider the recommendations below?

  1. Updating the note on to the pop up. It is recommended that the existing notice "Google or Yandex third party API is used" be replaced with the following: “Note on privacy: Translations will be processed by Google or Yandex, who may receive data from your device. Please check their respective privacy policies.”
  2. Giving a heads-up through the Preferences page. It is also recommended that a message be included in the preference page, enabling end-users to know beforehand that data will be transmitted to third parties during any translation. The following one-liner could be used: “Translations will be processed by Google and Yandex, who may receive data from your device. Please check their respective privacy policies”. Here's a preview:
    Screen Shot 2021-03-15 at 4.28.43 PM.png (154×788 px, 45 KB)

I'd rather not clog up Special:Preferences#mw-prefsection-gadgets with legalese blurbs in the description of any gadget that has an external integration; would an indicator with a link that could apply to any gadget with third party connections suffice? (Perhaps a secondary indicator for gadgets that are loading from userspace as well, as they may be changed with less scrutiny than "community managed" gadgets.

Example on https://en.wikipedia.org/wiki/Special:Preferences#mw-prefsection-gadgets ; where we've begun adding the (D) indicator with a tool tip to identify default gadgets on the preferences page, perhaps a legend and some other indicators such as (E): Externally loaded code and privacy (U):Loads a Userscript maintained by a single user. Absent some sort of updates to the gadget definition this would all be per-project free form text though.

Example on https://en.wikipedia.org/wiki/Special:Preferences#mw-prefsection-gadgets ; where we've begun adding the (D) indicator with a tool tip to identify default gadgets on the preferences page, perhaps a legend and some other indicators such as (E): Externally loaded code and privacy (U):Loads a Userscript maintained by a single user. Absent some sort of updates to the gadget definition this would all be per-project free form text though.

Hey @Xaosflux and thanks for chiming in.
Actually, I think your idea is great. An indicator would definitely be more scalable and would not clutter the pref page. You mentioned the possibility of adding a link. How would that work? Are you suggesting that the privacy notice be moved to a page (sub user page) and referenced in the text/indicator?

@sguebo_WMF
I started adding some more of these on enwiki as examples - see: https://en.wikipedia.org/wiki/Special:Preferences#mw-prefsection-gadgets

Outside of someone fooling around with the API, this is the page that everyone has to go to for enabling the gadgets.

Added a legend with a disclaimer related to this. As this is ad-hoc though, it is only going to fix the "problem" here on enwiki, and the legend is only if your interface language is English. If the only concern about this is on the English Wikipedia, is that sufficient to resolve this?

Just saw the top description, a similar banner could be placed on those projects related to this as well - but it's certainly not a robust system (which may need serious work in gadgets 2.0 if that ever takes off)

Mock up:

image.png (470×700 px, 28 KB)

Hey @Xaosflux ,
Thanks for producing the mockup. I'll run this by WMF-Legal and revert back to you.

Hello @Xaosflux,

Thank you again for the mockup. I had the chance to surface it to WMF-Legal and I'd like to ask something. Is it possible to make the privacy indicator a bit more obvious? A few ideas to consider would be either giving the indicator a distinct color, or making its size larger, or putting them in bold, or using "(Privacy)" instead of the "(E)" indicator. Kindly let me know what's feasible or not.

FWIW I like the idea of using PRIVACY in small caps instead of E. It communicates a significant amount of information in a few letters.

Keep in mind, that all of this is free form text right now, which only displays on one project (enwiki) - and only to users with the default project language (US English).

Something more robust would be needed if this is to become any sort of wikimedia, or WMF-wide standard. A longer-term fix would be to integrate such indications in to the software, but development on Gadgets 2.0 has been stalled for a LONG time.

That being said, I don't think "PRIVACY" is very useful there alone - from a UX perspective that seems confusing, did you notice there is already a lengthy hover text on the "E"xternal indicator? It looks like this:

image.png (61×639 px, 5 KB)

Also keep in mind, there are actually much larger risks then "privacy" when loading third party scripts, such as account hijacking - surreptitious action making, etc.

Something more robust would be needed if this is to become any sort of wikimedia, or WMF-wide standard. A longer-term fix would be to integrate such indications in to the software, but development on Gadgets 2.0 has been stalled for a LONG time.

That being said, I don't think "PRIVACY" is very useful there alone - from a UX perspective that seems confusing, did you notice there is already a lengthy hover text on the "E"xternal indicator? It looks like this:

image.png (61×639 px, 5 KB)

Also keep in mind, there are actually much larger risks then "privacy" when loading third party scripts, such as account hijacking - surreptitious action making, etc.

Hello @Xaosflux,

I hear what you're saying here about the language limitation, UX concern, and other points, but I would like to share with you the rationale behind the "privacy" suggestion.

Although, privacy is not the only issue at stake when visitors use third-party scripts, such a notice is something that can be done in the meantime until a longer-term fix can be in place.

More importantly, per Legal's assessment, it is important that users be provided with the information as clear as possible so they are not surprised if their data is processed by third parties. So having the text be "privacy" (or something related, if you have another suggestion) may increase the odds that people will look at the information. I'm sorry if it feels like I'm pressing on with this, but I just want to make sure we explore all our options.

Hey @sbassett and @JFishback_WMF , do you have any strong objections to making this task public? Its content may inform the ongoing discussion around third-party resources in T296847.

@sguebo_WMF - I don't see anything that should prevent it from being made public.

@sguebo_WMF Agreed - I think it's fine to make public.

sguebo_WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 8 2022, 2:28 PM
Aklapper changed the edit policy from "Custom Policy" to "All Users".Jan 23 2023, 8:07 PM