You are not logged in.

#1 2018-05-16 2:29 pm

apico
Member
Registered: 2013-01-23
Posts: 7

Feature-Request: Make this poject safe for EU GDPR (DSGVO)

Great project! Thanks for this help to detect spammers for years, but with new EU GDPR (DSGVO) I have removed this function from my website. I think this is far away from allowed to use with the actual API.

I see that a new parameter "emailhash" since 2016/10 exists. But why as insecure MD5? (sha1 is insecure too). So its not valid to use with EU GDPR (in my eyes).

I would like that all parameters MUST be send as hash sha256(64 characters). All direct API calls like Username, real IP or E-Mail-Address should be forbidden.

So instead of
https://www.stopforumspam.com/api?ip=1.2.3.4&email=mail%40domain.tld&f=json

A new api version that submit only sha256 values:
https://www.stopforumspam.com/apiv2?ip=6694F83C9F476DA31F5DF6BCC520034E7E57D421D247B9D34F49EDBFC84A764C&email=F220011F073A7CFC303FF774BD121B441820101E8DD0198B21B3B27EC1D11E01&f=json

Thats a very small change in the exists code base but make a big impact for privacy policy.

Last edited by apico (2018-05-16 4:29 pm)

Offline

#2 2018-05-16 8:40 pm

ronaldvanbelzen
Member
Registered: 2017-06-28
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

I think this service is allowed and is already in accordance with GDPR, but not sure.

I also do not know about publishing the data that SFS collects unencrypted. You might have a point there.

About sending data: using POST instead of GET to check a spam entry over ssl might be better.

Last edited by ronaldvanbelzen (2018-05-17 7:48 am)

Offline

#3 2018-05-17 8:30 am

Dark Byte
Member
Registered: 2011-05-30
Posts: 13

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

when using SSL the URL (the part after the domainname) is encoded as well

Last edited by Dark Byte (2018-05-17 8:31 am)

Offline

#4 2018-05-17 8:36 am

apico
Member
Registered: 2013-01-23
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

Its not only a problem with sending, like you said, POST with SSL is maybe a solution here. This hint should be in the documentation, like that use https instead of http. I have include SFS looong time before SSL was popular. smile

The primary issue here is in my eyes, that stopforumspam receives for only simple checking personal data as unencrypted. For simply checking is a secure hash more as sufficient.

Last edited by apico (2018-05-17 8:44 am)

Offline

#5 2018-05-17 9:53 am

ronaldvanbelzen
Member
Registered: 2017-06-28
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

A dummy post to be able to say what I actually want.

Offline

#6 2018-05-17 9:57 am

ronaldvanbelzen
Member
Registered: 2017-06-28
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

This is an interesting blogpost about some other anti-spam service and GDPR.

It ends with describing some other service that seems to be able to comply to GDPR.

It is a marketing driven story, of course, but it does give some food for thought.

Last edited by ronaldvanbelzen (2018-05-17 10:34 am)

Offline

#7 2018-05-17 2:44 pm

JamesC
Member
Registered: 2010-01-09
Posts: 43

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

I would like that all parameters MUST be send as hash sha256(64 characters). All direct API calls like Username, real IP or E-Mail-Address should be forbidden.

Please don't break the SFS API for those of us who are outside the EU and do not solicit EU eyeballs / pageviews / hitcounter stats.

You have the option to filter out potential EU citizens before running their IP, username, and/or email address through the SFS API:
- Do you reverse-lookup the IP to get their host? You may obtain a country from that (for example, t-connect.de indicates a German mobile connection).
- Does their email address end in .ie or .pl?
- various blocklists exist to identify connections from Russia, China, even Australia and the US. Reverse the logic; if an IP is on a Chinese blocklist then the connection does not originate from within the EU. wink

And please don't overlook the blatantly obvious: SFS is intended to help block registrants to a website (such as a forum). The registrant willingly gives us a username, email address, and IP as part of registration -- therefore they have consented to the collection, processing, and retention of these bits of personally identifying information.

All you need to do is add a notice just above where your website asks for these, notifying the registrant that by providing these details, they are giving consent. As long as the notice is provided before you collect personally identifying information, and the natural person has the choice to not provide that information (by abandoning their registration attempt), you are in compliance with GDPR. smile

And ... again, blatantly obvious ... if an EU citizen gives false information, such as a name or email address that is not their own, their false information is not protected by GDPR.

BTW, bots are not "natural humans" under GDPR; bots have no GDPR rights at all. wink

Last edited by JamesC (2018-05-17 2:45 pm)

Offline

#8 2018-05-17 3:58 pm

apico
Member
Registered: 2013-01-23
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

Like I said in my start post, I don't want that this feature replace the exists api, I suggest a apiv2 version for this or new parameters.

So cool down :D

EDIT: Your complete logic is wrong (my opinion). I'm a EU citizen, I can be in holiday in russia, so I have a russian IP or other countries or proxy IP. If a EU website use my data, I can take a lawyer. Your rights are not limited of a stupid IP-Address or the domain of Mail-Address. So your tests are useless. In EU you never should submit personal data without permission or much better only encrypted as secure hash.

Last edited by apico (2018-05-17 4:13 pm)

Offline

#9 2018-05-17 7:32 pm

ronaldvanbelzen
Member
Registered: 2017-06-28
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

"In EU you never should submit personal data without permission"

Iirc there are 6 criteria that define when you are allowed to gather personal data, and permission is only one of them.

Offline

#10 2018-05-17 8:38 pm

apico
Member
Registered: 2013-01-23
Posts: 7

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

Don't forget, a user can anytime withdraw his permission and you must delete his data everywhere. How do you delete their data here on SFS?

And you must make a contract with SFS what acutal is not possible? Hash encrypting is the only chance to use this project.

Last edited by apico (2018-05-18 2:24 pm)

Offline

#11 2018-05-21 12:05 am

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,636

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

GDPR makes no reference to the minimum security  requirements used for encryption or hashing.  MD5 is considered cryptographically insecure if you wish to use it as a method of hashing a master password in order to encrypt a secret key, but no crypto is being done here, its a simple one way obfuscation method supported by every platform. A reminder, that by hashing email addresses, you completely remove the ability to process blacklisted domains.

You can POST to the API if you believe that someone is running a man-in-the-middle attack on your HTTP connections, and you can also use HTTPS (if you have a modern client supporting SNI), ie

curl -o- "https://europe.stopforumspam.org/api" -d "ip=1.2.3.4"

Web server logs are retained for 5 days, and then deleted, mainly because they simply arent needed after that, and I dont have the server space for them.  I cant remember the last time I even looked at the logs.  POST data is NOT logged.  If you want to ensure your queries are not logged, remain without the EU, and not open to MITM attacks, then POST via HTTPS to the domain below

You can force all your queries to remain within the EU by querying europe.stopforumspam.org/api

All in all, as a British citizen myself, I think GDPR is a horrible piece of legislation due to its poor definitions and huge lack of consideration, which is often the case when laws governing technology are written by people with no, or very poor understanding of the platform that will eventually be attacked by it.

As far as the legal scope of GDPR, it applies to companies that process PII of citizens on EU countries.  This website is not a company, nor is it operated or owned by one.

To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity.  SFS engages in no economic activity.  This is where the vagueness of the legislation all fails.  Nothing is stopping anyone from posting someone's details on Twitter, but Twitter will remove that data if contacted.  SFS will do the same.

SpamHaus, SpamCop (etc) will all be facing this issue, and as GDPR is enforced by EU courts, rather than civil action, I'm going to put money on them being swamped with pointless cases from day #1, 99.999% without any merit.

A username by itself in not PII, however combined with an email address, it could be PII, but that will be established by the courts as the legislation is not specific as of yet.

Now, this is interesting, as GDPR has exemptions, including
- the prevention, investigation, detection or prosecution of criminal offences;
- other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;

Stopping someone from posting adverts for illegal drugs, which could be fatal, to stop someone from selling illegal pass ports which could be used for criminal fraud, terrorism etc, certainly something that I would consider public interests and prevention of criminal activities.

This entire process would need legal input.  As the website has exactly $0.00 income (and $0.00 outgoing), I'm not going to front the 4 to 5 figure costs in order to consult a lawyer.  If it comes to this then I would have to shut SFS down, so let's hope that doesnt happen.  Now, if anyone here is a GDPR lawyer or knows of one that would be happy to help a community driven crime prevention project such as this, please do let me know.  Before a shutdown happens, I would love the server to the US and the EU courts can try to get 10 million Euros out of me from there

Offline

#12 2018-05-21 7:21 pm

kpatz
Member
Registered: 2008-10-09
Posts: 1,295

Re: Feature-Request: Make this poject safe for EU GDPR (DSGVO)

I'm not in the EU, nor am I familiar with this GDPR, but there's only two ways SFS "sees" possibly personal identifying information:

1.  When an API call is done to query the database, such as during registration or when a forum admin queries the API to see if the information could be a spammer, and
2.  When a spammer's information is submitted to the database.

The information in question is the username, email and IP address of the registration, of course.  About the only thing that would make it "personally identifiable" is if the registrant uses their real name as their username, or their email contains their real name.

API queries aren't stored either, so in order to be intercepted there would have to be a man in the middle attack, or a compromise on one end of the connection (the forum's server or SFS's).

If a spammer is submitted, that information is stored in the SFS database, but spammer's data is mostly fake anyway... no spammer uses their real name or email when registering on forums, unless they're dumber than most... and I think the law is written in such a way that if there is criminal activity involved (such as what spamming usually is) then it wouldn't count anyway.

So, IMHO, the only concern would be API queries, and allowing all three data values to be hashed, or allow for SSL POST would take care of that.


We need better spam proofing technology - preferably the kind that electrocutes spammers with 50,000 volts 100 amps the moment they click "Post".

Offline

Board footer

Powered by FluxBB

Close
Close