request #11592 Captcha plugin makes use of 3rd party service without explicit consent of user
    Manuel Vacelet (vaceletm)
    2018-06-18 20:02
    2018-06-11 10:16

    Users should be warned that, in order to register, they should accept that we use a 3rd party service from Google.

    If they refuse, they cannot register.

    • [ ] enhancement
    • [ ] internal improvement
    Referenced by request #11592


    Thomas Gerbet (tgerbet)2018-06-18 20:02

    I did not see this when it was submitted. So if I recall correctly the creation of the captcha plugin (story #9846), I made the choice to rely on Google reCaptcha to get a quick solution for our spam issue that was also not too bad in terms of user experience (yeah, I know Tor users will not agree with this sentence).

    Now about the user consent: if we only consider GDPR, protecting our services might be qualified as a legitimate interest (cf Article 6 1.f) since our only goal here is to protect our resources both technical and human (cf Recital 49). That said, I'm not a lawyer and it's hard to tell what usage is made of the data collected by reCaptcha.

    I'm not really in favor of collecting user consent to let him register just because we have a reCaptcha on the register page: it's really not great for the user experience, which defeats one of the initial choices of Google reCaptcha and, even if with these last weeks it's a lost cause, I would prefer to not train users on clicking random pop-ups. Also, even with the collection of the user consent we do not really address the root cause of the issue: we still depend on a 3rd party that might not be friendly with all our users.

    The usage of images with deformed letters and numbers is both terrible for the user experience (I personally hate them, you never know if you got it right or not) and not that hard to bypass with bots.

    I would like to explore another option with a Proof-of-Work captcha. Basically to validate the captcha a certain amount of work needs to be done by the user's computer to find a valid solution. It does not really distinguish human users from bots, but the resources needed to compute the solution make the target more expensive to a spammer and less interesting. For the end user it is not that much different than what we currently have with reCaptcha, they wait a few moments after starting the captcha check. See HashCash [0] and [1] for discussion and implementation of this kind of solution for mail spam, you can also take a look at the captcha from CoinHive that works with a similar idea (users mine Monero as the proof-of-work...).
    It's probably less effective than whatever reCaptcha does to identify bots but I'm guessing it's probably good enough for our setup. It also has a nice side effect, the setup is easier for administrators since they do not need to ask Google for an API key.

    [0] http://hashcash.org/
    [1] http://www.wisdom.weizmann.ac.il/~naor/PAPERS/pvp_abs.html
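
A sketch of the HashCash-style Proof-of-Work captcha discussed in the comment above, added here as an illustration; it is not Tuleap's code and not from the commenter. All names (`issueChallenge`, `solve`, `verify`), the 16-bit difficulty and the 2-minute lifetime are assumptions. The server signs each challenge so it needs no per-challenge storage, the client searches for a nonce, and the server checks it with a single hash.

```javascript
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumptions: key is a per-deployment secret; difficulty and lifetime are constructed values.
const SERVER_KEY = randomBytes(32);
const DIFFICULTY_BITS = 16;            // about 65,000 hashes on average for the client
const TTL_MS = 2 * 60 * 1000;
const spent = new Set();               // in-memory replay list; a real setup would share and expire it

function mac(payload) {
  return createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Server: issue a stateless challenge "salt:expiry:bits:mac".
function issueChallenge(now = Date.now(), bits = DIFFICULTY_BITS) {
  const payload = `${randomBytes(16).toString('hex')}:${now + TTL_MS}:${bits}`;
  return `${payload}:${mac(payload)}`;
}

function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Work value of a candidate: leading zero bits of SHA-256(challenge:nonce).
function work(challenge, nonce) {
  return leadingZeroBits(createHash('sha256').update(`${challenge}:${nonce}`).digest());
}

// Client: brute-force a nonce that meets the difficulty stated in the challenge.
function solve(challenge) {
  const bits = Number(challenge.split(':')[2]);
  for (let nonce = 0; ; nonce++) if (work(challenge, nonce) >= bits) return nonce;
}

// Server: check the MAC first (rejects lowered difficulty), then expiry, replay and the work.
function verify(challenge, nonce, now = Date.now()) {
  const parts = String(challenge).split(':');
  if (parts.length !== 4) return false;
  const [salt, expiry, bits, tag] = parts;
  const expected = Buffer.from(mac(`${salt}:${expiry}:${bits}`));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  if (now > Number(expiry) || spent.has(salt)) return false;
  if (!Number.isInteger(nonce) || nonce < 0 || work(challenge, nonce) < Number(bits)) return false;
  spent.add(salt);
  return true;
}
```

Verification costs the server one HMAC and one SHA-256 regardless of difficulty, so raising `DIFFICULTY_BITS` only increases the cost on the client side.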