Review minotar CSP Entry
Closed, Resolved (Public)

Description


CSP REVIEW: plausible.io (used for analytics by minotar)

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see PP
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? No specific DPO since company seems quite small, general support can be contacted for such questions
  • Is the site equipped with a security policy? Not specifically
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Not specifically
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? General support can be contacted (small company)

Event Timeline

John triaged this task as Normal priority. Aug 28 2021, 19:41
John created this task.

Attempted to contact owner/maintainer in order to clarify whether personal data is collected.

Based on the comments above from the maintainer, the website uses Cloudflare and Plausible. Cloudflare has already been reviewed in T7903 and approved and I've reviewed Plausible above. It seems like a small but serious company that's committed to GDPR and data privacy. The website itself minotar.net only collects User Agent, Request URI and Referrer but it doesn't collect IPs associated with them. Therefore, in my view this should be fine to approve. Passing on to T&S.

Hrm, this seems similar to AddThis. Though no IP addresses are being tracked, I'm concerned with the User Agent tracking. Is the User Agent tracking trackable back to logged in Miraheze users? If so, I'd have more questions and/or potentially some reservations about this. What sort of analytics data is Minotar looking for that MatomoAnalytics can't provide?

Well Minotar.net has nothing to do with the minotar Miraheze wiki as far as I'm aware. Since there are no IPs tracked, I don't see how UAs could be tracked back to Miraheze users.

John claimed this task.
John moved this task from EM Review to Completed on the CSP Review board.