Wikimedia Security Team/Random Meetings/2020 01 07 Captcha Working Group

From mediawiki.org

Date/time: January 7th, 2020 - 08:00 AM PDT

Attending: David, Jan, Evan, Scott, Chase

Agenda

  1. Do we know if Dan Foy ever had a conversation with Google re: reCaptcha? Is this even worth pursuing any further given the extremely high likelihood we cannot use reCaptcha and Google is unlikely to compromise for us? Should we pass this on to someone else in Partnerships or is that just not worthwhile?
    1. Dan had some communications with Google, passed around some of our requirements, little to no traction.
    2. Draft and send message or write blog post as to why WMF could not use reCaptcha in our quest to improve captchas. Would need to go through Comms approval, would need to be positive/neutral in tone.
  2. Has there been any update for CPT and their Captcha product statement? Are development cycles (internal or vendor) likely to happen within 2020? Do we have a sense of what features, etc. might be completed?
    1. This project did not fit within this FY for CPT project planning.
    2. Product is interested in this problem - see point below re: new proposal.
    3. CPT not entirely comfortable owning all technical pieces.
    4. Potentially use contractors or even an OSS prize system that WMF sponsors.
    5. T&S to help shepherd any potential issues through WMF-legal.
    6. Now might be an opportune time to seek WMF funding for the contracting piece. Plan to have some kind of proposal for All-hands.
  3. Gergo's new proposal: https://phabricator.wikimedia.org/T241921
    1. Good place to discuss and further coordinate this problem.
    2. Need to be cautious in aggressively steering this towards an actual result or series of improvements.
    3. Be sure to reference Corrective Action Plan(s) from previous incidents to capture complete details of this issue.
  4. The BishopFox Captcha assessment will begin in Jan 2020 and we should hopefully have results by the end of Jan 2020 or soon thereafter. We can share that report with CPT and any other interested parties and hopefully even make it public (or maybe parts of it - not sure about vendor/contract issues) at some point.
  5. Evaluate and reset any other expectations around this work.