Add support for Cloudflare Turnstile as a privacy preserving alternative to Google Recaptcha #998

Closed
gene1wood opened this issue Oct 4, 2022 · 12 comments
Labels
wontfix This will not be worked on

Comments

@gene1wood

I saw this empty PR, #989, that was opened and closed on this topic, but it might be good to capture this potential feature here as an issue.

Could you/we through a PR add support for Cloudflare Turnstile as a privacy preserving alternative to Google Recaptcha?

https://blog.cloudflare.com/turnstile-private-captcha-alternative/

Here's a demo of it in use

https://demo.turnstile.workers.dev/

@takayukister
Collaborator

For now, I'm not interested in natively supporting Turnstile. Cloudflare has not yet provided sufficient ground that supports Turnstile is greater than reCAPTCHA in privacy terms. Also it's still in the open beta stage.

@gene1wood
Author

Ok, sounds good.

> Cloudflare has not yet provided sufficient ground that supports Turnstile is greater than reCAPTCHA in privacy terms.

I think the fact that Google's business is advertising (which benefits from analytics about the users who are their product that they sell to advertisers) and Cloudflare's business is selling services to people and companies who pay them is a good basis for the difference in their motivations and their different approach to protecting privacy.

An example of this is how Mozilla has partnered with Cloudflare because of this commitment to privacy that they have and their lack of a conflict of interests between user privacy and their business (which differs from Google). (Disclosure, I work at Mozilla)

> Also it's still in the open beta stage.

Good point.

@takayukister If someone were to PR the addition of a Turnstile module would you be open to that? I ask just to get a sense of whether it's that you don't have an interest in putting dev time towards a Turnstile module, or if it's more that supporting Turnstile doesn't fit in with your vision for Contact Form 7?

@takayukister
Collaborator

Maybe I would reject the PRs. Turnstile is not that attractive to me. I would suggest creating it as an independent plugin.

@gene1wood
Author

Sounds good, thanks @takayukister

@freinbichler

Hey @takayukister, while I understand that Turnstile is not that attractive to you personally, it definitely is attractive in the EU, where the use of Google Recaptcha is illegal because of GDPR (it would need opt-in, which defeats the purpose of a captcha). Maybe that is something to consider, as I am assuming a significant amount of your users are based in the EU or develop websites targeting EU customers.

@takayukister
Collaborator

Can you please provide a link to the court decision?

@freinbichler

freinbichler commented Oct 18, 2022

Every service that transfers personally identifiable information to somewhere outside of the EU, like an IP address, needs to be opt-in according to GDPR. While I am not aware of a specific court decision regarding Google Recaptcha, there was a recent decision regarding Google Fonts, which is basically only a single web request to Google servers, but just the fact that the IP address is transferred to the US makes it illegal if not opted-in, according to the court (I know, it's stupid).

The same is true for Google Analytics, Google Maps embeds, etc. As Google Recaptcha assumingly collects way more data than those services, to detect if you are human, it will only be a matter of time until there is a court order.

This summary might also be interesting to read regarding Recaptcha and GDPR: https://www.activemind.de/magazin/recaptcha/

While I am no law-expert, I know that our customers do not want to risk not being compliant with GDPR, and therefore for me as a developer (and many others in the EU) Google Recaptcha is sadly not an option.

@takayukister
Collaborator

No, I'm not asking for explanation or your opinion about GDPR.

You claimed that Google reCAPTCHA is illegal.

> the use of Google Recaptcha is illegal because of GDPR

So, where is the legal evidence?

@deflncha

I haven't seen anything focusing specifically on the legality of Google reCAPTCHA, however there is definitely legal action being taken against Google Analytics. It wouldn't be a stretch to think that other Google services like reCAPTCHA could also be in violation of GDPR as @freinbichler mentioned.
I'm sure many EU businesses are rightfully being wary to remain compliant - so having an alternative for those users would be nice. That being said Turnstile is in early beta so waiting for an official release / more info before adding native support makes sense.
For those looking for an independent plugin this looks interesting (use at your own risk / do your own due diligence).

Dropping this in in case it helps someone. At any rate love Contact Form 7 @takayukister keep up the awesome work ❤️

@houmark

houmark commented Oct 21, 2022

One more vote for adding Turnstile.

@Marcin-Kozyra

https://wordpress.org/plugins/simple-cloudflare-turnstile/ it works with contact 7

@takayukister takayukister added the wontfix This will not be worked on label Oct 24, 2022
@industrialsociety

What a disappointing response from the developer. So grateful the community has come up with an alternative solution!
