10
latisfeire
276d

I am building my portfolio website and added a contact section. In the API call to the backend, I am logging potential API failures to Firebase Analytics. Is it ethical to include the request data (content of the contact form) in log data?

Comments
  • 8
    Might run into GDPR issues. Also, take care to sanitise the input as potential attack vector - the current Log4j affair is a cautionary tale how user controlled data can wreak havoc in the backend.
  • 7
    Analytics shouldn't contain PII* data, if it does it counts as logging.

    Check with your local laws and the GDPR / CCPA.

    But in essence, never store more then you need, and never store it any longer then you need it.

    * https://en.wikipedia.org/wiki/...
  • 1
    I agree about not storing in GA.

    But regarding GDPR, since its a contact form, anyone that fills it out gives you permission to store and process that data for the purpose of the form.

    You can also store it temporarily in a log but not long term since the logging is not the purpose of the form, but logging is usually a requirement for the running of a site and that gives you the right to log necessary data for at least some minimum time.

    For more information search for “Legal grounds gdpr” for a list of valid reasons to store and process data.

    And remember that explicit consent is a last resort :). If any of the others work they are easier and better.
  • 3
    Take my advice.

    Just setup a mailto link with a filtered inbox(think Gmail and forward to your real account).

    You will save yourself about 2 days of effort and it will be a bit more secure.
  • 1
    @sariel

    Contact forms are indeed overrated, especially in these cases.

    I always prefer personally to send an e-mail directly so I can keep track of it in own inbox.
Add Comment