[wp-hackers] Revisiting phone home and privacy

Jacob Santos wordpress at santosj.name
Mon Dec 7 14:51:35 UTC 2009


In what way does WordPress.org or Automattic having your URL affect the 
security and privacy of your site?

How does preventing WordPress.org from using this data protect you from 
anything?

Why doesn't the plugins available address your problems with privacy?


The filters were placed in for the sole purpose of overriding the URL 
that is sent and for those concern with privacy. While it could be said 
that the small amount of people who downloaded the plugin verses the 
much larger amount that uses WordPress says that not enough people 
consider sending an URL is all that important. It might just be that not 
enough people realize that their WordPress is sending this information.

It is but the URL, plugins, and themes, along with the PHP version that 
is sent. None of the passwords, visitors (unless you use the 
WordPress.com Stats plugin), etc is sent. There is also a legitimate and 
reasonable purpose behind sending this data and it is to allow for 
upgrading those plugins (however, the URL isn't required, unless they 
changed that, but you could just send www.example.com if you wanted).

By the way, the filters were a compromise to those who said to fork it.

Jacob Santos


Lynne Pope wrote:
> 2009/12/7 Mark Jaquith <markjaquith at gmail.com>
>
>   
>> On Mon, Dec 7, 2009 at 1:33 AM, Lynne Pope <lynne.pope at gmail.com> wrote:
>>     
>>> That doesn't cover data that is sent from WordPress installs though Mark.
>>>       
>> It
>>     
>>> only relates to people who visit wordpress.org.
>>>       
>> It specifically mentions data sent from servers (my emphasis):
>>
>>     
>>> Like most website operators, WordPress.org collects
>>>       
>> non-personally-identifying information of the sort that web browsers ***and
>> servers*** typically make available
>>
>>     
>
> This does not cover data collected from software. If any reasonable person
> read that statement they would infer that it relates to visiting
> wordpress.org and what information may be disclosed on wordpress.org, but
> not what information is collected when they install the WordPress
> application.
>
>
>   
>> And it specifically mentions api.wordpress.org, which is what
>> WordPress installs contact (my emphasis):
>>
>>     
>>> WordPress.org may collect statistics about the behavior of visitors to
>>>       
>> its websites. For instance, WordPress.org may reveal how many downloads a
>> particular version got, or say which plugins are most popular based on
>> checks from ***api.wordpress.org, a web service used by WordPress
>> installations to check for new versions of WordPress and plugins***.
>>
>>     
>
> "from its websites" - no mention of what is collected from other people's
> websites without their explicit permission.
>
>
>   
>>> My question relates to the sending of the blog URL in the
>>> http_headers_useragent. I still cannot see any reason why this
>>>       
>> information
>>     
>>> is being sent to WordPress or what use WordPress is making of it.
>>>       
>> For one thing, it gives us a nice, standard, unique identifier for the
>> blog. That's what URLs were made for! Matt suggested some theoretical
>> anonymous uses that related to looking for patterns.
>>
>>     
>
> This is also not anonymous and no opt-in, consent or otherwise is available.
> There are other ways of submitting unique identifiers without compromising
> privacy.
>
>
>   
>>> Since Matt
>>> indicated that its use would be revisited, and that was 2 years ago with
>>> nothing happening since, I'd like to know if there are any plans to
>>>       
>> change
>>     
>>> this for non-identifying data or if it even that is not needed.
>>>       
>> I haven't seen any continuing strenuous objections. I know I'm the one
>> that started that thread — but my objections were largely addressed by
>> Matt's responses and the privacy policy. The privacy policy makes it
>> pretty clear what WordPress.org can and can't do with the data. So no,
>> I'm not aware of any plans to change this.
>>
>>     
>
> Sure, there was a knee-jerk reaction back in 2007 but given the responses at
> that time (specifically, "if you don't like it, fork") its not surprising
> that people just shut up and either went their own way or hacked the core.
> The question still remains - why does WordPress need to use an identifying
> blog URL and why is it such a big deal to change this?
>
>
>   
>> The more I thought about it, the more my knee-jerk objections faded
>> away. Your server is doing an HTTP request, so the server knows your
>> server's IP address. You can figure out what blog domains are hosted
>> on that IP with a search on Bing or several other search engines. So
>> if WordPress.org really wanted to know your URL, it could find it.
>>
>>     
>
> Irrelevant. A lot of information is discoverable if anyone wants to search
> for it. If WordPress wanted to run whois and IP lookups that is up to
> WordPress. People should not be mandated to hand over personal information
> without knowledge that they are doing so and without the option to opt-in to
> this.
>
>
>   
>>> The reason I'm asking now is that I have been fixing a site that was
>>>       
>> hacked.
>>     
>>> The reason it was hacked was that the owner didn't know of an update that
>>> would have protected his site. The reason he didn't know was because he
>>>       
>> was
>>     
>>> using plugins to prevent update checks - and was only using those because
>>>       
>> he
>>     
>>> didn't want to send his site URL to WordPress. (Ok, he would have known
>>>       
>> if
>>     
>>> he had been keeping track of updates externally, but this is a case where
>>> privacy concerns removed an important feature from WordPress and
>>> disadvantaged him in the process).
>>>
>>> A quick look at the plugins shows that people are still disabling these
>>> update checks:
>>>
>>>       
>> http://wordpress.org/extend/plugins/search.php?q=core+update+notification
>>     
>>> How many are doing this just because they want to protect their privacy?
>>>       
>> That sounds like a case of squashing a fly with a sledgehammer. If you
>> still feel strongly about not sending a URL, even after reading the
>> WordPress.org privacy policy and doing a few "ip:<server IP>" searches
>> on Bing, there are ways of doing that without completely eliminating
>> update checks. As a WordPress consultant, I would hope that you would
>> strongly advise your clients against eliminating update checks!
>>
>>     
>
> What I would advise has no bearing on what people are actually doing. The
> plugins are available and people are using them. While I see the update
> checks as invaluable, not everyone knows how to anonymise these.
>
> It seems such a trivial change to make - why not just a "send stats to
> wordpress.org y/n" to switch the blog URL on or off?
> At the moment, I'm just at a loss as to how to respond to the questions I am
> getting about this, especially when I agree with people who don't like this
> aspect of WordPress.
>
> Lynne
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>   


More information about the wp-hackers mailing list