[wp-hackers] Revisiting phone home and privacy

Lynne Pope lynne.pope at gmail.com
Tue Dec 8 02:13:59 UTC 2009


I hear what you are saying Jacob but have to wonder if there would be more
people seeing update notifications if some were not disabling these over
privacy concerns. With the company I mentioned, I had no idea they had used
these plugins to avoid sending their blog URL. I imagine there would be a
lot of us who work with users and who don't know what they have installed
until there is a problem.

A subset of current users were around in 2007 and took note when all hell
broke loose over the phone home. I suspect a larger proportion never see
reports about such things. The average user doesn't see Slashdot or follow
tech news. Since then, of course, thousands of new users have come along and
I doubt many of them are even aware of what information gets sent back.

Then there's the users who, in 2007, installed the plugins to block update
checks (the 2.3 announcement even linked to this) and who have just
blissfully carried on blocking. This is where the privacy concerns are
actually hurting WordPress. If we want people to use the automatic update we
should, in my opinion, not be giving them reasons for not using it. Sure,
its easy to look at the numbers and say most people don't care, but its just
as valid to say they might, if they knew about it.

For my last comment on this issue I just want to ask one thing - is it so
hard to simply remove the blog URL from being sent as part of the User-Agent
in the core? A function is all very well (and I thank you for that) but by
the time anyone mentions that they won't use WordPress or that they are
using plugins to remove update notifications its already too late to help
them out.

Lynne

2009/12/8 Jacob Santos <wordpress at santosj.name>

> I should apologize, I realize that you are correct. It has been a long time
> and I've forgotten a lot of the issues that were bought up at that time.
>
> Given the lack of popularity of the Tin-foil hat plugin compared to those
> using WordPress, I can say that it is unlikely that any options will be
> added. I believe it was discussed at that point, but a lot of the argument
> against it was that if only a few are ever going to turn it on, then it
> wasn't worth spending the time for development and testing to do it.
>
> As far as the business connection, I think that well, it doesn't really
> matter what I think. I would hope that any business would weigh the
> advantages of what WordPress offers for keeping WordPress and plugins
> up-to-date and the time that is saved, however that is their business with
> how they want to handle that.
>
> Furthermore, the lack of opt-in was intentional and there was, I believe,
> fear that people would care more about privacy than security and opt-out
> rather than be updated on when new releases are out. Given the apathy in the
> past, it seemed reasonable to assume it and given recent events, it seems
> that even with the update notifications that people are still not taking the
> update notifications seriously.
>
> The Tin-foil hat plugin should solve your problems, but the code below
> could be applied to a plugin and would do what you wish with at least the
> useragent.
>
> function paranoia_remove_url($default)
> {
>   global $wp_version;
>   return 'WordPress/'.$wp_version;
> }
>
> add_filter('http_headers_useragent', 'paranoia_remove_url');
>
> For what it is worth, I'm not against your idea, it is just that there are
> alternatives to which you speak and I'm wondering why those alternatives
> (i.e the filters) weren't applied first to the problem before attempting to
> change WordPress fundamentally for everyone. Also, I'll rather the
> statistics for PHP version be sent so that PHP4 can be dropped as soon as
> possible, unless their using PHP4, then please use the Tin-foil hat, so that
> they'll skew the results towards quicker adoption of PHP5+.
>
> It should also be noted that the above will only remove the URL from the
> useragent. The plugins and themes and wp_version will still be sent, but I
> believe that is the only place where the Blog URL is sent.
>
>
> Jacob Santos
>
> Lynne Pope wrote:
>
>> 2009/12/8 Jacob Santos <wordpress at santosj.name>
>>
>>
>>
>>> In what way does WordPress.org or Automattic having your URL affect the
>>> security and privacy of your site?
>>>
>>>
>>>
>>
>> It compromises privacy because users are not being given the option to
>> send
>> or not send information about their site. It compromises security when
>> users
>> disable update checks in order to avoid sending information they don't
>> wish
>> to send.
>>
>> The specific response I got from the people I was working with was that
>> business information, such as which plugins they use, is nobody's business
>> except theirs. They consider this to be business information. Plugin and
>> theme data contains identifying information about products and staff which
>> they do not want broadcast to anyone.
>>
>>
>>
>>
>>> How does preventing WordPress.org from using this data protect you from
>>> anything?
>>>
>>>
>>>
>>
>> WordPress.org is not a legal entity and cannot therefore be held legally
>> accountable for misuse of data. They have no confidence in WordPress.org's
>> ability to keep the data private and confidential and say that as they do
>> not opt-in to sharing it then wordpress.org has no legal right to collect
>> it.
>>
>>
>>
>>
>>> Why doesn't the plugins available address your problems with privacy?
>>>
>>>
>>> The filters were placed in for the sole purpose of overriding the URL
>>> that
>>> is sent and for those concern with privacy. While it could be said that
>>> the
>>> small amount of people who downloaded the plugin verses the much larger
>>> amount that uses WordPress says that not enough people consider sending
>>> an
>>> URL is all that important. It might just be that not enough people
>>> realize
>>> that their WordPress is sending this information.
>>>
>>>
>>>
>>
>> Which plugin just overrides the blog URL? If there is one that simply does
>> that then I'd point them to it.
>>
>>
>>
>>
>>> It is but the URL, plugins, and themes, along with the PHP version that
>>> is
>>> sent. None of the passwords, visitors (unless you use the WordPress.com
>>> Stats plugin), etc is sent. There is also a legitimate and reasonable
>>> purpose behind sending this data and it is to allow for upgrading those
>>> plugins (however, the URL isn't required, unless they changed that, but
>>> you
>>> could just send www.example.com if you wanted).
>>>
>>> By the way, the filters were a compromise to those who said to fork it.
>>>
>>>
>>>
>>
>> Providing the means to check if plugins, theme, or core updates are
>> available is great. The stickler is the sending of the blog URL (and for
>> this company - data about custom plugins).
>>
>> IMO, there needs to be more transparency about what WordPress does behind
>> the scenes and what data is collected. I understand the concerns when
>> custom
>> plugins & themes use staff and product names - this sends way too much
>> identifying information!
>>
>> The alternative would be if WordPress only checked against theme and
>> plugin
>> names that are in the WordPress repository, instead of collecting data on
>> every theme and plugin.
>>
>> I love the work you did on this Jacob. However, its now 2 years since
>> wordpress.org started collecting blog URL's with the update and it's
>> still
>> unnecessary data capture. If WordPress.org has future plans for using this
>> information then a simple opt-in would prevent these kinds of issues. If
>> there is no good reason for capturing the URL then perhaps its time it was
>> removed?
>>
>> Lynne
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
http://twitter.com/elpie/


More information about the wp-hackers mailing list