[wp-hackers] Revisiting phone home and privacy

Chris Jean gaarai at gaarai.com
Wed Dec 9 15:26:06 UTC 2009


I think just the fact that Peter felt the need to list the data sent to 
the servers in order to justify how everyone's privacy concerns are 
invalid does more to support the privacy concerns than dismiss them. If 
we, the list of hackers of all things WordPress, had to get a core dev 
to tell us what is sent to the wp.org servers, how are standard users 
supposed to know what is or is not sent to the wp.org servers?

Additionally, if we have to have a legal analysis of whether or not the 
privacy statement on the wp.org site applies to the wp software or not, 
wouldn't it be reasonable to assume that not everyone is clear on 
whether that privacy statement applies to the software or not?

Personally, I don't care one bit. I know what information is sent all 
over the net each time I request a web page. I know how trivially-easy 
it is to start with a single piece of information (say an IP address) 
and determine a wealth of data from that information.

However, this isn't about what people may or may not know about the 
technical infrastructure of the internet nor is it about WordPress 
users' ability to interpret a privacy statement. What other software may 
or may not share when it sends data to a centralized system is also 
immaterial. This discussion is about the WordPress software and how 
people feel that they don't have adequate control over the information 
that the software they installed on their server sends out to the world.

If a user's potentially-unfounded fears cause them to do something that 
is reckless or dangerous (say disabling the automatic updater) and a 
solution is available that would remove those fears without also 
subjecting anyone else to reduced security (say being able to determine 
what information is sent to the wp.org servers), then wouldn't it be in 
the best interest of everyone to allow such a solution? I'm sure that many 
will (and I believe many already have) argue that such a solution is 
available via plugins. While this is true, it does bring us to the true 
question that this topic begs an answer to:

If WordPress core has a feature that causes privacy concerns, is enabled 
by default, and runs automatically, is it acceptable that the only true 
solution to the privacy concern requires that the user discover the 
existence of a third-party plugin and then use that plugin?

Put another way, as a standard going forward, should the introduction of 
core features that introduce privacy concerns also require the inclusion 
in core of settings that allow the control of the information such 
features send?

Will Norris makes a great point when he shows that many that are having 
difficulty understanding the concerns are thinking about things 
backwards, from a WordPress-provider viewpoint rather than a 
WordPress-consumer viewpoint. He also makes a great point about the 
bareness of the Privacy page.

Would it really be that detrimental to put an additional section in the 
Privacy page talking about the updater, what information it sends, and 
allowing for the control over the information that is sent? This section 
could also include the privacy policy of WordPress.org so that it is 
clear what the privacy policy is.

Such an addition to the Privacy page could offer two options detailing 
what information is sent:

   1. Default
          * WordPress version and locale - This information is necessary
            in order to provide updates for your WordPress software.
          * Installed plugins - This information is necessary in order
            to provide updates for your plugins.
          * PHP and MySQL version numbers - This information allows
            WordPress developers to plan what software support is needed by
            WordPress.
          * Site address (URL) - This information is used to determine
            how many installations of WordPress exist and how many of
            each version are run. This helps WordPress developers plan
            new release schedules. This information is only used to
            generate statistical usage information and is never shared
            with third parties.
          * Server IP address - Due to how the internet operates, each
            time your WordPress software contacts the update servers,
            the update servers also receive your server's IP address.
            This information is never stored.
   2. Minimal
          * WordPress version and locale - This information is necessary
            in order to provide updates for your WordPress software.
          * Installed plugins - This information is necessary in order
            to provide updates for your plugins.
          * Server IP address - Due to how the internet operates, each
            time your WordPress software contacts the update servers,
            the update servers also receive your server's IP address.
            This information is never stored.

At first I thought a third option could be provided that would disable 
plugin and WordPress updates while explaining that selecting that option 
is not recommended for security reasons. Then I thought better of it as 
it would be better to require the additional steps to disable features 
that greatly improve site security.

While I have no doubt that the data gathered from the updater requests 
is of great value, dismissing valid (or even invalid) privacy concerns 
of users due to a lack of majority demand and due to technical or legal 
arguments just to protect the gathering of data is a poor way of 
responding to users.

Chris Jean
http://gaarai.com/
@chrisjean



Peter Westwood wrote:
>
> In my experience the software that asks about phone home is asking 
> about sending detailed data about what you are doing with the software.
>
> For example if WordPress was recording which admin pages you visit 
> most often or how often you posted / how many comments you received 
> and phoning home that information I would expect to have a very visual 
> opt-out.
>
> This is not what we are doing; we are sending back a very simple set of 
> information:
>
>  * The version of WordPress you are using - we need this to be able to 
> give you the correct response
>  * The versions of PHP and MySQL you are using - we need these to be 
> able to make sensible decisions about which versions we should support
>  * The locale you are using - so we can offer you the update in your 
> language
>  * The url of the site doing the checks - so we can differentiate 
> between different clients in order to aggregate the version numbers 
> correctly.
>

