[wp-trac] [WordPress Trac] #14682: Privacy leakage: gravatars leak identity information
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 24 17:02:17 UTC 2010
#14682: Privacy leakage: gravatars leak identity information
-----------------------------+----------------------------------------------
Reporter: jmdh | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.0.1
Severity: normal | Keywords:
-----------------------------+----------------------------------------------
Changes (by jane):
* type: defect (bug) => feature request
Old description:
> If a commenter on a blog leaves a comment without having logged in to the
> site, and the "Comment author must fill out name and e-mail" preference
> is enabled for the blog, the author must provide an email address. The
> form for this says "Mail (will not be published) (required)".
>
> It's true that the email address itself is not published, but if the site
> has gravatars enabled, the persistent identity of the commenter is
> nonetheless revealed. Together with inspection of other posts where the
> commenter has chosen to reveal their identity, on the same blog or other
> blogs, or a brute-force approach taking a known email address to find
> postings attributed to them (using a global search engine) this results
> in a complete loss of anonymity.
>
> At the bare minimum, the user should be aware of this, so that they can
> choose not to comment; preferably, the software should be changed so that
> gravatars are not used for these sorts of posts (or made configurable, in
> combination with the user being made aware).
New description:
If a commenter on a blog leaves a comment without having logged in to the
site, and the "Comment author must fill out name and e-mail" preference is
enabled for the blog, the author must provide an email address. The form
for this says "Mail (will not be published) (required)".
It's true that the email address itself is not published, but if the site
has gravatars enabled, the persistent identity of the commenter is
nonetheless revealed. Together with inspection of other posts where the
commenter has chosen to reveal their identity, on the same blog or other
blogs, or a brute-force approach taking a known email address to find
postings attributed to them (using a global search engine) this results in
a complete loss of anonymity.
At the bare minimum, the user should be aware of this, so that they can
choose not to comment; preferably, the software should be changed so that
gravatars are not used for these sorts of posts (or made configurable, in
combination with the user being made aware).
I would suggest closing as wontfix.
--
Comment:
1. If someone really wants to remain anonymous, they shouldn't enter their
real email into any web form, regardless of whether it will be published
or not, because the site owner will always have access to it and there
have been plenty of cases where an unscrupulous author has published a
commenter's email address.
2. The site owner chooses whether to enable gravatar or not.
3. The theme decides whether gravatars will be shown or not.
I think the scenario you outline is a case where the burden of anonymity
should fall on the commenter; if they don't want their identity to be
findable, they shouldn't be using their real identity to leave comments.
Will some site owners kill those comments b/c they don't seem to have a
real person behind them? Sure. But it's up to the site owner: WordPress
puts the power in the site owner's hands. Someone unwilling to let their
identity be known may have valid reasons for wanting to hide, but that
edge case shouldn't be determining functionality.
"the software should be changed so that gravatars are not used for these
sorts of posts" << what sorts of posts? The software should not be
changed. And the text that is displayed about it can be left to the theme.
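The description proposes two site-side measures: not requesting a gravatar for comments left by visitors who were not logged in, or keeping gravatars but telling the commenter that an avatar derived from the e-mail address will be shown. Both can be done from a theme or plugin without touching core. The following is an added example and is not code from WordPress core or from anyone on this ticket. It assumes the WordPress 3.0.x `get_avatar` filter signature (`$avatar, $id_or_email, $size, $default, $alt`), a theme that renders its form with `comment_form()`, a placeholder image at `images/anonymous.png` inside the theme, and a hypothetical site option `example_hide_anon_avatars` used to switch between the two behaviours.

```php
<?php
/*
 * Added example, not WordPress core code. Drop into a theme's functions.php
 * or a small plugin. When the (hypothetical) option example_hide_anon_avatars
 * is true, comments by non-logged-in visitors get a local placeholder instead
 * of a Gravatar; when it is false, gravatars stay on and the comment form
 * tells the visitor that an e-mail-derived avatar will be displayed.
 */

function example_hide_anonymous_gravatar( $avatar, $id_or_email, $size, $default, $alt ) {
	// Hypothetical site setting; defaults to hiding.
	if ( ! get_option( 'example_hide_anon_avatars', true ) ) {
		return $avatar;
	}
	// Only act on comment objects; author boxes and admin screens pass ids or e-mails.
	if ( ! is_object( $id_or_email ) || empty( $id_or_email->comment_ID ) ) {
		return $avatar;
	}
	// A registered user tied the comment to an account deliberately; keep their avatar.
	if ( ! empty( $id_or_email->user_id ) ) {
		return $avatar;
	}
	// Anonymous commenter: serve a local image so that no gravatar.com URL carrying a
	// stable identifier derived from the e-mail address reaches the browser.
	$size = (int) $size;
	$src  = esc_url( get_template_directory_uri() . '/images/anonymous.png' ); // assumed path
	$alt  = esc_attr( $alt ? $alt : __( 'Anonymous commenter' ) );
	return "<img alt='$alt' src='$src' class='avatar avatar-$size photo' height='$size' width='$size' />";
}
add_filter( 'get_avatar', 'example_hide_anonymous_gravatar', 10, 5 );

function example_warn_about_gravatar( $fields ) {
	// Only needed when the site owner keeps gravatars for anonymous comments
	// and has avatars switched on at all (the core 'show_avatars' option).
	if ( get_option( 'example_hide_anon_avatars', true ) || ! get_option( 'show_avatars' ) ) {
		return $fields;
	}
	if ( isset( $fields['email'] ) ) {
		$fields['email'] .= '<p class="comment-notes">'
			. __( 'Your e-mail address is not published, but an avatar derived from it will be displayed next to your comment.' )
			. '</p>';
	}
	return $fields;
}
add_filter( 'comment_form_default_fields', 'example_warn_about_gravatar' );
```

The `get_avatar` filter only runs when the core `show_avatars` option is on, so the first function never fires on sites that have disabled avatars entirely. Themes that hard-code their own comment form instead of calling `comment_form()` will not pick up the notice and would need the text added to the template directly.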
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14682#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software