[wp-hackers] Revisiting phone home and privacy

Mark Jaquith markjaquith at gmail.com
Mon Dec 7 07:46:54 UTC 2009

On Mon, Dec 7, 2009 at 1:33 AM, Lynne Pope <lynne.pope at gmail.com> wrote:
> That doesn't cover data that is sent from WordPress installs though Mark. It
> only relates to people who visit wordpress.org.

It specifically mentions data sent from servers (my emphasis):

> Like most website operators, WordPress.org collects non-personally-identifying information of the sort that web browsers ***and servers*** typically make available

And it specifically mentions api.wordpress.org, which is what
WordPress installs contact (my emphasis):

> WordPress.org may collect statistics about the behavior of visitors to its websites. For instance, WordPress.org may reveal how many downloads a particular version got, or say which plugins are most popular based on checks from ***api.wordpress.org, a web service used by WordPress installations to check for new versions of WordPress and plugins***.

> My question relates to the sending of the blog URL in the
> http_headers_useragent. I still cannot see any reason why this information
> is being sent to WordPress or what use WordPress is making of it.

For one thing, it gives us a nice, standard, unique identifier for the
blog. That's what URLs were made for! Matt suggested some theoretical
anonymous uses that related to looking for patterns.

> Since Matt
> indicated that its use would be revisited, and that was 2 years ago with
> nothing happening since, I'd like to know if there are any plans to change
> this for non-identifying data or if it even that is not needed.

I haven't seen any continuing strenuous objections. I know I'm the one
that started that thread — but my objections were largely addressed by
Matt's responses and the privacy policy. The privacy policy makes it
pretty clear what WordPress.org can and can't do with the data. So no,
I'm not aware of any plans to change this.

The more I thought about it, the more my knee-jerk objections faded
away. Your server is doing an HTTP request, so the server knows your
server's IP address. You can figure out what blog domains are hosted
on that IP with a search on Bing or several other search engines. So
if WordPress.org really wanted to know your URL, it could find it.
Again, that's just based on the IP address, which you HAVE to send for
HTTP to work. If your URL is discoverable, and your IP address has to
be sent, withholding the URL doesn't actually get you more privacy,
ultimately. A search on ip: on Bing reveals
lynnepope.net, for instance (and for the record, I got that IP by
Google searching your name. :-) )

> The reason I'm asking now is that I have been fixing a site that was hacked.
> The reason it was hacked was that the owner didn't know of an update that
> would have protected his site. The reason he didn't know was because he was
> using plugins to prevent update checks - and was only using those because he
> didn't want to send his site URL to WordPress. (Ok, he would have known if
> he had been keeping track of updates externally, but this is a case where
> privacy concerns removed an important feature from WordPress and
> disadvantaged him in the process).
> A quick look at the plugins shows that people are still disabling these
> update checks:
> http://wordpress.org/extend/plugins/search.php?q=core+update+notification
> How many are doing this just because they want to protect their privacy?

That sounds like a case of squashing a fly with a sledgehammer. If you
still feel strongly about not sending a URL, even after reading the
WordPress.org privacy policy and doing a few "ip:<server IP>" searches
on Bing, there are ways of doing that without completely eliminating
update checks. As a WordPress consultant, I would hope that you would
strongly advise your clients against eliminating update checks!

Mark Jaquith
• http://markjaquith.com/http://coveredwebservices.com/

More information about the wp-hackers mailing list