[wp-hackers] Revisiting phone home and privacy

Lynne Pope lynne.pope at gmail.com
Mon Dec 7 08:36:26 UTC 2009


2009/12/7 Mark Jaquith <markjaquith at gmail.com>

> On Mon, Dec 7, 2009 at 1:33 AM, Lynne Pope <lynne.pope at gmail.com> wrote:
> > That doesn't cover data that is sent from WordPress installs though Mark. It
> > only relates to people who visit wordpress.org.
>
> It specifically mentions data sent from servers (my emphasis):
>
> > Like most website operators, WordPress.org collects
> > non-personally-identifying information of the sort that web browsers ***and
> > servers*** typically make available
>

This does not cover data collected from software. If any reasonable person
read that statement they would infer that it relates to visiting
wordpress.org and what information may be disclosed on wordpress.org, but
not what information is collected when they install the WordPress
application.


> And it specifically mentions api.wordpress.org, which is what
> WordPress installs contact (my emphasis):
>
> > WordPress.org may collect statistics about the behavior of visitors to
> > its websites. For instance, WordPress.org may reveal how many downloads a
> > particular version got, or say which plugins are most popular based on
> > checks from ***api.wordpress.org, a web service used by WordPress
> > installations to check for new versions of WordPress and plugins***.
>

"from its websites" - no mention of what is collected from other people's
websites without their explicit permission.


>
> > My question relates to the sending of the blog URL in the
> > http_headers_useragent. I still cannot see any reason why this information
> > is being sent to WordPress or what use WordPress is making of it.
>
> For one thing, it gives us a nice, standard, unique identifier for the
> blog. That's what URLs were made for! Matt suggested some theoretical
> anonymous uses that related to looking for patterns.
>

This is also not anonymous and no opt-in, consent or otherwise is available.
There are other ways of submitting unique identifiers without compromising
privacy.


>
> > Since Matt
> > indicated that its use would be revisited, and that was 2 years ago with
> > nothing happening since, I'd like to know if there are any plans to change
> > this for non-identifying data or if even that is not needed.
>
> I haven't seen any continuing strenuous objections. I know I'm the one
> that started that thread — but my objections were largely addressed by
> Matt's responses and the privacy policy. The privacy policy makes it
> pretty clear what WordPress.org can and can't do with the data. So no,
> I'm not aware of any plans to change this.
>

Sure, there was a knee-jerk reaction back in 2007 but given the responses at
that time (specifically, "if you don't like it, fork") it's not surprising
that people just shut up and either went their own way or hacked the core.
The question still remains - why does WordPress need to use an identifying
blog URL and why is it such a big deal to change this?


> The more I thought about it, the more my knee-jerk objections faded
> away. Your server is doing an HTTP request, so the server knows your
> server's IP address. You can figure out what blog domains are hosted
> on that IP with a search on Bing or several other search engines. So
> if WordPress.org really wanted to know your URL, it could find it.
>

Irrelevant. A lot of information is discoverable if anyone wants to search
for it. If WordPress wanted to run whois and IP lookups that is up to
WordPress. People should not be mandated to hand over personal information
without knowledge that they are doing so and without the option to opt-in to
this.


> > The reason I'm asking now is that I have been fixing a site that was hacked.
> > The reason it was hacked was that the owner didn't know of an update that
> > would have protected his site. The reason he didn't know was because he was
> > using plugins to prevent update checks - and was only using those because he
> > didn't want to send his site URL to WordPress. (Ok, he would have known if
> > he had been keeping track of updates externally, but this is a case where
> > privacy concerns removed an important feature from WordPress and
> > disadvantaged him in the process).
> >
> > A quick look at the plugins shows that people are still disabling these
> > update checks:
> > http://wordpress.org/extend/plugins/search.php?q=core+update+notification
> > How many are doing this just because they want to protect their privacy?
>
> That sounds like a case of squashing a fly with a sledgehammer. If you
> still feel strongly about not sending a URL, even after reading the
> WordPress.org privacy policy and doing a few "ip:<server IP>" searches
> on Bing, there are ways of doing that without completely eliminating
> update checks. As a WordPress consultant, I would hope that you would
> strongly advise your clients against eliminating update checks!
>

What I would advise has no bearing on what people are actually doing. The
plugins are available and people are using them. While I see the update
checks as invaluable, not everyone knows how to anonymise these.

It seems such a trivial change to make - why not just a "send stats to
wordpress.org y/n" to switch the blog URL on or off?
At the moment, I'm just at a loss as to how to respond to the questions I am
getting about this, especially when I agree with people who don't like this
aspect of WordPress.

Lynne
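
Added example, not part of the original message and not WordPress core code: one way to keep update checks working while replacing the blog URL in the `http_headers_useragent` value with an opaque per-site identifier. The function names, the `example_ua_secret` option name and the sample version and URL are assumptions made for illustration.

```php
<?php
// Added example (not WordPress core code). Function names, the option name
// and the sample values below are assumptions made for illustration.

// Derive a stable identifier that cannot be mapped back to the URL without
// the locally held secret; a bare hash could be matched by hashing guesses.
function example_opaque_site_id(string $site_url, string $secret): string
{
    $normalized = strtolower(rtrim(trim($site_url), '/'));
    return substr(hash_hmac('sha256', $normalized, $secret), 0, 32);
}

// Default header shape: "WordPress/<version>; <blog URL>". Keep the product
// token, drop everything after the first ';' and append the opaque id.
function example_rewrite_user_agent(string $user_agent, string $site_url, string $secret): string
{
    $product = trim(explode(';', $user_agent, 2)[0]);
    if (strpos($product, 'WordPress/') !== 0) {
        $product = 'WordPress'; // unexpected shape: fail closed, send no URL
    }
    return $product . '; id-' . example_opaque_site_id($site_url, $secret);
}

if (function_exists('add_filter')) {
    // Inside WordPress: create the secret once and keep it in the local
    // database. The filter applies to every request made through the HTTP API.
    add_filter('http_headers_useragent', function ($user_agent) {
        $secret = get_option('example_ua_secret');
        if (!$secret) {
            $secret = bin2hex(random_bytes(32));
            add_option('example_ua_secret', $secret);
        }
        return example_rewrite_user_agent($user_agent, get_bloginfo('url'), $secret);
    });
} else {
    // Stand-alone run with constructed sample values.
    $ua = 'WordPress/2.8.6; http://blog.example.org';
    echo example_rewrite_user_agent($ua, 'http://blog.example.org/', 'constructed-secret'), PHP_EOL;
}
```

The receiving server still sees the source IP address of the request, as the quoted reply points out; this only takes the URL out of the header.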

