[wp-trac] [WordPress Trac] #14682: Privacy leakage: gravatars leak identity information
WordPress Trac
wp-trac at lists.automattic.com
Wed Aug 25 14:03:13 UTC 2010
#14682: Privacy leakage: gravatars leak identity information
-----------------------------+----------------------------------------------
Reporter: jmdh | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.0.1
Severity: normal | Keywords:
-----------------------------+----------------------------------------------
Comment(by jmdh):
Firstly - is it customary on this trac instance to edit the description
with commentary? Since there is no built-in attribution it might confuse
other people reviewing the bug.
Replying to [comment:3 jane]:
> 1. If someone really wants to remain anonymous, they shouldn't enter
> their real email into any web form, regardless of whether it will be
> published or not, because the site owner will always have access to it and
> there have been plenty of cases where an unscrupulous author has published
> a commenter's email address.
I disagree with this assertion. Clearly there are degrees of anonymity,
and providing an email address with the promise that it won't be published
is different to publishing it. I agree that you cannot necessarily trust a
third party site owner to renege on this promise, but the software itself
should not!
> 2. The site owner chooses whether to enable gravatar or not.
Yes, it's true that the site owner does have the ability to turn off
gravatars, and I will be recommending this to my users as a matter of
course in the absence of other fixes to this problem. However that's a
shame, because it means that gravatars aren't available where the user
doesn't mind being identified in that way.
This doesn't have any bearing on the basic validity of the defect,
however.
> 3. The theme decides whether gravatars will be shown or not.
In that case, please consider my bug report as including the default
themes shipped with WordPress.
> I think the scenario you outline is a case where the burden of anonymity
> should fall on the commenter; if they don't want their identity to be
> findable, they shouldn't be using their real identity to leave comments.
> Will some site owners kill those comments b/c they don't seem to have a
> real person behind them? Sure. But it's up to the site owner: WordPress
> puts the power in the site owner's hands. Someone unwilling to let their
> identity be known may have valid reasons for wanting to hide, but that
> edge case shouldn't be determining functionality.
Again, there are degrees of anonymity. If WordPress as a system isn't
willing to even support its promise not to publish the email identity of
the commenter, it should not make that promise.
> "the software should be changed so that gravatars are not used for these
> sorts of posts" << what sorts of posts?
The sort of comments which are made by non-authenticated parties (I
mistakenly used the term posts rather than comments previously).
> the software should not be changed.
I hope I've managed to clarify why I disagree with this statement.
> And the text that is displayed about it can be left to the theme.
In that case, please consider my bug report as including the default
themes shipped with WordPress.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14682#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software