[wp-trac] [WordPress Trac] #16778: wordpress is leaking user/blog information during wp_version_check()
WordPress Trac
noreply at wordpress.org
Wed Dec 7 09:00:31 UTC 2016
#16778: wordpress is leaking user/blog information during wp_version_check()
----------------------------+----------------------
 Reporter:  investici       |       Owner:
     Type:  enhancement     |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:  invalid
 Keywords:  has-patch       |     Focuses:
----------------------------+----------------------
Comment (by DvanKooten):
It saddens me to read through this ticket and notice the general
unwillingness to improve.
Let me start out by saying that the number of registered users I have on
my site tied to the URL that is sent with the tracking request gives out vital
information on how well my business could be doing. Information that is
mine and mine only.
If this is really used to "help plan and improve future updates" then
there are much more privacy-friendly ways to go about this. At the very
least we could make it very clear that WordPress is tracking this
information and what exactly it is doing with it. I really do not think
there is any excuse for that.
We would not opt-in to usage tracking in a plugin without knowing what
exactly it tracks. WordPress doesn't have to play by this rule as the
download is the opt-in, but let's at least make it super clear what we're
opting into then.
This becomes even more important as the collected data is not visible to
us, lone contributors outside of a8c. All we have is your word.
Replying to [comment:35 chriscct7]:
> As for this ticket, WordPress is now used by almost a quarter of the
> internet, and since 6 years ago a total of what appears to be just 6
> (quick count on my part; could be off +/-2) have expressed interest in a
> filter for this. Aside from the performance implications of calling
> apply_filter() which albeit while small is still a consideration factor,
> there is also WordPress's core philosophies of "Design for the majority"
> and "The Vocal Minority": https://wordpress.org/about/philosophy/. It is
> unlikely that of the many tens of millions of active WordPress installs
> more than a handful would actually use this filter. Furthermore,
> introducing new filters have to be done with care, particularly out of
> consideration for future development. Does a filter here prevent WordPress
> from being able to achieve future goals due to backwards compatibility
> concerns? Probably not, but again another thing to consider.
This is a very oversimplified way of looking at things. Just because only
6 people replied to this Trac ticket does not mean that no one else has an
issue with this. WordPress sending the number of users your site has is
undocumented behaviour which you would only know of by going through the
WordPress source code, and we both know that the majority of WordPress
users never does this. Furthermore, you are comparing "a quarter of the
internet" vs "the # of Trac users". Certainly a quarter of the internet is
not using Trac.
Wrapping up: '''the very least we could do to improve is to document this
behavior and to create a page on what data exactly WordPress is
collecting, and why.'''
People should know without having to go through each line of code in
WordPress one by one, so they can make an informed decision on whether
they want this or not. Alternatively, WordPress should quit saying stuff
like "own your data", because apparently you don't.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16778#comment:44>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform