[wp-trac] [WordPress Trac] #16778: wordpress is leaking user/blog information during wp_version_check()
WordPress Trac
noreply at wordpress.org
Wed Jan 18 14:39:09 UTC 2017
#16778: wordpress is leaking user/blog information during wp_version_check()
----------------------------+------------------------------
Reporter: investici | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: minor | Resolution:
Keywords: has-patch | Focuses:
----------------------------+------------------------------
Comment (by Myatu):
Reading the Slack logs it is disappointing to see:
@sam [https://wordpress.slack.com/archives/design/p1484173435001106 Slack
log]:
> ... but data collected that is "non-identifiable" or "un-identified" is
> not a privacy concern because there's no way to identify it.
> So, no, it's not on the privacy page.
and @michaelarestad
[https://wordpress.slack.com/archives/design/p1484174633001159 Slack log]:
> The answer is definitely nope. It’s a niche option that could be covered
> in a potentially super cool plugin.
So in a nutshell, WordPress.org considers sending 'non-identifiable' data
without the knowledge or consent of the end-user as "okay"?
If that is so, then WordPress.org is certainly running a conflicting
standard between its own developers and third party developers (a.k.a
[https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/ plugin developers]):
> The plugin may not “phone home” or track users without their informed,
> explicit, opt-in consent.
>
> In the interest of protecting user privacy, plugins may not contact
> external servers without the explicit consent of the user via requiring
> registration with a service or a checkbox within the settings.
> ...
> Documentation on how any user data is collected, and used, should be
> included in the plugin’s readme, preferably with a clearly stated privacy
> policy.
The plugin guideline does not state that there's an exception to
'non-identifiable' data, and there certainly ought not be any "It is okay if
WordPress.org does it" exception.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16778#comment:89>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform