[wp-hackers] Revisiting phone home and privacy

[Doug Stewart]

On 12/9/09, Otto <otto at ottodestruct.com> wrote:
> Notice what he said though: "let's just close it until there are
> compelling new arguments".
>
> That's basically what I'm looking for here. What is a legitimate,
> real-world, argument to provide such an option?
>

We're not providing disclosure of 1) the fact that WordPress is
submitting the data 2) what Automattic does/intends to do with said
data and 3) not allowing a chance to opt-out before the data is sent
the very first time -- i.e., you have to install a plugin and activate
it, thus firing the update check *at least once* in order to complete
the opt-out.

> To put it another way: Would you use such a privacy option?

I personally wouldn't. My chief clients would.

> Why would you use it?

To prevent a fairly detailed application profile of my install from
being sent to and potentially stored by a third party in a way that is
directly traceable to me/my installation.

> What rationale can you provide that isn't mere paranoia,
> but is actually a reasonable and logical reason for not giving
> somebody the info described previously?
>

Is it "paranoia" to worry about my credit card company's databases
being compromised and thus revealing far more information about me
than I want public? Is it "paranoia" to be concerned about the same
thing when it comes to my health care insurance provider? Is it
paranoid for me to worry about Facebook sharing my contact
information, likes, dislikes, etc. with third party advertisers?

You seem to be making the argument that "Well, if you install
WordPress, you're defacto signing away any notions of privacy, at
least inasmuch as Automattic is concerned".

The plain point of the matter is that the base/core WordPress project
is not even disclosing this submission of data, which could
potentially be illegal in certain jurisdictions. A single blog post
made > 2 years ago concerning a version of the software that is 6+
versions out of date with the current is NOT sufficient disclosure.
How many WP installs have been deployed since Sept. 2007? How many
people have been added to the WP community in that time? (Snarky
aside: The very functionality under discussion could actually allow us
to answer those questions with some degree of certainty...) Are they
going to know enough to go back and peruse those blog posts?

The point that I have yet to see YOU make is a compelling case for WHY
a blog's URL needs to be sent to Automattic at all. Why not an MD5
hash of the URL, as was suggested in this thread, the '07 thread and
the Trac ticket? This guarantees uniqueness with at least a gloss of
anonymity, potentially satisfying both ends of the transaction's
concerns.

Opt-out options, full disclosure, etc. are part of the social
engineering/social compact/good citizen argument, which is a separate
matter from the technical concerns.

-- 
-Doug
@zamoose
http://literalbarrage.org/blog/