[wp-hackers] Revisiting phone home and privacy
zamoose at gmail.com
Wed Dec 9 21:11:40 UTC 2009
On 12/9/09, Otto <otto at ottodestruct.com> wrote:

> Yes, yes, and no.
> Credit card companies have been exploited fairly regularly. However,
> nobody much cares because I and anybody else can get a copy of your
> credit report for just a few bucks, with nothing more than your name
> and perhaps your address or past address. Credit information is
> generally public by its very nature. If I got your credit card number,
> I could charge a few things up, but you wouldn't owe squat, and I'd
> get cut off and probably caught fairly quickly nowadays. Fraud
> detection has advanced leaps and bounds. I know this from working
> directly with several credit card companies on the subject.

Bad example #1. Credit cards "ship" to their users wrapped in reams of
disclosure statements, privacy statements, etc. WordPress doesn't.

> Health care information is protected by laws and medical ethics and
> such, so while it's not paranoid to be sure that the company uses
> HIPAA certified software, it is paranoid to require that they tell you
> in advance. They all use HIPAA software, because the alternative is
> basically jail-time.

Bad example #2. You explicitly sign a HIPAA disclosure form every time
you join a new plan, visit a new specialist or in some cases even when
you hand your prescription card over at Walgreens. WordPress doesn't
disclose nor does it ask your consent.

> Facebook, on the other hand, has had many privacy problems. They are
> trying to address them, and generally failing at it, IMO.

signs up with them agrees to. WordPress does not.

>> You seem to be making the argument that "Well, if you install
>> WordPress, you're defacto signing away any notions of privacy, at
>> least inasmuch as Automattic is concerned".

> Not at all. I'm making the argument that there's no particular damage
> that can be done with the information that can't be done without the

Simply untrue. You're thinking outside the firewall. I'm thinking
inside (previously known as "Intranets").

> Many sites have lists of the plugins they use right on

And every single site that does so explicitly installed and activated
a plugin, of their own volition, in order to do so.

> You can browse the source of a site and make an educated guess
> at what plugins he's using. Heck, if you visit /wp-content/plugins on
> most sites, the directory isn't even protected against indexing, so
> you can see the list right there. This is not top-secret information
> here. Knowing what plugins you run helps not in the slightest for most

You can, certainly, as an anonymous third party. You're also not the
provider, maintainer and architect behind the software running on
their site. WP.org/Automattic are.

> No, I disagree. The burden of proof is not on me, the burden of proof
> lies on the person wanting to obfuscate things for no reason that I
> can figure out.
> See, your URL is not top-secret information. It's information that is
> readily available.

Not true. See point above in re: intranets.

> It's in Google, it's in your address bar, your site
> sends it to Ping servers every time you post, it sends it to random
> other blogs as pingbacks whenever you link to them.

An inapt comparison. If my blog was sending a full dump of its WP
version, installed plugins, MySQL and PHP version strings, etc. to
every pingback service in the world, I'd have a problem with that too.

> Your URL is not something you hide anywhere else, it makes no sense to
> me to hide it here.

My point isn't the URL, it's the URL *in combination with a whole host
of other, less-publicly-available information*.