[wp-hackers] Plugin update & security / privacy
Andy Staines
andy at yellowswordfish.com
Mon Sep 24 16:36:14 GMT 2007
Personally I don't care that much but isn't this actually illegal in
some countries? I'm pretty sure it is here in Europe...
Andy
On 05:03 PM | Mon 24 Sep 07, at 05:03 PM | 24 Sep 07, Otto wrote:
> In the interests of clarity, let's state exactly what's going on.
>
> First case:
> Every 43200 seconds (12 hours) or so, depending on when your site is
> hit, the function will send a single HTTP request to
> http://api.wordpress.org. It sends the following information:
>
> WordPress Version
> PHP Version
> Locale setting (if there is one)
> The Blog's URL
>
> That's the main WordPress version check. It doesn't have anything to
> do with plugins. Disabling it is easy, one line of code will do it:
> remove_action('init','wp_version_check');
>
>
> Second case:
> Plugin update check. This occurs when you go to the plugin page and it
> has not checked for updates in more than 43200 seconds (12 hours). It
> also sends a single request to http://api.wordpress.org (different
> script though) consisting of:
> The Blog's URL
> WordPress Version
> Plugin names, url's, versions, etc. All the plugin info, basically,
> including inactive plugins.
>
> Disabling this is also easy, another one-liner:
> remove_action( 'load-plugins.php', 'wp_update_plugins' );
>
>
> WordPress and Automattic's privacy policies can be found here:
> http://automattic.com/privacy/
>
>
> Two things I have to say:
> 1. If the blog is set to "Private", on the privacy admin page, both of
> these should be disabled. Why? Because the user will have expressed a
> preference. Respect it.
> 2. There should be a link to the above privacy policy in the admin
> pages, somewhere.
>
> Given that WordPress has failed to do both of these, then yes, I agree
> that this "feature" is subversive and will cause an outcry. Regardless
> of *what* the information can be used (or not used) for, it's sending
> out information without informing the user of that fact or disclaiming
> what that information can and will be used to do. Furthermore, it has
> no opt-out mechanism, especially when there exists a mechanism already
> that allows the user to express such a preference.
>
> These two simple things are really not optional. They must be added.
> If you're collecting data, ever, then these are the absolute minimum.
>
> So, there's my 2 cents.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
More information about the wp-hackers
mailing list