[wp-hackers] Revisiting phone home and privacy

Lynne Pope lynne.pope at gmail.com
Mon Dec 7 06:33:24 UTC 2009


2009/12/7 Mark Jaquith <markjaquith at gmail.com>

> On Mon, Dec 7, 2009 at 12:08 AM, Lynne Pope <lynne.pope at gmail.com> wrote:
> > In the absence of any statement on wordpress.org to tell users what data is
> > being collected and how it is being used, I would like to know if WordPress
> > has found any need to collect blog URLs?  If it has, then this should be
> > disclosed; if it has not, then perhaps we should be replacing the blog URL
> > with an anonymous identifier.
>
> wordpress.org has a privacy policy that applies to any information
> sent to the site, which would include the API.
>
> http://wordpress.org/about/privacy/
>
> It's fairly standard. The meat:
>
> "WordPress.org will not rent or sell potentially
> personally-identifying and personally-identifying information"
>

That doesn't cover data that is sent from WordPress installs though, Mark. It
only relates to people who visit wordpress.org.

My question relates to the sending of the blog URL in the
http_headers_useragent. I still cannot see any reason why this information
is being sent to WordPress or what use WordPress is making of it. Since Matt
indicated that its use would be revisited, and that was 2 years ago with
nothing happening since, I'd like to know if there are any plans to change
this for non-identifying data or if even that is not needed.

The reason I'm asking now is that I have been fixing a site that was hacked.
The reason it was hacked was that the owner didn't know of an update that
would have protected his site. The reason he didn't know was because he was
using plugins to prevent update checks - and was only using those because he
didn't want to send his site URL to WordPress. (Ok, he would have known if
he had been keeping track of updates externally, but this is a case where
privacy concerns removed an important feature from WordPress and
disadvantaged him in the process).

A quick look at the plugins shows that people are still disabling these
update checks:
http://wordpress.org/extend/plugins/search.php?q=core+update+notification
How many are doing this just because they want to protect their privacy?

Lynne
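
An added example, not part of the original post and not WordPress core code, of the idea raised in this message: a filter on `http_headers_useragent` that replaces the blog URL with a keyed anonymous identifier while leaving update checks enabled. It assumes the header has the form `WordPress/<version>; <blog URL>`; the function names `anon_site_id` and `anonymise_user_agent` are hypothetical.

```php
<?php
// Added example. Assumption: the outgoing User-Agent looks like
// "WordPress/<version>; <blog URL>". Function names are hypothetical.

// Derive a stable per-install identifier from the site URL.
// A keyed hash (HMAC) is used rather than a plain hash so that someone who
// guesses the URL cannot confirm it by hashing it themselves.
function anon_site_id($site_url, $secret) {
    // Normalise so "http://Example.com/" and "http://example.com" match.
    $normalised = strtolower(rtrim($site_url, '/'));
    return substr(hash_hmac('sha256', $normalised, $secret), 0, 32);
}

// Swap the URL part of the User-Agent for the anonymous identifier.
function anonymise_user_agent($user_agent, $site_url, $secret) {
    $parts = explode('; ', $user_agent, 2);
    if (count($parts) !== 2 || strpos($parts[0], 'WordPress/') !== 0) {
        return $user_agent; // unexpected format: leave it untouched
    }
    return $parts[0] . '; ' . anon_site_id($site_url, $secret);
}

// Inside WordPress, hook the filter named in the message above.
if (function_exists('add_filter')) {
    add_filter('http_headers_useragent', function ($ua) {
        // wp_salt() supplies a per-install secret from the site's keys.
        return anonymise_user_agent($ua, get_bloginfo('url'), wp_salt('auth'));
    });
} else {
    // Stand-alone run with constructed sample values.
    echo anonymise_user_agent(
        'WordPress/2.8.6; http://blog.example.com',
        'http://blog.example.com',
        'constructed-sample-secret'
    ), "\n";
}
```

The identifier stays the same across requests from one install, so it can still be counted as a single site, but it cannot be mapped back to a URL without that install's secret.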

