[wp-hackers] Revisiting phone home and privacy

Will Norris will at willnorris.com
Wed Dec 9 00:49:51 UTC 2009

On Dec 7, 2009, at 10:40 PM, Matt Mullenweg wrote:

> On 2009-12-06 10:33 PM, Lynne Pope wrote:
>> The reason it was hacked was that the owner didn't know of an update that
>> would have protected his site. The reason he didn't know was because he was
>> using plugins to prevent update checks - and was only using those because he
>> didn't want to send his site URL to WordPress. (Ok, he would have known if
>> he had been keeping track of updates externally, but this is a case where
>> privacy concerns removed an important feature from WordPress and
>> disadvantaged him in the process).
> One would imagine if you install a "disable update check" plugin you'd be conscious of the responsibility of checking for updates manually.
> Even with updates on many people don't update, unfortunately.
> There was a different plugin that just hashed the URL but still checked for updates, which we recommended for the paranoid.
> All in all though, not a high priority. I've never met anyone in person who disables update checks.* (Maybe they're scared to come to WordCamps.)
> * I have met people who disabled it for clients whose sites they managed and were responsible for.

It seems like lines are getting crossed (or perhaps I'm mis-reading some of these)... Lynne isn't asking for, nor advocating, disabling of update checks.  Everyone in the community agrees that updates are vitally important for security.  Lynne's point is that many of the people who disable updates or not doing it because they don't want the security.  They do it because it's the only way they know to prevent identifying data from being sent to wordpress.org.  

I can't help but think of a lot of software I have on my Mac... the first time I run it, it pops up with a little window asking if I want to check for updates automatically (thanks Sparkle.framework).  And a number of them have an additional checkbox to "send additional system data", or whatever the language is.  These are two different things... turning on updates which *everyone* should do, and providing additional statistical data if you wish to.

I understand that there is a privacy policy which covers how the data can and cannot be used.  And yes, I do agree that it covers the data in question here, and there are methods of discovering the data by other means anyway (like the IP address).  But to ask "why so paranoid?" is placing the burden on the wrong party.  Privacy should be the status quo.  The right question is "why does WordPress.org need the data?"  (that's rhetorical, I understand the stats and stuff you do with the data).

If Automattic, the company, wants to require certain data to be provided to use various services like IntenseDebate or PollDaddy, that's fine... those are company products.  But as long as WordPress is a community effort, I would strongly vote +1 to adding options in WordPress core to prevent unnecessary identifying data from being sent during software update checks.  Besides, that privacy page is looking really lonely withe the sole "Blog Visibility" option.


More information about the wp-hackers mailing list