[wp-hackers] Revisiting phone home and privacy

Otto otto at ottodestruct.com
Wed Dec 9 20:35:44 UTC 2009


On Wed, Dec 9, 2009 at 1:31 PM, Doug Stewart <zamoose at gmail.com> wrote:
> Is it "paranoia" to worry about my credit card company's databases
> being compromised and thus revealing far more information about me
> than I want public? Is it "paranoia" to be concerned about the same
> thing when it comes to my health care insurance provider? Is it
> paranoid for me to worry about Facebook sharing my contact
> information, likes, dislikes, etc. with third party advertisers?

Yes, yes, and no.

Credit card companies have been exploited fairly regularly. However,
nobody much cares because I and anybody else can get a copy of your
credit report for just a few bucks, with nothing more than your name
and perhaps your address or past address. Credit information is
generally public by its very nature. If I got your credit card number,
I could charge a few things up, but you wouldn't owe squat, and I'd
get cut off and probably caught fairly quickly nowadays. Fraud
detection has advanced leaps and bounds. I know this from working
directly with several credit card companies on the subject.

Health care information is protected by laws and medical ethics and
such, so while it's not paranoid to be sure that the company uses
HIPAA-certified software, it is paranoid to require that they tell you
in advance. They all use HIPAA software, because the alternative is
basically jail-time.

Facebook, on the other hand, has had many privacy problems. They are
trying to address them, and generally failing at it, IMO.

> You seem to be making the argument that "Well, if you install
> WordPress, you're defacto signing away any notions of privacy, at
> least inasmuch as Automattic is concerned".

Not at all. I'm making the argument that there's no particular damage
that can be done with the information that can't be done without the
information. Many sites have lists of the plugins they use right on
them. You can browse the source of a site and make an educated guess
at what plugins he's using. Heck, if you visit /wp-content/plugins on
most sites, the directory isn't even protected against indexing, so
you can see the list right there. This is not top-secret information
here. Knowing what plugins you run helps not in the slightest for most
things.

> The point that I have yet to see YOU make is a compelling case for WHY
> a blog's URL needs to be sent to Automattic at all. Why not an MD5
> hash of the URL, as was suggested in this thread, the '07 thread and
> the Trac ticket? This guarantees uniqueness with at least a gloss of
> anonymity, potentially satisfying both ends of the transaction's
> concerns.

No, I disagree. The burden of proof is not on me, the burden of proof
lies on the person wanting to obfuscate things for no reason that I
can figure out.

See, your URL is not top-secret information. It's information that is
readily available. It's in Google, it's in your address bar, your site
sends it to Ping servers every time you post, it sends it to random
other blogs as pingbacks whenever you link to them.

Your URL is not something you hide anywhere else, it makes no sense to
me to hide it here.

But if you want to hide it and send an MD5, then make a plugin to do
so. It's easy, and the solution to doing so has been posted in this
very thread.

> Opt-out options, full disclosure, etc. are part of the social
> engineering/social compact/good citizen argument, which is a separate
> matter from the technical concerns.

I've seen no legitimate reason for this sort of thing to be in the
core code. There's no valid reason I can find to opt-out of sending
your blog URL, considering that it's not sending any other
particularly useful information along with it. The URL is a unique
identifier, we use it as such all the time. Permalinks are used as
GUIDs on a regular basis. This is standard practice.

I'm not saying that you can't obfuscate your URL. I'm saying that it
should not be a checkbox in the core, for these reasons:
1. There's no really valid reason to do so, other than paranoia.
2. It creates confusion. A lot of silly "WordPress spies on me?" and
the like. No amount of explanation will make this otherwise.
3. It is something that only an extremely small percentage of users
would ever use. This makes it plugin territory, more or less by
definition.

Now, if you want to argue that this sort of thing should be a
Canonical Plugin, well, then I'd say you have more ground to stand
upon. I'd see no particular problem with that. I just don't care for
useless options in the core. There are far too many of them in there
already, IMO.

-Otto
Sent from Memphis, TN, United States
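The MD5-of-the-URL idea debated above, as an added example that is not code from this thread, from WordPress or from Automattic: it shows why a bare hash of a public URL gives only a gloss of anonymity, since anyone holding a list of candidate blog URLs (here a constructed list standing in for what a crawler, search index or ping server already knows) can recover the original by hashing each candidate and comparing. It contrasts that with a keyed HMAC under a secret the site alone holds, which the same lookup cannot reverse while still giving the update check a stable unique identifier. The candidate list, the secret and the `demo` function are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed list of blog URLs standing in for anything a crawler, a
# search index or a ping server already knows. Not real data.
CANDIDATE_URLS = [
    "http://example.com/",
    "http://blog.example.org/",
    "http://example.net/wordpress/",
    "http://photos.example.com/blog/",
]


def md5_site_id(url: str) -> str:
    """Identifier as suggested in the thread: bare MD5 of the blog URL."""
    return hashlib.md5(url.encode("utf-8")).hexdigest()


def keyed_site_id(url: str, secret: bytes) -> str:
    """HMAC-SHA256 of the URL under a secret only the site holds. The
    secret is assumed to be generated once and stored with the blog's
    other options; it never leaves the server."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_url(site_id: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the bare-MD5 scheme: hash each candidate
    URL and compare. This works because the input space (public URLs) is
    enumerable, not because MD5 itself is broken."""
    for url in candidates:
        if hmac.compare_digest(md5_site_id(url), site_id):
            return url
    return None


def demo(url: str = "http://example.net/wordpress/") -> dict:
    """Run both schemes for one site against the constructed candidate
    list: the MD5 id is recovered, the keyed id is not."""
    secret = secrets.token_bytes(32)  # per-site secret, constructed here
    plain_id = md5_site_id(url)
    keyed_id = keyed_site_id(url, secret)
    return {
        "md5_id": plain_id,
        "md5_recovered": recover_url(plain_id, CANDIDATE_URLS),
        "hmac_id": keyed_id,
        "hmac_recovered": recover_url(keyed_id, CANDIDATE_URLS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The keyed variant keeps the property the update check needs (the same site always reports the same identifier) without letting a third party tie the identifier back to a URL by lookup; whether that is worth a core option or a plugin is the question the message above argues, and the example does not settle it.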

