[wp-hackers] Revisiting phone home and privacy

Doug Stewart zamoose at gmail.com
Wed Dec 9 21:11:40 UTC 2009

On 12/9/09, Otto <otto at ottodestruct.com> wrote:
> Yes, yes, and no.
> Credit card companies have been exploited fairly regularly. However,
> nobody much cares because I and anybody else can get a copy of your
> credit report for just a few bucks, with nothing more than your name
> and perhaps your address or past address. Credit information is
> generally public by its very nature. If I got your credit card number,
> I could charge a few things up, but you wouldn't owe squat, and I'd
> get cut off and probably caught fairly quickly nowadays. Fraud
> detection has advanced leaps and bounds. I know this from working
> directly with several credit card companies on the subject.

Bad example #1. Credit cards "ship" to their users wrapped in reams of
disclosure statements, privacy statements, etc.  WordPress doesn't.

> Health care information is protected by laws and medical ethics and
> such, so while it's not paranoid to be sure that the company uses
> HIPAA certified software, it is paranoid to require that they tell you
> in advance. They all use HIPAA software, because the alternative is
> basically jail-time.

Bad example #2. You explicitly sign a HIPAA disclosure form every time
you join a new plan, visit a new specialist or in some cases even when
you hand your prescription card over at Walgreens. WordPress doesn't
disclose nor does it ask your consent.

> Facebook, on the other hand, has had many privacy problems. They are
> trying to address them, and generally failing at it, IMO.

Bad example #3. FB has a ToS and a privacy policy that everyone that
signs up with them agrees to. WordPress does not.

>> You seem to be making the argument that "Well, if you install
>> WordPress, you're defacto signing away any notions of privacy, at
>> least inasmuch as Automattic is concerned".
> Not at all. I'm making the argument that there's no particular damage
> that can be done with the information that can't be done without the
> information.

Simply untrue. You're thinking outside the firewall.  I'm thinking
inside (previously known as "Intranets").

> Many sites have lists of the plugins they use right on
> them.

And every single site that does so explicitly installed and activated
a plugin, of their own volition, in order to do so.

> You can browse the source of a site and make an educated guess
> at what plugins he's using. Heck, if you visit /wp-content/plugins on
> most sites, the directory isn't even protected against indexing, so
> you can see the list right there. This is not top-secret information
> here. Knowing what plugins you run helps not in the slightest for most
> things.

You can, certainly, as an anonymous third party.  You're also not the
provider, maintainer and architect behind the software running on
their site. WP.org/Automattic are.

> No, I disagree. The burden of proof is not on me, the burden of proof
> lies on the person wanting to obfuscate things for no reason that I
> can figure out.
> See, your URL is not top-secret information. It's information that is
> readily available.

Not true. See point above in re: intranets.

> It's in Google, it's in your address bar, your site
> sends it to Ping servers every time you post, it sends it to random
> other blogs as pingbacks whenever you link to them.

An inapt comparison. If my blog was sending a full dump of its WP
version, installed plugins, MySQL and PHP version strings, etc. to
every pingback service in the world, I'd have a problem with that too.

> Your URL is not something you hide anywhere else, it makes no sense to
> me to hide it here.

My point isn't the URL, it's the URL *in combination with a whole host
of other, less-publicly-available information*.


More information about the wp-hackers mailing list