Page 10 of 29 (Results 91 to 100 of 289)

Thread: WordPress and phone home

  1. #91 Otto (On The Rocks; Memphis, TN; joined Apr 2009; 862 posts)

    Figured this was relevant.

    From a technical standpoint, note that ALL requests made by the HTTP API send your blog URL as part of the useragent. This means that any RSS feed you retrieve or see has the blog URL in it.

    The core update check is where the PHP and MySQL version are sent, along with locale for language determination and such.

    The plugin and theme update checks send the plugin information and theme information only, though the blog URL is in the useragent as well.

    Relevant code:

    Core update:
    PHP Code:
    $url = "http://api.wordpress.org/core/version-check/1.3/?version=$wp_version&php=$php_version&locale=$locale&mysql=$mysql_version&local_package=$local_package";

    $options = array(
        'timeout'    => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
        // blog URL goes out in the user-agent of this request
        'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
    );

    $response = wp_remote_get( $url, $options );

    Plugin update:
    PHP Code:
    $options = array(
        'timeout'    => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
        // serialized list of installed plugins is POSTed in the body
        'body'       => array( 'plugins' => serialize( $to_send ) ),
        'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
    );

    $raw_response = wp_remote_post( 'http://api.wordpress.org/plugins/update-check/1.0/', $options );

    Theme update:
    PHP Code:
    $options = array(
        'timeout'    => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
        // serialized list of installed themes is POSTed in the body
        'body'       => array( 'themes' => serialize( $themes ) ),
        'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
    );

    $raw_response = wp_remote_post( 'http://api.wordpress.org/themes/update-check/1.0/', $options );
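The receiving side of what Otto describes, as an added example that is not code from this thread or from WordPress: a short PHP script showing what the operator of any host a WordPress site fetches from (a feed, or an update API) can recover from an ordinary access log, given the default user-agent quoted above ("WordPress/<version>; <blog url>"). The log lines are constructed for the example and use documentation IP ranges; the one client whose user-agent carries only a version number stands for a site that has stripped the URL.

```php
<?php
// Added example; not code from the thread or from WordPress core. It shows what
// a feed or API host learns from its own access log when WordPress fetches a
// URL with the default user-agent "WordPress/<version>; <blog url>".
// The log lines below are constructed for this example (documentation IP ranges).

$access_log = <<<'LOG'
203.0.113.10 - - [12/Jan/2010:10:15:32 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "WordPress/2.9.1; http://blog.example.com"
203.0.113.10 - - [12/Jan/2010:10:16:01 +0000] "POST /plugins/update-check/1.0/ HTTP/1.0" 200 310 "-" "WordPress/2.9.1; http://blog.example.com"
198.51.100.7 - - [12/Jan/2010:10:17:45 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "WordPress/2.8.6; http://shop.example.org"
192.0.2.55 - - [12/Jan/2010:10:18:02 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5.6"
192.0.2.56 - - [12/Jan/2010:10:19:20 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "WordPress/2.9.1"
LOG;

/**
 * Parse combined-format access log lines and return one record per
 * WordPress client. Records are keyed by the blog URL the user-agent
 * disclosed; a client whose user-agent carries no URL (the version-only
 * form that the filters discussed in this thread produce) is keyed by IP.
 */
function wordpress_clients_from_log( $log ) {
    $clients = array();
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        // Client IP is the first field; referer and user-agent are the
        // last two quoted fields of a combined-format line.
        if ( ! preg_match( '/^(\S+) .*"([^"]*)" "([^"]*)"$/', $line, $m ) ) {
            continue;
        }
        $ip = $m[1];
        $ua = $m[3];
        // Default WordPress HTTP API user-agent; the URL part is optional.
        if ( ! preg_match( '#^WordPress/([^;\s]+)(?:;\s*(\S+))?$#', $ua, $w ) ) {
            continue; // browsers and other clients are not of interest here
        }
        $version = $w[1];
        $blog    = isset( $w[2] ) ? $w[2] : null;
        $key     = ( $blog !== null ) ? $blog : 'ip:' . $ip;
        if ( ! isset( $clients[ $key ] ) ) {
            $clients[ $key ] = array( 'blog' => $blog, 'ips' => array(), 'versions' => array(), 'requests' => 0 );
        }
        // The same URL seen from one IP across feed fetches and update checks
        // is the cross-referencing objection raised later in the thread: the
        // URL ties the request to a host whose owner can be looked up.
        $clients[ $key ]['ips'][ $ip ]           = true;
        $clients[ $key ]['versions'][ $version ] = true;
        $clients[ $key ]['requests']++;
    }
    return $clients;
}

foreach ( wordpress_clients_from_log( $access_log ) as $key => $c ) {
    printf( "%-26s ips=%-13s wp=%-6s requests=%d\n",
        ( $c['blog'] === null ) ? '(no URL) ' . $key : $c['blog'],
        implode( ',', array_keys( $c['ips'] ) ),
        implode( ',', array_keys( $c['versions'] ) ),
        $c['requests'] );
}
```

Run it with `php` on the command line. The two blogs that send the default user-agent come out keyed by their URL, with their WordPress version and the number of requests seen; the client that sends only "WordPress/2.9.1" can be keyed by IP alone, which is what the filters proposed later in the thread reduce the host to.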

  2. #92 Otto (On The Rocks; Memphis, TN; joined Apr 2009; 862 posts)

    Quote Originally Posted by Elpie:
    If Automattic were to be sold to Google tomorrow would any of you be comfortable with this data being sent from your sites? I sure as hell wouldn't!
    I use Google Analytics. Rest assured that the amount of data gathered by WordPress seems useless and trivial by comparison to the data that sucker gets.

  3. #93 chipbennett (WordPress Legend; St. Louis, MO; joined Feb 2009; 1,992 posts)

    Quote Originally Posted by Otto:
    Why do you consider the data non-anonymous? You think a blog URL, a public piece of information that is known by everybody, is somehow not anonymous?

    A URL does not magically produce identity. It's a website. A domain. It doesn't tie anything to anybody unless you let it.

    I reject the notion that the URL is non-anonymous or private data to begin with.
    A URL is most assuredly non-anonymous, as it can be linked quite readily to a real, live person, business, or other entity.

    Again, it is not the URL itself, but rather the ability to cross-reference the URL with personally identifiable or professionally proprietary information.

    Do you believe that the risk associated with this case is somehow "high"?
    I cannot answer that question, without knowing either a) the api.wordpress data retention policy, or b) the severity of impact of a data breach of api.wordpress.

    The plugin I posted earlier appears to have been badly written originally, after examining it. I'd suggest making a plugin filter the request itself, in the new HTTP API. Specifically, you'd want to filter http_request_args and http_headers_useragent to eliminate any instances of the blog URL. Not particularly difficult to do with some str_replace work.
    So, I'd need to learn how to write such a filter, and then how to tie configurable privacy-option settings into it (as well as how to add such options to options-privacy.php, which, hopefully, would be fairly straightforward?).

    I take the viewpoint that in order to build, one must first tear existing structures down.
    True enough; it's just more helpful when that which is being torn down is an idea, rather than a person - and that the re-building is a bit more... obvious.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  4. #94 Elpie (Here For The Peanuts; New Zealand; joined Nov 2009; 168 posts)

    Quote Originally Posted by Brad:
    Can you point out which WP files or code or both are responsible for the phone home feature?
    /wp-includes/update.php
    /wp-includes/http.php

    update.php gathers all the data, http.php sets the user-agent string which includes the blog URL.

    If you want to see what is sent from your blog go and grab Dion's Core Control plugin. http://dd32.id.au/wordpress-plugins/...n=core-control

  5. #95 Otto (On The Rocks; Memphis, TN; joined Apr 2009; 862 posts)

    Quote Originally Posted by chipbennett:
    So, I'd need to learn how to write such a filter, and then how to tie configurable privacy-option settings into it (as well as how to add such options to options-privacy.php, which, hopefully, would be fairly straightforward?).
    Filters are easy verging on trivial. Here's one:

    PHP Code:
    function paranoia_useragent( $agent ) {
        global $wp_version;
        // Drop the "; <blog url>" part and send the version alone.
        return 'WordPress/' . $wp_version;
    }
    add_filter( 'http_headers_useragent', 'paranoia_useragent' );
    Voila, no more URL in the user agent.

    Settings sections are more complex, but easy once you know how. I wrote a tutorial on the topic, in fact.

    Plagiarizing from my own work a bit:
    PHP Code:
    function paranoia_admin_init() {
      register_setting( 'privacy', 'paranoia_options', 'paranoia_options_validate' );
      add_settings_section( 'paranoia_main', 'Paranoia', 'paranoia_section_text', 'privacy' );
      // The field must be added to the same 'privacy' page as its section, or it never renders.
      add_settings_field( 'paranoia_enable', 'Activate Paranoid Mode', 'paranoia_setting_enable', 'privacy', 'paranoia_main' );
    }
    function paranoia_section_text() {
      echo '<p>Disable sending your blog URL to anybody.</p>';
    }
    function paranoia_setting_enable() {
      $options = get_option( 'paranoia_options' );
      $enabled = ! empty( $options['enable'] ) ? 1 : 0;
      // checked() with $echo = false returns the attribute instead of printing it,
      // so it can be concatenated into the string being echoed.
      echo "<input id='paranoia_enable' name='paranoia_options[enable]' type='checkbox' value='1' " . checked( 1, $enabled, false ) . " />";
    }
    function paranoia_options_validate( $input ) {
      $newinput = array();
      // Unchecked boxes are not submitted at all, so test for presence, not just value.
      $newinput['enable'] = ( ! empty( $input['enable'] ) && $input['enable'] == 1 ) ? 1 : 0;
      return $newinput;
    }
    add_action( 'admin_init', 'paranoia_admin_init' );
    And then $options = get_option('paranoia_options'); $options['enable'] will, of course, get your enabled flag anywhere in the system.

    That's off-the-cuff code, of course. Might need proofing.
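The two pieces above joined into one plugin, as an added example that is not Otto's code or a published plugin: the "Paranoid Mode" setting from post #95 gates a user-agent filter, and the plugin name and file header are assumptions for the example. One practical point it has to handle: the core, plugin and theme update code quoted in post #91 passes its own 'user-agent' option, so, assuming the http_headers_useragent filter only supplies the HTTP API's default and a caller's explicit option overrides it, that filter alone would leave those requests untouched. Filtering http_request_args as well, which Otto mentions in post #93, catches them after the caller's options are merged; the URL is removed with str_replace as he suggests there, so a custom user-agent that happens to contain the URL is cleaned too.

```php
<?php
/*
Plugin Name: Paranoia
Description: Added example assembled from post #95 (not Otto's own plugin, name assumed for the example). When Paranoid Mode is on, the blog URL is stripped from the user-agent of every outbound HTTP API request.
*/

// Setting, section and field from post #95; the field is registered on the
// 'privacy' page so it renders next to its section on options-privacy.php.
function paranoia_admin_init() {
    register_setting( 'privacy', 'paranoia_options', 'paranoia_options_validate' );
    add_settings_section( 'paranoia_main', 'Paranoia', 'paranoia_section_text', 'privacy' );
    add_settings_field( 'paranoia_enable', 'Activate Paranoid Mode', 'paranoia_setting_enable', 'privacy', 'paranoia_main' );
}
add_action( 'admin_init', 'paranoia_admin_init' );

function paranoia_section_text() {
    echo '<p>Disable sending your blog URL to anybody.</p>';
}

function paranoia_setting_enable() {
    // checked() with $echo = false returns the attribute as a string.
    echo "<input id='paranoia_enable' name='paranoia_options[enable]' type='checkbox' value='1' "
        . checked( 1, paranoia_enabled(), false ) . " />";
}

function paranoia_options_validate( $input ) {
    // An unchecked box is not submitted at all, so test for presence.
    return array( 'enable' => empty( $input['enable'] ) ? 0 : 1 );
}

// The one place the flag is read; usable anywhere in the system.
function paranoia_enabled() {
    $options = get_option( 'paranoia_options' );
    return ! empty( $options['enable'] ) ? 1 : 0;
}

// Remove the blog URL from a user-agent string. For the default
// "WordPress/<version>; <url>" this leaves "WordPress/<version>"; for any
// other string containing the URL it removes just the URL.
function paranoia_strip_url( $agent ) {
    if ( ! paranoia_enabled() ) {
        return $agent;
    }
    $url   = get_bloginfo( 'url' );
    $agent = str_replace( '; ' . $url, '', $agent );
    return str_replace( $url, '', $agent );
}

// Covers callers that rely on the HTTP API's default user-agent.
add_filter( 'http_headers_useragent', 'paranoia_strip_url' );

// update.php passes its own 'user-agent' option (see the code quoted in
// post #91), which bypasses the default and therefore the filter above.
// http_request_args runs after the caller's options are merged, so it
// sees that explicit value and can clean it too.
function paranoia_request_args( $args, $url ) {
    if ( isset( $args['user-agent'] ) ) {
        $args['user-agent'] = paranoia_strip_url( $args['user-agent'] );
    }
    return $args;
}
add_filter( 'http_request_args', 'paranoia_request_args', 10, 2 );
```

With the box ticked, the plugin and theme update checks still send their serialized plugin and theme lists in the POST body, and the core check still sends the PHP, MySQL and locale query parameters shown in post #91; this plugin only addresses the URL in the user-agent, which is the part the thread is discussing. To confirm the effect, look at the request with the Core Control plugin Elpie mentions in post #94 before and after enabling the setting.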

  6. #96 ifranky (Hello World; Cyprus; joined Dec 2009; 37 posts)

    Elpie, but it has taken many years before Google's privacy started to be watched and analysed. And trust me Google knows much more about most of its users than Automattic could query together.
    Adsense is becoming more and more targeted. Personalised search results, great... but they tend to come with more targeted ads all over our dearest internet.

    That said, I agree with the list you compiled and, as I mentioned earlier, you also have to add Polldaddy to the list and the ability to tie your votes to your blogs, comments and so on. WP.org and WP.com also collect data via Quantserve.
    The only question: has WP become that big that people will consider it a potential danger? (Hint: yes, of course)

    Quote Originally Posted by Elpie:
    Frankly, the more resistance there is to addressing privacy concerns the more red lights start flashing.
    Bingo. The more resistance, the more momentum privacy defenders can create and the bigger the buzz could become.

  7. #97 Brad (Here For The Peanuts; USA; joined Jan 2009; 142 posts)

    So couldn't I simply remove ' . get_bloginfo( 'url' ) from the relevant code listed above to keep my URL from being sent?

  8. #98 Elpie (Here For The Peanuts; New Zealand; joined Nov 2009; 168 posts)

    Quote Originally Posted by Otto:
    Hashes are not reversible. That's what makes them a hash.
    So you trust MD5 hashes then? Decrypting these is not that difficult.

    To me, an API_KEY in config makes more sense. Akismet uses this method and adding another key to config to be autogenerated when the other four are would be simple.

  9. #99 Elpie (Here For The Peanuts; New Zealand; joined Nov 2009; 168 posts)

    Quote Originally Posted by Brad:
    So couldn't I simply remove ' . get_bloginfo( 'url' ) from the relevant code listed above to keep my URL from being sent?
    Yes, you can. The updates work just fine without the blog URL. This doesn't prevent too much information being sent with the theme and plugin update checks though.

    You can also use this filter:

    Code:
    function privacy_remove_url( $default ) {
        global $wp_version;
        // Return the version-only string in place of the default user-agent.
        return 'WordPress/' . $wp_version;
    }

    add_filter( 'http_headers_useragent', 'privacy_remove_url' );

  10. #100 Otto (On The Rocks; Memphis, TN; joined Apr 2009; 862 posts)

    Quote Originally Posted by Elpie:
    It does not get your PHP/MySQL versions or the data from plugins and themes. It gets only what is available for it to get from the front end of your site.
    It gets every single click every viewer of your site makes. It's a fairly awesome collection of data.

    And again, your version numbers and plugin info are useless except in aggregate form. Large scale statistics. Knowing what version of PHP *you specifically* run is useless information. Knowing that 11% of all users run PHP 4 is very useful information.

    I've had this same argument before, in fact, back on the Tivo forums. Tivos collect a large amount of data and send it back. In theory, it's possible to determine what programs a specific person watched, what ads they skipped, very detailed stuff. In reality, nobody cares what you do. They care about what the masses do. Tivo didn't store all that massive amount of information that they collected. They ran it through analyzers and filters and other things to get useful stats. The raw data got dumped after a day or two, because it was totally useless to them.
