Results 181 to 190 of 289

Thread: WordPress and phone home

  1. #181
    zamoose (Hello World)
    Join Date: Nov 2009 | Location: Philadelphia, PA | Posts: 43

    A common complaint from those in favor of the status quo is: what harm could there possibly be in storing your URL? Allow me to give two examples to illustrate potential for harm.

    Military/Gov't Contractor blogging environment
    I don't know how many of you have worked for a military or US gov't contractor in the past, but one of their concerns when it comes to information disclosure is the revelation of employee names to third parties. Foreign intelligence officers (FIOs) from e.g. Syria, North Korea, China, Iran, etc. are always on the lookout for employee names/identifiable information so that they can potentially exploit that person as an intelligence asset, either via compromising their home (or work) machines with spear-phishing attacks or via direct physical surveillance. The vast majority of proprietary/classified information leaks come not through direct technological hacks/cracks but through social engineering and careful use of human factors (see Mitnick, et al.)

    In the event that a contractor is using WordPress internal to the company and employing custom themes or plugins whose authors (as is a good practice in the WP community) have identified themselves, the .org site is potentially storing said information in a way directly tied to the company. If WordPress.org inadvertently discloses the information in question, either through human error on their part or through a security breach by FIOs, you now have exploitable humint on discrete employees working for said contractors.

    If it was widely known, this fact alone is enough to make most contractors' IT departments ban WordPress outright. At the very least, they will disable update checking in its entirety. Neither of these situations is particularly a good thing.

    Political Dissident blogging environment
    I referred to FIOs above. For hostile/totalitarian regimes, FIOs generally serve two purposes: exploitation of information from gov't interests and observation/intimidation of political dissidents.

    As in the gov't contractor example I gave above, if dissidents are using any custom themes or plugins, their information could be accidentally disclosed to FIOs which could either lead to direct physical danger for themselves (if they are living within the borders of an oppressive state) or, in the case of ex-pats with families that remain behind, danger for their families still under the sway of these states.

    Or, say a plugin was written that made your stylesheet go green in support of the protestors in Iran. If WP.org's data was compromised, Iranian IOs would have access to a comprehensive list of folks running said plugin (and a list of everyone using the Farsi locale) and thus be able to narrow their intelligence-gathering and intimidation efforts based solely upon an installed plugin.

    If you think I'm being paranoid here, please see the recent examples of Egypt and Cuba jailing political bloggers and the Iranian intelligence services threatening expats (http://online.wsj.com/article/SB1259...LEFTTopStories)

    (I'm not even going to get into the area of compulsory legal disclosure of the info -- i.e., a third party brings suit or attempts to get law enforcement to retrieve .org's data based upon discovery or a warrant.)

    I sincerely and truly don't understand the resistance to 1) full disclosure of retention policies and 2) anonymization of data via a one-way hash. Contra Otto, it's not "just" a URL in these situations, it's real people whose real lives stand to be substantively affected in the event of a disclosure, unintentional or otherwise.

  2. #182
    zamoose (Hello World)
    Join Date: Nov 2009 | Location: Philadelphia, PA | Posts: 43

    Quote Originally Posted by PaulCunningham
    So basically this whole debate would not exist if the URL was hashed before it was transmitted?
    In large part, yes. And I suggested such on Trac two years ago when this debate first sprang up.
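
Added example, not part of the thread and not WordPress code: a Python illustration of the "hash the URL before it is transmitted" idea raised in posts #181 and #182. It shows that an unkeyed hash of a guessable URL can still be matched against a list of candidate URLs, while an HMAC keyed with a secret that stays on the site cannot. The function names, the sample URLs and the per-install secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample data: sites reporting in, and URLs an outsider might guess.
SITES = ["http://blog.example.org/", "https://intranet.example.com/wp"]
GUESSES = ["http://blog.example.org", "http://other.example.net"]


def normalize(url):
    """Canonical form so the same site always yields the same token."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.port:
        host = f"{host}:{parts.port}"
    return host + parts.path.rstrip("/")


def plain_hash(url):
    """Unkeyed one-way hash of the URL."""
    return hashlib.sha256(normalize(url).encode()).hexdigest()


def keyed_token(url, install_secret):
    """HMAC-SHA256 of the URL under a secret that never leaves the site."""
    return hmac.new(install_secret, normalize(url).encode(),
                    hashlib.sha256).hexdigest()


def match_candidates(stored, candidates):
    """What a holder of the stored values can do without any site secret:
    hash each guessed URL and look it up."""
    return [u for u in candidates if plain_hash(u) in stored]


def demo():
    stored_plain = {plain_hash(u) for u in SITES}
    secrets_by_site = {u: secrets.token_bytes(32) for u in SITES}
    stored_keyed = {keyed_token(u, k) for u, k in secrets_by_site.items()}
    recovered_plain = match_candidates(stored_plain, GUESSES)
    recovered_keyed = match_candidates(stored_keyed, GUESSES)
    key = secrets_by_site[SITES[0]]
    # The token stays stable per site, so installs can still be counted.
    stable = keyed_token(SITES[0], key) == keyed_token("http://BLOG.example.org", key)
    return recovered_plain, recovered_keyed, stable
```

The keyed token only protects the stored record; the request itself still arrives from the site's IP address, so retention and disclosure of server logs remain a separate question.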

  3. #183
    Elpie (Here For The Peanuts)
    Join Date: Nov 2009 | Location: New Zealand | Posts: 168

    The debate would still exist unfortunately. Users have to have control over their personal data and give explicit consent to share it. Informed consent isn't possible when nobody knows how the data is being used or how long it is kept for.

    Since this debate made it out to the web other privacy issues have been raised. All center around the lack of disclosure, the type of data that is captured, and lack of consent.

    I've asked the team to discuss contacting the Software Freedom Law Center for advice on what they can and can't legally do, and how to do it. http://wpdevel.wordpress.com/2009/12.../#comment-4157
    I hope they get legal advice & act on it. It'd be nice if this debate was ended.

  4. #184
    zamoose (Hello World)
    Join Date: Nov 2009 | Location: Philadelphia, PA | Posts: 43

    Shorter form: it's not paranoid to seek these answers when people actually are out to get you. It's rational.

  5. #185
    PaulCunningham (Hello World)
    Join Date: Jan 2009 | Location: Brisbane, Australia | Posts: 70

    Quote Originally Posted by Elpie
    The debate would still exist unfortunately. Users have to have control over their personal data and give explicit consent to share it. Informed consent isn't possible when nobody knows how the data is being used or how long it is kept for.
    But minus the blog URL doesn't the rest of the data become basically anonymous?

  6. #186
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Quote Originally Posted by Ryan
    Matt was just trying to be funny. Probably not the best situation to do it in though. I suspect he isn't aware of how ticked off a few people are about it around here.
    Perhaps. And I would have no problem with humor - if, say, we were sitting around a table, enjoying some adult beverages at a WordCamp after-party, and, most importantly, if that humor were preceded or followed by a sincere answer.

    I suspect the only way this will get through to the core team is if someone can come up with a sound legal argument as to why they have to do it. At the moment I don't really see any logical reason why they would, so I suspect a legal one will probably be necessary.
    That's why I'm quoting from stopbadware.org - a group that takes issues such as undisclosed transmission of user data very seriously.

    Others are taking other approaches (e.g. Elpie's client who has consulted a lawyer).

    Either that or an obviously large number of users who are unhappy about this situation, but I can't imagine many people will care. I certainly don't.
    The incredibly infuriating part of the whole thing - for me, at least - is that, for the most part, I would consent to what they're doing... if only they would properly disclose it.

    It is absolutely a matter of propriety, trust, and goodwill. I completely understand those who say, "if they will collect these data today without disclosure, what is to say that they won't collect other data tomorrow, without disclosure?"

    As for the actual legal argument, I'm starting more in-depth research on that, and will compose my findings in a blog post of my own.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  7. #187
    Elpie (Here For The Peanuts)
    Join Date: Nov 2009 | Location: New Zealand | Posts: 168

    I deliberately didn't mention the political dissident bloggers on wp-hackers since Google Groups indexes the mailing list very quickly. Back in 2005, WordPress + Tor was recommended for blogging: http://advocacy.globalvoicesonline.org/projects/guide/ While that is about wordpress.com the rise in availability of anonymous servers makes WordPress stand-alone attractive.

    Under the Patriot Act the US government can get its hands on wordpress.org data at any time. However, this is a small risk - much smaller than someone intercepting the data. api.wordpress.org collects its data with unsecured transmissions. HTTP is so easy to snoop on it's scary.

    The fact that WordPress gathers information immediately it is installed, before plugins are activated, means that very few sites aren't captured.

    Tor type services can protect on the frontend but nothing is protecting from WordPress if users don't know data collection is happening.

  8. #188
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Quote Originally Posted by PaulCunningham
    But minus the blog URL doesn't the rest of the data become basically anonymous?
    Read my excerpt above from stopbadware.org - disclosure and ability to opt-out are required for transmission of all user data - whether or not those data are personally identifiable.

    I'm primarily asking for disclosure, so that every user is made aware of what data are retained by api.wordpress. I'm hoping the issue is largely resolved by such disclosure.

    However, if data are being retained, and especially if those data can be tied to blog URL, then users must absolutely have the right to opt out of that data retention.

    Hashing the URL just shows respect for user privacy.

  9. #189
    ifranky (Hello World)
    Join Date: Dec 2009 | Location: Cyprus | Posts: 37

    I am going to add here what I just replied to @wptavern when he wondered why the people defending privacy concerns are being thrown under a bus:

    'It is hard to discuss privacy concerns with those who don't understand privacy (concerns)'.
    Ask Zuckerberg
    Experience taught me this, life doesn't stop reminding me of it.

  10. #190
    zamoose (Hello World)
    Join Date: Nov 2009 | Location: Philadelphia, PA | Posts: 43

    @ifranky or those who aren't directly affected by disclosure.

    Privacy might not be a big deal for big name bloggers like Matt, Scoble, Om Malik or Anil Dash, as they're already fairly public figures. It is a big deal to those that would prefer to remain anonymous for safety or convenience.
