
Thread: WordPress and phone home

  1. #201
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Someone in the comment thread over at WLTC was kind enough to bring up Adobe, since many of their products also auto-update:

    Quote Originally Posted by RicardoSantos
    Chip I understand what you’re saying but what you describe as far as I can see is a routine nowadays, since you don't use any of the 3 big email services I'm going to pick one particular piece of software that almost everyone uses… Adobe Flash Player

    Do they ask you when the warning pops up on the screen “update available” if the program can send data to their servers and how long it's going to be retained? Yep… it's a closed/commercial program… no way to know… to my knowledge there's dozens of them out there… from bigger companies than Automattic
    Wouldn't you know it? Adobe has an awfully darn extensive Privacy Policy.

    Key Points:

    On collection of personal information while using products or services:
    When you use the Site and the Products and Services, Adobe may also collect certain information about your computer to facilitate, evaluate and verify your use of the Site and the Products and Services. For example, we may log environmental variables, such as browser type, operating system, CPU speed, referring or exit webpages, click patterns, Session ID (a unique identifier assigned to the browser in connection to the Site), and the Internet Protocol (IP) address of your computer. Adobe also uses such information to measure traffic patterns on the Site and usage of the Products and Services. We do not match such information with personal information held about you by Adobe unless we have your consent, except as otherwise described in this Privacy Policy.
    On how collected information is used:
    Adobe may collect information about the use of the Products and Services and the Site, such as the number of downloads, types of Services used, how many users we receive daily, Site pages visited, and the IP address of your computer. This information is generally collected in aggregate form, without identifying any user individually, although IP address and Session ID in relation to purchases and downloads may be tracked as part of Adobe's customer order review and fraud prevention efforts. Other exceptions to this, where an individual may be identified individually, are noted in this Privacy Policy or in additional privacy terms connected to a specific Product, Service or website.



    Adobe may use aggregate, nonidentifying statistical data for improving the Site and the Products and Services, providing more relevant experiences to our customers and for statistical analysis.
    On Update Notification specifically:
    Certain Products and Services may require you to use the most current version of such Product and Service or are offered in conjunction with other Products and Services, which you may or may not have already downloaded. The Product and Service may automatically check to determine if you are using the most current version or have other Products and Services and through e-mail messages, pop-up boxes or similar mechanisms inform you if you need to upgrade in order to use the Product and Service you have requested. During this process, an IP address identifying your computer and the Product and Service version may be sent to a Web server, but system profile information is not transmitted nor are cookies used to store information.
    Any takers on whether or not I could find similar language in the privacy policy for other relevant web apps?
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  2. #202
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Mozilla's Privacy Policy for Firefox is even more analogous - and even more damning for Matt Mullenweg's current stance.

    Types of Information

    As with most Internet web browsers, Firefox sends certain information to the websites that you visit. This information falls into the following categories:


    “Personal Information” is information that you provide to us that personally identifies you, such as your name, phone number or email address. Except as described below, Mozilla does not collect or require end-users of Firefox to furnish Personal Information.


    “Non-Personal Information” is information that cannot be directly associated with a specific person or entity. Non-Personal Information includes but is not limited to your computer’s configuration and the version of Firefox you use.


    “Potentially Personal Information” is information that is Non-Personal Information in and of itself but that could be used in conjunction with other information to personally identify you. For example, Uniform Resource Locators (“URLs”) (the addresses of web pages) and Internet Protocol (“IP”) addresses (the addresses of computers on the internet), which are Non-Personal Information in and of themselves, could be Personal Information when combined with internet service provider (“ISP”) records.


    “Aggregate Data” is information that is recorded about users and collected into groups so that it no longer reflects or references an individually identifiable user.
    Money graf:
    Automated Update Service. Firefox’s automatic update feature periodically checks to see if an updated version of Firefox and installed add-ons are available from Mozilla.

    Firefox
    This feature sends Non-Personal Information to Mozilla, including the version of Firefox you are using, build ID and target, update channel, your operating system, and your language preference. This feature also sends Potentially Personal Information to Mozilla in the form of a cookie named “aus” that contains a unique numeric value to distinguish individual Firefox installs. Mozilla uses this information to provide you with updated versions of Firefox and to understand the usage patterns of Firefox users. We use this information to improve our products and services and to support decision making regarding feature and capacity planning.

    Add-Ons
    The add-ons update version check sends Non-Personal Information to Mozilla, including the version of Firefox you are using, version of the add-ons you have installed, build ID and target, update channel, your operating system, and your language preference with each check of an add-on that uses https://addons.mozilla.org/en-US/firefox/ as its update host. If any of your add-ons use a third party update URL, Firefox will check that URL for updates to those add-ons.

    We do not collect or track any Personal Information or any information about the Web sites you visit, and we do not release the raw information we obtain from these features to the public. We may release reports containing Aggregate Data so that our global community can make better product and design decisions. To prevent Mozilla from obtaining this information, you can turn this feature off in Firefox’s preferences. An article in our Firefox Knowledge Base gives you information about changing your preferences.
    So, where is WordPress' similar Privacy Policy?
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  3. #203
    Jeffro (WPTavern Forum Admin)
    Join Date: Jan 2009 | Location: Ohio | Posts: 2,358

    I wonder, is it possible that adding that type of information to the privacy policy would open up Automattic or WordPress to more legal litigation? Could that be a legitimate concern or a good reason not to add onto the privacy policy?

  4. #204
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Quote Originally Posted by Jeffro View Post
    I wonder, is it possible that adding that type of information to the privacy policy would open up Automattic or WordPress to more legal litigation? Could that be a legitimate concern or a good reason not to add onto the privacy policy?
    Simple disclosure can't possibly open them up to litigation risk. Only their data retention practices could possibly do that.

    It is entirely possible, though, that the failure of disclosure could open them up to risk of litigation - and that is a pointless risk, when all they have to do is write a privacy policy that discloses their data retention practices.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  5. #205
    Brad (Here For The Peanuts)
    Join Date: Jan 2009 | Location: USA | Posts: 142

    Mark was kind enough to answer a question from me on Twitter.
    http://twitter.com/markjaquith/status/6617318748

    Kudos to him.
    Tapping a Keg of WordPress

  6. #206
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Quote Originally Posted by Brad View Post
    Mark was kind enough to answer a question from me on Twitter.
    http://twitter.com/markjaquith/status/6617318748

    Kudos to him.
    Indeed, I have appreciated Mark's attempts to give sincere answers to questions, even if he doesn't agree with the premise.

    Of course, at this point, what is sent to api.wordpress.org is well-known (by anyone following this whole strung-out debate).

    What is interesting is that, based on some of Matt's comments on the wpdevel blog regarding what is retained:

    a) All data sent are retained, and
    b) Only the most recent update is retained, but
    c) Historical aggregate data are retained

    Now, that makes me wonder about Elpie's original question: why is blog URL needed as a unique identifier, if only the most recent update is kept and only aggregate historical data are kept? It would seem that a hashed value would be equally useful in this scenario.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  7. #207
    Brad (Here For The Peanuts)
    Join Date: Jan 2009 | Location: USA | Posts: 142

    It was good to hear it from a Lead Developer though.
    Quote Originally Posted by chipbennett View Post
    Of course, at this point, what is sent to api.wordpress.org is well-known (by anyone following this whole strung-out debate).
    Tapping a Keg of WordPress

  8. #208
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    Quote Originally Posted by Brad View Post
    It was good to hear it from a Lead Developer though.
    Agreed.

    (Though, it was always right there in the PHP file - the array of data sent during an update check. I absolutely agree, though - nice to have a clear, concise statement.)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  9. #209
    chipbennett (WordPress Legend)
    Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,993

    To help move the discussion along, I have drafted a WordPress Privacy Policy. Please have a look.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  10. #210
    markjaquith (Hello World)
    Join Date: Oct 2009 | Posts: 13

    Recall that I was the one who started this whole discussion two years ago, and that my then objection was that the URL was transmitted. During the course of that discussion in 2007 I dropped my objection to this. Perhaps it would be useful for me to explain why I changed my mind.

    1. An IP address, which TCP/IP dictates MUST be sent by the server, is not significantly more anonymous than a URL. That is to say that either of them can be used to discover a WordPress install. All of the "bad guys could intercept data, know which plugins you have installed, and hack your system" scenarios are just as achievable when starting with a server IP address as with a blog URL.

    2. URLs have the benefit of being a unique, one-to-one, standardized, and verifiable identifier for a specific blog install. The main thing that you lose when going to a one-way hash is verifiability. You now have to accept the data that is anonymously given to you, with no way of distinguishing between actual WP installs and fake ones. We're not doing it now, but we could be using API data to report a plugin popularity. Right now it's based on downloads. It's not very accurate, because many people might download a plugin — what's meaningful is how many keep it installed. And guess what — it's being furiously exploited. We've had several instances of people creating "promotional" plugins for some service, and then downloading their own plugin tens or hundreds of thousands of times to inflate their ranking for plugin popularity. If we were to move towards measuring plugin popularity by the number of active installs, I have no doubt that they'd similarly try to exploit this by flooding the API with fake WordPress installs that supposedly have it installed. Without a verifiable identifier for a blog, we would have no way of telling fake installs from real installs, and our data — the data we use for the benefit of the WordPress community and for making intelligent choices about WordPress development — would be tainted.

    3. The privacy policy was updated to cover data sent to api.wordpress.org

    Those three things changed my opinion on this matter.

    I object strenuously to having a UI option to disable update checks. Too many people will disable it without thinking and then wonder why their install keeps getting hacked. If someone is handling updates for them, then that person should install something to disable them. People with private, dissident, etc. blogs should use the constant in wp-config.php to disable external HTTP requests:

    define('WP_HTTP_BLOCK_EXTERNAL', true); // block external requests
    In that case, it's not just contact to WP.org that they might object to, but ALL client-based contact with the outside world. And if this is in a company intranet, they should be blocking this traffic at the firewall level.

    The one good idea that I've seen surface from this kerfuffle's carnage is the suggestion that the WP.org/api.WP.org privacy policy be linked to from within a WordPress install. That seems reasonable. It should probably be visible as a link from the Install page. (As to the concern about host-based installers like Fantastico, I think the onus should be on them. We can't control how third parties install WordPress.)
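
The trade-off between the hashed identifier suggested in #206 and the verifiability objection in #210, as an added example that is not part of the thread and not WordPress.org code. The hashing scheme (SHA-256 of a normalized URL), the names `install_id`, `UpdateStats` and `build_demo`, and all sample reports are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter


def install_id(blog_url: str) -> str:
    """One-way identifier a client could send instead of its URL (assumed scheme)."""
    normalized = blog_url.strip().lower().rstrip("/")
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class UpdateStats:
    """Keeps only the most recent report per install and derives aggregates."""

    def __init__(self):
        self.latest = {}  # install identifier -> most recent report

    def record(self, ident: str, wp_version: str, plugins):
        # A later check from the same identifier overwrites the earlier one,
        # so no per-install history is retained.
        self.latest[ident] = {"wp": wp_version, "plugins": frozenset(plugins)}

    def active_installs(self) -> Counter:
        counts = Counter()
        for report in self.latest.values():
            counts.update(report["plugins"])
        return counts


def build_demo():
    stats = UpdateStats()
    # Constructed reports from two real installs; blog-a checks in twice.
    stats.record(install_id("http://blog-a.example/"), "2.8.6", ["akismet"])
    stats.record(install_id("http://blog-a.example"), "2.9", ["akismet", "promo-plugin"])
    stats.record(install_id("http://blog-b.example"), "2.9", ["akismet"])
    honest = stats.active_installs()

    # Reports whose identifiers are hashes of nothing reachable. The collector
    # holds only opaque hex, so it has no URL to check and counts them all.
    for n in range(500):
        fake = hashlib.sha256(f"no-such-site-{n}".encode()).hexdigest()
        stats.record(fake, "2.9", ["promo-plugin"])
    return honest, stats.active_installs()


if __name__ == "__main__":
    honest, flooded = build_demo()
    print("before:", dict(honest))
    print("after: ", dict(flooded))
```

Deduplication and aggregate counts work the same with the hash as with the URL; what changes is that the collector can no longer test whether an identifier corresponds to a live install.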
