
Thread: WordPress and phone home

  1. #1
    Elpie is offline Here For The Peanuts
    Join Date
    Nov 2009
    Location
    New Zealand
    Posts
    108

    WordPress and phone home

    In 2007, when WP2.3 implemented the "phone home" there was a lot of concern over privacy. At that time, it was too close to the release of 2.3 so the issue was going to be revisited later. Matt said it would be reviewed with 2.5. That review never happened and I've just reopened the issue.

    If you don't know, every time WordPress checks for updates it sends information such as your PHP version, WordPress version, and blog URL.
    If it checks plugins then all data about all plugins is sent to wordpress.org - this means name, version, description - for every plugin. Including the custom ones you wrote, and including inactive plugins. The theme update checker does much the same thing.

    All of this is sent to wordpress.org with your blog URL but the update checkers do not need the blog URL. (Remove it and they still work fine).

    It's a trivial matter to remove the blog URL but because people are not asking for this it's not likely to get done. People are using plugins that prevent the update checks from being run and we'll never know how many people decide not to use WordPress once they learn about this data disclosure.

    I've opened up the discussion on wp-hackers. You can read it on Google Groups here: http://j.mp/66qnI3

    If you agree that WordPress should not collect blog URLs (given there is no need for them to do so and no use being made of this information that anyone knows of) then please add your voice to this discussion.

    I block this on my own sites but have just been working with someone whose site was hacked after they used a "Disable Updates" plugin. The only reason they were using this was to prevent their private data being sent to wordpress.org. It concerns me that there are likely to be others doing the same thing, which is stupid when a small change in the core would remove privacy issues.

  2. #2
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,717


    Quote Originally Posted by Elpie View Post
    If you agree that WordPress should not collect blog URLs (given there is no need for them to do so and no use being made of this information that anyone knows of) then please add your voice to this discussion.
    I agree, wholeheartedly.

    What information is sent to WP should be configurable, both in the option to send (or not to send), and in determining what information is sent. I agree that blog URL is unnecessary, and serves no legitimate purpose that cannot be met otherwise. Thus, if given the option, I would disallow that information to be sent.

    As for those who ask, "what are you so paranoid about?", my answer is: none of your [expletive deleted] business. It is my server, my WordPress installation, and my information. I have the right to choose to be paranoid, thankyouverymuch.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  3. #3
    Ryan is offline WPTavern Forum Moderator
    Join Date
    Jan 2009
    Location
    New Zealand
    Posts
    2,418


    I assumed that anyone who was paranoid about their data being used by WordPress.org or Automattic would disable all of the data being sent anyway so just removing the URL seems rather pointless to me. I could be wrong though.

    I suspect the URL is being stored in case it is of use for market analysis or to manually check sites if the need arose. I can't think of any reasons why that would be necessary, but keeping the data there in case it is seems like a good idea to me. I can't imagine most people would care less if their URL is being sent to WordPress.org anyway.

  4. #4
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,717


    Quote Originally Posted by Ryan View Post
    I assumed that anyone who was paranoid about their data being used by WordPress.org or Automattic would disable all of the data being sent anyway so just removing the URL seems rather pointless to me. I could be wrong though.

    I suspect the URL is being stored in case it is of use for market analysis or to manually check sites if the need arose. I can't think of any reasons why that would be necessary, but keeping the data there in case it is seems like a good idea to me. I can't imagine most people would care less if their URL is being sent to WordPress.org anyway.
    I'm quite happy letting WordPress know what version of PHP I'm running. The sooner their "official" numbers show PHP4 at 10% or less, the sooner we start getting to take advantage of PHP5. :)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  5. #5
    Elpie is offline Here For The Peanuts
    Join Date
    Nov 2009
    Location
    New Zealand
    Posts
    108


    Quote Originally Posted by Ryan View Post
    I assumed that anyone who was paranoid about their data being used by WordPress.org or Automattic would disable all of the data being sent anyway so just removing the URL seems rather pointless to me. I could be wrong though.
    Two things here - wordpress.org is not Automattic and contributing to WordPress does not give Automattic any right to use the data collected by WordPress.

    Some data does need to be sent back otherwise the update checker cannot notify users if updates are available. This, IMO, should be anonymous data though and only enough for the feature to work.

    Quote Originally Posted by Ryan View Post
    I suspect the URL is being stored in case it is of use for market analysis or to manually check sites if the need arose. I can't think of any reasons why that would be necessary, but keeping the data there in case it is seems like a good idea to me. I can't imagine most people would care less if their URL is being sent to WordPress.org anyway.
    Consider this - wordpress.org is not a legal entity so there is nobody to sue if data is misused. You can't sue a community. There is no disclosure about what data is collected or how it will be used. People are just supposed to trust that volunteers working on an open source project can be relied upon to keep personal data private?

    Remember this? http://wordpress.org/development/2007/03/upgrade-212/
    Ok, that was someone who got into the server and added malicious code to the download. What if someone got into the server and accessed the site information for hundreds of thousands, if not millions, of sites? That data would be a goldmine.

    I wasn't too concerned about all this myself until I started considering the implications. Once this data has gone out there is no control over what it's used for.

    Thing is, if Google or Microsoft said, "we want to collect your site URL and information about everything running on your site, just in case we find some way to use this data later" and didn't say why they wanted it, or how they would protect that data, or even if they could be held accountable for it - would you give it to them? I wouldn't.

  6. #6
    ifranky is offline Hello World
    Join Date
    Dec 2009
    Location
    Cyprus
    Posts
    37


    Thing is... should anything really phone home without having the option to deactivate it? 7 years ago almost any Windows board would advise you to block these functions in XP. Me inclusive.

    Today... well people usually have come to accept it. Anyone using Snow Leopard here? Have you tried to find a trigger to deactivate 'reports of this crash will be sent to Apple' in any easily accessible utility/preference panel?

    There should be a very well defined, and written in clear language not legalese, disclosure though so everyone knows what data are sent, why and can agree or block it altogether.

    Sending the URL and evt. storing this data? Could this somehow be used to the advantage of the community? If yes, explain why to the user and I'm all for this. But only if they allow the user to decide themselves.

  7. #7
    conorp is offline Kegger
    Join Date
    Jan 2009
    Location
    Australia
    Posts
    504


    Two things here - wordpress.org is not Automattic and contributing to WordPress does not give Automattic any right to use the data collected by WordPress.
    Does it really matter if the blog url is sent? What's the difference between this, and having your site listed on your .org forums profile?
    The lord of every land, rising for them,
    The Aton of the day, great of majesty.

    Great Hymn of the Aton

  8. #8
    Ryan is offline WPTavern Forum Moderator
    Join Date
    Jan 2009
    Location
    New Zealand
    Posts
    2,418


    Quote Originally Posted by conorp View Post
    Does it really matter if the blog url is sent? What's the difference between this, and having your site listed on your .org forums profile?
    You choose to add your URL to your .org profile. You don't choose to have your URL sent to them via the software, it happens automatically.

  9. #9
    Elpie is offline Here For The Peanuts
    Join Date
    Nov 2009
    Location
    New Zealand
    Posts
    108


    Quote Originally Posted by conorp View Post
    Does it really matter if the blog url is sent? What's the difference between this, and having your site listed on your .org forums profile?
    When plugins are checked for updates the information that is sent back to WordPress is:

    Your IP
    Blog URL
    WordPress version
    PHP version
    MySQL version
    Locale setting if there is one
    Plugin title, description, author - including all URLs that form part of this.
    Full list of all plugins on your site, whether they are active or not.

    This happens every 12 hours or when you load the plugin page if it's been over 12 hours.

    wordpress.org gets that information. If they also have a forum profile or trac login then they also have email addresses.

    This information isn't just going out from live blogs. If you are developing a site locally on your computer then your computer also sends this information.

    If your site is an intranet then you are passing out information that is not public.

    All without knowing about it and all without any opt-in or readily-available way to stop this happening.

    Without the blog URL it's just a little bit harder to pull all the data together. With it, it's not anonymous and the collection is open to abuse.
    Last edited by Elpie; 12-12-2009 at 09:00 PM. Reason: for accuracy - added MySQL version
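
An added example, not part of the thread and not WordPress core code: one way to keep the update checks running while removing the site URL from them, instead of disabling updates altogether. It assumes the update API is served from a wordpress.org host and that the site URL travels in the User-Agent string ("WordPress/<version>; <site URL>") or in a request header; `phonehome_strip_site_url` is a hypothetical name, and the plugin list in the request body is left unchanged.

```php
<?php
/*
 * Added example: strip the site URL from requests sent to the update API.
 * Assumptions: the API host is wordpress.org or a subdomain of it, and the
 * site URL appears in the User-Agent and/or in request header values.
 */

function phonehome_strip_site_url( array $args, $url, $site_host ) {
    $host = parse_url( $url, PHP_URL_HOST );
    if ( ! is_string( $host ) || ! preg_match( '/(^|\.)wordpress\.org$/i', $host ) ) {
        return $args; // Not an update-API request: leave it untouched.
    }

    // Keep only the part of the User-Agent before the first ';' (the version).
    if ( isset( $args['user-agent'] ) ) {
        $parts              = explode( ';', $args['user-agent'], 2 );
        $args['user-agent'] = trim( $parts[0] );
    }

    // Drop any header whose value names this site.
    if ( $site_host !== '' && isset( $args['headers'] ) && is_array( $args['headers'] ) ) {
        foreach ( $args['headers'] as $name => $value ) {
            if ( is_string( $value ) && stripos( $value, $site_host ) !== false ) {
                unset( $args['headers'][ $name ] );
            }
        }
    }
    return $args;
}

// Inside WordPress, apply the function to every outgoing HTTP request.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'http_request_args', function ( $args, $url ) {
        $site_host = (string) parse_url( get_option( 'siteurl' ), PHP_URL_HOST );
        return phonehome_strip_site_url( $args, $url, $site_host );
    }, 10, 2 );
}
```

The server still sees the requesting IP address and the full plugin list, so this removes only the direct link between that data and the site's URL.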

  10. #10
    conorp is offline Kegger
    Join Date
    Jan 2009
    Location
    Australia
    Posts
    504


    You choose to add your URL to your .org profile. You don't choose to have your URL sent to them via the software, it happens automatically.
    There's still Google, but I see your point.
    The lord of every land, rising for them,
    The Aton of the day, great of majesty.

    Great Hymn of the Aton
