WordPress Privacy Policy (draft)

[chipbennett]

So, here's my draft WordPress Privacy Policy (borrowed heavily from the Firefox Privacy Policy):

WordPress Privacy Policy

Types of Information

WordPress sends certain information to third-party servers. This information falls into the following categories:

“Personal Information” is information that you provide (e.g. in your User Profile) that personally identifies you, such as your name or email address. WordPress does not disclose this information to third-party servers.

“Non-Personal Information” is information that cannot be directly associated with a specific person or entity. Non-Personal Information includes but is not limited to your server's configuration (PHP/MySQL version), the version of WordPress you have installed, and the version of any plugins or themes you have installed.

“Potentially Personal Information” is information that is Non-Personal Information in and of itself but that could be used in conjunction with other information to personally identify you. For example, Uniform Resource Locators (“URLs”) (the addresses of web pages) and Internet Protocol (“IP”) addresses (the addresses of computers on the internet), which are Non-Personal Information in and of themselves, could be Personal Information when combined with internet service provider (“ISP”) records.

“Aggregate Data” is information that is recorded about users and collected into groups so that it no longer reflects or references an individually identifiable user.

Information WordPress Sends to Your Site Visitors

WordPress sends information to your site visitors, including (1) Non-Personal Information of the type that web applications typically make available, such as server configuration information (unless the server is configured not to disclose this information), and (2) Potentially Personal Information such as the IP address of your server. This information may be logged by the browsers that visit your website. What information is logged and how that information is used depends on the setup of the browsers that visit your website.

Interactive Product Features

Automated Update Service
The WordPress automatic update feature periodically checks to see if updated versions of WordPress and installed plugins and themes are available from api.wordpress.org.

WordPress Update Check
This feature sends Non-Personal Information to api.wordpress.org, including the version of WordPress you are using, your server's PHP version and MySQL version. This feature also sends Potentially Personal Information to api.wordpress.org, including locale setting.

This information is used by api.wordpress.org to determine if an updated version of WordPress is available, and to provide the proper language support for your WordPress installation.

Plugins/Themes Update Check
The Plugins and Themes update version checks send Non-Personal Information to api.wordpress.org, including the version of WordPress you are using, names, versions, authors, author URLs, and descriptions of the plugins/themes you have installed. Note: for custom plugins/themes that are installed, the name, version, author, author URL, and description may be considered Potentially Personal Information.

This information is used by api.wordpress.org to determine if an updated version of a plugin or theme is available.

Data Retention and Aggregation
The WordPress and Plugin/Theme update check sends Non-Personal Information to api.wordpress.org, including the version of WordPress you are using, your server's PHP version and MySQL version, and Theme/Plugin information (name, version, author, description). This feature also sends Potentially Personal Information to api.wordpress.org, including your blog URL, blog locale setting, and information (name, version, author, description) for any custom Plugins/Themes installed on your blog.

This information is sent to api.wordpress.org each time WordPress performs the update check function, and only the information sent in the most recent update check is retained by api.wordpress.org. Historical data are kept as aggregated data only.

This information is used by api.wordpress.org to understand the usage patterns of WordPress users, to improve WordPress products and services, and to support decision making regarding feature planning and development support (e.g. PHP4/PHP5).

No Personal Information is transmitted to or collected by api.wordpress.org, and the raw information obtained from these features is never disclosed to the public. Reports containing Aggregate Data may be released so that our global community can make better product and design decisions.

To prevent api.wordpress.org from obtaining this information, various plugins may be available for disabling this feature.

Plugin/Theme Features
Part of the flexibility of WordPress is the ability for you to install plugins and themes to WordPress, thereby creating a custom application that fits your needs. Plugins and Themes can be installed manually, or through the WordPress admin interface, using the "Add New Plugin" and "Add New Themes" functionality.

Add New Plugin/Theme Feature
This feature allows the user to search for and install new plugins and themes directly through the WordPress admin interface. This feature is accessible through the admin interface menu, in the Plugins and Appearance sub-menus. This feature contacts api.wordpress.org to obtain information about available plugins and themes. No Personal, Potentially Personal, or Non-Personal Information is sent to api.wordpress.org as part of this feature.

Please review and comment, and offer corrections/suggestions/improvements.

Not sure what the next step would be - I guess throw it up on Trac?

EDIT #1:

Changed

1. Changed title of section 2, per Ryan's comments
2. Changed section 2 references to "web servers" to "web applications", per Elpie's comments
3. Added clarification for server configuration disclosure, per Elpie's comments
4. Removed "Like most web servers", per Ryan's/Elpie's comments
5. Added Author URL to list of plugin information, per Elpie's comments
6. Changed "various plugins may be available for disabling this feature", per Ryan's comments
7. Corrected spelling error, per Ryan

Not Changed

1. Thus far, leaving in the "Types of Information" and "Add New Plugin/Theme" sections
2. Thus far, not worrying about capitalization suggestions (will address in final draft)

[Elpie]

It's nice but inaccurate. Personal information such as names and Author URL's, IP addresses and any personal information contained within theme or plugin descriptions (which may contain job titles, phone numbers and email addresses) is all sent back to api.wordpress.org.

This part is misleading: "Like most web servers, WordPress sends information to visitors to your website". WordPress is not a web server and does not send "information" to visitors of a web site. It delivers the content a site admin makes publicly available.
Things like server IP's have nothing to do with having WordPress running. In a well-configured server information such as Apache, PHP, MySQL versions etc are not disclosed to any site visitor.

I fail to see how anyone can write a privacy statement without knowing what WordPress and Automattic do with the data, how it is stored, what is retained and for how long. For all we know it may be getting combined with all other data to create a storehouse of knowledge about a user. Only they know what use they make of it.

[Ryan]

The bits in grey are things I've removed.
The bits in red are things I've added.

I haven't looked through it as thoroughly as I could. But the first thing I thought when I saw it was that it was too long. Short, sharp and sweet would be better IMO. I don't think you need to define "non-personal information" etc. as long as you explicitly specify what information is sent.

I wasn't sure how the last paragraph fitted in with it being a privacy policy for WordPress.org so I removed it.

I think quite a few more chunks could be removed too. I just don't have the time right now. In particular, you could say that everything in the stylesheet headers, readme.txt file of themes/plugins etc. is sent ... which would cover one of Elpie's concerns above.

WordPress Privacy Policy


Types of Information

WordPress sends certain information to third-party servers. This information falls into the following categories:

“Personal Information” is information that you provide (e.g. in your User Profile) that personally identifies you, such as your name or email address. WordPress does not disclose this information to third-party servers.

“Non-Personal Information” is information that cannot be directly associated with a specific person or entity. Non-Personal Information includes but is not limited to your server's configuration (PHP/MySQL version), the version of WordPress you have installed, and the version of any plugins or themes you have installed.

“Potentially Personal Information” is information that is Non-Personal Information in and of itself but that could be used in conjunction with other information to personally identify you. For example, Uniform Resource Locators (“URLs”) (the addresses of web pages) and Internet Protocol (“IP”) addresses (the addresses of computers on the internet), which are Non-Personal Information in and of themselves, could be Personal Information when combined with internet service provider (“ISP”) records.

“Aggregate Data” is information that is recorded about users and collected into groups so that it no longer reflects or references an individually identifiable user.

Information WordPress sends to Visitors To Your Website your site visitors

Like most web servers, WordPress sends information to visitors to your website, including (1) non-personal information of the type that web servers typically make available, such as server configuration information, and (2) potentially personal information such as the IP address of your server. This information may be logged by the browsers that visit your website. What information is logged and how that information is used depends on the setup of the browsers that visit your website.

Interactive Product Features

Automated Update Service
The WordPress automatic update feature periodically checks to see if updated versions of WordPress and installed plugins and themes are available from api.wordpress.org.

WordPress Update Check
This feature sends Non-Personal information to api.wordpress.org, including the version of WordPress you are using, your server's PHP version and MySQL version. This feature also sends potentially personal information to api.wordpress.org, including locale setting.

This information is used by api.wordpress.org to determine if an updated version of WordPress is available, and to provide the proper language support for your WordPress installation.

Plugins/Themes Update Check
The Plugins and Themes update version checks send non-personal information to api.wordpress.org, including the version of WordPress you are using, names, versions, authors, and descriptions of the plugins/themes you have installed. Note: for custom plugins/themes that are installed, the name, version, author, and description may be considered Potentially Personal Information.

This information is used by api.wordpress.org to determine if an updated version of a plugin or theme is available.

Data Retention and Aggregation
The WordPress and Plugin/Theme update check sends Non-Personal information to api.wordpress.org, including the version of WordPress you are using, your server's PHP version and MySQL version, and Theme/Plugin information (name, version, author, description). This feature also sends Potentially Personal Information to api.wordpress.org, including your blog URL, blog locale setting, and information (name, version, author, description) for any custom Plugins/Themes installed on your blog.

This information is sent to api.wordpress.org each time WordPress performs the update check function, and only the information sent in the most recent update check is retained by api.wordpress.org. Historical data are kept as aggregated data only.

This information is used by api.wordpress.org to understand the usage patterns of WordPress users, to improve WordPress products and services, and to support decision making regarding feature planning and development support (e.g. PHP4/PHP5).

No personal information is transmitted to or collected by api.wordpress.org, and the raw information obtained from these features is never disclosed to the public. Reports containing Aggregate Data may be released so that our global community can make better product and design decisions.

To prevent api.wordpress.org from obtaining this information, various plugins may (or may not) be available.

Plugin/Theme Features
Part of the flexibility of WordPress is the ability for you to install plugins and themes to WordPress, thereby creating a custom application that fits your needs. Plugins and Themes can be installed manually, or through the WordPress admin interface, using the "Add New Plugin" and "Add New Themes" functionality.

Add New Plugin/Theme Feature
This feature allows the user to search for and install new plugins and themes directly through the WordPress admin interface. This feature is accessible through the admin interface menu, in the Plugins and Appearance sub-menus. This feature contacts api.wordpress.org to obtain information about available plugins and themes. No Personal, Potentially Personal, or Non-Personal Information is sent to api.wordpress.org as part of this feature.

[chipbennett]

It's nice but inaccurate.

The inaccuracies are exactly what I'd like to have pointed out, and resolved.

Personal information such as names and Author URL's, IP addresses and any personal information contained within theme or plugin descriptions (which may contain job titles, phone numbers and email addresses) is all sent back to api.wordpress.org.

IP addresses are correctly classified as "Potentially Personal".

"Personal", in this case, refers to the WordPress application owner. Thus, while a plugin author personally identifies the plugin author, it does not necessarily identify the WordPress owner. Therefore, I think this information, also, is properly classified as "Potentially Personal."

This part is misleading: "Like most web servers, WordPress sends information to visitors to your website". WordPress is not a web server and does not send "information" to visitors of a web site. It delivers the content a site admin makes publicly available.

I like Ryan's change here: removing "Like most web servers". Without this clause, does the sentence read more accurately?

I list server IP here, because it is the server IP that is sent to api.wordpress.org, no?

Things like server IP's have nothing to do with having WordPress running. In a well-configured server information such as Apache, PHP, MySQL versions etc are not disclosed to any site visitor.

But, they are sent by default, unless the server is configured not to send. Should I clarify, and say "unless the server is configured not to send this information"?

I fail to see how anyone can write a privacy statement without knowing what WordPress and Automattic do with the data, how it is stored, what is retained and for how long. For all we know it may be getting combined with all other data to create a storehouse of knowledge about a user. Only they know what use they make of it.

What I have included is only that which I have been able to verify through comments from Matt, Mark, and others. It is as accurate as I can get it at this point, without additional input.

[chipbennett]

The bits in grey are things I've removed.
The bits in red are things I've added.

I haven't looked through it as thoroughly as I could. But the first thing I thought when I saw it was that it was too long. Short, sharp and sweet would be better IMO. I don't think you need to define "non-personal information" etc. as long as you explicitly specify what information is sent.

I think defining the terms in the Privacy Policy is important. As you can see from the current debate, the exact nature of certain data (personal, non-personal, and potentially personal) is subject to a non-trivial degree of confusion and disagreement.

I wasn't sure how the last paragraph fitted in with it being a privacy policy for WordPress.org so I removed it.

It was included because it is functionality that contacts a third-party server. Thus, the nature of the data sent as part of this functionality should be identified.

I think quite a few more chunks could be removed too. I just don't have the time right now. In particular, you could say that everything in the stylesheet headers, readme.txt file of themes/plugins etc. is sent ... which would cover one of Elpie's concerns above.

You could say that, but not everyone will know/understand intuitively what that means. Saying theme/plugin name/version/author/description is explicit.

[Ryan]

You could say that, but not everyone will know/understand intuitively what that means. Saying theme/plugin name/version/author/description is explicit.

But from what Elpie said, it actually sends everything inserted into the top of the file, so if you are stupid enough to stick your credit card details in there then that would presumably get sent too.

[chipbennett]

But from what Elpie said, it actually sends everything inserted into the top of the file, so if you are stupid enough to stick your credit card details in there then that would presumably get sent too.

True enough - but how to explain it concisely?

I think, for the average user, the "field" name (name, version, author, description) will match what they see in the UI. Also, such a user would be very unlikely to be using a custom plugin/theme.

For the advanced user, who is using a custom plugin, no additional explanation should be necessary, I would think.

Also, does it actually send everything in the file "header", or just the four things listed? According to Mark Jacquith, it is the latter.

[Elpie]

Also, does it actually send everything in the file "header", or just the four things listed? According to Mark Jacquith, it is the latter.

Updating this with information I gathered from sniffing the transfer across HTTP.

It sends everything that is contained in these fields & gets the information directly from the database, active_plugins:

Name
Title
Plugin URI
Author Name
Author URI
Description
TextDomain
Domain Path
Plugin File Name

[chipbennett]

It sends everything that is contained in name, title, author, author URL, and description. This is essentially everything that is contained in the active_plugins data in the database.

Author URL was left out of the list Mark Jacquith gave. May have been a twitter char-len casualty?

I'll add it to the Privacy Policy.

[chipbennett]

By the way, I have a Wiki. Would it be better for this sort of collaboration? Or is there somewhere else better? Or does this work? I will try to keep the OP updated, with edit comments regarding what changes.