WordPress 2.3 Does Not Spy On Users [UPDATED]

Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

Breathless Hyperbole.

[Some+guy+named+Chris]

Read the thread. This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.

Matt Mullenweg is being very reasonable and reasoned in dealing with a small but vocal groups paranoia. In the same breath that he mentioned forking Wordpress, he also mentioned that another option is using a plugin that disables this behavior.

The submitter should be ashamed.

What Matt wrote

[imaginaryelf]

Message-ID:
Date: Sun, 23 Sep 2007 12:35:26 -0700
From: Matt Mullenweg
To: wp-hack...@lists.automattic.com
Subject: Re: [wp-hackers] Plugin update & security / privacy
References:
In-Reply-To:

Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL?

Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/

Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.

> If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!

Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against WordPress
don't bother checking the version or if a plugin is there or not, they
just seek out every WP blog and check the specific capability or
vulnerability.

Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2 years
of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
ones. :)

I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people knowing
there is an update and actually updating just doesn't happen, and this
is a necessary first step. If the only "trade-off" is sending an ALREADY
PUBLIC blog URL to wordpress.org, then great!

I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to.

Fork we shall

[businessnerd]

This is once again proof that the open source model is a good thing for users and protects us from unknowingly being used as pawns. The win is two fold here. First, the source was open, so that it was available for audit by anyone. This appears to be how this functionality was discovered. Someone noticed what the code was doing and raised a red flag. Now the users are aware and can make a choice in whether they will make the upgrade, not make the upgrade or turn to a new application. In the closed source world, often we are unaware of "unsavory code" while we use it for some time, all the while being subjected to its unsavory effects.

The second way that the open source model has won, is that users who disagree with the direction the application is heading in can now fork. In fact, the head developer of the project suggests it.

Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior."

I'm pretty confident that this will happen and happen fast. Given that people "fork" (some say hack/crack) closed source software all the time to leave out all of the "evil" modules (See Kazaa > Kazaa Lite > Kazaa Lite K++; and don't forget cracked Windows XP) forking an open source project to leave out all of the "evil" modules should be pretty easy. I'm no developer, but I could see this being as simple as taking the original source, commenting out/removing the bad stuff, and then redistributing.

The Actual Quote

[michaelkpate]

Since no had actually linked the Fork comment, http://groups.google.com/group/wp-hackers/browse_thread/thread/bdced7524fa79a18/f8b5bc6efc4a4005#f8b5bc6efc4a4005

> If you don't trust wordpress.org, I suggest you do one of the following:

> 1. Use different software.
> 2. Fork WordPress.
> 3. Install one of the aforementioned plugins.

Re:Basically, go fork ourselves?

[Laebshade]

The "fork wordpress" comment by Matt is taken out of context. See the link in the summary and do a ctrl+f search for "Matt Mullenweg".

Google Cloaking

[Trillan]

For those wondering what the big deal is, I expect a lot of the reaction is fueled by memories of Mullenweg being caught google cloaking in 2005. Once someone loses your trust, you don't really want to share any data with them.

Re:YAY! This saves me work.

[thenextpresident]

Dear god, you know that your slashdot comments show your URL?!?? You'd better stop there!

Thank you Mr. Did-Not-Read-The-Fscking-Article.

Re:Surprised/

[ZaMoose]

Not true. There are two plugins that explicitly disable this functionality:
disable WordPress version check and disable plugin version check, both of which were mentioned by Matt in the thread above.

Summary Is A Troll

[bmo]

And not only is it a troll, it's tinfoil haberdashery and skating _really close_ to Libel.

Actually RTFA Matt's reasoning gives the opposite impression of the summary. Fork the submitter and Kdawson for greenlighting this.

--
BMO

Re:+1

[ZaMoose]

The thinking was (as per Matt's post):

The system was designed to keep the client side as light as possible so
the heavy lifting can be done on the server side, allowing us a lot more
flexibility and agility in adapting the service as it gets rolled out
and evolves.

For example right now nothing is done with regards to localization, but
because of the data being sent and the lightness of the client side we
could introduce that feature in the future without having to update
every install of WordPress in the world. This philosophy has worked very
well for Akismet over the past 2 years. I believe it is also the best
approach for WordPress.

Today the server does basically nothing, no logging, no analysis, no
stats, it's just designed to be as fast as possible since I don't know
what type of impact 2.3 is going to have on api.wordpress.org. In the
future, however, I think there is a lot of room to grow it, particularly
once we take updates to the next step and allow people to
upgrade/install things with one click from their dashboard.

I'm glad Matt updated us on this...

[Mr.Fork]

Canada's privacy law is pretty strict against the unauthorized sending in of personally identifiable information, especially one that sends it to an American server. There, the Patriot act allows the government to capture Matt's database. And the kicker, he is not allowed to tell you.

Up here, we (being the government) can't buy any software package that stores the data in the USA. I can only imagine the tens of millions of lost dollars in contracts because of the Patriot Act. I would of hate to have added Matt's awesome editor to that list. Rock on Matt!

Re:well

[trolltalk.com]

"> you fixed it for people running wordpress on a machine where they have root privileges. which i'm sure is a good number, but i'm not in that group. thanks anyway."

In that case: fgrep -n 1 "api.wordpress.org" *.php > lines_of_code_I_might_want_to_change.txt