
Opened 5 years ago

Last modified 13 months ago

#14682 reopened defect (bug)

Privacy leakage: gravatars leak identity information

Reported by: jmdh
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.0.1
Component: Comments
Keywords: close
Focuses:
Cc:

Description (last modified by Denis-de-Bernardy)

If a commenter on a blog leaves a comment without having a log in to the site, and the "Comment author must fill out name and e-mail" preference is enabled for the blog, the author must provide an email address. The form for this says "Mail (will not be published) (required)"

It's true that the email address itself is not published, but if the site has gravatars enabled, the persistent identity of the commenter is nonetheless revealed. Together with inspection of other posts where the commenter has chosen to reveal their identity, on the same blog or other blogs, or a brute-force approach taking a known email address to find postings attributed to them (using a global search engine) this results in a complete loss of anonymity.

At the bare minimum, the user should be aware of this, so that they can choose not to comment; preferably, the software should be changed so that gravatars are not used for these sorts of posts (or made configurable, in combination with the user being made aware).

Change History (31)

comment:1 @jmdh 5 years ago

  • Cc jmdh added

comment:2 @Denis-de-Bernardy 5 years ago

Provocatively said Eric Smith: "Online anonymity is going to die, because governments will demand it. Get over it."

comment:3 follow-ups: @jane 5 years ago

  • Description modified (diff)
  • Type changed from defect (bug) to feature request
  1. If someone really wants to remain anonymous, they shouldn't enter their real email into any web form, regardless of whether it will be published or not, because the site owner will always have access to it and there have been plenty of cases where an unscrupulous author has published a commenter's email address.
  2. The site owner chooses whether to enable gravatar or not.
  3. The theme decides whether gravatars will be shown or not.

I think the scenario you outline is a case where the burden of anonymity should fall on the commenter; if they don't want their identity to be findable, they shouldn't be using their real identity to leave comments. Will some site owners kill those comments b/c they don't seem to have a real person behind them? Sure. But it's up to the site owner: WordPress puts the power in the site owner's hands. Someone unwilling to let their identity be known may have valid reasons for wanting to hide, but that edge case shouldn't be determining functionality.

"the software should be changed so that gravatars are not used for these sorts of posts" << what sorts of posts? the software should not be changed. And the text that is displayed about it can be left to the theme.

comment:4 in reply to: ↑ 3 @jane 5 years ago

Replying to jane:

plenty of cases where an unscrupulous author has published a commenter's email address.

Sorry, I meant unscrupulous site owners.

comment:5 in reply to: ↑ 3 ; follow-up: @jmdh 5 years ago

Firstly - is it customary on this trac instance to edit the description with commentary? Since there is no built-in attribution it might confuse other people reviewing the bug.

Replying to jane:

  1. If someone really wants to remain anonymous, they shouldn't enter their real email into any web form, regardless of whether it will be published or not, because the site owner will always have access to it and there have been plenty of cases where an unscrupulous author has published a commenter's email address.

I disagree with this assertion. Clearly there are degrees of anonymity, and providing an email address with the promise that it won't be published is different to publishing it. I agree that you cannot necessarily trust a third party site owner to renege on this promise, but the software itself should not!

  2. The site owner chooses whether to enable gravatar or not.

Yes, it's true that the site owner does have the ability to turn off gravatars, and I will be recommending this to my users as a matter of course in the absence of other fixes to this problem. However that's a shame, because it means that gravatars aren't available where the user doesn't mind being identified in that way.

This doesn't have any bearing on the basic validity of the defect, however.

  3. The theme decides whether gravatars will be shown or not.

In that case, please consider my bug report as including the default themes shipped with WordPress.

I think the scenario you outline is a case where the burden of anonymity should fall on the commenter; if they don't want their identity to be findable, they shouldn't be using their real identity to leave comments. Will some site owners kill those comments b/c they don't seem to have a real person behind them? Sure. But it's up to the site owner: WordPress puts the power in the site owner's hands. Someone unwilling to let their identity be known may have valid reasons for wanting to hide, but that edge case shouldn't be determining functionality.

Again, there are degrees of anonymity. If wordpress as a system isn't willing to even support its promise not to publish the email identity of the commenter, it should not make that promise.

"the software should be changed so that gravatars are not used for these sorts of posts" << what sorts of posts?

The sort of comments which are made by non-authenticated parties (I mistakenly used the term posts rather than comments previously).

the software should not be changed.

I hope I've managed to clarify why I disagree with this statement.

And the text that is displayed about it can be left to the theme.

In that case, please consider my bug report as including the default themes shipped with WordPress.

comment:6 follow-up: @jmdh 5 years ago

  • Type changed from feature request to defect (bug)

For the record, please note that I filed this ticket as "defect", not "feature request". trac does not make it obvious that the status was changed by a third party.

comment:7 in reply to: ↑ 6 @jmdh 5 years ago

Replying to jmdh:

For the record, please note that I filed this ticket as "defect", not "feature request". trac does not make it obvious that the status was changed by a third party.

Argh. And that I did not actually intend to revert the change, only record it.

comment:8 in reply to: ↑ 5 ; follow-ups: @Denis-de-Bernardy 5 years ago

  • Component changed from Security to Comments
  • Description modified (diff)
  • Type changed from defect (bug) to feature request

Replying to jmdh:

Firstly - is it customary on this trac instance to edit the description with commentary? Since there is no built-in attribution it might confuse other people reviewing the bug.

The close keyword should have been added instead.

Leaving this as a feature request, since nothing is technically dysfunctional.

I'm itching to close the ticket. It seems to me that highlighting the problem to the end user (a notice in the comment form, explaining that entering an email will reveal the avatar attached to it), and implementing the workaround (aka a "Show my Avatar" checkbox in the comment form), can (should) both be done in a plugin or in the theme. There's a get_avatar hook in get_avatar(), and comments can have a meta field.

comment:9 in reply to: ↑ 8 ; follow-up: @nacin 5 years ago

Replying to Denis-de-Bernardy:

Replying to jmdh:

Firstly - is it customary on this trac instance to edit the description with commentary? Since there is no built-in attribution it might confuse other people reviewing the bug.

The close keyword should have been added instead.

(If I had to guess, the line was accidentally added to the end of the description field instead of the comment field. I've done it before.)

comment:10 in reply to: ↑ 9 ; follow-up: @wpmuguru 5 years ago

Replying to nacin:

(If I had to guess, the line was accidentally added to the end of the description field instead of the comment field. I've done it before.)

I have as well.

I'm in favor of wontfix for this one. If someone is concerned about their email address being discovered, they can get a free anonymous email from any number of email services. From my perspective, the whole point of a globally recognized avatar (gravatar) is global recognition, and the gravatar.com landing and registration pages make clear that is what the service is for.

comment:11 in reply to: ↑ 10 @jmdh 5 years ago

Replying to wpmuguru:

I'm in favor of wontfix this one. If someone is concerned about their email address being discovered, they can get a free anonymous email from any number email services.

The user is not in a position to know that their identity will be leaked by the system. This is the fundamental point I am trying to make.

From my perspective, the whole point of a globally recognized avatar (gravatar) is global recognition and that the gravatar.com landing and registration pages make clear that is what the service is for.

Firstly, registering on gravatar.com should not mean that you should expect your identity to be disclosed even when the site you are talking to says that it won't.

Secondly, the user doesn't even have to have heard about gravatar.com for this problem to arise; the information disclosure occurs whether or not they have registered, via the image URL which appears next to the comment, containing the hash of their email address.
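The correlation and brute-force (dictionary) attack that the description and comment 11 describe, as an added example that is not code from the ticket or from WordPress: it builds the identifier exactly as Gravatar documents (trim, lowercase, MD5), pulls the hashes out of constructed comment markup from two sites, links a pseudonymous comment on one site to a signed comment on the other, and recovers the address from a candidate list. The `comment_li` markup, the site names, the addresses and the per-site secrets are assumptions for illustration; the `s`, `d` and `f` query parameters are Gravatar's own. The `site_scoped_hash` function at the end is a hypothetical mitigation (a keyed HMAC instead of a bare MD5), not what WordPress or the plugin mentioned later in the thread does.

```python
import hashlib
import hmac
import re
from collections import defaultdict


# Gravatar's documented normalization: trim, lowercase, MD5. This hash is what
# WordPress puts in the <img src> next to a comment whether or not the address
# is registered at gravatar.com, so the leak does not depend on signing up.
def gravatar_hash(email: str) -> str:
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 32) -> str:
    # d=mm selects the generic "mystery man" fallback when no image is registered.
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=mm"


def comment_li(email: str, name: str, body: str) -> str:
    """Constructed stand-in for the per-comment markup a default theme renders (assumption)."""
    return ('<li class="comment"><img src="' + gravatar_url(email) + '"/>'
            '<cite class="fn">' + name + '</cite><p>' + body + '</p></li>')


_COMMENT_RE = re.compile(r'<li class="comment">(.*?)</li>', re.S)
_HASH_RE = re.compile(r'gravatar\.com/avatar/([0-9a-fA-F]{32})')
_NAME_RE = re.compile(r'<cite class="fn">([^<]*)</cite>')


def comments_from_html(html: str):
    """Return (display name, avatar hash) for each comment on a rendered page."""
    found = []
    for block in _COMMENT_RE.findall(html):
        h = _HASH_RE.search(block)
        n = _NAME_RE.search(block)
        if h:
            found.append((n.group(1) if n else "", h.group(1).lower()))
    return found


def correlate(pages: dict):
    """Group (site, name) pairs by avatar hash across scraped pages: a hash seen under
    a real name anywhere unmasks every pseudonymous use of the same hash."""
    by_hash = defaultdict(list)
    for site, html in pages.items():
        for name, h in comments_from_html(html):
            by_hash[h].append((site, name))
    return {h: hits for h, hits in by_hash.items() if len(hits) > 1}


def match_candidates(hashes, candidates):
    """Dictionary attack: hash a list of known or guessed addresses and look them up."""
    table = {gravatar_hash(e): e for e in candidates}
    return {h: table[h] for h in hashes if h in table}


def site_scoped_hash(email: str, site_secret: bytes) -> str:
    """Hypothetical mitigation (not WordPress's code): an HMAC keyed with a per-site
    secret still yields one stable avatar per commenter on this site (d=identicon
    renders one from any hash) but is unlinkable across sites and cannot be
    reversed from a candidate list without the secret."""
    return hmac.new(site_secret, email.strip().lower().encode("utf-8"), "md5").hexdigest()


# Constructed sample data: no real sites, people or addresses.
REAL_EMAIL = "jane.doe@example.com"
SITE_A = (comment_li("someone.else@example.org", "Bob", "first!")
          + comment_li(REAL_EMAIL, "anon42", "an unsigned remark"))
SITE_B = comment_li(" Jane.Doe@Example.com ", "Jane Doe", "signed with the same address")


def demo():
    """Link anon42 on site-a to Jane Doe on site-b, then recover the address."""
    links = correlate({"site-a": SITE_A, "site-b": SITE_B})
    recovered = match_candidates(links, ["alice@example.com", REAL_EMAIL])
    return links, recovered


def demo_mitigated():
    """Same commenter on both sites, but each publishes a site-scoped hash: nothing correlates."""
    pages = {}
    for site, secret in (("site-a", b"secret-a"), ("site-b", b"secret-b")):
        h = site_scoped_hash(REAL_EMAIL, secret)
        pages[site] = ('<li class="comment"><img src="https://www.gravatar.com/avatar/'
                       + h + '?d=identicon&f=y"/><cite class="fn">anon</cite><p>x</p></li>')
    return correlate(pages)


if __name__ == "__main__":
    links, recovered = demo()
    for h, hits in links.items():
        print(h, "seen as", hits, "-> email:", recovered.get(h))
    print("with site-scoped hashes:", demo_mitigated())
```

Running it links the unsigned comment on the first site to the signed one on the second and, because the address is in the candidate list, prints it; the same two pages built with `site_scoped_hash` produce no correlation at all.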

comment:12 in reply to: ↑ 8 ; follow-up: @jmdh 5 years ago

Replying to Denis-de-Bernardy:

Leaving this as a feature request, since nothing is technically dysfunctional.

I'm itching to close the ticket. It seems to me that highlighting the problem to the end user (a notice in the comment form, explaining that entering an email will reveal the avatar attached to it), and implementing the workaround (aka a "Show my Avatar" checkbox in the comment form), can (should) both be done in a plugin or in the theme. There's a get_avatar hook in get_avatar(), and comments can have a meta field.

Well, I'm really very surprised that this seems to be the prevailing attitude, but this is my first serious look at WordPress so maybe I'm misjudging the sort of things that are important to the WordPress team. I don't really feel that my points are being seriously considered at all in any of the responses on this ticket. The fact that you have said nothing is technically dysfunctional, and in the next sentence refer to the problems, and (technical) workarounds (suggesting that you agree that there is a problem) is itself puzzling.

If there are any aspects of the problem that you think I haven't made clear then do point them out and I'll try and explain better.

comment:13 @ryan 5 years ago

The avenues of address are to never show gravatars, weigh down the form with privacy policy tedium and explanations of baroque things such as md5 hashes, provide some sort of gravatar opt-in in the form which would have to be stored per comment, or simply remove the "will not be published" parenthetical. All of these seem unfriendly overkill for what is a willful and deliberate leak at the source. "Mail (will not be published)" does what it says. Plain text email addresses are not published so that they cannot be scraped by spammers. Deriving other privacy assertions beyond that is highly speculative on the part of a commenter who is giving away his email address (not to mention his IP) to a third party.

comment:14 in reply to: ↑ 12 @Denis-de-Bernardy 5 years ago

Replying to jmdh:

If there are any aspects of the problem that you think I haven't made clear then do point them out and I'll try and explain better.

Imo, your points are quite clear.

It's just that, generally, functionality which is of interest to nearly all users goes in core, while the rest remains plugin material. This is to avoid feature creep in core. (There are exceptions, mind you. Matt's pet features, e.g. the capital_P_dangit() garbage or over-zealous data collection when calling home, go in regardless of what the majority of contributors think.)

Personally, I can easily picture a user changing his screen name before making a nasty comment on his favorite site, only to realize upon having posted it that his gravatar shows up because he forgot to change his email. So I do see the point in trying to prevent this. But I also think there is truth in Eric Smith's provocative comment -- anonymity is going to die.

comment:15 @nacin 4 years ago

  • Keywords close added

comment:16 @nacin 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

comment:17 @hakre 4 years ago

whatever@… works always

comment:18 @hakre 4 years ago

was: at example.com

comment:19 @SergeyBiryukov 15 months ago

#26590 was marked as a duplicate.

comment:20 follow-up: @andreasnrb 15 months ago

Given latest Disqus fallout not removing Gravatar is really a strange choice.
http://www.thelocal.se/20131212/millions-of-disqus-comments-leaked-to-swedish-group

comment:21 @andreasnrb 15 months ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Type changed from feature request to defect (bug)

comment:22 in reply to: ↑ 20 @damst 15 months ago

  • Cc mst@… added

Replying to andreasnrb:

Given latest Disqus fallout not removing Gravatar is really a strange choice.
http://www.thelocal.se/20131212/millions-of-disqus-comments-leaked-to-swedish-group

+1

comment:23 @SergeyBiryukov 15 months ago

  • Milestone set to Awaiting Review

comment:24 @andreasnrb 15 months ago

What can be accomplished using the Gravatar system is demonstrated in this video: http://www.youtube.com/watch?v=fdphoc3XUF8

comment:25 follow-ups: @keha76 15 months ago

Why not simply add an option to disable the Gravatar system?

comment:26 in reply to: ↑ 25 @knutsp 15 months ago

Replying to keha76:

Why not simply add an option to disable the Gravatar system?

There is.

comment:27 in reply to: ↑ 25 @andreasnrb 15 months ago

Replying to keha76:

Why not simply add an option to disable the Gravatar system?

Problem is it being enabled by default and the privacy downside not being disclosed by WordPress. Discussing with non-devs, they have no clue about this issue; heck, not even WP devs know about this issue to any large extent. The commenters on sites also don't know about this issue. Some WP folks have replied that users can just use a fake email if it bothers them, but such answers are completely useless since they do not solve the issue and are only available to those who know about the Gravatar issue in the first place.

Last edited 15 months ago by andreasnrb (previous) (diff)

comment:28 follow-up: @ronalfy 15 months ago

I personally think this is plugin territory. Just create a checkbox in the comment form where a user can "opt-out" of using Gravatar. Save as comment meta, then if the meta is set, just show the default avatar.

If you don't want your Gravatar shown on sites, then don't use it, or use a fake e-mail address. I don't see the point of this discussion.

comment:29 in reply to: ↑ 28 @andreasnrb 14 months ago

Replying to ronalfy:

I personally think this is plugin territory. Just create a checkbox in the comment form where a user can "opt-out" of using Gravatar. Save as comment meta, then if the meta is set, just show the default avatar.

If you don't want your Gravatar shown on sites, then don't use it, or use a fake e-mail address. I don't see the point of this discussion.

And how will people know about the issue and be informed about the plugin? Saying "plugin territory" just shows a total lack of understanding of the main issue: that the issue is not disclosed. Not to mention possible legal ramifications in various countries from including this feature and having it enabled by default.
If you don't know about the issue, how the heck can you opt out of it or inform your users? Answer that question and the discussion indeed loses its point. Assuming people do just shows a total disconnect from most users. This unfortunately seems to be the case for most WP devs giving their view on this matter.

comment:30 @Ammaletu 14 months ago

Just wanted to add that such a plugin exists: http://wordpress.org/plugins/avatar-privacy/ It's not as polished as I would like it to be, but it addresses the privacy issues raised in this ticket. I agree that it is not ideal that site owners have to actively look for such a solution to benefit from it.

comment:31 @andreasnrb 13 months ago

Torque Magazine published an excellent article concerning this matter today:
http://torquemag.io/if-you-wouldnt-say-it-in-person-would-you-say-it-online/
