WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 3 months ago

#14682 reopened defect (bug)

Privacy leakage: gravatars leak identity information — at Version 3

Reported by: jmdh Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.0.1
Component: Comments Keywords: close
Focuses: Cc:

Description (last modified by jane)

If a commenter on a blog leaves a comment without having a log in to the site, and the "Comment author must fill out name and e-mail" preference is enabled for the blog, the author must provide an email address. The form for this says "Mail (will not be published) (required)"

It's true that the email address itself is not published, but if the site has gravatars enabled, the persistent identity of the commenter is nonetheless revealed. Together with inspection of other posts where the commenter has chosen to reveal their identity, on the same blog or other blogs, or a brute-force approach taking a known email address to find postings attributed to them (using a global search engine) this results in a complete loss of anonymity.

At the bare minimum, the user should be aware of this, so that they can choose not to comment; preferably, the software should be changed so that gravatars are not used for these sorts of posts (or made configurable, in combination with the user being made aware).

I would suggest closing as wontfix.

Change History (3)

comment:1 jmdh4 years ago

  • Cc jmdh added

comment:2 Denis-de-Bernardy4 years ago

Provocatively said Eric Smith: "Online anonymity is going to die, because governments will demand it. Get over it."

comment:3 jane4 years ago

  • Description modified (diff)
  • Type changed from defect (bug) to feature request
  1. If someone really wants to remain anonymous, they shouldn't enter their real email into any web form, regardless of whether it will be published or not, because the site owner will always have access to it and there have been plenty of cases where an unscrupulous author has published a commenter's email address.
  1. The site owner chooses whether to enable gravatar or not.
  1. The theme decides whether gravatars will be shown or not.

I think the scenario you outline is a case where the burden of anonymity should fall on the commenter; if they don't want their identity to be findable, they shouldn't be using their real identity to leave comments. Will some site owners kill those comments b/c they don't seem to have a real person behind them? Sure. But it's up to the site owner: WordPress puts the power in the site owner's hands. Someone unwilling to let their identity be known may have valid reasons for wanting to hide, but that edge case shouldn't be determining functionality.

"the software should be changed so that gravatars are not used for these sorts of posts" << what sorts of posts? the software should not be changed. And the text that is displayed about it can be left to the theme.

Note: See TracTickets for help on using tickets.