Make WordPress Core

Opened 3 months ago

Last modified 3 weeks ago

#40794 assigned enhancement

WordPress needs a privacy policy

Reported by: johnbillion
Owned by: pento
Milestone: 4.9
Priority: normal
Severity: normal
Version:
Component: Help/About
Keywords: has-patch i18n-change
Focuses:
Cc:

Description

It's been many years since an installation of WordPress operated in isolation. The software sends data to various endpoints on api.wordpress.org, most visibly for update checks, but also for fetching translations, checking browser compatibility, and (since 4.8) determining the user's location and fetching nearby WordPress events.

WordPress needs a privacy policy which covers data that gets sent to wordpress.org. The wordpress.org website has a privacy policy, and it may be sufficient to link to this, or it may be required to extend this with information specifically regarding the data that installations of WordPress send to api.wordpress.org. I recommend the addition of a new Privacy tab on the About WordPress screen.

It's worth noting that the pending EU GDPR affects everyone because it covers the export of data outside of the EU.

Adding to the 4.8 milestone as the WordPress Events and News dashboard widget is a particularly visible example of data collection in WordPress.

Related: Long-running discussion on #16778.
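The description lists the api.wordpress.org endpoints that a site talks to, but a site owner deciding what a privacy notice must disclose usually wants to see the actual fields leaving the server. The following is an added example, not code from the ticket or from WordPress core: a small PHP helper that reduces an outbound WP_Http request to its endpoint, method and field names (values are deliberately not logged), registered on WordPress's real `http_api_debug` action, which fires after every request with the arguments ($response, $context, $class, $args, $url). The helper name `wporg_request_summary`, the sample request and the endpoint parameters in it are constructed for illustration; the block runs stand-alone on PHP 7.0+ without WordPress and, when loaded inside WordPress (for example as an mu-plugin), writes the summaries to the PHP error log.

```php
<?php
// Added example (not WordPress core code): summarise what an outbound
// WP_Http request to api.wordpress.org contains, so a site owner can see
// which fields leave the server. The hook name and argument order are
// WordPress's own `http_api_debug` action; the helper below and the
// sample request at the bottom are assumptions made for illustration.

/**
 * Reduce a WP_Http request into a loggable summary: host, path, method,
 * the User-Agent, and the NAMES (not the values) of query and body fields.
 * Returns null for requests that are not bound for api.wordpress.org.
 */
function wporg_request_summary( array $args, $url ) {
    $parts = parse_url( (string) $url );
    if ( empty( $parts['host'] ) ) {
        return null;
    }
    $host = strtolower( $parts['host'] );
    if ( 'api.wordpress.org' !== $host && '.api.wordpress.org' !== substr( $host, -18 ) ) {
        return null;
    }

    $query = array();
    if ( ! empty( $parts['query'] ) ) {
        parse_str( $parts['query'], $query );
    }

    // WP_Http accepts the body either as an array or as an encoded string.
    $body_fields = array();
    if ( isset( $args['body'] ) ) {
        if ( is_array( $args['body'] ) ) {
            $body_fields = array_keys( $args['body'] );
        } elseif ( is_string( $args['body'] ) ) {
            parse_str( $args['body'], $decoded );
            $body_fields = array_keys( $decoded );
        }
    }

    return array(
        'host'       => $host,
        'path'       => isset( $parts['path'] ) ? $parts['path'] : '/',
        'method'     => strtoupper( isset( $args['method'] ) ? $args['method'] : 'GET' ),
        'query_keys' => array_keys( $query ),
        'body_keys'  => $body_fields,
        'user_agent' => isset( $args['user-agent'] ) ? $args['user-agent'] : '',
    );
}

// Inside WordPress: log a summary of every call that reaches api.wordpress.org.
if ( function_exists( 'add_action' ) ) {
    add_action( 'http_api_debug', function ( $response, $context, $class, $args, $url ) {
        $summary = wporg_request_summary( (array) $args, $url );
        if ( null !== $summary ) {
            error_log( 'api.wordpress.org call: ' . wp_json_encode( $summary ) );
        }
    }, 10, 5 );
}

// Stand-alone demonstration with a CONSTRUCTED request (not a real capture):
// the shape approximates an update check, but the parameters are illustrative.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $sample_args = array(
        'method'     => 'POST',
        'user-agent' => 'WordPress/4.8; https://example.test',
        'body'       => array( 'translations' => '[]' ),
    );
    $sample_url = 'https://api.wordpress.org/core/version-check/1.7/?version=4.8&php=7.0&locale=en_US';
    print_r( wporg_request_summary( $sample_args, $sample_url ) );
}
```

One field worth noticing in the output is the User-Agent: WordPress's default is "WordPress/<version>; <site URL>", so the site's own URL accompanies every request, and it is controlled by the `http_headers_useragent` filter. Only field names are logged here because the values (plugin lists, counts, the client IP discussed later in this ticket) are exactly the data a log should not duplicate.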

Attachments (5)

privacy.diff (3.9 KB) - added by swissspidy 3 months ago.
Early patch for the about page as an inspiration
40794.2.diff (3.6 KB) - added by jnylen0 4 weeks ago.
Patch suitable for 4.8.1 (no new file)
40794.3.diff (3.7 KB) - added by jnylen0 4 weeks ago.
Minor string update
40794.3.trunk.diff (3.9 KB) - added by jnylen0 4 weeks ago.
40794.4.diff (3.6 KB) - added by jnylen0 4 weeks ago.
Remove TODO comment - no longer necessary now that we are using a separate patch for trunk / 4.9.


Change History (38)

@swissspidy
3 months ago

Early patch for the about page as an inspiration

#1 @swissspidy
3 months ago

Also related in terms of data collection: #38418

Too bad previous efforts for such a privacy policy on the about screen were kinda ignored (see https://make.wordpress.org/core/2017/02/24/dev-chat-summary-february-22nd-4-7-3-week-4/). @mattyrob and I even shared mockups and a patch there. Attaching this patch now here for further discussion.

#2 @SergeyBiryukov
3 months ago

  • Component changed from General to Help/About

This ticket was mentioned in Slack in #core by jeffpaul.
3 months ago

#4 @jbpaul17
3 months ago

  • Milestone changed from 4.8 to 4.8.1

Punting to 4.8.1 per discussion in today's 4.8 rc1 bug scrub in #core.

#5 follow-up: @netweb
3 months ago

If WordPress 4.8 is going to ship with a new data collection feature I think it should include a privacy policy in 4.8, not 4.8.1, privacy should not be considered an afterthought by the project, it should be front and centre IMHO.

#6 in reply to: ↑ 5 @mikeschroder
3 months ago

Replying to netweb:

If WordPress 4.8 is going to ship with a new data collection feature I think it should include a privacy policy in 4.8, not 4.8.1, privacy should not be considered an afterthought by the project, it should be front and centre IMHO.

Agreed.

This ticket was mentioned in Slack in #core by iandunn.
3 months ago

This ticket was mentioned in Slack in #core by jeffpaul.
5 weeks ago

This ticket was mentioned in Slack in #core by jeffpaul.
4 weeks ago

#11 @netweb
4 weeks ago

Here's the privacy.diff in action with /trunk, I'm all for the approach taken here in adding a new tab here:

  • https://cldup.com/F0rskG2Kxc.png

Looking at the current WordPress.org policy https://wordpress.org/about/privacy/ it explicitly mentions WordPress.org throughout the document, changing these references to WordPress and WordPress.org where applicable would be a good start to then cover both WordPress and WordPress.org.

#12 @Clorith
4 weeks ago

I like this addition, simple to understand. I also don't think we need to change the policy page on WordPress.org, as the patch mentions that's where we are transferring data, so anything covering .org would be covered by the data we transmit.

This ticket was mentioned in Slack in #core by jeffpaul.
4 weeks ago

@jnylen0
4 weeks ago

Patch suitable for 4.8.1 (no new file)

#14 @jnylen0
4 weeks ago

  • Keywords has-patch added; needs-patch removed
  • Owner set to jnylen0
  • Status changed from new to assigned

This is long overdue. Let's do it in 4.8.1.

The attached patch moves the privacy text to freedoms.php temporarily because we can't add a new file in a minor release.

I'd like to see a blurb about the events widget too, but I think this is a good start.

#15 @Clorith
4 weeks ago

Looks good, but I'd suggest a slight string change:

Your WordPress site may send anonymous data including the list of installed plugins and themes to WordPress.org when requesting updates.

Let's make this a bit more "vague" if you will, so that we're not painting ourselves into a corner:

Your WordPress site may send anonymous data including, but not limited to, the list of installed plugins and themes to WordPress.org when requesting updates.

@jnylen0
4 weeks ago

Minor string update

#16 @jnylen0
4 weeks ago

@Clorith done in 40794.3.diff.

The events widget collects and sends a "network ID" value based on the IP address. In order to write the privacy text about this value, we need to know what the WP.org servers do with it. So it looks like we should just go with 40794.3.diff for the upcoming 4.8.1 beta release.

Last edited 4 weeks ago by jnylen0

#17 @swissspidy
4 weeks ago

By the way, MattyRob should get props for privacy.diff as well. The patch came together after his initial patch/idea.

#18 @jnylen0
4 weeks ago

  • Keywords commit added

Per Slack discussion, added a separate patch for trunk:

The trunk patch is very similar to privacy.diff but with the string change from @Clorith and the cleanup of a couple of things that were copied over from the Credits page.

Regarding svn and the merge of these two patches:

westonruter [11:13 PM]
For the Custom HTML widget I committed the separate file in trunk. And then for the 4.8 branch I did svn merge as normal, but before committing, I removed the newly added file and amended it on the existing file. In that way, the merge info is retained.

Last edited 4 weeks ago by jnylen0

#19 @jnylen0
4 weeks ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 41096:

About page: Add a privacy policy.

Props MattyRob, johnbillion, swissspidy.
Fixes #40794.

#20 @jnylen0
4 weeks ago

  • Keywords fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening to get 40794.4.diff (DIFFERENT from the above commit) landed in 4.8.1.

Last edited 4 weeks ago by jnylen0

@jnylen0
4 weeks ago

Remove TODO comment - no longer necessary now that we are using a separate patch for trunk / 4.9.

#21 @netweb
4 weeks ago

  • Keywords i18n-change added

#22 @iandunn
4 weeks ago

The most important thing to be transparent about regarding the Events Widget is the partially anonymized _client_ IP address. Usually API calls only expose the _server_ address, but this one needs to send the client so that we can geolocate their IP to get their location.

The IP is anonymized to the netblock, e.g., 50.60.70.80 becomes 50.60.70.0. That’s typically accurate enough for geolocation, but removes the ability to identify the specific user.

There are also a few other things that the Events Widget sends to api.w.org, but they might not be sensitive enough to be worth mentioning:

  • the locale for their WP user account (or site locale if user locale isn’t set)
  • the timezone from their browser (not the site timezone)
  • the value they typed in to the City field, if they chose to override the geolocated location

Core also exposes the client IP of logged-in users and front-end visitors to external sites in several situations. In those cases, it is not partially anonymized, so the specific device could be identified.

  • Requesting images/videos/etc from the w.org CDN (like wp-admin/about.php)
  • Requesting images from Gravatar (owned by Automattic) in wp-admin and on the front-end (via the default themes).
  • Requesting images from Google Fonts on the front-end (via the default themes)
  • Maybe a few others I missed

Here's a rough draft at some user-oriented language:

Your WordPress site may expose your computer's IP address, and the IP addresses of your visitors, to external websites. This happens when WordPress needs to download images, fonts, and other assets used within the Administration Panels and when browsing your site. To learn more, you can read the privacy policies for WordPress.org, Gravatar, and Google Fonts.

Your site may also send your IP address to WordPress.org, in order to determine your approximate location, so that you can be shown upcoming WordPress events in your area. WordPress.org does not use your IP address for any other purpose, and does not store it permanently.

Since the CDN requests expose the full IP, I don't think it's worth burdening the user with information about the partial anonymizing that the Events Widget does.

We should probably also add something about Akismet, like:

If you choose to enable the Akismet plugin to block spam, your WordPress site will also send data to Akismet's API, in order to determine if the comment should be blocked. The data may include the text of the comment, and metadata about the commenter, including their IP address, name, and email address. For more details, see Akismet's privacy policy.

If you choose to install any plugins or themes that are not bundled with WordPress, they may also send additional data to external services. You can learn more by reading their respective privacy policies.
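Comment 22 above describes the Events Widget masking the client address to its netblock (50.60.70.80 becomes 50.60.70.0) before it is sent. The following is an added example, not WordPress's own events code, showing that masking as a self-contained PHP function. The IPv4 behaviour matches the comment (last octet zeroed, i.e. a /24); the IPv6 handling is this example's assumption, keeping the top 64 bits and zeroing the rest, with IPv4-mapped addresses (::ffff:a.b.c.d) masked like plain IPv4 so the two families are treated consistently. Anything that is not a single valid address, including a raw X-Forwarded-For list, yields an empty string rather than passing through unmasked. The function name `anonymize_client_ip` and the test addresses are constructed for illustration.

```php
<?php
// Added example (not WordPress core code): mask a client IP address to its
// netblock before it is transmitted. IPv4 -> /24 as described in comment 22;
// IPv6 -> /64 and IPv4-mapped IPv6 -> low byte zeroed are assumptions made
// here. Invalid input (including "a.b.c.d, e.f.g.h" proxy lists) yields ''.

function anonymize_client_ip( $ip ) {
    $ip = trim( (string) $ip );

    // IPv4: keep the first three octets, zero the host octet.
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets    = explode( '.', $ip );
        $octets[3] = '0';
        return implode( '.', $octets );
    }

    // IPv6: work on the packed 16-byte form so compressed notation is handled.
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        $packed = inet_pton( $ip );
        if ( false === $packed || 16 !== strlen( $packed ) ) {
            return '';
        }
        $mapped_prefix = str_repeat( "\0", 10 ) . "\xff\xff";
        if ( substr( $packed, 0, 12 ) === $mapped_prefix ) {
            // ::ffff:a.b.c.d embeds an IPv4 address in the low 32 bits;
            // zero only its last byte, mirroring the IPv4 branch.
            $packed = substr( $packed, 0, 15 ) . "\0";
        } else {
            // Keep the 64-bit network prefix, zero the interface identifier.
            $packed = substr( $packed, 0, 8 ) . str_repeat( "\0", 8 );
        }
        return inet_ntop( $packed );
    }

    // Not a single valid address: refuse rather than leak it unmasked.
    return '';
}

// Self-check with CONSTRUCTED addresses (no real client data).
$cases = array(
    '50.60.70.80'                  => '50.60.70.0',
    '2001:db8:85a3::8a2e:370:7334' => '2001:db8:85a3::',
    'not an ip'                    => '',
    '50.60.70.80, 10.0.0.1'        => '',
);
foreach ( $cases as $input => $expected ) {
    $actual = anonymize_client_ip( $input );
    printf( "%-32s -> %-20s %s\n", $input, $actual, $actual === $expected ? 'ok' : 'MISMATCH' );
}
```

The last test case is the one to keep in mind when wiring this up: proxy headers such as X-Forwarded-For carry comma-separated lists and are client-controlled, so the caller has to pick a single trusted address before masking it, or the masking step silently becomes a no-op on garbage input.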

This ticket was mentioned in Slack in #core by iandunn.
4 weeks ago

#24 @coreymckrill
4 weeks ago

Could also mention the Community Events Privacy plugin, which specifically prevents the Events Widget from sending the user's IP address:

https://wordpress.org/plugins/community-events-privacy/

#25 @pento
4 weeks ago

  • Keywords commit fixed-major removed
  • Owner changed from jnylen0 to pento
  • Status changed from reopened to assigned

The language used here needs to be reviewed by the Foundation before it can be released.

#26 follow-ups: @swissspidy
4 weeks ago

@iandunn IMHO there should be a filter the Akismet plugin would leverage. It‘s not a part of core after all.

#27 in reply to: ↑ 26 @iandunn
4 weeks ago

Replying to swissspidy:

@iandunn IMHO there should be a filter the Akismet plugin would leverage. It‘s not a part of core after all.

I don't have any objection to that. I just included it here because being bundled means that the majority of users won't realize the distinction.

This ticket was mentioned in Slack in #core by jeffpaul.
4 weeks ago

#29 follow-up: @jbpaul17
4 weeks ago

  • Milestone changed from 4.8.1 to 4.9

Punting to 4.9 per today's bug scrub to give the Foundation time to confirm appropriate language for this.

@pento who can help shepherd this with the Foundation so that we get confirmed language to include this in 4.9?

#30 in reply to: ↑ 26 @mikeschroder
4 weeks ago

Replying to swissspidy:

@iandunn IMHO there should be a filter the Akismet plugin would leverage. It‘s not a part of core after all.

I love the idea of a filter here for plugins to add their privacy policy information to.

#31 in reply to: ↑ 29 @pento
4 weeks ago

Replying to jbpaul17:

@pento who can help shepherd this with the Foundation so that we get confirmed language to include this in 4.9?

I'm on it, chatting to folks now. :-)

#32 @jnylen0
3 weeks ago

I think adding a filter for plugins is a bit overkill, especially for the first version we ship. It also re-introduces the same issue that caused this to be punted to 4.9, where un-vetted language would be appearing on this page.

A simpler alternative would be to include some phrasing like "Third-party plugins installed on this WordPress site may also collect and send data, subject to [reference to some rules for plugins]. Refer to the privacy policies of the individual plugins for more information."

This ticket was mentioned in Slack in #meta by clorith.
3 weeks ago
