#48108 closed defect (bug) (invalid)
Major privacy issues with Freemius-based plugins
| Reported by: | menathor | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | major | Version: | |
| Component: | Privacy | Keywords: | close |
| Focuses: | | Cc: | |
Description
Hi all,
Apologies if this isn't the right place to be posting this. I’ve discovered some major privacy issues regarding Freemius-licensed plugins. The option to “skip” (i.e. opt out of) telemetry collection / marketing, including:
* name
* email address
* a list of all other plugins and themes installed on the site
* activation and deactivation events of plugins and themes
* PHP and WP version info
* marketing messages
…is only available on the free versions of the plugins hosted on wp.org. Screenshot here: https://imgur.com/a/ycAwS4w
If a user upgrades to the pro (i.e. commercial) version of a plugin there is no way to opt out. Since the upsell and payment is done from the wp-admin dashboard by the free versions hosted here, I think this is very relevant for the community.
See this screenshot of a wp.org plugin that’s been upgraded to the “pro” version (including the list of telemetry collected and lack of opt-out options): https://imgur.com/a/Sxf81r4
Not allowing users to opt out of this is a major privacy issue with all kinds of security and GDPR implications as well. I don’t think Freemius-based plugins should be allowed in the wp.org repo until they allow all users (free and paid) to opt-out of telemetry tracking. Otherwise wp.org is enabling / endorsing this kind of business practice.
Would value your thoughts and opinions on this!
Cheers
Change History (7)
#1 @ 5 years ago
- Keywords needs-privacy-review removed
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from assigned to closed
#2 @ 5 years ago
@johnbillion Thanks for the reply. My issue is the fact that the upsell and switch to "can't opt out" (which is morally dubious and definitely not GDPR compliant) is being done by the free plugins hosted here, all from the wp-admin dashboard.
It seems odd to me that the community would be ok with that considering: https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#9-developers-and-their-plugins-must-not-do-anything-illegal-dishonest-or-morally-offensive
Jan on the forums suggested I should contact the plugins team. Would that be the best way forward? I'd like to connect with someone on the WordPress side who makes decisions re: whether something is breaching these guidelines.
Cheers
#3 @ 5 years ago
@menathor
You could write to plugins@… about this, but I'm not sure; their options for solving this may be limited.
Perhaps a more versatile approach in your case might be to create a Slack account via make.wordpress.org/chat and then join #core-privacy, where you might discuss this in a bit more detail in order to formulate a reasonable way forward with regards to this topic.
#5 @ 5 years ago
Hi @menathor,
This is Vova from Freemius. First of all, I want to highlight that we are taking privacy very seriously and follow all modern privacy & security best practices. Since this is not the place to discuss it let's move the conversation to https://www.facebook.com/groups/freemius/ or [support AT freemius DOT com] if you prefer to make it private, and I will happily explain to you why a connection to our API and the collected data are essential for the paid product, as well as why your allegation about GDPR compliance is invalid.
#6 @ 5 years ago
- Keywords close added
I don't think this is something that is really handled by WordPress or the core teams, and the best place to discuss it is with Freemius directly or with the plugins that use this; but again, talking to them directly, not here via Trac.
Thanks to @svovaf for stopping by and offering some insights. I am sure that if discussions need to continue they can do so through the contacts that he provided.
I recommend closing this ticket as it's not something I think that we handle here in our project. Use of freemius in all themes and plugins hosted here on wordpress.org complies with various guidelines we have.
#7 @ 5 years ago
Thanks for raising the discussion, @menathor; a resolution can be pursued with Freemius (thanks for chiming in, @svovaf).
If you have further concerns or want to discuss privacy and GDPR implications you're always welcome to come join us in office hours. We have them every Wednesday (today too) at 19:00 UTC in #core-privacy on Slack.
Thanks for your report, @menathor, but this isn't the correct place. Please report this directly to the authors of the Freemius framework.