[development] WordPress 2.3 Spies On Users

Angela Byron drupal-devel at webchick.net
Tue Sep 25 19:16:54 UTC 2007 

On 25-Sep-07, at 3:04 PM, Steven Peck wrote:

> On 9/25/07, Angela Byron <drupal-devel at webchick.net> wrote:
>>
>> On 25-Sep-07, at 2:00 PM, Gerhard Killesreiter wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Khalid Baheyeldin schrieb:
>>>> The drupal module in 5.x sends a subset of this (site name, URI,
>>>> IIRC).
>>>> The new update module in 6.x supersedes that, but I am not up to  
>>>> date
>>>> on the details. It includes installed modules too.
>>>>
>>>> I think the data is in the DB of drupal.org.
>>>>
>>>> Is it a big deal if the that info is sent? The highest rated
>>>> comments so far
>>>> downplay that it is an issue at all.
>>>
>>> I think the main issue (and a serious one) is that this is done
>>> without
>>> asking the user and without the possibility to switch it off without
>>> extra work. Drupal's phone home feature has always been "opt in".
>>
>> It's true that it always has been, but as of the code in HEAD right
>> now, it's (currently) not.
>>
>> a) update.module is enabled by default, making this "opt-out" rather
>> than "opt-in."
>> b) It sends off an md5 hash of the site URL and a private key
>> variable with each request, the frequency of which is determined by a
>> setting (defaults to daily). There is no personally identifiable
>> information in this md5 string, and it is used as a key for checking
>> update status.
>> c) It is possible to "opt-out" of this behaviour, but the only way is
>> to disable update.module altogether. The option in the 5.x update
>> status module was removed for the core inclusion, per Dries.
>>
>> I think due to this being a security tool, it makes complete sense
>> for this to be opt-out, rather than opt-in. Is the lack of ability to
>> prevent sending the md5 hash enough to get us in trouble with privacy
>> watchdogs? I'm not sure.
>>
>> -Angie
>>
>
> Wait.... are we talking update module that checks for updated software
> versions or the Drupal module that actively sends information on
> installed software back to d.o. ?

Update module. Drupal module hasn't changed, so there's nothing new  
there; the statistics gathering portion of it is still opt-in, and it  
still sends personally identifiable information (and lots of it).

Update module is the thing that's changed in Drupal 6, and is  
analogous to the WordPress functionality that's being so hotly  
debated in that slashdot thread.

-Angie

More information about the development mailing list