Hypocrisy of the plugin hosting terms (25 posts)

  1. Callum Macdonald
    Member
    Posted 1 year ago #

    Having just read the plugin hosting guidelines, I couldn't help but balk at the blatant hypocrisy of the terms.

    No phoning home without explicit consent. WordPress phones home without any consent, without even an option to disable it (short of using a plugin).

    No "powered by" links, yet these exist in the WordPress default theme without even a filter to disable the link.

    I support both of those ideals, in plugins AND in WordPress itself. Consider this in the "criticism" category.

    Let me finish by saying WordPress is, on the whole, great software. It's a shame that it's let down at the edges by the likes of this.

  2. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    The link in the default theme can be removed.

  3. Callum Macdonald
    Member
    Posted 1 year ago #

    As I read the code, there is no option, no filter, or no other mechanism to remove the footer. @esmi: Would you care to be any more specific?

    Obviously, it's possible to remove the footer with a sub-theme, a different theme, or indeed by WordPress, it is GPL after all. But to the "average" user, without editing code, installing a theme or plugin, I know of no way to remove the credit. Have I missed something?

  4. Themes are not plugins. Themes are permitted to have a phone-home link like that, plugins are not. :) The reason being is that you only have one theme at a time, but you may have a hundred plugins. Having all of those show powered by is (a) ugly and (b) spamariffic.

    No phoning home without explicit consent. WordPress phones home without any consent, without even an option to disable it (short of using a plugin).

    WP phones home to provide upgrade notifications, it's a feature, and while it could be more explicitly explained, that's all it is.

    The 'no phone home' in plugins is because we don't want them to collect your personal information without your consent. WP just checks to make sure you can upgrade, plugins have been known to do this to spam you, sell your data, etc etc. We actually do allow a phone home, but it's all opt-in.

  5. Callum Macdonald
    Member
    Posted 1 year ago #

    The plugin Ts&Cs don't say "no capturing of personal information", they say no phoning home. Which is precisely what WP does, although we're told that WordPress doesn't store our details. Nonetheless, it does include a uniquely identifiable string, so WP.org can count how many installations are out there.

    To say "it's a feature", that's all it is, doesn't change anything. Some companies describe DRM as a feature, while others describe it as a cancer.

    In my opinion, the pertinent point is that WordPress phones home, without permission or consent, and uniquely identifies each installation when it does so. Yet plugins are explicitly forbidden from doing the same.

  6. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Yet plugins are explicitly forbidden from doing the same.

    Correct but, as explained previously, this is for the protection of users.

    Why exactly is this a problem for you? Have you had a plugin rejected because it was phoning home?

  7. Callum Macdonald
    Member
    Posted 1 year ago #

    You say "this is for the protection of users" like that was somehow related. It sounds like those signs: "You are under surveillance for your protection!"

    I think WordPress should hold itself to the same standard to which plugins are held. I think the "Powered by" link should be at least filterable in the default theme, and preferably disabled with an option. I also think the phoning home should be opt-in, as is required for plugins.

  8. You're hitting multiple separate topics here, though you don't seem to realize it.

    1) Themes and Plugins do not phone home. Period. None of them do. A 'powered by' link is not a phone home, per se, it's a link. I should have been more clear. My bad. ETA: Exception. If a plugin is acting as a service, it's permitted to phone home to provide the aforementioned service.

    2) Themes are permitted to have one public facing 'Powered by' link. Plugins are not unless you opt-in.

    3) WordPress core does transmit data back to home, but that's in order to y'know, let you upgrade themes, plugins, and core, from within core.

    So as you see, there are three separate points here. If you're complaining about the third, I shall quote Otto from 2 years ago:

    The WordPress version is included in case the response format changes, so it can send back the right responses to the right WP versions.

    The locale you are using is sent to send the correct language data back.

    The versions of PHP and mysql you are using are used to create aggregate data information about how many installs use PHP5, etc. For example, they've said that about 11% of users still use PHP4. This info tells the developers which versions of the software they need to support in the future.

    The blog url is a unique identifier for each site, so that the statistical information can be correct. Otherwise you wouldn't be able to get accurate percentages, since some sites might check more often than others.

    All the plugin information is sent so the server can determine which plugins you have that have updates available for them. Sending just plugin name and version number is not enough, the plugin name and version and description and such can all change, there's no unique identifier. So the update server uses a fuzzy match method, to try to figure out what plugins you're asking about compared with the plugins it knows about. Ditto themes.

    All this data is covered under the Privacy Policy.

    No hypocrisy going on. There's a lot of information going on, and it's easy to miss one thing in the mix, but really, we're not contradicting here :)

  9. Callum Macdonald
    Member
    Posted 1 year ago #

    I feel like we're somewhat going round in circles.

    Yes, WordPress phones home, it does so without permission, without an opt-out, and it includes the site url. Plugins are forbidden from doing the same. That's fairly simple, and it's fairly obviously a hypocrisy.

  10. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    WordPress phones home because it needs to. Plugins are forbidden from doing so because they don't need to.

  11. Yes, WordPress phones home, it does so without permission, without an opt-out,

    That is correct, however it's not hypocritical (from our end) because this is disclosed in the privacy policy, and this is actually what we do permit plugins to do! It's called acting as a service, and as long as it's disclosed clearly (see privacy policy), it's permitted. Plugins have to put it in the readme, is all.

    Examples? Akismet, Disqus, IntenseDebate, Google Analytics plugins, Twitter plugins...

    and it includes the site url.

    Incorrect. The THEME does this. Not WordPress. I know what you're saying, and I know it sounds like I'm splitting hairs, but you're just getting this part wrong. And themes are permitted to do this. Plugins are not. Not hypocritical at all. All themes are governed by this one rule.

    Plugins (and themes) are 100% permitted to put links back to their sites on the admin dashboard, by the way, just as WP does. :) We just ask they not do so in a spammy way, and only on pages where their plugin is in use.

  12. Callum Macdonald
    Member
    Posted 1 year ago #

    Ok, I take your point on the themes. You're right, if other themes are allowed the same, fair enough.

    If you're saying that my plugin can include a privacy section in the readme and then phone home, that's the same as WordPress. That is not how I read the Ts&Cs though. Is that how you understood it? My understanding was that a specific opt-in was required.

    @esmi: Your point about WordPress needing to and plugins not is patently wrong. There's any number of situations where a plugin needs to phone home. WordPress only needs to phone home IF I want update notifications (which personally, I don't).

  13. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    There's any number of situations where a plugin needs to phone home.

    And, as explained above, this is allowed providing it is clearly disclosed & justified. But doing so silently isn't.

  14. If you're saying that my plugin can include a privacy section in the readme and then phone home, that's the same as WordPress. That is not how I read the Ts&Cs though. Is that how you understood it? My understanding was that a specific opt-in was required.

    If you're providing a service, it's permitted. I'm beating that dead horse cause it matters ;)

    If you just want to phone home to collect stats on who's installing your plugin, no. But if you want people to connect to your server to generate content (like a weather app), then yeah. WP is providing you the upgrade service.

  15. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    I think the key term here is "justified". You'd effectively need to persuade the plugin review team that you really do have a very good reason for phoning home. For example, there are plugins that allow user sites to connect to a 3rd party service. That's a justifiable reason because no "phone home" == "no service".

  16. Callum Macdonald
    Member
    Posted 1 year ago #

    It seems like these are the relevant sections:

    No "phoning home" without user's informed consent. This seemingly simple rule actually covers several different aspects:

    If the plugin does require that data is loaded from an external site (such as blocklists) this should be made clear in the plugin's admin screens or description. The point is that the user must be informed of what information is being sent where.

    As I read these, WordPress does not meet the same requirement. I can't find a privacy policy anywhere as part of a WordPress installation. Further, as I read this privacy policy, it makes only passing mention of WordPress phoning home for updates:

    For instance, WordPress.org may reveal how many downloads a particular version got, or say which plugins are most popular based on checks from api.wordpress.org, a web service used by WordPress installations to check for new versions of WordPress and plugins.

    So back to my original point (I do concede that I was mistaken on themes), WordPress phones home, collects personally identifiable information, and does not disclose that to users or provide any kind of opt-out, never mind opt-in.

    I do understand that WP / Automattic feel like the update service "creates value" for users, and I accept that for the greatest majority of users it does. However, it's 100% possible to provide exactly the same service without collecting personally identifiable data. The site url is only included because it helps WP to gather better statistics, it serves absolutely no purpose to the user.

  17. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Why exactly is this a problem for you? Have you had a plugin rejected because it was phoning home?

  18. Callum Macdonald
    Member
    Posted 1 year ago #

    @esmi: Is that relevant to the discussion? To answer your question, no, I haven't had a plugin rejected.

  19. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    I think it is. I'm trying to understand why you have such a problem with this.

    WordPress does not hide the fact that it phones home any more than any other piece of software or OS that checks for updates (do Apple provide a route to allow users to stop its various OS from phoning home yet?). Collection of IP addresses is covered extensively in http://wordpress.org/about/privacy/. Even the collation of statistics is covered:

    [...]For instance, WordPress.org may reveal how many downloads a particular version got, or say which plugins are most popular based on checks from api.wordpress.org, a web service used by WordPress installations to check for new versions of WordPress and plugins.

    IP addresses are needed to stop less scrupulous plugin/theme developers from gaming the system - a system that is then used to provide valuable information to users looking for themes and/or plugins. Do you also disallow pinging from your site? That sends out URLs. Ditto if you allow update notices to pingomatic.com. Once you have a URL, it's a 10 second job to locate the IP address of the site. So what additional sensitive information is really being disclosed here? None that I can see.

    There's really nothing underhand going on and everything is being done as transparently as possible. You can even turn the phone home off if you want:

    http://wordpress.org/extend/plugins/disable-wordpress-updates/

    Maybe, instead of shouting about hypocrisy, you could offer some practical suggestions as to how the phone home - or the privacy policy - could be improved?

  20. The only reason that plugins have to have it in the readme, is that is the only way they can edit the forward facing part of their plugin display (I.e. we don't let them edit .org pages). WP core uses the normal privacy page. That IS disclosure.

    As for not permitting you to opt out, you can use a plugin, though you are correct, WP doesn't let you easily do it, it's not an option, and it's not a requirement that they do so. Any plugin that provides a service doesn't have to let you opt out, because to opt out means to not use the service. Google Analytics phones home, no opt out, and that's okay :) you opted in by choosing to use it. Ditto WP's phone home. It's documented, people just tend to gloss over it.

    At any rate, the rules for plugins are different than themes, and both are different from core for a reason. Core is controlled. Plugins and themes are anyone's game. If you don't trust .org with your data, you won't be using WP, most likely.

  21. Callum Macdonald
    Member
    Posted 1 year ago #

    @esmi: Nowhere on the privacy page does it tell me that by installing WordPress, it is going to phone home. It makes only passing reference to "a web service used by WordPress installations to check for new versions of WordPress and plugins."

    I offered practical suggestions about how the phone home could be improved at the time, when it was being introduced. Now, years later, when I discover that WordPress is yet again holding itself to a different standard, I choose to bring it to people's attention. (Let's not get into how much of WP.com is not GPL, despite Matt's campaign that all plugins / themes need be GPL!)

    @Ipstenu: Strictly speaking, it's not possible to opt out 100% with a plugin, because in order to activate the plugin, one needs to log into the admin, by which time, WP has already phoned home once. :-(

    You mention that the phoning home behaviour is documented. May I ask which documentation you're thinking of? I'm guessing it's covered somewhere on the codex, but I wasn't aware that users were made aware of this behaviour anywhere during the download / install process. Perhaps I'm mistaken.

  22. I'm on my iPad traveling right now so I can pull up the link I keep handy, but I will mention this at the upcoming summit. That WP phones home for updates should be more clearly noted.

    That said, in all likelihood it would be this ..

    "By installing and activating WordPress, you agree to send pertinent data back to our servers. In order to use WordPress's built in features, it will occasionally transmit data back to the WordPress.org servers via our secure API, in order to determine if there are available upgrades to WordPress, its themes or plugins. Our privacy guidelines regarding your personal information can be found at [Link to http://wordpress.org/about/privacy/ ]."

    And you could opt out pre install by using an mu-plugin, but then again, opt out is always after the fact. See Apple and their ad policy :/

  23. Callum Macdonald
    Member
    Posted 1 year ago #

    @ipstenu: I think it's one of these things that only a small minority care about. I think that WordPress holds itself to a higher standard than most, which is a wonderful thing. So anything we can do to further that is a step forward.

    Your proposed paragraph sounds like a positive step forward. It's not an all out opt-in, but I'd say it's definitely better than at present. :-)

  24. Minority or not, I feel you're right that it could be better stated!

    FWIW, part of today we went over the .org pages and that they need work :) Some ideas in the works.

  25. Callum Macdonald
    Member
    Posted 1 year ago #

    @Ipstenu: Awesome, glad to hear something positive has come out of the discussion. I look forward to checking out the changes.

    In fairness to WordPress and Automattic in general, the few times I've flagged up inconsistencies have generally been met with a positive response and on occasion, positive change. There were still big parts of the code running wp.com / other WP sites that weren't GPL last I checked, but I dare say it's a work in progress... :-)

Topic Closed

This topic has been closed to new replies.
