Avatars from gravatar.com are great, but they come with certain privacy implications. You as site admin may already know this, but your visitors and users probably don't. Avatar Privacy can help to improve the privacy situation by making some subtle changes to the way avatars are displayed on your site.
The plugin works without changing your theme files if you use a modern theme, and it does support (simple) multisite installations. It requires at least PHP 5.2.4 and WordPress 3.2. For the plugin to do anything for you, you need to visit the discussion settings page in the WordPress admin area and save the new settings. Please note that the plugin does not provide an options page of its own; instead, it adds to the existing discussion settings page.
The plugin's features in summary (see the following sections for longer explanations):
- Don't publish encrypted E-Mail addresses for non-members of gravatar.com.
- Let users and commenters opt in or out of using Gravatars.
- Use default avatar images hosted on your server rather than gravatar.com.
The plugin is currently available in these languages:
- English (by Ammaletu)
- German (by Ammaletu)
Contact me if you want to provide translations for other languages.
In what way are avatars a privacy risk?
To display an avatar image, you publish an MD5 hash of the E-Mail address in the gravatar's image URL. Gravatar.com then decides if there is an avatar image to deliver, otherwise the default image is delivered. The default image's address is also part of the overall gravatar image URL. Normally, both the avatar image and the default image are requested from gravatar.com servers. This process has the following problems:
- MD5 is theoretically secure, but research has shown that it is possible to guess the E-Mail address from the MD5 token in the gravatar URL: "Gravatars: why publishing your email's hash is not a good idea". So there is a chance that you make your commenters' E-Mail addresses public.
- The published avatar URL ties all comments made with the same (privately entered) E-Mail address together (publicly). The user might use different pseudonyms and web addresses with the comment, and they might even want to stay anonymous. But if the web site admin enables gravatars, even at a later point, all this user's comments can be recognized as being made by the same person. Creating such a comment profile for an E-Mail address is easiest for gravatar.com: they just have to look in their log files to see from where a particular image was requested (request header). That works for everyone, not only gravatar.com registered users. And of course, anybody else can program a bot to find occurrences of a particular avatar URL throughout the web. The commenter most likely does not know what entering an E-Mail address means, usually is not told and has no control over whether a gravatar is displayed for his address or not.
- Whenever someone visits the page, the avatar images are loaded from the gravatar.com servers into the visitor's browser. By doing so, gravatar.com gets all kinds of data, e.g. the visitor's IP address, the browser version, and the URL of the page containing the avatar images. Since gravatars are used on many websites, if the visitor visits a lot of blogs while using the same IP address, the gravatar.com log files show exactly where the person using this IP address went.
- If somebody wants to create fake comments using someone else's identity, this looks all the better with the matching gravatar image next to it. If you know the E-Mail address used for the comment, great. If not, just create a new gravatar account and upload the same picture.
How does Avatar Privacy help with these problems?
The plugin offers some measures to deal with these problems. It's not perfect or a complete solution, but some of the above points can be addressed sufficiently:
- If you want gravatars, you don't really have a choice but to publish the MD5 tokens of the E-Mail addresses. If you want to have dynamic default images like the identicons, you also don't have a choice but to publish the MD5 tokens of all users, not only the users who actually signed up with gravatar.com (because the images are generated out of the E-Mail addresses). For gravatar.com users, you could of course request the images server-side and then cache them, but in my opinion that is a bit overkill. If somebody signs up with gravatar.com, they probably know that this means their E-Mail addresses will be published in hashed form. The bad part is that this happens for everyone, even users who haven't ever heard of gravatar.com. That is an aspect that this plugin fixes with the 'Don't publish encrypted E-Mail addresses for non-members of gravatar.com' option. Why is this optional? The additional calls to gravatar.com from your server could in theory stress your server or make the page loading too slow. Please check this on a page with many comments.
- The problem of tying comments throughout the web together is addressed by the plugin in two ways: You can let commenters opt in or out of using gravatars with their E-Mail address. Additionally, you can use a local default image and display the default image directly instead of as a redirect. This way the page looks visually identical, but comments of users who didn't sign up with gravatar.com are not linked through a unique avatar image URL anymore. For users who did sign up with gravatar.com, you should display a short message to the user somewhere around the comment form.
- That gravatar.com is able to create profiles of what websites you visited is something that the plugin can't fix. Personally, I trust Automattic not to misuse this kind of data. I'm not even saying that they do create profiles, but technically they could. The profiles would be anonymous unless they are connected with other data, like a provider's data on who used a certain IP address at a certain point in time. Unfortunately, there is nothing that the plugin can really do about it, apart from complete caching solutions. This particular problem needs to be addressed by concerned visitors on their side, e.g. by using a Tor server to go online. Also, the whole modern web works this way, it's not a problem specific to gravatar.com. ;-)
- The plugin does nothing against the fake identity problem. It's questionable if any countermeasures would even be possible without changing the way that gravatar.com works. Stealing identities is always possible, you can do it with a comment form without gravatars just as well. So that's not really the focus of this plugin.
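The sketch below illustrates the first two points: the hash URL is only emitted for commenters who opted in and who are actually registered with gravatar.com, and everyone else gets a local default image. It is an added example, not Avatar Privacy's own code. All function names and the default image path are hypothetical, and the membership check relies on gravatar.com's documented `d=404` parameter.

```php
<?php
// Added illustration, not the plugin's code; all names are hypothetical.

// Gravatar's documented hash: MD5 of the trimmed, lower-cased address.
function gravatar_hash(string $email): string {
    return md5(strtolower(trim($email)));
}

// Server-side membership check: with d=404, gravatar.com answers 404 when no
// image is registered for the hash. The request is made by your server, so
// the hash never appears in the page sent to visitors.
function gravatar_exists(string $hash): bool {
    $ctx = stream_context_create(['http' => ['method' => 'HEAD', 'timeout' => 3]]);
    $headers = @get_headers("https://www.gravatar.com/avatar/$hash?d=404", false, $ctx);
    return is_array($headers) && strpos($headers[0], ' 200') !== false;
}

// Decide which image URL is written into the page. $lookup is injectable so
// it can be stubbed (as below) or replaced by gravatar_exists().
function avatar_src(string $email, bool $optedIn, callable $lookup,
                    string $localDefault, array &$cache): string {
    if (!$optedIn) {
        return $localDefault;                   // no hash published, no lookup
    }
    $hash = gravatar_hash($email);
    if (!array_key_exists($hash, $cache)) {
        $cache[$hash] = (bool) $lookup($hash);  // one outbound request per address
    }
    return $cache[$hash] ? "https://www.gravatar.com/avatar/$hash" : $localDefault;
}

// Constructed sample data: the stub treats one address as a gravatar.com member.
$member  = gravatar_hash('alice@example.com');
$stub    = function (string $hash) use ($member): bool { return $hash === $member; };
$cache   = [];
$default = '/wp-content/uploads/default-avatar.png'; // hypothetical local path

$comments = [
    ['Alice',  ' Alice@Example.com ', true],
    ['anon42', 'alice@example.com',   true],   // same address, other pseudonym
    ['Bob',    'bob@example.com',     true],   // opted in, not a member
    ['Carol',  'carol@example.com',   false],  // opted out
];
foreach ($comments as [$name, $email, $optIn]) {
    printf("%-7s %s\n", $name, avatar_src($email, $optIn, $stub, $default, $cache));
}
```

Alice and anon42 end up with the identical URL, which is the linkability described earlier. Bob and Carol both get the local default, so no hash of their addresses is published.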
The plugin is still quite new. Please use it with caution and report any problems. You can use the contact form on my code site or create a forum topic on forum.wordpress.org with the tag [avatar-privacy]. I'll see these pop up in my feed reader and hopefully will reply shortly. ;-) You can contact me in German or English.