Hypocrisy of the plugin hosting terms

  • Having just read the plugin hosting guidelines, I couldn’t help but balk at the blatant hypocrisy of the terms.

    No phoning home without explicit consent. WordPress phones home without any consent, without even an option to disable it (short of using a plugin).

    No “powered by” links, yet these exist in the WordPress default theme without even a filter to disable the link.

    I support both of those ideals, in plugins AND in WordPress itself. Consider this in the “criticism” category.

    Let me finish by saying WordPress is, on the whole, great software. It’s a shame that it’s let down at the edges by the likes of this.

Viewing 15 replies - 1 through 15 (of 24 total)
  • esmi

    (@esmi)

    Forum Moderator

    The link in the default theme can be removed.

    As I read the code, there is no option, no filter, or no other mechanism to remove the footer. @esmi: Would you care to be any more specific?

    Obviously, it’s possible to remove the footer with a sub-theme, a different theme, or indeed by WordPress, it is GPL after all. But to the “average” user, without editing code, installing a theme or plugin, I know of no way to remove the credit. Have I missed something?

    Themes are not plugins. Themes are permitted to have a phone-home link like that, plugins are not. 🙂 The reason being is that you only have one theme at a time, but you may have a hundred plugins. Having all of those show powered by is (a) ugly and (b) spamariffic.

    No phoning home without explicit consent. WordPress phones home without any consent, without even an option to disable it (short of using a plugin).

    WP phones home to provide upgrade notifications, it’s a feature, and while it could be more explicitly explained, that’s all it is.

    The ‘no phone home’ in plugins is because we don’t want them to collect your personal information without your consent. WP just checks to make sure you can upgrade, plugins have been known to do this to spam you, sell your data, etc etc. We actually do allow a phone home, but it’s all opt-in.

    The plugin Ts&Cs don’t say “no capturing of personal information”, they say no phoning home. Which is precisely what WP does, although we’re told that WordPress doesn’t store our details. Nonetheless, it does include a uniquely identifiable string, so WP.org can count how many installations are out there.

    To say “it’s a feature”, that’s all it is, doesn’t change anything. Some companies describe DRM as a feature, while others describe it as a cancer.

    In my opinion, the pertinent point is that WordPress phones home, without permission or consent, and uniquely identifies each installation when it does so. Yet plugins are explicitly forbidden from doing the same.

    esmi

    (@esmi)

    Forum Moderator

    Yet plugins are explicitly forbidden from doing the same.

    Correct but, as explained previously, this is for the protection of users.

    Why exactly is this a problem for you? Have you had a plugin rejected because it was phoning home?

    You say “this is for the protection of users” like that was somehow related. It sounds like those signs “You are under surveillance for your protection!”

    I think WordPress should hold itself to the same standard to which plugins are held. I think the “Powered by” link should be at least filterable in the default theme, and preferably disabled with an option. I also think the phoning home should be opt-in, as is required for plugins.

    You’re hitting multiple separate topics here, though you don’t seem to realize it.

    1) Themes and Plugins do not phone home. Period. None of them do. A ‘powered by’ link is not a phone home, per se, it’s a link. I should have been more clear. My bad. ETA: Exception. If a plugin is acting as a service, it’s permitted to phone home to provide the aforementioned service.

    2) Themes are permitted to have one public facing ‘Powered by’ link. Plugins are not unless you opt-in.

    3) WordPress core does transmit data back to home, but that’s in order to y’know, let you upgrade themes, plugins, and core, from within core.

    So as you see, there are three separate points here. If you’re complaining about the third, I shall quote Otto from 2 years ago:

    The WordPress version is included in case the response format changes, so it can send back the right responses to the right WP versions.

    The locale you are using is sent to send the correct language data back.

    The versions of PHP and mysql you are using are used to create aggregate data information about how many installs use PHP5, etc. For example, they’ve said that about 11% of users still use PHP4. This info tells the developers which versions of the software they need to support in the future.

    The blog url is a unique identifier for each site, so that the statistical information can be correct. Otherwise you wouldn’t be able to get accurate percentages, since some sites might check more often than others.

    All the plugin information is sent so the server can determine which plugins you have that have updates available for them. Sending just plugin name and version number is not enough, the plugin name and version and description and such can all change, there’s no unique identifier. So the update server uses a fuzzy match method, to try to figure out what plugins you’re asking about compared with the plugins it knows about. Ditto themes.

    All this data is covered under the Privacy Policy.

    No hypocrisy going on. There’s a lot of information going on, and it’s easy to miss one thing in the mix, but really, we’re not contradicting here 🙂

    I feel like we’re somewhat going round in circles.

    Yes, WordPress phones home, it does so without permission, without an opt-out, and it includes the site url. Plugins are forbidden from doing the same. That’s fairly simple, and it’s fairly obviously a hypocrisy.

    esmi

    (@esmi)

    Forum Moderator

    WordPress phones home because it needs to. Plugins are forbidden from doing so because they don’t need to.

    Yes, WordPress phones home, it does so without permission, without an opt-out,

    That is correct, however it’s not hypocritical (from our end) because this is disclosed in the privacy policy, and this is actually what we do permit plugins to do! It’s called acting as a service, and as long as it’s disclosed clearly (see privacy policy), it’s permitted. Plugins have to put it in the readme, is all.

    Examples? Akismet, Disqus, IntenseDebate, Google Analytics plugins, Twitter plugins…

    and it includes the site url.

    Incorrect. The THEME does this. Not WordPress. I know what you’re saying, and I know it sounds like I’m splitting hairs, but you’re just getting this part wrong. And themes are permitted to do this. Plugins are not. Not hypocritical at all. All themes are governed by this one rule.

    Plugins (and themes) are 100% permitted to put links back to their sites on the admin dashboard, by the way, just as WP does. 🙂 We just ask they not do so in a spammy way, and only on pages where their plugin is in use.

    Ok, I take your point on the themes. You’re right, if other themes are allowed the same, fair enough.

    If you’re saying that my plugin can include a privacy section in the readme and then phone home, that’s the same as WordPress. That is not how I read the Ts&Cs though. Is that how you understood it? My understanding was that a specific opt-in was required.

    @esmi: Your point about WordPress needing to and plugins not is patently wrong. There’s any number of situations where a plugin needs to phone home. WordPress only needs to phone home IF I want update notifications (which personally, I don’t).

    esmi

    (@esmi)

    Forum Moderator

    There’s any number of situations where a plugin needs to phone home.

    And, as explained above, this is allowed providing it is clearly disclosed & justified. But doing so silently isn’t.

    If you’re saying that my plugin can include a privacy section in the readme and then phone home, that’s the same as WordPress. That is not how I read the Ts&Cs though. Is that how you understood it? My understanding was that a specific opt-in was required.

    If you’re providing a service, it’s permitted. I’m beating that dead horse cause it matters 😉

    If you just want to phone home to collect stats on who’s installing your plugin, no. But if you want people to connect to your server to generate content (like a weather app), then yeah. WP is providing you the upgrade service.

    esmi

    (@esmi)

    Forum Moderator

    I think the key term here is “justified”. You’d effectively need to persuade the plugin review team that you really do have a very good reason for phoning home. For example, there are plugins that allow user sites to connect to a 3rd party service. That’s a justifiable reason because no “phone home” == “no service”.

    It seems like these are the relevant sections:

    No “phoning home” without user’s informed consent. This seemingly simple rule actually covers several different aspects:

    If the plugin does require that data is loaded from an external site (such as blocklists) this should be made clear in the plugin’s admin screens or description. The point is that the user must be informed of what information is being sent where.

    As I read these, WordPress does not meet the same requirement. I can’t find a privacy policy anywhere as part of a WordPress installation. Further, as I read this privacy policy, it makes only passing mention of WordPress phoning home for updates:

    For instance, WordPress.org may reveal how many downloads a particular version got, or say which plugins are most popular based on checks from api.wordpress.org, a web service used by WordPress installations to check for new versions of WordPress and plugins.

    So back to my original point (I do concede that I was mistaken on themes), WordPress phones home, collects personally identifiable information, and does not disclose that to users or provide any kind of opt-out, never mind opt-in.

    I do understand that WP / Automattic feel like the update service “creates value” for users, and I accept that for the greatest majority of users it does. However, it’s 100% possible to provide exactly the same service without collecting personally identifiable data. The site url is only included because it helps WP to gather better statistics, it serves absolutely no purpose to the user.

  • The topic ‘Hypocrisy of the plugin hosting terms’ is closed to new replies.