Support » Everything else WordPress » Major privacy issues with Freemius-based plugins

  • menathor

    (@menathor)


    EDIT: I’ve opened a ticket here as well: https://core.trac.wordpress.org/ticket/48108

    Hi guys,

    Could I get some guidance on which forum I should post this on / who I should contact about this issue?

    I’ve discovered some major privacy issues regarding Freemius-licensed plugins. The option to “skip” (i.e. opt-out) of telemetry collection / marketing including:

    * name
    * email address
    * a list of all other plugins and themes installed on the site
    * activation and deactivation events of plugins and themes
    * php and wp version info
    * marketing messages

    …is only available on the free versions of the plugins hosted on wp.org. Screenshot here: https://imgur.com/a/ycAwS4w

    If a user upgrades to the pro (i.e. commercial) version of a plugin there is no way to opt out. Since the upsell and payment is done from the wp-admin dashboard by the free versions hosted here, I think this is very relevant for the community.

    See this screenshot of a wp.org plugin that’s been upgraded to the “pro” version (including the list of telemetry collected and lack of opt-out options): https://imgur.com/a/Sxf81r4

    Not allowing users to opt out of this is a major privacy issue with all kinds of security and GDPR implications as well. I don’t think Freemius-based plugins should be allowed in the wp.org repo until they allow all users (free and paid) to opt-out of telemetry tracking. Otherwise wp.org is enabling / endorsing this kind of business practice.

    Would value the community’s thoughts and opinions on this

    • This topic was modified 4 months ago by menathor.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    NOTE: I don’t like Freemius either but my likes or dislikes don’t matter. It’s all about compliance with the forum and plugin guidelines.

    Could I get some guidance on which forum I should post this on / who I should contact about this issue?

    Not here.

    *Drinks coffee*

    I’m not being facetious (geez, I use that word way too often but it fits) but this isn’t a support topic. It’s a blog post because you do not like a code and service that has been accepted by the plugins team.

    Here’s how I know that.

    I don’t think freemius-based plugins should be allowed in the wp.org repository until they allow all users (free and paid) to opt-out of telemetry tracking. Otherwise the wp.org repo is enabling all of to happen right from the wp-admin dashboard.

    That belongs in a blog post, not here. These are support forums. Something breaks or did not work as you expected, you ask for support in a support topic. This topic is not that; you’re offering your opinion and soliciting others for the same.

    That’s not how the support forums work here.

    When you activate a Freemius based plugin, you must opt-in for them to collect any data. That is 100% voluntary and optional. You do not have to do that if you do not want to.

    If you do opt-in and cannot opt-out then that is a matter to report to the plugins team via plugins[at]wordpress.org for that plugin. Do not report the Freemius service to them, focus on the plugin that you have a problem with.

    Not being able to opt-out is a plugin guidelines issue.

    https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#9-developers-and-their-plugins-must-not-do-anything-illegal-dishonest-or-morally-offensive

    Yes, #9 is ambiguous and it may not be the correct one. Not being able to unsubscribe is morally offensive or at least I think so. In some places that may even be against regulation, the not being able to unsubscribe part.

    Please do not flood the plugins team with a list of all plugins that use Freemius. Really, do not. That’s just make-work. Focus on the plugin that you are having a problem with and go from there.

    Also, if a plugin does not work unless you sign up with Freemius then report that too. Sign-ups like that have to be opt-in.

    • This reply was modified 4 months ago by Jan Dembowski. Reason: Silly typo
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    EDIT: I’ve opened a ticket here as well: https://core.trac.wordpress.org/ticket/48108

    That’s not a core issue.

  • menathor

    (@menathor)

    Thanks Jan, appreciate the feedback. Will send an email to the plugins team.

    I’ve opened a privacy-related ticket as well: https://core.trac.wordpress.org/ticket/48108 as this issue affects multiple plugins and therefore has broader legal and moral implications.

    Yes, when you activate the plugin you can opt out, but the fact remains that the process which leads to a purchase and switch to “can’t opt out” is all done / facilitated by the free plugins hosted here. In addition to the moral issues, it’s definitely not GDPR-compliant. I’m sure there are many developers installing plugins on clients’ sites who are unaware that their clients’ data is being collected by Freemius too.

    I suppose it’s always on the end user to read the fine print and figure these things out for themselves. But the question is whether that’s in line with the “spirit” of what the plugins team want hosted here. As a developer, I know that there’s no reason to collect any of this additional info to perform license activations and checks. So bundling it all together with no way of opting out is an intentional business decision on Freemius’ part.

    Anyway, will send an email to the team and go from there.

    Thanks again

    • This reply was modified 4 months ago by menathor.
  • menathor

    (@menathor)

    @jdembowski Just saw your second post after I replied. No worries, will just send it to the plugins team then. Cheers
