Support » Plugin: Yoast SEO » Ongoing privacy issue

  • Resolved Ate Up With Motor

    (@ate-up-with-motor)


    Eighteen months ago, I posted on this support forum regarding a privacy issue with the Yoast SEO plugin:

    https://wordpress.org/support/topic/privacy-badger-listing-yoast-as-a-potential-tracker-on-admin-page/

    To briefly recap, the dashboard widget the Yoast SEO plugin uses, which allows users to display the latest posts from the Yoast SEO blog on the dashboard, is configured in such a way that it is sending a server call to Yoast.com even when the plugin is disabled. This means that the plugin is collecting and transmitting to Yoast personal information (IP address) and potentially personally identifying information (user agent and http-referer data) on logged-in users while allowing no way to opt out.

    I recognize that from a technical standpoint, a dashboard widget that retrieves remote content necessarily must communicate with the server of that content, which necessarily transmits the IP address and header information of the request. My concern is that it continues to do so when the widget is turned off and there’s no way to prevent it from doing so short of hacking the plugin or using a third-party browser add-on to block it.

    Since I originally broached this issue 18 months ago, the plugin has been updated a number of times, but this issue has never been addressed. Given the growing number of GDPR-style online privacy laws like the California Consumer Privacy Act, this is troublesome, and Yoast’s disinterest in the problem does not inspire confidence.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support amboutwe

    (@amboutwe)

    I installed EFF’s Privacy Badger browser extension (Chrome) and opened an empty local install with Yoast SEO 13.3 being the only installed plugin and using the Twenty Twenty theme. The browser extension showed ‘No trackers detected. Hooray for privacy!’ on the WordPress dashboard regardless of whether the widget was shown or hidden.

    Screenshot: https://pasteboard.co/IZJOOCP.png

    I tried changing settings in Privacy Badger but was unable to get it to show a tracker. Are you using Yoast SEO 13.3 or a different version? Are you using a different browser? Can you elaborate more on this issue? In short, how can I reproduce the issue in my local environment?

    Additionally, this code snippet removes the box entirely. Does that remove the tracker you see?

    Ate Up With Motor

    (@ate-up-with-motor)

    Thanks for following up. To your questions: I have always been using only the most recent version of Yoast SEO (currently 13.3, which I installed as soon as it became available). I only access my administrative dashboards via Firefox, on which I have installed, inter alia, EFF’s Privacy Badger (currently v.2020.2.19) and NoScript (currently v11.0.18).

    I have three WordPress sites all running Yoast SEO 13.3. For all three of them, whenever I access the main administrative dashboard, Privacy Badger indicates yoast.com as a tracker, which I have set it to block. NoScript also indicates the presence of yoast.com scripts, which I have also blocked. So far as I can tell, the yoast.com warning doesn’t generally appear on other administrative pages, but it’s flagged on the dashboard. Again, this is true on all three sites.

    With regard to Privacy Badger, it’s important to recognize the way the add-on functions, which requires special consideration. Unlike some other privacy and ad-block add-ons, such as uBlock Origin (which I also use), Privacy Badger is heuristic rather than list-based; it’s designed to “learn” whether certain components are trackers based on their behavior. This makes the add-on more flexible (it can potentially detect a wider range of trackers than list-based blockers — uBlock Origin, for instance, doesn’t identify or block Yoast content at all), but it can also complicate troubleshooting because a fresh Privacy Badger installation will detect fewer trackers than an installation that’s been running for a while, simply because the fresh installation hasn’t yet “seen” certain trackers engaging in tracking behaviors often enough to meet the detection criteria. I don’t have any good suggestions for dealing with that, as it comes down to the way the add-on operates (which may also be somewhat different in Chrome than in Firefox); that might be a better question to put to the EFF development team.

    If I use View Page Source when the Privacy Badger and NoScript warnings appear, the only thing I can see that’s associated with Yoast is this:

    <script>
    var wpseoDashboardWidgetL10n = {"feed_header":"Latest blog posts on Yoast.com","feed_footer":"Read more like this on our SEO blog","wp_version":"5.3-0","php_version":"7.3"};
    var wpseoYoastJSL10n = {"yoast-components":null,"wordpress-seo":null};
    </script>

    This appears to be the Yoast SEO dashboard widget, which suggests that disabling that widget hides it rather than actually turning it off.

    I’ll try your code snippet and respond again shortly. Thanks!
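
Added example (not part of the original posts and not Yoast's code): because Privacy Badger's heuristic results differ between installations, a HAR export of the dashboard load from the browser's Network tab gives a repeatable list of the third-party hosts contacted. The site name `example.test`, the yoast.com path and all HAR entries below are constructed sample data.

```javascript
// List third-party hosts contacted during one page load, from a HAR export
// (HAR 1.2 layout: log.entries[].request.url and request.headers[]).

function thirdPartyRequests(har, siteHost) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    const host = url.hostname.toLowerCase();
    // The site's own host and its subdomains count as first-party.
    if (host === siteHost || host.endsWith("." + siteHost)) continue;
    const headers = new Map(
      entry.request.headers.map((h) => [h.name.toLowerCase(), h.value])
    );
    const rec = byHost.get(host) ||
      { host, count: 0, sendsReferer: false, sendsCookie: false, urls: [] };
    rec.count += 1;
    rec.sendsReferer = rec.sendsReferer || headers.has("referer");
    rec.sendsCookie = rec.sendsCookie || headers.has("cookie");
    rec.urls.push(url.origin + url.pathname); // keep query strings out of the report
    byHost.set(host, rec);
  }
  // Most-contacted host first.
  return [...byHost.values()].sort((a, b) => b.count - a.count);
}

// Constructed HAR fragment: a dashboard load on the hypothetical site example.test.
const sampleHar = { log: { entries: [
  { request: { url: "https://example.test/wp-admin/index.php", headers: [
      { name: "Cookie", value: "wordpress_logged_in=REDACTED" } ] } },
  { request: { url: "https://cdn.example.test/wp-includes/js/jquery.js", headers: [] } },
  { request: { url: "https://yoast.com/constructed/feed?wp_version=5.3", headers: [
      { name: "Referer", value: "https://example.test/wp-admin/index.php" },
      { name: "User-Agent", value: "Mozilla/5.0 (constructed)" } ] } },
] } };

const report = thirdPartyRequests(sampleHar, "example.test");
for (const r of report) {
  console.log(`${r.host}: ${r.count} request(s), referer=${r.sendsReferer}, cookie=${r.sendsCookie}`);
}
```

Capture one HAR with the widget shown and one with it hidden, with blocking add-ons disabled for the capture, and compare the two reports.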

    Ate Up With Motor

    (@ate-up-with-motor)

    Okay, I installed that function on one of the three sites, and Privacy Badger and NoScript no longer flag the presence of yoast.com scripts on that site’s dashboard. The script snippet noted above is still present, but, if Privacy Badger and NoScript are to be believed, the script it’s trying to run seems to now be deactivated rather than simply hidden.

    I then installed the function on the other two sites, with similar results. That would appear to fix the problem, but you probably should consider a more comprehensive fix for future plugin updates as well.

    Thanks

    Plugin Support amboutwe

    (@amboutwe)

    A GitHub issue was processed by our team for a request to remove these calls when the widget is disabled (unchecked). View it here (no account required to view issues): https://github.com/Yoast/wordpress-seo/issues/12359

    What’s next?
    Our product team has assessed the severity of this problem in relation to other open bug reports and new features. Based on their assessment, the severity is currently set to minor which means it will likely not be fixed in the short term.

    We always encourage our users to contribute to our plugin, not just by submitting issues, but also by submitting patches (GitHub account required). If you (or someone else) decide(s) to write a patch for this issue, we’ll gladly include it after some code review.

    If you have any further information that may affect the prioritization or help our development team solve this bug, please leave a comment or subscribe to the GitHub report to get updates on the issue (account required).

    If you do not have a GitHub account, you can reply to this forum topic with the understanding that our development team isn’t very active in the forums and may not see the information. I have already commented on the GitHub request with links to these topics.

    Ate Up With Motor

    (@ate-up-with-motor)

    Okay, thank you for that.
