Support » Fixing WordPress » Plugins changing ownership without process / warning

  • Hello.

    Not sure if anyone else has come across this – but I'm increasingly finding plugins are being bought out and pushing commercial services instead.

    Most recently the Members plugin – which took me a while to notice, until they added an admin nag that couldn’t be dismissed.

    Have no problem with ‘pro’ versions of plugins and developers covering their time investment. But do think it would be good to have some notification in place that plugin ownership has changed – perhaps on the plugin upgrade screen and on the plugin page on wordpress.org. Really dislike that a plugin I’ve trusted in the past, mainly due to the developer – seamlessly changes with little oversight or notification.

    Suspect it will only be a matter of time until this happens with a more malicious intent than merely commercial.

    If the plugin is gathering data there’s also surely some privacy implications here.

    Anyone else come across this?

    Thanks,

    Ian.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Well, I would not say that there are direct privacy implications. All plugins are required to ask for explicit opt-in consent to send any info to the developer – regardless of who owns the plugin. If you opted-in to allowing data collection, you’d need to consult the privacy policy that was applicable at the time.
    If you find any plugins that do not follow the guidelines, please do report them.

    The Plugins team do review transfers of ownership.
    That having been said, things do sometimes go wrong occasionally and if it does it is dealt with.

    I think some of the security plugins may have a functionality to inform you of a change of ownership.

    Thread Starter ianatkins

    (@ianatkins)

    Good to hear there is some review process in place. Are there guidelines as to what you look for? Just think that as an end user the process just isn’t very transparent / obvious.

    Re the privacy implications – not sure that relying on retrospectively noticing a change in ownership is really sufficient when it comes to GDPR. Think this is made more complex if the transfer of ownership changes from an EU entity to a non EU entity.

    Also my clients tend to communicate who are data processors in their privacy statements – so when this changes ( via plugin ownership change ) – this would also need to be updated.

    Or are you saying a change in plugin ownership triggers a requirement to revalidate consent for processing?

    Whilst the Members plugin doesn’t look to be doing anything malicious – think in the future another developer could choose to do so – or change the privacy scope of the plugin.

    Reviewing their privacy policy – I have noticed something that makes me uncomfortable – so will look for an alternative. Namely:
    “If, however, we are going to use visitors’ personally identifiable information in a manner different from that stated at the time of collection we will notify users by posting a notice on our web site for 30 days.” – Given how little I’d be checking the developer's website, that’s a fairly broad caveat.

    Thanks.

    Ian


    You can read more about what the Plugins Team looks at here: https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

    I should add that it is possible for the plugin to add a new committer and remove themselves at some point.

    If we come back to privacy, no one on these Forums can give you legal advice.
    Please consult an experienced legal professional within the relevant jurisdiction.

    I will try to explain how it works from a WordPress team perspective.

    – A plugin or theme needs to explicitly ask for your permission to send any data off-site. That would include “Help us to improve our plugin by allowing us to collect non-sensitive data about your site” sort of stuff. That having been said, non-sensitive doesn’t have a standard definition and I have seen it include personally identifiable information.

    – SaaS (Software as a Service) (sorry if you already know this, but others may find this thread in the future) works a little differently.
    If the purpose of the plugin is, for example, to share your posts on social media accounts, then sharing information with those social media platforms is inherent to the functioning of the plugin.

    I do not see anything in the plugin’s Readme that leads me to believe that there is SaaS involved, but it is not a plugin that I use and I have not investigated their code, so please do rely on your own best judgement.

    If you (or a client) are ever going to give a plugin or theme permission to send data, or make use of a plugin that provides SaaS functionality, you will need to read the plugin or theme’s privacy policy carefully.

    I believe that the line you quoted from their privacy policy may apply to visitors to their website, but again, this is something that would be your responsibility to determine.
    It would be unusual for a plugin (other than for SaaS applications that allow social sharing and such) to collect information on your site’s visitors.
    It is a good idea to ask for clarification from the plugin author in such a case. (Nicely please! 😀 )

    Thread Starter ianatkins

    (@ianatkins)

    Hi Carike,

    Thanks for the reply and the guidelines.

    Think the privacy is a side point, think my main pain point was the lack of notification or transparency.

    Personally puts me at ease that you are indeed reviewing the change of ownership – although I note there’s nothing specific in your guidelines about that. Just think it would be great that users are notified. Then they can review how that impacts them in terms of security, privacy or other concerns they may have.

    Think for me – two things would address this easily.

    1. A notification on the wordpress.org plugin page that the plugin has indeed changed ownership. I found it hard to even identify that – and with 100s of plugins over 100s of websites it’s a bit of an ask for developers to maintain a database of plugin ownership and track changes.

    2. A notification on the plugin upgrade screen, and/or an admin notification.

    Would imagine both of those would need a policy change and be issued in the next release of the plugin, under the new ownership.

    Ultimately then – users are informed and can make informed decisions before it’s too late.

    Also, lastly, not that my gripe is with this plugin specifically – but not sure how the new developer is not violating your guidelines, with a feedback nag that keeps popping back, ‘Payments’ and ‘Addons’ screens that just push for the premium version, and an addition to the Gutenberg editor that’s a non-dismissible upgrade prompt. (Some of those links also have UTM tracking tags.)

    Guess moderation is nuanced, so perhaps still falls under the guidelines, don’t envy you guys having to draw the line somewhere!

    Thanks.

    Ian.

    If you would like to see a banner of some sort as part of the plugin repository, you would need to create a ticket for that here:
    https://meta.trac.wordpress.org/newticket

    In terms of a notification in /wp-admin/ itself, you would need to create a ticket here:
    https://core.trac.wordpress.org/newticket

    Unfortunately, it sometimes takes a very long time to implement initiatives if they are accepted by a developer, so looking for a security plugin that notifies you of any changes in ownership is probably your best bet realistically.
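Since the thread has twice noted that a change of committer or author is hard to spot (the "add a new committer and remove themselves" scenario above, and the suggestion of a security plugin that notifies you of ownership changes), here is an added example of the check such a monitor would run. It is not code from the Members plugin, from WordPress core, or from any existing security plugin. It snapshots the `author`, `author_profile` and `contributors` fields of the public plugin-info API (`https://api.wordpress.org/plugins/info/1.0/<slug>.json`) and reports any drift against a stored baseline; the two API responses embedded below are constructed for the example with fictional names and profile URLs, so the demo runs offline.

```python
"""Detect WordPress plugin ownership changes by diffing wordpress.org metadata.

Added example for the forum thread, not part of any existing plugin. Field
names follow the public plugin-info API; the sample responses are constructed.
"""
import json
import re
import urllib.request

API_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"


def fetch_plugin_info(slug: str, timeout: float = 10.0) -> dict:
    """Fetch live metadata for one plugin slug (network; the offline demo does not call this)."""
    with urllib.request.urlopen(API_URL.format(slug=slug), timeout=timeout) as resp:
        return json.load(resp)


def _strip_tags(value: str) -> str:
    """The API's 'author' field is an HTML anchor; keep only the visible name."""
    return re.sub(r"<[^>]+>", "", value or "").strip()


def ownership_snapshot(info: dict) -> dict:
    """Reduce an API response to the fields that identify who controls the plugin."""
    contributors = info.get("contributors") or {}
    # v1.0 returns {username: profile_url}, v1.2 {username: {...}}; the usernames suffice.
    return {
        "author": _strip_tags(info.get("author", "")),
        "author_profile": info.get("author_profile", ""),
        "contributors": sorted(contributors.keys()),
    }


def detect_ownership_changes(baseline: dict, current: dict) -> list:
    """Return human-readable differences between two snapshots (empty list if unchanged)."""
    changes = []
    for field in ("author", "author_profile"):
        if baseline.get(field) != current.get(field):
            changes.append(f"{field}: {baseline.get(field)!r} -> {current.get(field)!r}")
    before = set(baseline.get("contributors", []))
    after = set(current.get("contributors", []))
    for user in sorted(after - before):
        changes.append(f"contributor added: {user}")
    for user in sorted(before - after):
        changes.append(f"contributor removed: {user}")
    return changes


def audit(baselines: dict, current_infos: dict) -> dict:
    """Compare {slug: baseline_snapshot} against {slug: current_api_response}."""
    report = {}
    for slug, baseline in baselines.items():
        info = current_infos.get(slug)
        if info is None:
            # A closed or removed plugin is worth flagging too.
            report[slug] = ["no current metadata (plugin removed or closed?)"]
            continue
        report[slug] = detect_ownership_changes(baseline, ownership_snapshot(info))
    return report


# Constructed sample responses: the shape of the real API, fictional values.
BASELINE_RESPONSE = {
    "slug": "example-roles",
    "version": "2.1.0",
    "author": '<a href="https://profiles.wordpress.org/originaldev/">Original Dev</a>',
    "author_profile": "https://profiles.wordpress.org/originaldev/",
    "contributors": {"originaldev": "https://profiles.wordpress.org/originaldev/"},
}
CURRENT_RESPONSE = {
    "slug": "example-roles",
    "version": "3.0.0",
    "author": '<a href="https://example.com/">New Company</a>',
    "author_profile": "https://profiles.wordpress.org/newcompany/",
    "contributors": {
        "newcompany": "https://profiles.wordpress.org/newcompany/",
        "newdev": "https://profiles.wordpress.org/newdev/",
    },
}


def demo() -> dict:
    """Run the audit on the constructed data; a real deployment stores the baseline on disk."""
    baselines = {"example-roles": ownership_snapshot(BASELINE_RESPONSE)}
    return audit(baselines, {"example-roles": CURRENT_RESPONSE})


if __name__ == "__main__":
    for slug, changes in demo().items():
        print(f"{slug}: {'OWNERSHIP CHANGED' if changes else 'unchanged'}")
        for line in changes:
            print("  -", line)
```

In use you would persist the snapshot for every installed slug when a site is built, run the audit from cron (or before applying updates) with `fetch_plugin_info`, and treat any non-empty change list as a reason to read the new owner's privacy policy before the next upgrade is applied. Note that `author` on wordpress.org is a display name, so the `author_profile` and `contributors` usernames are the more reliable identity signals.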

    @ianatkins Paul from the Members team here. First I’d like to thank you for bringing this up; it’s a great idea to have an official process in place for handling ownership changes in the WP plugin repository and notifying the plugin’s users.

    In an effort to be transparent, Justin did initially make a post on his site. He also posted it to his followers on social media.
    We also publicly announced it on our blog, social media, and our email list.

    Lastly, I would just like to address the privacy concerns. We certainly do not, nor will we ever, use Members as a vehicle for farming information. Our interest in Members is that it’s a nice complement to, and a means to make more people aware of, our premium product, and we wanted to ensure its longevity given Justin was looking to be done with it. We use it heavily in our own business and are fully committed to maintaining it. It will remain open-source and freely available to all…in fact we’ve already rolled Justin’s premium add-ons into the free plugin and simplified the UI into a single menu item to help make it easier to manage.

    Thread Starter ianatkins

    (@ianatkins)

    @cartpauj Don’t doubt there were good intentions, but was still left in the dark this side regardless of your efforts to communicate the change. Hence the idea to flag this – so some notification happens within the eco system. Good luck with the plugin moving forward.

    @carike Thanks for the note on meta – have logged a ticket and putting it here for future reference if people stumble across this.
    https://meta.trac.wordpress.org/ticket/5509
