Privacy concerns with WordPress serving dashboard widgets from s.w.org

  • I use EFF’s Privacy Badger browser extension, and I recently noticed that when I access the WordPress administrative dashboard, Privacy Badger flags “s.w.org” as a “potential tracker.”

    It appears the reason is that the Browser Nag dashboard widget serves the browser icon from s.w.org rather than locally, and that widget seems to preload even if it’s hidden or turned off in the Dashboard Screen Options.

    The reason privacy extensions for browsers flag this sort of thing is that serving the icons remotely exposes the user’s IP address and user agent information to the remote server, which can be used (whether it currently is or not) to track individual users.

    Since this widget is on the administrative dashboard, it could be used to track who uses and/or administers WordPress sites. There’s no way to opt out of that, since even hiding the widget apparently doesn’t prevent it from loading in the background. This is concerning from a privacy and GDPR compliance standpoint.

    For that reason, I would really like to see WordPress take a different approach to this functionality (and in general to reduce its reliance on remotely served fonts and scripts, for similar reasons).
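The exposure described in the post above can be checked offline against a saved copy of the dashboard HTML by listing every sub-resource served from a host other than the site itself, and noting whether it sits inside a hidden container. This is an added example, not part of the original thread and not WordPress code; the sample markup, the `hidden` class and inline `display:none` conventions, and the hosts `example.org` and `fonts.example.net` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID = {"img", "link", "input", "br", "hr", "meta", "source"}
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class RemoteResourceAudit(HTMLParser):
    """Collect sub-resources that a saved page would fetch from other hosts."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []     # (tag, hidden?) for each open non-void element
        self.findings = []  # (tag, remote host, inside hidden container?)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        classes = (a.get("class") or "").split()
        # Assumption: hiding is done with a "hidden" class or inline display:none.
        hidden = ((bool(self.stack) and self.stack[-1][1])
                  or "hidden" in classes or "display:none" in style)
        url = a.get(URL_ATTRS.get(tag, ""))
        host = urlsplit(url).hostname if url else None
        # Relative URLs have no host and stay on the site itself.
        if host and host != self.site_host:
            self.findings.append((tag, host, hidden))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, site_host):
    parser = RemoteResourceAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one hidden widget with a remote icon, one local image.
SAMPLE = """<div id="dashboard-widgets">
  <div class="postbox hidden"><img src="https://s.w.org/images/example-icon.png"></div>
  <div class="postbox"><img src="/wp-admin/images/local.png"><p>text</p></div>
  <link rel="stylesheet" href="https://fonts.example.net/css?family=X">
</div>"""

if __name__ == "__main__":
    for tag, host, hidden in audit(SAMPLE, "example.org"):
        print(f"{tag:6} {host:20} hidden={hidden}")
```

A finding with `hidden=True` is the case raised in the post: browsers generally still request an `<img src>` whose container is not displayed, so the remote host receives the request either way.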

  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Support Volunteer

    I’ve just been through the wordpress.org privacy policy and it ends with

    “Please contact us if you have any questions about our privacy policy or information we hold about you by emailing dpo@wordcamp.org.”

    I think that would be a good place to start because it might lead to a revision of the policy to answer your question(s).

    Also, yoursite.com//wp-admin/freedoms.php?privacy-notice says

    From time to time, your WordPress site may send data to WordPress.org — including, but not limited to — the version of WordPress you are using, and a list of installed plugins and themes.

    This data is used to provide general enhancements to WordPress, which includes helping to protect your site by finding and automatically installing new updates. It is also used to calculate statistics, such as those shown on the WordPress.org stats page.

    We take privacy and transparency very seriously. To learn more about what data we collect, and how we use it, please visit WordPress.org/about/privacy.

    Finally, see https://core.trac.wordpress.org/ticket/40794 where changes to the privacy policy are being discussed.

    I tried emailing and got a bounce saying “Mailbox is full / Blocks limit exceeded.”
