Remove jetpack from the plugin repository

  • Resolved AliceWonderFull

    (@alicewonderfull)


    jetpack is basically spyware, and it violates the spirit of open source.

    First the open source issue – the point of open source is that anyone can fork it without needing to reverse engineer. But a dozen or so of the jetpack features use the wordpress.com cloud which is not open source – but would have to be reverse engineered in order to use an alternative.

    Thus jetpack is not really open source.

    What they do with data that passes through their cloud is anyone’s guess, as it is not open source we have no way of really knowing.

    Now there’s the spyware issue.

    By default when jetpack is installed, subscriptions to the blog go through wordpress.com – leaking the email address of the user to wordpress.com in violation of the stated privacy policy many sites have, that e-mail addresses will not be shared with third parties.

    For a user to manage their subscriptions they then have to get a wordpress.com account – which I for one have no intention of ever doing.

    And the jetpack plugin doesn’t ask the user if their e-mail address can be shared with wordpress.com – it just does it. User leaves a comment, checks the box saying they want updates – just like they would do in a WordPress blog that doesn’t use jetpack – and their e-mail address is shared with wordpress.com, allowing automattic to track the activities of that e-mail and know where that user has been (especially if they take the md5sum of the e-mail and look for any gravatars that use it).

    The user gets an e-mail from wordpress.com to confirm but it is already too late to object to their e-mail being shared with wordpress.com because that already took place without the user approving it.

    jetpack needs to be removed because it is not really open source and it leaks data to a third party without asking the end user, and any other plugins by automattic need to be carefully scrutinized. Jetpack is malware.

Viewing 15 replies - 1 through 15 (of 18 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Disclaimer: I am not an Automattic employee but I recently did have an opportunity to meet some of the people who work on Jetpack in person. They’re good people and I like them.

    jetpack is basically spyware, and it violates the spirit of open source.

    I’m really sorry you feel that way, but the Jetpack plugin, like many plugins, is an interface to a service. That makes it software as a service which, while that sometimes gives me headaches, is allowed and does not violate the GPL or the guidelines in this repository. That includes the spirit of the GPL.

    https://wordpress.org/about/gpl/

    What they do with data that passes through their cloud is anyone’s guess, as it is not open source we have no way of really knowing.

    Now THAT’S a good point and a fair question.

    I’ll ping someone, but the Jetpack team is working on a page that clearly explains what data is used, how it’s collected, why etc. That page may already be in place and I just don’t know the URL.

    For example the related posts functionality and Omnisearch mean that they need to download all of your posts and data. It’s the only way to get good results for those features.

    Jetpack is not installed by default, it doesn’t ship with WordPress and installing it is 100% optional. So is the part where you create a WordPress.COM account. Virtually all of the functionality is available in other plugins from other authors.

    Jetpack and WordPress.COM do collect data, and Jetpack is the Swiss Army Knife of plugins. But intentions count and calling Jetpack spyware and malware really isn’t justified.

    Spyware by definition is something that collects data without disclosing it, for nefarious reasons. While the data collected should be more transparent, as well as what/where it goes and how it’s used, I will bookmark that information when I find it and share it here.

    The malware label is also uncalled for; if it were malware then it would not be so easy to remove from your installation. Intentions count for a lot and the intentions of the Jetpack team are good.

    The user gets an e-mail from wordpress.com to confirm but it is already too late to object to their e-mail being shared with wordpress.com because that already took place without the user approving it.

    The email is used to send a confirmation. That’s called double-opt in and how would that confirmation get sent without having the email address? Also some (really reasonable) countries require that confirmation by law. It’s a good idea to ensure that people are not subscribing via some third party without their consent.

    I do recommend that if you are not comfortable with it, just remove the plugin. Don’t install it or use it, that’s always been the user’s choice.

    That’s the point – a blog that uses jetpack doesn’t ask me if it can share my e-mail address with wordpress.com – it just does, and I would say no if it did ask me because I don’t want that to happen, I would rather not subscribe to the blog than have my e-mail shared.

    And a lot of the sites have privacy policies stating they don’t share my e-mail address, yet if they enable jetpack that is exactly what they are doing probably without even thinking about it.

    Since the plugin itself doesn’t inform me the e-mail address is going to be shared with a third party, any blog with a privacy policy stating they don’t share my e-mail address is lying to me (unintentionally but still) if they enable jetpack and my e-mail gets shared with a third party.

    Oh – and what they are doing with the data that passes through their cloud doesn’t matter, justified spying is still spying and if they don’t have the consent to look at the data from me, the user, it is spyware.

    It’s just like with phones: if I don’t consent to have my conversation specifically listened to, it is illegal wiretapping if a third party listens. Both parties have to be aware that the conversation is being monitored.

    If I am interacting with a blog, there is an expectation that a third party is not listening in on the interaction.

    Now what is publicly posted is fair game, but connecting it with my e-mail address which is presumed to be private (especially since the blog reply form says it is not public) is a violation of my privacy even if their intentions are noble.

    “Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems…a variety of forms of hostile or intrusive software.”
    http://en.wikipedia.org/wiki/Malware

    By conscious choice, and for my own reasons, I am neither a fan nor a user of JetPack. However, I do still believe “malware” is neither fair nor accurate when describing it any more than it would be fair or accurate to call any of many completely-free plugins “malware” just because a given author has assumed or presumed something that is ultimately not liked or appreciated by each and every potential user.

    https://wordpress.org/plugins/slimjetpack/ is one plugin making it possible for users to make at least partial use of JetPack without ever having to activate it, and there are other plugins also that do similarly:

    https://wordpress.org/plugins/carousel-without-jetpack/
    https://wordpress.org/plugins/jetpack-lite/
    https://wordpress.org/plugins/tiled-gallery-carousel-without-jetpack/
    https://wordpress.org/plugins/manual-control/
    https://wordpress.org/plugins/slimjetpack/

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    That’s the point – a blog that uses jetpack doesn’t ask me if it can share my e-mail address with wordpress.com – it just does, and I would say no if it did ask me because I don’t want that to happen, I would rather not subscribe to the blog than have my e-mail shared.

    *Drinks coffee*

    Just out of curiosity, how would any service perform a double-opt in without sending the recipient address an email first? Sending that email for verification is not the same as sharing an email address or using it for nefarious purposes.

    If you don’t want your email out there (and that’s fine and I 100% support your decision) then don’t share it with anyone. But please do not ascribe bad intentions for double-opt in. Double-opt in is a good thing and if the user doesn’t confirm then the address is not used.

    *Finishes 2nd cup, gets more coffee*

    😉

    It’s the weekend so let’s wait for a reply from someone from Jetpack for that statement. People, even volunteers, take the weekend off sometimes.

    Javascript popup asking the user if it is okay to share their e-mail address with wordpress.com.

    If the user clicks cancel, then nothing is sent and the user is not subscribed to the blog.

    It’s not that difficult of a concept to ask a user before sharing their private information with a third party, and it is easy to do.

    In fact it is super easy to do. Attach the JavaScript to the submit event – the way that works, the JS intercepts the submit. User presses cancel and the script returns false and the form does not submit.

    That’s JS 101
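The submit-event intercept described in the post above, written out as an added example; this is not code from the thread or from Jetpack, and the element ids (`commentform`, `subscribe_blog`), the prompt wording and the fake-form helper are assumptions made for the illustration:

```javascript
// Added example: gate the comment form's submit on explicit consent whenever the
// "subscribe to this blog" box is ticked, so the address is not sent anywhere
// unless the reader agrees. Element ids are assumptions, not Jetpack's own code.

const THIRD_PARTY = "wordpress.com"; // who would receive the address if the box is ticked

// Pure decision: may the form submit? `subscribeChecked` is the checkbox state,
// `ask(message)` is a yes/no prompt (window.confirm in a browser). Returns true
// only when no data would leave the site, or when the reader explicitly agreed.
function consentToSubmit(subscribeChecked, ask) {
  if (!subscribeChecked) return true; // plain comment: the address stays on this site
  const message =
    `Ticking "notify me" sends your e-mail address to ${THIRD_PARTY}, a third party,\n` +
    `before you receive any confirmation e-mail. Continue?`;
  return ask(message) === true; // any non-true answer (cancel, undefined) blocks it
}

// Attach the gate to a form. On cancel, stop the submit and untick the box so a
// later plain submit does not silently share the address after all.
function attachConsentGate(form, checkbox, ask) {
  form.addEventListener("submit", (event) => {
    if (!consentToSubmit(checkbox.checked, ask)) {
      event.preventDefault();
      checkbox.checked = false;
    }
  });
}

// A tiny stand-in for a DOM form (constructed for this example) so the gate can be
// exercised outside a browser. submit() returns true if the submit went through.
function makeFakeForm(checked) {
  const handlers = [];
  const checkbox = { checked };
  return {
    checkbox,
    addEventListener(type, fn) { if (type === "submit") handlers.push(fn); },
    submit() {
      const event = { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
      handlers.forEach((h) => h(event));
      return !event.defaultPrevented;
    },
  };
}

// Browser wiring (assumed ids: WordPress core's "commentform", a "subscribe_blog" checkbox).
if (typeof document !== "undefined") {
  const form = document.getElementById("commentform");
  const box = document.getElementById("subscribe_blog");
  if (form && box) attachConsentGate(form, box, (m) => window.confirm(m));
}
```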

    Firstly, I am no fan of JetPack. However ….

    Is it spyware? Sort of. But so is WordPress itself since it includes externally hosted files and an API which phones home. If you don’t like this sort of tracking, then you are probably using the wrong platform.

    Is it malware? No. It doesn’t do anything malicious. It does what it says it does. I suspect what you call “malicious”, the rest of us call “features”.

    And aside from all of this, the JetPack folks are a really nice bunch. If it were doing something “bad” then I’m confident they’d stop it.

    Really nice bunch – have any of you ever heard of social engineering?

    Kevin Mitnick – he wasn’t really a code hacker, he was a social engineer, a really nice guy.

    Ross Ulbricht – the evidence against him is incredible yet everyone describes him as a really nice guy.

    Features don’t have to share data with a third party without the users’ consent. That’s what jetpack is doing.

    Oh – as far as things like external resources, a VPN or an anonymous proxy protects against that if you need, but they don’t protect against my e-mail address being shared with wordpress.com without my consent because I commented on a blog that stated my e-mail address would not be made public.

    What jetpack is doing is spyware, and what they are doing with the data they gather – we can only speculate, we have no way of knowing – hence why it should be removed from the wordpress.org plugin repository.

    Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    Hey AliceWonderFull,

    I work on the Jetpack team, and I wanted to answer a few of the questions you had here.

    First, and probably the most important concern you had: as far as I know, Jetpack doesn’t violate any of the plugin guidelines defined here:
    https://wordpress.org/plugins/about/guidelines/

    If you disagree, it would probably be best to let the plugin review team know about your concerns, as forum volunteers can’t remove a plugin from the repo for you. You can contact the plugin review team by emailing plugins at this domain.

    a dozen or so of the jetpack features use the wordpress.com cloud which is not open source – but would have to be reverse engineered in order to use an alternative.

    That’s correct, as that’s the idea behind the Jetpack plugin: it allows you to use features of the WordPress.com cloud on your self-hosted WordPress site.

    That’s allowed in the plugin repository. See section 6 here, about “Serviceware” plugins.

    That’s also very common in the plugin repository: there are quite a few plugins allowing you to add Google Analytics or other stat services, you’ll also find plugins managing Stats or Related Posts, and calculating these on third-party servers, and it’s hard to count how many plugins help you add iFrames from other services to your site (e.g. Facebook / Twitter sharing buttons).

    For a user to manage their subscriptions they then have to get a wordpress.com account – which I for one have no intention of ever doing.

    No, you do not need a WordPress.com account to manage your subscriptions. You can add, edit, and remove subscriptions to WordPress.com and Jetpack sites without having a WordPress.com account.
    You can access your subscription settings here:
    http://subscribe.wordpress.com/

    the jetpack plugin doesn’t ask the user if their e-mail address can be shared with wordpress.com – it just does it. User leaves a comment, checks the box saying they want updates – just like they would do in a WordPress blog that doesn’t use jetpack – and their e-mail address is shared with wordpress.com

    That’s indeed how Jetpack Subscriptions work, and it’s important to mention that we won’t send you any emails or do anything with your email address until you confirm your subscription by clicking the link in the confirmation email you receive. That’s how double opt-in works, and why it’s important.

    That’s also how most of the other subscription services I know work today. Most of the other subscription plugins in the repository use the same methods, so you’d get a similar behaviour if you were to look at how Feedburner, Mailchimp, and other subscription services work. I wouldn’t remove any of these plugins from the repository, though.

    Javascript popup asking the user if it is okay to share their e-mail address with wordpress.com.
    If the user clicks cancel, then nothing is sent and the user is not subscribed to the blog.
    It’s not that difficult of a concept to ask a user before sharing their private information with a third party, and it is easy to do.

    That’s an idea, and something that could be described as “triple opt-in”, I guess. It’s a nice idea, and would help site owners provide absolute transparency about what they do with their readers’ data.

    I’ve never seen that implemented anywhere, though. That’s most likely because one more step would probably turn potential subscribers away.

    Instead, site owners concerned about absolute transparency on their sites (either for personal or for legal reasons) have either stopped using third-party services, or provide a warning to let their readers know about the different tools used to track them on the site. They can do so via small popups (there are quite a few plugins that do that in the repo), or by creating a specific page on your site listing the different third-party services in use on the site.

    You could also warn your readers in the subscription form, like so:
    http://i.wpne.ws/Yr3e

    Or you could add a notice above or below the comment form to let your users know exactly what will happen if they check that subscription box.

    I’m sure there are other alternatives I didn’t think of. It might be worth getting in touch with some German site owners if you are looking for other alternatives, as German laws require a lot of transparency about these things.

    What jetpack is doing is spyware

    I wouldn’t call that spyware. This very page includes services that are collecting data about me without my consent. Here is what I could gather from looking at the page source:

    • Google Analytics gets data about my location, browser, OS, where I came from, …
    • Quantcast, like Google Analytics, collects data about me to help media agencies deliver ads tailored to me.
    • Since I’m logged in to my Facebook and Twitter account, the 2 buttons below track my visit to this page. Since I’m logged in, it’s not really without my consent, though; I did accept the terms and conditions when I signed up, after all. Let’s scratch these 2 from my list.

    Would I call that spyware? No.
    Do I blame WordPress.org, or Google Analytics, or Quantcast? No.
    Can I do something about it if that bothers me? Yes, I can install browser extensions like Ghostery that will help me choose what information I give away when browsing the web.

    I hope that answers some of your questions. I don’t aim to convince you about anything, and if you still think that plugins collecting data about your readers without their consent shouldn’t be allowed in the repository, I can only encourage you to make a list of such plugins, and send an email about it to the plugin review team.

    If you have questions about Jetpack, do not hesitate to post in the Jetpack support forums, or send us an email!

    That’s an idea, and something that could be described as “triple opt-in”, I guess. It’s a nice idea, and would help site owners provide absolute transparency about what they do with their readers’ data.

    I’ve never seen that implemented anywhere, though. That’s most likely because one more step would probably turn potential subscribers away.

    Yes it would turn potential subscribers away, subscribers like me that do not want my e-mail address shared with a third party.

    My e-mail address was shared with a third party despite the fact that the blog has a written policy stating they don’t. So jetpack – which was enabled for a different feature (blog subscriptions were working just fine without it) ended up violating their policy and sharing my e-mail address with you.

    They have since disabled jetpack.

    It may turn away some subscribers, but that’s not a valid reason not to do it. If it turns away some subscribers, it is because those subscribers do not want their e-mail address shared with you.

    To not tell them until it’s done because they might not want it – that’s called deception.

    I know exactly what your game is. Your company saw Google get rich by making all of us the product they sold to advertisers. And now you are trying the same thing – release stuff like jetpack hoping it gets data pushed through your cloud where you can track us and our interests, and with our e-mail address, even track us on blogs that don’t use jetpack because you can use the hash of our e-mail address to look at gravatar requests.

    It’s really slick but it is also really slimy, and I do not consent to being your product that you track.

    Specifically making people aware their e-mail address will be shared with you before it is shared is the right thing to do, and just for the record, just about every web site that has a privacy policy I looked at – that policy specifically states that e-mail addresses will not be shared with third parties, and you are a third party.

    So for your product to be used on those sites and not violate their policy then you MUST make the users aware the e-mail is being shared BEFORE it is shared and allow them to opt out.

    Look at your company’s history. You have snuck tracking software into updates without it being opt-in, “accidentally” started putting advertising links into jetpack – removing when caught, only to “accidentally” have it happen again six months later, etc.

    I don’t buy the slick talk – I look at your history, and it isn’t clean.

    skimlinks – those are what you snuck in, claimed was an accident, and snuck in again. And doing things in an iframe makes it easy for you to do without us being able to see the code for it in the plugin.

    And the tracking software that you snuck into an update, you snuck in with shortened URLs to try and make it less obvious.

    Can you understand why I might not want your company having my e-mail address?

    slightly off-topic – for those of you who are not aware how gravatar works, it takes an unsalted md5sum of your e-mail address and uses that to request the really well done cute gravatars from gravatar.com.

    Gravatar is owned by automattic.

    So once automattic has your e-mail address, all they have to do is take the md5sum and they can track every single website you visit that makes a gravatar from your e-mail address and build a profile of you.

    It is a really slick sneaky way for them to harvest data about you without it looking like tracking software.

    Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    It may turn away some subscribers, but that’s not a valid reason not to do it. If it turns away some subscribers, it is because those subscribers do not want their e-mail address shared with you.

    Agreed. I believe we work like this because that’s how everybody else does it. I have yet to find a subscription form that warns me about where my email address will be stored before I submit it.
    Do you have any examples that we may look at, in case we consider changing the way the subscription form works?

    skimlinks – those are what you snuck in, claimed was an accident, and snuck in again.

    It was indeed an accident (we’re only humans!), and it was fixed 6 months ago (reference). If you experience problems like that again on any Jetpack site, let us know, we’ll get it fixed!

    You can start a new thread in the Jetpack support forums here, or send us an email.

    doing things in an iframe makes it easy for you to do without us being able to see the code for it in the plugin.

    The comment form is added via an iFrame because it allows us to manage things like Social log in for comments.

    And the tracking software that you snuck into an update, you snuck in with shortened URLs to try and make it less obvious.

    I’m not sure what you’re referring to, but if you still experience issues with that, start a new thread in the Jetpack support forums and I’ll happily take a look.

    Can you understand why I might not want your company having my e-mail address?

    As I said earlier, we don’t do anything with your email address until you confirm the subscription. And even then, all we do is send you emails about the blog(s) you subscribed to.

    Still, if you don’t believe me I totally understand why you wouldn’t want to give your email address to Automattic.

    slightly off-topic – for those of you who are not aware how gravatar works, it takes an unsalted md5sum of your e-mail address and uses that to request the really well done cute gravatars from gravatar.com.

    Feel free to refer to the core trac ticket to learn more about it:
    https://core.trac.wordpress.org/ticket/14682

    For those worrying about that, you can install smartAva, developed by AliceWonderFull — thanks for offering the option to those who care!

  • The topic ‘Remove jetpack from the plugin repository’ is closed to new replies.