Which of my blog and personal data is being transfered when WordPress automatically checks for updates?

2 comments

1. This does not answer the question in specific, but those are some resources regarding the question (feel free to add stuff).

   Blog Articles and Discussions

   • Who is WordPress talking to? (Interconnect IT, 07 March 2011)
   • What Data Does WordPress Send Back to the Mothership (Lynne Pope; 14 Dec 2009)
   • Is WordPress Spyware? (Jeff Chandler; 10 Dec 2009)
   • WordPress Tavern Forums: WordPress and phone home (Started 7 Dec 2009)
   • wp-hackers Mailinglist: Revisiting phone home and privacy (Started 7 Dec 2009)
   • WordPress 2.3 Does Not Spy On Users [UPDATED] (Slashdot; 25 Sep 2007)

   • WP, phone home (24 Sep 2007)

   • wp-hackers Mailinglist: Plugin update & security / privacy Options (Started 23 Sep 2007)

   WP core resources and Trac Tickets

   1. WordPress.org Privacy Policy
   2. Trac tickets
      • Ticket #16818 – Akismet should suggest user to check current legal situation regarding data protection
      • Ticket #16778 – wordpress is leaking user/blog information during wp_version_check()
      • Ticket #12672 – Provide Multisite stats to api.wordpress.org
      • Ticket #5066 – Anonymize update checking
      • Ticket #5065 – Unify User-Agent strings
   3. Core code snippets
      • trunk/wp-includes/update.php

   Code Stubs

   • Mark Jaquith’s demo-plugin how to exclude a plugin from API version check (15 Dec 2009)

   Questions regarding Akismet, Facebook and other Add-Ons alike that deal with personal data

   • Blogs making use of third-party tools should check the current legal situation regarding data protection while making a third-party dealing with user-input.
   • Can you as a blog owner ensure that you can fulfill your blogs users rights on their data? Like document to whom you sent their data and how to deal with deletion requests on your behalf?

   International/Country specific Resources and Pointers

   • DE: Rechtswidrig: WordPress.com-Stats Plugin als Trojaner für Werbetracker
   • DE: WordPress.com-Stats (Plugin/Jetpack/Blogs) datenschutzkonform nutzen (mit Muster der Datenschutzerklärung)

   Log in to Reply

2. Calls from core to api.wordpress.org (wp 3.2.1)

   ---

   From the phpDoc blocks:

   Inside head of wp_update_themes(): “A list of all themes installed in sent to WP.“

   ---

   1. Themes
      /wp-includes/update.php > line 261-267, called on line 280 [1].

   2. Plugins /wp-includes/update.php > line 166-172, called on line 184

   3. Core /wp-includes/update.php > starting on line 22 [3]

   ---

   [1]

   $options = array(
       'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
       'body'          => array( 'themes' => serialize( $themes ) ),
       'user-agent'    => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
   );
   $raw_response = wp_remote_post( 'http://api.wordpress.org/themes/update-check/1.0/', $options );
   set_site_transient( 'update_themes', $new_update );
   

   [2]

   $options = array(
       'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
       'body' => array( 'plugins' => serialize( $to_send ) ),
       'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
   );
   
   $raw_response = wp_remote_post('http://api.wordpress.org/plugins/update-check/1.0/', $options);
   

   [3]

   $options = array(
       'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
       'user-agent' => 'WordPress/' . $wp_version . '; ' . home_url( '/' ),
       'headers' => array(
           'wp_install' => $wp_install,
           'wp_blog' => home_url( '/' )
       )
   );
   
   $response = wp_remote_get($url, $options);
   

   Log in to Reply