Michael Eriksson's Blog

A Swede in Germany

A review of the new WordPress/Automattic Privacy Policy


A few days ago, I received an email that WordPress (more correctly, Automattic) was changing its Privacy Policy*. Fearing the worst, in the light of the unconscionable behavior of e.g. Facebook, I decided to review it. The results were depressing, although I have not investigated what was already present and what has changed for the worse: While it is not as bad as what Facebook does, it still leaves the user with minimal protections and reliant on WordPress/Automattic not engaging in abuse.

*I use initial caps for consistency with the (spurious) use in the analyzed text.

Below I will quote some selected parts (in the original order) and offer some analysis*:

*The policy can be found under https://automattic.com/privacy at the moment; however, these contents can naturally change over time. The policy is under the Creative Commons Sharealike 4.0 License, making re-use unproblematic; however, I see my use as covered under “Fair Use” and similar principles, and do not “copy-left” this post under that license. Some change of formatting and typography might have taken place.

This is our updated Privacy Policy going into effect on January 3, 2018.

(Provided for identification purposes only.)

Your privacy is critically important to us. At Automattic, we have a few fundamental principles:

We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you through the operation of our services.
We store personal information for only as long as we have a reason to keep it.
We aim to make it as simple as possible for you to control what information on your website is shared publicly (or kept private), indexed by search engines, and permanently deleted.
We help protect you from overreaching government demands for your personal information.
We aim for full transparency on how we gather, use, and share your personal information.

A very promising start and a laudable attitude, provided that they actually adhere to it. Now, I raise no accusation concerning the actual use, here or below, for the simple reason that I do not know what actually happens with the data. However, in the continuation Automattic gives itself far-going rights that are not compatible with these principles, which raises considerable doubt as to the adherence—if they do not use these far-going rights, why collect them? Even without such rights, there is considerable reason to be cautious: Words are cheap and all-too-many websites abuse customer data in an inexcusable manner. The strength of a Privacy Policy, or e.g. a set of laws, must not be measured under the assumption of good intent and high competence.

Throughout this Privacy Policy we’ll refer to our website, mobile applications and other products and services collectively as “Services.”

(Given for interpretation only.)

Please note that this Privacy Policy does not apply to any of our products or services that have a separate privacy policy.

This is largely understandable, but it opens a large opportunity for abuse, through simply smuggling in a more specific and less acceptable Privacy Policy while hoping that the users consider themselves under the general Privacy Policy. Even deliberate abuse aside, it makes it harder for the users to know what rules apply for any given service. (Giving a universal rule for how to handle this is impossible, seeing that there is virtually no limit to the constellations to consider; however, a basic guideline would be to keep the general policy everywhere and to amend it as needed for the specific service, under adherence to the “fundamental principles” stated above.)

We only collect information about you if we have a reason to do so—for example, to provide our Services, to communicate with you, or to make our Services better.

Looks good, but is an almost empty promise: “to make our Services better” alone is enough of an excuse for many service providers to gather any and all data they can get their hands on. At the same time, “to communicate with you”, in my personal experience, is usually code for “to spam you”.

We collect information in three ways: if and when you provide information to us, automatically through operating our services, and from outside sources.

These items are all too vague. For instance, does “you provide” include just what is entered in (in my case) the WordPress account or can it include data gathered from email communications? The “automatically through operating our services” is to some degree unavoidable, but can at the same time be abused in absurd ways, e.g. to build irrelevant and unethical profiles, including e.g. sleeping habits. The part about “outside sources” opens a limitless room for abuse. Combine these three claims, and we are not far from Facebook.

In the continuation the Privacy Policy provides a number of examples of what data can be collected and how. If these examples were exhaustive, it would alleviate the risk of abuse somewhat—but they are not. There are also enough examples remaining that range from slightly dubious to highly problematic.

Consider e.g.:

  1. Content Information: Depending on the Services you use, you may also provide us with information about you in the draft and published content for your website. For example, if you write a blog post that includes biographic information about you, we will have that information, and so will anyone with access to the Internet, if you choose to publish the post publicly.

    Depending on what is intended this is either trivial or harmless—or a sign that there is intention to make automatic evaluations. This might be OK for the actually published* content, but hardly for drafts. Indeed, even if they do have the technical ability to access drafts, they should be ethically or even legally forbidden from doing so**. Note that drafts can contain things that are simply not intended to reach third parties, be it at all or at the current time. (Consider e.g. a whistle-blower intending to get out of harm’s way and then to publish a series of posts; or a homosexual having already written a draft with a “coming out” statement, which is waiting for a known-to-disapprove grandparent to pass away.) Also note that even non-malicious access can increase the risk of inadvertently leaking information to other third parties, e.g. through a security hole or a lack of care***.

    *However, even here there should be some type of restriction, equivalent at least to the restrictions websites can state (but not enforce) through the Robots exclusion standard.

    **Except to the degree that an access is in the immediate service of the user, e.g. to allow him to edit the draft. (A general problem with the analyzed text is that it does not clearly differentiate between widely separate purposes, e.g. access and storage by the user through the service vs. access by the service provider independent of the user. This limits the analysis somewhat.)

    ***There have e.g. been a number of occurrences of confidential data being accidentally uploaded to servers freely accessible on the Internet without authentication and encryption. (Or possibly servers being accidentally made accessible post-upload—the result is the same.)

  2. Credentials: Depending on the Services you use, you may provide us with credentials for your website (like SSH, FTP, and SFTP username and password). For example, Jetpack and VaultPress users may provide us with these credentials in order to use our one-click restore feature if there is a problem with their site, or to allow us to troubleshoot problems on their site more quickly.

    With reservations for rare special cases, it is a horrifyingly bad idea to hand out such data to third parties. Requiring such data, including providing services that require such data, is unethical; a user who complies is negligent.

  3. Log Information: Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, such as the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information. We collect log information when you use our Services—for example, when you create or make changes to your website on WordPress.com.

    The extent of data collected is too large, violating the principle of parsimony in data collection and bringing little or no legitimate benefit. Even browser information is highly dubious, seeing that a good site should work equally well with any browser; the operating system is simply none of their business (and a correctly configured browser should hide such information anyway). Parts can be outright illegal in some countries*.

    *For instance, saving a non-anonymized IP address in Germany.

  4. Usage Information: We collect information about your usage of our Services. For example, we collect information about the actions that site administrators and users perform on a site—in other words, who did what, when and to what thing on a site (e.g., [WordPress.com username] deleted “” at [time/date]). We also collect information about what happens when you use our Services (e.g., page views, support document searches at en.support.wordpress.com, button clicks) along with information about your device (e.g., mobile screen size, name of cellular network, and mobile device manufacturer). We use this information to, for example, provide our Services to you, as well as get insights on how people use our Services, so we can make our Services better.

    Location Information: We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions. We may also collect information about your precise location via our mobile apps (when, for example, you post a photograph with location information) if you allow us to do so through your mobile device operating system’s permissions.

    Similar objections apply: Parts can be acceptable; others are definitely not so.

  5. Stored Information: We may access information stored on your mobile device via our mobile app. […]

    This is utterly and entirely unacceptable and grossly unethical. I do not use mobile apps (hardly mobile devices, for that matter), but if I did, this would be an immediate call for me to purge my devices of any and all apps underlying this Privacy Policy. I urge the readers to do the same.

  6. Information from Cookies & Other Technologies: [simplistic descriptions of cookies et al.] Automattic uses cookies and other technologies like pixel tags to help us identify and track visitors, usage, and access preferences for our Services, as well as track and understand e-mail campaign effectiveness and to deliver targeted ads. […]

    The use itself is highly disputable; email campaigns (aka spam) are unethical; targeted* ads are at best ethically dubious and require unethical profile building.

    *In today’s Internet, the use of advertising in general might be called into question: The excesses of amount and intrusion have reached a point where an ad blocker and/or a blanket ban on images/Flash/JavaScript/whatnot per browser setting is a necessity. When it comes to advertising-driven “free” content, I apply the German phrase “Geschenkt ist noch zu teuer”—“Too expensive, even when gifted”.

  7. We may also get information about you from other sources. For example, if you create or log into your WordPress.com account through another service (like Google) or if you connect your website or account to a social media service (like Twitter) through our Publicize feature, we will receive information from that service (such as your username, basic profile information, and friends list) via the authorization procedures used by that service. The information we receive depends on which services you authorize and any options that are available.

    This is another unethical, Facebook-style, idiocy. The disclaimer about “The information we receive depends on which services you authorize and any options that are available.” might be OK if sufficient options are available and presented to the users in a reasonable manner (and/or default to “no sharing”)—but will they be? Worse, these controls are with yet another party, and now the user has to trust several parties to be both honest and competent… I urge all readers to turn any such settings off and to never engage in such “cross-site” activities. (I use a whole separate computer account for WordPress, e.g.)

  8. We may also get information from third party services about individuals who are not yet our users (…but we hope will be!), which we may use, for example, for marketing and advertising purposes.

    Doubly unethical: Firstly, this implies that individuals who have had no opportunity to read and accept/decline this Privacy Policy are affected by it. Secondly, the intended use at best amounts to ethically dubious advertising—at worst to outright spam.

A following section on (alleged) use is mostly OK, but contains:

To communicate with you about offers and promotions offered by Automattic and others we think will be of interest to you, solicit your feedback, or keep you up to date on Automattic and our products; and To personalize your experience using our Services, provide content recommendations and serve relevant advertisements.

The first amounts to spam; the second is again in the area of ethically dubious advertising. To boot, looking at WordPress (and almost any other service or software tool I have ever used), automatic personalization has no place and does/would do more harm than good: By all means, provide new options and ways of doing things—but let the user be in complete control of the choice whether to use them.

The following section on information sharing is, again, mostly OK, even if some of the talk of third-parties is on the vague side*; however, it contains at least two problematic items:

*The applicable use cases are reasonable and the third parties are required to adhere to the same rules as Automattic, but there is uncomfortably much room for third-party involvement. Note that the more parties are involved, the greater the risk that data are maliciously used, carelessly exposed to the public, or stolen through a security hole.

Aggregated and De-Identified Information: We may share information that has been aggregated or reasonably de-identified, so that the information could not reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services.

The given example is OK, as is, likely, aggregation in general; however, the “reasonably de-identified” is not: This allows handing out data in a per-user manner, and what is considered de-identified by Automattic need not actually be so. It is, in fact, very hard to remove the possibility of tracing a non-trivial amount of data back to a single individual. (I have no references at hand, but I point more generally to discussions around the German census of 2011 for more information.) To illustrate the problems (without necessarily saying that this scenario would occur with Automattic) assume that I was blogging anonymously and had never made much mention of personal details, except that I was Swedish. Combine this with an IP address coming from Wuppertal, Germany, and this alone could be enough to nail me down. At any rate, there would be no more than a handful of potential candidates, and just one or two pieces of additional data would be enough to clear the others. So, OK, my being Swedish makes me more vulnerable than a German, but, critically, not by much: This amounts to a game of “twenty questions”, and where two questions were enough above, a German posting from Germany might have been identified with, possibly, another five to ten*… Correspondingly, non-trivial amounts of non-aggregated data simply should not be exposed to third parties.

*Consider the rapid reductions of the set of candidates that can occur through knowing not only place of residence but place of birth, alma mater, a previous employer, …
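To make the “twenty questions” argument concrete, here is an added example of my own (not code from the original post, and nothing to do with Automattic’s actual systems): a constructed table of pseudonymous records with invented attribute names and values, a function that shows how the candidate set shrinks with each attribute an observer learns, and a k-anonymity check of the kind a data holder should run before calling a release “reasonably de-identified”.

```python
"""Re-identification from quasi-identifiers, and a k-anonymity check.

Constructed example: the records, column names and values below are
invented for illustration and are not real users or real data.
"""
from collections import Counter
from typing import Dict, List, Mapping, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample "de-identified" release: no names, but each record
# still carries a few attributes (quasi-identifiers).
RECORDS: List[Record] = [
    {"id": "u01", "nationality": "SE", "ip_city": "Wuppertal", "alma_mater": "KTH",    "employer": "A"},
    {"id": "u02", "nationality": "SE", "ip_city": "Berlin",    "alma_mater": "Lund",   "employer": "B"},
    {"id": "u03", "nationality": "DE", "ip_city": "Wuppertal", "alma_mater": "RWTH",   "employer": "A"},
    {"id": "u04", "nationality": "DE", "ip_city": "Wuppertal", "alma_mater": "RWTH",   "employer": "C"},
    {"id": "u05", "nationality": "DE", "ip_city": "Wuppertal", "alma_mater": "Bochum", "employer": "A"},
    {"id": "u06", "nationality": "DE", "ip_city": "Berlin",    "alma_mater": "RWTH",   "employer": "A"},
    {"id": "u07", "nationality": "DE", "ip_city": "Berlin",    "alma_mater": "Bochum", "employer": "B"},
    {"id": "u08", "nationality": "DE", "ip_city": "Berlin",    "alma_mater": "Bochum", "employer": "B"},
]


def candidate_trace(records: Sequence[Record],
                    known: Sequence[Tuple[str, str]]) -> List[int]:
    """Play "twenty questions": apply each known (attribute, value) pair in
    turn and return the candidate-set size after every question.  A trailing
    1 means the person has been singled out."""
    candidates = list(records)
    sizes: List[int] = []
    for attr, value in known:
        candidates = [r for r in candidates if r.get(attr) == value]
        sizes.append(len(candidates))
    return sizes


def k_anonymity(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """Size of the smallest group of records sharing the same values for all
    quasi-identifiers.  k == 1 means at least one record is unique and the
    release is not de-identified with respect to those attributes."""
    classes = Counter(tuple(r.get(a) for a in quasi_ids) for r in records)
    return min(classes.values()) if classes else 0


def generalize(records: Sequence[Record], attr: str,
               mapping: Mapping[str, str]) -> List[Record]:
    """Coarsen one attribute (e.g. nationality -> region) so that more
    records fall into each group; values not in the mapping are kept."""
    return [{**r, attr: mapping.get(r[attr], r[attr])} for r in records]


if __name__ == "__main__":
    # The Swede from Wuppertal: two questions suffice.
    print(candidate_trace(RECORDS, [("nationality", "SE"), ("ip_city", "Wuppertal")]))
    # A German from the same city needs a few more questions, but not many.
    print(candidate_trace(RECORDS, [("nationality", "DE"), ("ip_city", "Wuppertal"),
                                    ("alma_mater", "RWTH"), ("employer", "A")]))
    print(k_anonymity(RECORDS, ["nationality", "ip_city"]))
    coarse = generalize(RECORDS, "nationality", {"SE": "EU", "DE": "EU"})
    print(k_anonymity(coarse, ["nationality", "ip_city"]))
```

The check in `k_anonymity` is the minimum a data holder should run before sharing per-user data; in the sample, nationality plus city already gives k = 1, and only coarsening the attributes raises it.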

Published Support Requests: And if you send us a request (for example, via a support email or one of our feedback mechanisms), we reserve the right to publish that request in order to help us clarify or respond to your request or to help us support other users.

Such requests can contain information not suited for publication (and it would be insane to trust customer support with such decisions), and it is an unambiguous ethical duty either to collect a specific agreement for any individual such publication or to paraphrase and anonymize the text and other data to such a degree that no problems can occur*. To boot, there is a risk of outright abuse, e.g. in that someone writes a scathing complaint in anger or feigned** anger (which would be very understandable with WordPress), and that this complaint is then republished out of context by the service provider for revenge purposes.

*This is also recommendable because the original text can contain much that is irrelevant to the core issue and other users are helped by a corresponding filtering.

**I repeat my recommendation to take a hard line against incompetent support staff and uncooperative businesses, and to use increasingly harsher language during escalations so that it actually registers that customer dissatisfaction cannot just be shrugged off.

Various other items:

While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so.

Specifically WordPress is known to be highly problematic from a security point of view—and to a large part for reasons that could be avoided were Automattic doing a better job. This includes a better thought-through interface with greater consistency and fewer useless features, less reliance on JavaScript*, and, obviously, better code. Words are cheap.

*While JavaScript is always dangerous to some degree, it can become very highly problematic when third-party content is present, even in such a trivial situation as browsing one’s own blog and encountering hostile or misprogrammed comments or ads.

To enhance the security of your account, we encourage you to enable our advanced security settings, like Two Step Authentication.

In many cases, such statements contain an implicit “and if you do not, we will assume that any breach was your fault and wash our hands”. (Whether this applies to Automattic, I simply do not know; however, I note that this, and a few other statements, are not part of anything that reasonably could be called “policy”, leaving the suspicion that the true purpose is not to state policy but e.g. to reduce or shift legal culpability.)

At this time, Automattic does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using Automattic’s websites, with the drawback that certain features of Automattic’s websites may not function properly without the aid of cookies.

Not respecting “do not track” is weak for a service provider with so large resources. Making a complex service without cookies can be hard, but it is usually possible, and some of the uses on at least WordPress are of negative value. For instance, when I try to confirm a comment subscription not made with my WordPress account, using the provided link, WordPress steps in, matches it with my WordPress session, and refuses the confirmation, claiming that it does not know the email address used for the subscription—thereby forcing me to use another browser for such confirmations. Utterly, utterly idiotic and amateurish.

Automattic encourages visitors to frequently check this page for any changes to its Privacy Policy.

Unacceptable: People have better things to do than over and over again visiting any Privacy Policy, T & C, whatnot, that any of the multitude of online services provide. It is Automattic’s job to gather consent for any and all changes. Anything else is ridiculous and unrealistic. (But, unfortunately, this follows a current destructive trend of various businesses doing their darnedest to make consent to various conditions more-or-less automatic and actual access to said conditions as hard as possible. This even outside the Internet, where I have e.g. received notifications from banks that amount to “Our conditions have changed. The conditions are available in our offices. If you do not object to the changes by X, this is considered consent.”—utterly unconscionable, especially since the changes normally would have fit in the notification message at virtually no additional cost.)


Written by michaeleriksson

December 20, 2017 at 8:49 am


2 Responses


  1. For those who wonder: For some reason WordPress mangled the original title to “of post”. Why and how is entirely unclear to me.

    michaeleriksson

    December 20, 2017 at 8:52 am

  2. […] to e.g. “Independent Contractors” and “Third Party Vendors”. Cf. also an older analysis of WordPress’ privacy policy—a very similar […]
