Bring “Trackers Transparency” to #WordPress Plugin Repository


This post is a fundamental yet humble statement to make awareness and asking for an action in order to bring transparency to the “Trackers” that are being installed in WordPress sites along with the plugins that are available in WordPress.org plugin repository.

Background:

In this post the term  “Trackers” addresses the “tracking codes”, it means the codes and/or scripts that collect certain information about activities, functions and behaviour of a website, its users and  visitors. Codes for the  Stat Counters are most common types of the “trackers”. I need to clarify not all the trackers are harmful, suspicious, unwanted or hidden.

Few weeks back I installed WordPress directly on a web-server to make only one page for a showcase purpose.  Right after the installation  I activated only 2 plugins; 1. Akismet 2. A sharing button plugin ¹.

As usual after activating the plugins, I returned to the front-end to see if everything is alright, then I noticed Ghostery² notifications show thirteen trackers. I check the list of trackers provided by Ghostery and double checked the list by using “Built With” browser add-on³ . There were five trackers not related to any social network included in sharing buttons, and I never heard about three of the trackers. Having a fresh install of WordPress, the default theme and Akismet as the only other plugin, puts the  existence of all the trackers on the sharing plugin’s account.

Finding these trackers which are sending data to some advertising systems made me try some other plugins, and I’m a bit shocked by the result. There are many trackers that use WordPress plugins as a carrier to collect information from the sites using those plugins.

Why the trackers create an important concern?

There are a plenty of reasons and risks that should make us cautious about the trackers. Here are some of the reasons and vulnerabilities:

- Activities of these trackers are clearly against WordPress Plugin guidelines.  The clause 7 states: “No “phoning home” without user’s informed consent” and “No unauthorized collection of user data”. These trackers can also be subject to clause 9: “The plugin must not do anything illegal, or be morally offensive.”

- WordPress now and only a decade after creation is the world’s number one CMS with tens of millions of users including: developers, designers, webmasters, editors, authors and bloggers. Everyday WordPress powered sites and applications are visited and viewed billions of times by all the internet users. Allowing the hidden trackers to function in WordPress atmosphere is a social privacy issue in a global scale.

- Many of the users who install and work with WordPress are non-technical people. They are using WordPress because of the trust, flexibility and amazing features offered by WordPress and its rich plugins. Yet these  people might be unable to detect threats or risks that trackers may cause. WordPress must hold on its principles and protect these users from being used with no consent and awareness.

- Even if the hidden trackers cause no risk a user has the absolute right to decide whether to allow or disallow data collection by an advertising platform or any other third-party.

- There was a time when a few voices were alerting about the massive surveillance through the internet giants such as Google, Microsoft and Facebook. Most of us did not want to listen, some of us even called those voices illusionistic and took their message as “conspiracy theories”, It was only after Edvard Snowden’s story and  NSA leaks that many of us faced the truth.

We never know; if we don’t stop the unwanted and hidden trackers now, When we might face the unwanted consequences.

- WordPress name is fairly bonded with Open Source, GPL, Freedom of Software,  Community Development, Defending Freedom of Internet, Liberalising Publishing and so on. How on the earth we shall allow such the innocent brand, fame and respectable values be possibly undermined because of the trackers!

- There are countless of decent and professional developers who contributed their talent and skills to the world by sharing their priceless plugins on WordPress repository. My memory and limits of a blog post don’t allow me to mention their names and their great softwares, yet as an example I would like to highlight  the professionalism of Joost de Valk(Yoast) a developer that  his  WordPress Plugins have been downloaded 13,928,900 times by the time I’m writing this post. About a year back when Yoast needed to collect usage data via his famous SEO plugin. He simply released an update and made the plugin asks for users permission. I’m sure many of the users accepted, and his plugin has evolved greatly by including latest “Social SEO” features. Keeping silence against trackers is helping no one it stops the productivity, and it’s certainly unfair to the decent developers and harmful to the whole community.

How to Bring Transparency?

It’s not  about stopping the current trackers via the plugin repository What we need is the transparency not a ban. Trackers are useful in many cases, and we have to use them unless a tracker is harmful.

If someone asks Can transparency hurt the popularity of the plugins?

The answer is: Not at all, The highest level of transparency is the “Open Source” itself. Can we imagine where WordPress would be now if it was not an Open Source platform? First Step is to believe that in many ways transparency is helpful for all of us.

The whole WP ecosystem including paid plugins and themes should be transparent about the trackers, as well.

The solution should be according to WordPress policy that encourages developing plugins with a minimum hassle and avoids complex regulations.

The Solution should also be scalable, considering  the volume of the job for the review team.

There are more than 28000 plugins in the repository, and I guess the number grows about 20% per year. We need to include updates too, It all shows asking the plugin review team to be more detailed about the trackers is not a productive approach.

The solution must come from the community and get done by the community.

The ground is only ready if people at the WordPress Foundation and Automattic acknowledge the trackers transparency is a priority. Then they have both experience and skill to offer a suitable solution.

“Trackers Transparency” Pyramid:

It’s a sample roadmap to deploy trackers transparency through out the whole WordPress Ecosystem.

Trackers Transparency pyramid in WP Ecosystem

Trackers Transparency pyramid through the whole WP Ecosystem

After WordPress heads recognized to give a high priority to this issue and upon publishing a few blog posts by the major influencers, The community interactions will create awareness and ignite an online brainstorming to figure out the best approaches and practices.

Hopefully, The final goal of transparency is to encourage all WordPress Users ( Webmasters) to publicly announce all the trackers and cookies of their sites to the public ( visitors and viewers of WordPress Sites).

On the repository stage, maybe a simple badge system encourages plugin developers to list down the trackers included in their plugins somewhere along with plugins information. FAQ and “Other Notes” tabs provide a plenty of space for publishing a small list.

That’s all I had to say, I’ve started from this blog and here you can find the list of trackers. I hope this issue get the attention it deserves through the whole community and specially by the WordPress icons and influencers.

Footnotes:

1. I do not intend to reveal “the sharing button” plugin that made me to address the trackers issue. But it’s easy to try, install a WordPress site and add some plugins and find out the trackers they inject into your site without your consent.

2. Ghostery is an app installable of all the major web-browsers to identify and block the trackers that are active on the websites you visit. More Info: http://www.ghostery.com/

3. “BuiltWith” is a company that tracks technology trends with very sophisticated tools. Luckily they still offer a free browser add-on. More Info: Builtwith.com

disclaimer: This Weblog  does not contain any type of promotional content and/or affiliation links. The information I share  is based on my best knowledge and honest opinions, Please feel free to share your feedbacks and show that you like the independent and non-commercialized blogging by sharing this post.

*WordPress Icon Credit at the featured image: Mike Koeng

27 thoughts on “Bring “Trackers Transparency” to #WordPress Plugin Repository

  1. So, let me just check your reasoning here.. You installed “a sharing button plugin”, and then that somehow gave you 13 “trackers”.

    Now, you don’t mention what these “trackers” are, or indeed, what your methodology considers to be a “tracker” in the first place. Indeed, you post is seemingly intentionally vague when it comes to this sort of thing.

    So to answer you, I’ll be extremely clear and specific in my reply. Let’s use Facebook as the most handy example.

    Installing a “sharing plugin” that allows people to share to Facebook, by necessity, includes Javascript code from Facebook’s servers. That’s how the sharing system they’ve implemented works. The Facebook javascript creates the “share” button on your page and shows possibly a counter. It knows who the viewer is, if they’re logged into Facebook. It pops up an inline frame to do the “sharing” if it is clicked.

    This most certainly would qualify as a “tracker” under your definition. It’s telling a third party who’s viewing the site.

    However, it is not done without the consent of the site owner. The WordPress software does not contain Facebook sharing functionality. That comes from the plugin, which is implementing the freely available and well known Facebook share button.

    If somebody takes affirmative steps to install a plugin to put Facebook share buttons on their site, then it is *extremely obvious* that it is going to send data to Facebook. That is, in fact, the entire point of the plugin.

    The WordPress plugin directory does not allow “tracking” as you suggest, with only two real exceptions:
    - If the tracking is “opt-in” and the owner of the site must explicitly “turn it on”, then it is okay.
    - If the tracking is extremely obvious, such a Facebook plugin using Facebook code and Facebook APIs, then that is acceptable as well.

    Our primary concern in this regard would be plugins that do things without the consent or without the knowledge of the website owner. If a plugin is doing those things, then a simple email to plugins@wordpress.org will be sufficient to notify our plugin team of the problem. They can take a look, and take appropriate action. Such actions may be to contact the plugin author and have the plugin changed, or to remove the plugin from the listing entirely, or in extreme cases to modify the plugin ourselves and forcibly remove the bad code.

    So, having a “badge” system for something that isn’t allowed in the first place doesn’t really make a whole lot of sense to me.

    While systems like Ghostery may consider social-network sharing systems to be “tracking” devices, possibly with good reason, our concern is not to disallow it, but to make certain that users of the plugins are aware of what is going on and have informed choice. We consider our users to be relatively intelligent people. If you install a sharing plugin, it must necessarily communicate to those sharing services. If you install a stats gathering plugin, it must necessarily send stats to some service to gather those stats. Obvious cases do not need to be extremely explicit, because they are obvious to a reasonable person.

    Just my 2 cents.

    • Hi Otto,
      At the first I appreciate your time, concern and attention very much.
      The fact is that if I install sharing plugin, The scripts will naturally communicate with the related social networks is obviously not an issue, as far as the user ( Webmaster) is concerned.
      But What iب I install ش sharing plugin and it communicates with an advertising platform to assist an ad campaign which I’m not aware of, retarget my visitors?
      We certainly can’t have a logical reasoning and say because I accepted “Facebook Scripts” and Facebook Accepted the Ads Platform and the users are intelligent then collecting data of my visitors to retarget them somewhere else is fine, reasonable or negligible.
      I don’t mention that particular plugin because I have not tried all the sharing plugins, and it’s not fair to defame one plugin that’s accidentally found problematic, while among 28000 plugins I’m sure there much more doing the same or worse.
      I believe the rule of “No Phoning Home” is set before popularity of the social sharing and the related trackers.
      My point here is to encourage the developers declare the trackers whether these trackers are useful and relevant or irrelevant and harmful.
      With a pragmatic approach, What’s the loss or disadvantage if the developers being asked to “voluntarily” list all the trackers in a way that people with zero knowledge or a one digit IQ also be able to see who’s collecting what from them?

  2. But What is I install sharing plugin and it communicates with an advertising platform to assist an ad campaign which I’m not aware of, retarget my visitors?

    Then that would not be allowed. If you reported the plugin doing this, then it would likely be removed from the WordPress.org repository.

    You say that there are much more doing the same or worse, but in my experience, that is not the case. If I found a plugin doing that, then the plugin would be de-listed, the author contacted, and the plugin either fixed or gone for good.

    **We don’t allow the type of thing you’re suggesting.**

    However, the Plugin Team can only act on information received. Have you reported these plugins you found? Have you told anybody about them? I just find it weird to be reading a complaint about a practice that we clearly do not allow in the first place.

    Report the plugins that do this to plugins@wordpress.org. They will get fixed or removed. Simple. Keeping this information to yourself helps nobody else.

    • I will do get more similar cases and will send you the showcases in a short while, but we should not ignore people the last chain of this process who are the site visitors, We need to bring this issue up because sooner or later people will have more privacy concerns, and we will see more laws like the EU cookies law.
      For both WP “users and visitors” this matter needs transparency. And a “voluntarily” declaration brings more trust to WordPress sites and causes no harm whatsoever.

      • Yes, fine, but transparency and declaration about… what, exactly?

        Are you suggesting that every site which has a Facebook sharing button on it must present a notification saying “this website communicates with Facebook”? I don’t think that is likely to happen.

        What could a plugin page say that you would consider to be transparent? If it’s a sharing plugin, then it is clearly going to state what networks it can share with. That’s pretty darned transparent, in my mind. What more does it need to say?

        Must a sharing plugin present the privacy policy of every service it can share with right up front? That seems like a lot of effort for little gain.

  3. Pingback: Matt Mullenweg Liked the Trackers Transparency Idea | Pooriast
  4. Maybe we can call it transparent when a list of all trackers that collect User/Visitor Data ( distinctively or anonymously) be published both in plugin details and on the websites.

    • But a plugin author probably doesn’t know that information. They’re just implementing, say, the Facebook share button. They know it talks to Facebook, and that’s it. What more is there for them to disclose?

      And website owners likely don’t care, and very much do not want it displayed on their websites. Like it or not, the EU cookie law does not apply to me as I do not live in the EU, and I would definitely not disclose to my site’s viewers what my site does or how it works.

      And viewers of sites, for the most part, don’t care either. If somebody has a problem with Facebook tracking, then they install a browser extension to block it or similar. Having to click through irrelevant privacy information on sites is an annoyance.

      This disclosure idea doesn’t work from any angle. There are legitimate privacy concerns about this sort of thing, but turning those concerns into “annoyances” is not a solution that will work. People will reject it.

      • Your reasons that people rejecting the transparency are exactly same as the reason that those who opposed “Open Source” used to say. As I mentioned via the post: “Open Source itself is the highest level of Transparency”. I believe in WordPress Community, I believe in it not only based on hunches or emotions but based on the greatness that this community has earned. Who would believed that people spend hours of time here and there answering each others questions for solving the technical issues? At the first sight do you think it looks rational to spend precious time writing codes or help articles for the sake of strangers with no compensation and in many cases without even recognition?
        The WordPress community has done many things that can’t be considered as reasonable or even rational at the first sight. But it happened. and it is happening, Now with the current growth rate of WordPress, and based on the current market share, we can divide the web to WP Web and Non-WP web. I make this highlight to say, in my opinion WordPress is where it is now because of its intellectual values and WordPress will be WordPress only by respecting the values. I’m sure in principle you think exactly the same, and in practice you have contributed to this community a thousand time more than me. In compare with you I consider myself an outsider, but sometimes an outsiders view might be correct and practical as well.
        Because of the same reasons that this community accepted many contributions voluntarily, The community that it is will participate in a voluntarily transparency too. Basically, this idea is to provide a clear view in front of the visitors ( the very end users of WP). We can do a big deal of difference when we initiate this movement in WordPress. If announcing the “Trackers” become a trend then many people will follow it even those who have no belief in such ethics. Just like the GPL, it is a trend now, and I don’t want to mix this issue with Matt’s opposition to ThemeForest, but certainly Themefoest has no believe in GPL, they don’t follow GPL but still they want to be a part of the trend. This is false on one hand, but on the other hand it shows the power, influence and values of WordPress.
        If We make awareness and see the long term benefits, People will follow, at least in WordPress community I’ve no doubt that with relying on the community many things are possible.

  5. In this conversation, I want to make it clear that I don’t necessarily disagree with you, but at the same time, I cannot figure out exactly what it is that you want to make into an actionable item here.

    First, I’m still very unclear on your concept of “trackers”. So that doesn’t help. Most things I can think of that you would consider “trackers” would not be allowed, or would only be allowed for the extremely-obvious and opt-in cases I stated previously.

    Now, in both of those cases, there is nothing more to disclose. If it’s obvious, then that is disclosure. If it’s opt-in, then the webmaster has to explicitly decide to turn it on. Either way, the webmaster has full knowledge, or at least has the opportunity to obtain knowledge before enabling the code.

    As far as disclosure to site-visitors goes, that falls into the realm of content. We explicitly disallow plugins from adding content to sites without webmaster consent. An example would be footer-credits, such as “this site runs X plugin”. So that falls afoul of that sort of requirement. The content of a site should be entirely determined by the webmaster specifically. It’s their site, they decide what goes on it.

    So I’m hard-pressed to determine what voluntary action you believe should be taken in this case, specifically from the WordPress.org side of things. What does “announcing the trackers” mean, specifically? What would we add to facilitate this? I have made Facebook, Twitter, and Google plugins and have had them in the directory in the past, and I have no idea what form such “announcements” should necessarily take or indeed what more I could announce. They connect to Facebook, Twitter, or Google and do things there. What more should I be disclosing that isn’t apparent from the actual plugin itself?

    • Let me give some examples, from first stages of tracking till latest methods, then we see what is tracking in my word and what are the users rights;
      A site statistics logs contain IP, Web Browsers, Operating System etc. Then we have tracking codes such as Google analytics and all it collects(not concludes) What I think is the rights of the users and visitors to know is the data that being collected and the party which collects those data. So Google analytics collects referring URL, time on site etc. At a more advanced level social networks come into the picture, The also collect same data as GA plus social interactions, Then heat-maps like Crazyegg are collecting a set of visitor behavior data. If a visitor fill up a form, probably some other information such as more detailed geolocation data are likely to be collected. These are the information that being tracked on most of the sites, and while for tech guys these things look so obvious and normal for most of the users better to say perhaps a great majority of the internet users collection of this data is strange.
      So at very end user side, We shall act responsibility and provide the awareness. But before that or at a higher level, Many WordPress users lacking tech knowledge, We can’t blame them, WordPress is made and day by day evolved more into a system allowing someone without enough knowledge to use MS Office, launching a blog, CMS and recently lots of sophisticated applications. They can’t realize what’s going on whether for hidden and harmful phoning homes or even for the activity of some obvious trackers, So only by adding something that’s obvious for technical people We give a fresh view to non-tech people. on the other hand if can provide a solid legal base to take very serious actions against the developers who possibly do something illegal. Because when you warn a developer to fix his plugin or it will be removed, usually he fixes it, and the story ends, Now imagine the plugin had done something illegal, Taking legal action even in very serious cases needs a lot of evidence and expertise to convince the judge or jury that the developer had done something harmful intentionally. But if at the first place the developer declare a false statement, punishing him is much easier because false declaration is a stand alone criminal offense. It dose’nt mean if someone forgot to mention he is using GA we shall send him to jail, but in worse case scenario, that for the review team or offended parties the illegal and harmful activity of a plugin is obvious, having a false statement is a legal shortcut to punish the responsible party.
      We shall start it at the plugin repository, many honest people will participate, it will be come a trend and hopefully another valuable movement initiates from within the WP community.

  6. Pingback: WordPress Plugin Authors: Be Up Front and Honest With Users About Tracking
  7. You missed the biggest culprit of them all. The WordPress commenting system. If this bothers you check out this ticket: http://core.trac.wordpress.org/ticket/14682 check the comments towards bottom with the links for practical application and consequences.

    You should inform you readers that commenting on your blog enables tracking of their commenting by Gravatar even if they dont use the service volontarily. It also exposes their email so people might be able to track them down. Can also be used to track their online behavior even if they change their commenting name if they dont change their email on the sites they comment on under different names.

  8. Pingback: WPTavern: WordPress Plugin Authors: Be Up Front and Honest With Users About Tracking | A2Z Web Design Tutorial
  9. This statement is incorrect

    “disclaimer: This Weblog does not contain any type of promotional content and/or affiliation links. ”

    WordPress.com uses (or is just testing) Skimlinks, so any external link that they might happen to be able to make money on, they make money as an affiliate.

    It is also quite possible at some time they will test other ads.

    You also need to understand that it is quite possible to chain beacons together, so 1 beacon could fire 20.

    Every one of the plugins created by social sharing sites that I can remember is not intended to be used “stand alone”.

    As a user you would sign up to thier service, agree to their privacy policy, and most likely in their terms and conditions they also mention the 3rd party services they partner with… which pays for the tracking services… because that is what these companies are.

    Facebook uses your data to sell ads
    Twitter uses your data to sell ads
    Google uses your data to sell ads

    And these services also make money with data…

    You didn’t mention the company, but here are a few

    Sociable
    Share This
    Add To Any
    Add This

    They partner as far as I know with reputable data companies who conform to Ad Chocies which gives all users the option to opt-out of various forms of data collection.

    But then they will get less relevant ads.. less special offers for products they might buy from stores they actually like and visit.

    Every blog on WordPress.com should have a privacy policy to cover the adverts and tracking (not just on the root domain)

    Last time I checked Akismet it wasn’t just checking hashes… actual personally indentifiable data (email address) was being transferred, possibly internationally.

    WordPress.org should mention sharing data with 3rd partys such as Quantcast.

    Some kind of flag seems like a good idea, but it should cover every possible situation which could be harmful

  10. Pingback: How to Use Ghostery to Find Trackers Added by WordPress Plugins
  11. Pingback: WPTavern: How to Use Ghostery to Find Trackers Added by WordPress Plugins | A2Z Web Design Tutorial
  12. Pingback: MyPress Ghostery - Track the Trackers - MyPress
  13. Pingback: After 6 Years | doug --- off the record
  14. Lets begin with stating among the information about this excellent
    revolutionary weight-reduction plan capsule and metabolism
    price booster. The huge distinction between Adiphene and Adipex
    is that Adiphene is a product that uses a sequence of natural and secure to use ingredients.
    Having said that, the study has shown that just about anything that can maximize the metabolism, also can raise the weight reduction even if the human being is just resting.

  15. In order to promote the website, the web master
    must always adhere to the general rules in search engine optimization. Make sure
    that the grammar and spelling on your pages are correct.

    Asking price denotes a very high price that is beyond what traders
    are likely to pay.

  16. Not because they will be changed into adipose tissue,
    but because excess protein in your diet causes you to burn more protein and stare more fat.

    This alone offers it some credit score as a authentic contender within the eating
    regimen complement arena; at the moment oversaturated with poor high quality diet products.
    Then I took these dietary supplements and now Im again in shape.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s