What plugins should disclose about privacy

I believe the following should be disclosed by any developer who wishes to contribute code to an official repo:

I acknowledge that these items are often an essential part of plugin functionality.
However, I firmly believe in informed consent.
Before downloading and activating a plugin from an official repo, a potential user should be made aware of any of the following:

PRIVACY MATTERS:

  • Any new cron job being registered.

Example 1:
I found a plugin that offered invaluable functionality on the WordPress official repo.
However, upon reading the plugin code, it became apparent that the plugin registers a cron job which is scheduled to run automatically on a weekly basis and which sends specific information about the site to the plugin developer.
The user is provided with the option to opt-out. However, even upon opt-out itself, certain information about the site is still being sent to the plugin developer.
This should actually be opt-in based on new privacy legislation.
Furthermore, the plugin description in the repo should contain information on exactly what information is collected and how it is used so potential users can make an informed choice BEFORE installing.

Example 2:
I have found another plugin in the official WordPress repo where a typical use case would result in sensitive customer data being available in machine readable format to search engines.
It is actually possible to take mitigating action for this typical use case, but the chances of a plugin user realizing that there is a potential problem in the first place are pretty much slim to none.
Even a security expert is likely to miss it, because it isn’t a clear case of “bad code” that is un-escaped or whatever; the problem is that the typical use case will allow remote execution of a db query (which, due to the functional nature of the plugin, is highly likely to potentially contain highly sensitive customer data) without the site owner even being aware of the risk.

If a potential user’s attention is specifically drawn to each and every new cron job being registered, they can test it and take steps to make sure that the risks associated with it are in fact adequately mitigated.

  • Any JavaScript loaded from a third party website / authorization of third party cookies.

I have found a number of plugins in the official WordPress repository that do this.
I firmly believe that any plugin should disclose to potential users BEFORE installation what information it is collecting about the site and the customers of the site so the site owner can make an informed privacy choice not to use it or take adequate mitigating steps.

  • Any compulsory exit survey.

I have found more than one plugin in the official WordPress repository which contains a compulsory exit survey before the plugin can be deactivated.
That leaves nearly all users with two unappealing choices - either share site information with the plugin developer so you can get rid of a plugin that you don’t want, or find and clean up any changes the plugin made to your db.

5 Likes
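As an added illustration (not code from the original post or from any plugin discussed there), here is the opt-in cron pattern the post asks for, in plain WordPress/ClassicPress PHP: the weekly job is only scheduled once the owner consents, sends nothing after an opt-out, is removed on deactivation, and a small helper lets a site owner list every scheduled cron hook before and after activating a plugin. The option name, hook name, endpoint URL and the `weekly` schedule (present in WordPress 5.4+; older cores need it added via the `cron_schedules` filter) are assumptions.

```php
<?php
// Hypothetical option name and cron hook, assumed for this example.
const EXOPT_OPTION = 'exopt_telemetry_consent';
const EXOPT_HOOK   = 'exopt_weekly_report';
// Schedule the weekly job only after the site owner has explicitly opted in.
function exopt_maybe_schedule() {
    if ( 'yes' === get_option( EXOPT_OPTION, 'no' ) ) {   // default is "no"
        if ( ! wp_next_scheduled( EXOPT_HOOK ) ) {
            wp_schedule_event( time(), 'weekly', EXOPT_HOOK );
        }
    } else {
        // No consent: nothing scheduled, so nothing is ever sent.
        wp_clear_scheduled_hook( EXOPT_HOOK );
    }
}
add_action( 'init', 'exopt_maybe_schedule' );

// The job itself re-checks consent, so a later opt-out sends nothing at all.
function exopt_send_report() {
    if ( 'yes' !== get_option( EXOPT_OPTION, 'no' ) ) {
        return;
    }
    // Keep this list identical to what the plugin readme discloses.
    $report = array(
        'php_version' => PHP_VERSION,
        'cms_version' => get_bloginfo( 'version' ),
    );
    wp_remote_post( 'https://example.invalid/telemetry', array( // placeholder endpoint
        'body'    => wp_json_encode( $report ),
        'headers' => array( 'Content-Type' => 'application/json' ),
        'timeout' => 5,
    ) );
}
add_action( EXOPT_HOOK, 'exopt_send_report' );

// Deactivation removes the job so no scheduled task is left behind.
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( EXOPT_HOOK );
} );
// Site-owner audit helper: every hook WP-Cron has scheduled, with its next run.
function exopt_list_cron_hooks() {
    $hooks = array();
    foreach ( (array) _get_cron_array() as $timestamp => $events ) {
        if ( ! is_array( $events ) ) { continue; } // skip the 'version' entry
        foreach ( array_keys( $events ) as $hook ) {
            $hooks[ $hook ] = gmdate( 'c', $timestamp );
        }
    }
    return $hooks;
}
```

Running `exopt_list_cron_hooks()` (for instance through WP-CLI's `wp eval`) before and after activating a plugin shows exactly which hooks it added.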

Hi ALS and welcome. Thanks for the long, thoughtful post. I know there has been some discussion on the Slack plugins channel about best practice in plugins, or more to the point “bad practices”.

The “exit survey” is one of my pet annoyances too. I haven’t yet come across one that was compulsory though.

Hi @anon71742606, welcome…

I’m a plugin developer who also feels informed consent is the best path forward. It’s pretty simple to me: if the plugin gathers any data about the user (i.e., admin), the site users, or the site itself which is not publicly available on the site, consent is required. To me, gathering the data is the same as sending the data in that it should also require informed consent. In terms of cron jobs, I don’t think there’s any need to disclose if you’re not collecting/sending data.

As for your example 1, in terms of data and privacy, nothing should be opt-out – it should always be opt-in. Hopefully, the CP plugin directory will (do its best to) enforce this.

As to example 2, leaking private data to search engines would seem to be poor design. It makes one wonder what else could possibly be exposed (or stolen) from such a plugin.

Re: compulsory exit survey… I’ve never seen a compulsory survey… only optional ones. I understand the desire to get potentially valuable information from users, but resorting to strong-arm tactics would make me unable to trust their work or ethics.

5 Likes

I think it’s not just one, but several plugins that do it this way - or even use the same base / framework. VERY annoying.

NONE of my plugins have inherent “home phoning” stuff, or this nasty kind of “plugin deactivation” replacement. I’ve gathered that, with add-on payment frameworks / services like Freemius, one gets stuff like this on board, too. Seems to be becoming quite like a standard for “Premium” buy-in stuff. IMNSHO it’s another load of UA, aka User Adversarial wagonload of horse manure. Everyone wants a piece of the cake - but what happens if the cake just decides to get up and say “No more cutting folks, I’m done with you”? :)

cu, w0lf.

4 Likes
