Disable Gravatar by default #14212

Open
JoshuaLuckers opened this Issue Dec 23, 2018 · 9 comments

Collaborator

JoshuaLuckers commented Dec 23, 2018

Feature request

Summary

Gravatar should be disabled by default for new installations.

Why is it needed?

Gravatar is a third-party service used to show a profile image when a user has not uploaded a profile picture. In default installations enable_gravatar is true by default.

Information is collected automatically when using Gravatar as described in their Privacy Policy. This means that when installing MODX, the first admin user that logs in is almost certain to be tracked by a third-party service.

Suggested solution(s)

Disable Gravatar by default for new installations or make it possible to enable/disable it in the setup UI.

Related issue(s)/PR(s)

None.

Collaborator

JoshuaLuckers commented Dec 24, 2018

I do not actually see the problem. Users who have a Gravatar photo set up also agreed to this privacy policy when they did. So there is no problem to be solved, I think?

@gerbenvandekraats it’s better to talk about it here in the issue and keep the PR for technical discussions ☺️.
The problem is that it is enabled by default. Even if a user doesn't have a Gravatar, the request is still made. The third party receives information about this user such as his/her email address, IP, etc. Therefore it should be opt-in instead of opt-out.


gerbenvandekraats commented Dec 24, 2018

Sorry, my mistake. Let's talk here ;)

I didn't think about the request from non-existing Gravatar users. You're right. Disable by default is indeed the way to go then. Thanks for explaining.

Contributor

sottwell commented Dec 24, 2018

Just to weigh in with my $.02 worth. Disabling the Gravatar is the first thing I have done on every new site since the beginning. Well... sometimes I create my not-found resource first.

Collaborator

Mark-H commented Dec 29, 2018

I wonder if a gravatar proxy would do away with the privacy concerns?

Collaborator

JoshuaLuckers commented Dec 29, 2018

The email address of the user is still sent to Gravatar (as an MD5 hash). In Europe it might also cause some GDPR issues.


philipwhiuk commented Jan 9, 2019

Is there a strong argument why Gravatar functionality is in the minimal core rather than as a plugin (which could be optionally bundled but not enabled/installed)?

Contributor

OptimusCrime commented Jan 9, 2019

@JoshuaLuckers If you consider MD5 hashes as one-way hashing (not considering the weak type of hashing it is, and how rainbow tables might make it possible to find the original email from an MD5 hash), then no, this is not a GDPR issue.

GDPR says nothing about anonymous collection of statistics. As long as the information cannot identify one particular user or person, then it does not violate GDPR.

Collaborator

JoshuaLuckers commented Jan 9, 2019

When Gravatar is enabled it loads an image hosted by Gravatar. Even if the email address is hashed they still log information automatically about the user when the image is loaded. The information they log is not anonymous.

Collaborator

JoshuaLuckers commented Jan 9, 2019

And the hashed email address can be used to identify a particular user if the account exists.
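An added illustration of the two points argued in this thread (not code from the issue, from MODX, or from Gravatar): the avatar request carries a hash that is a stable pseudonym for the address, so anyone who already holds a list of addresses can match it, and an opt-in default avoids the third-party request entirely. The sample addresses and the local placeholder path are constructed for the example.

```python
import hashlib
from typing import Iterable, Optional


def gravatar_hash(email: str) -> str:
    """Gravatar's documented lookup scheme: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    # d=mm asks Gravatar for a generic silhouette when no avatar exists;
    # the request, and with it the hash, reaches Gravatar either way.
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=mm"


def avatar_url(email: str, enable_gravatar: bool = False) -> str:
    """Opt-in variant: with the setting off (the proposed default) the avatar is
    served locally and no request with the user's address hash leaves the site.
    The local path is an assumed placeholder, not a MODX path."""
    if enable_gravatar:
        return gravatar_url(email)
    return "/assets/avatar-default.png"


def hash_matches_known_user(observed_hash: str, known_addresses: Iterable[str]) -> Optional[str]:
    """Why hashing is not anonymisation: re-hash a list of addresses one already
    holds (e.g. a user table) and compare with the hash seen in the request."""
    for addr in known_addresses:
        if gravatar_hash(addr) == observed_hash:
            return addr.strip().lower()
    return None


# Constructed sample data, not real accounts.
KNOWN_USERS = ["admin@example.test", "Editor@Example.test", "nobody@example.test"]

if __name__ == "__main__":
    observed = gravatar_hash("editor@example.test")  # value as it appears in an avatar request
    print("default (disabled):", avatar_url("admin@example.test"))
    print("enabled           :", avatar_url("admin@example.test", enable_gravatar=True))
    print("hash identifies   :", hash_matches_known_user(observed, KNOWN_USERS))
```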
