Google Analytics seems to be the new standard for privacy invasion. If something is as invasive or less invasive than GA then it’s seen as not a big deal.
That’s a terrible point, given that even the Samy worm was less invasive.
My request to those who care about this stuff:
Stop. Giving. Every. Service. A. Shared. Identifier.
Regardless of whether it’s gravatar or facebook or whatever - least privilege means a unique address each.
It costs ~$25 USD a year to take control of how you can be contacted by corporations.
Buying a 10yr domain on sale is ~$20USD with Gandi (I’m sure other registrars offer something similar).
Paying gandi to host a wildcard mail rule is ~$20USD/yr (again, I’m sure others also offer something).
I am shocked, shocked, that a free web service would play naughty games with my personal information. (Reprisal: the same, but without “free”.)
Normally you would be correct.
The technical issue of having a public hash of an email address on multiple services still stands. But those concerned about that are already using different emails for each service, or at least using +foo gmail style alternate emails.
https://www.libravatar.org/ tries to address this.
But the problem with services like these is centralization which is hard to tackle when nobody cares :)
Gravatar has clear plans to monetise this data. Whether they are successful or not is another story.
Wasn’t gravatar bought by Automattic in 2007?
every time you comment on it, your e-mail address is sent to Gravatar.
Technically, I believe an md5 hash of the email is sent to gravatar. Not that md5 is in any way appropriate anymore.
I wish gravatar had the option to use a better hash these days (sha-256, sha-512, etc), or even better, let the site pick from a handful of options (maybe with md5 being the default to ease backwards compat?).
None of those are really any better for this purpose. You’d need some sort of per site HMAC.
Wouldn’t that only prevent 3rd parties from tracking you by watching the requests in the middle?
Presumably, you would still have to share the key with gravatar, for them to know which image to return. Using https (which gravatar apparently supports these days) seems like the more straightforward solution to avoid “email leakage”. However, I don’t recall offhand if most browsers send referer headers with https requests these days or not – if they do, then gravatar themselves would still be able to track where you have been. Sites could avoid this by using an image proxy (and stripping headers) instead of just embedding the image urls in the html though.
It would prevent correlating users across sites, which doesn’t require any kind of monitoring except visiting two different sites and looking at img tags.
That’s true. Good point.
Using a secure image proxy (camo, go-camo, imageproxy, etc), maybe with a few tweaks, could likely cover that case as well as prevent any referer leaking.
I’d rather have the cross-site user correlation visible publicly than visible only to Gravatar. I think the latter would render it more rather than less susceptible to abuse.
I guess I could see that, though I disagree. Like evil gravatar could correlate all my sites and determine I like pickles, and sell that, and then wherever I go on the web I see pickle advertisements. So that’s a certain level of bad. Alternatively I tweet something that some asshole doesn’t like, and then he tracks me down across a dozen sites to heap abuse on me. I think I’d prefer the pickle ads.
I’m more concerned about evil gravatar cooperating (or being forced to cooperate) with whatever your local version of the secret police is. If you leak some identity information to the public then hopefully the trolls with too much time on their hands who will do something relatively small that you’ll notice quickly outnumber the people with the will and capability to use the information to do you genuine harm, and keep their “source” secret until then.
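The per-site HMAC idea debated in this thread, as an added example that is not part of any comment above: it compares what an outside observer can link with a shared MD5 identifier against per-site keyed identifiers, and what a service holding the site keys can still link. The per-site scheme, the function names, the keys and the addresses are assumptions constructed for illustration, not something Gravatar offers.

```python
import hashlib
import hmac

def normalize(email: str) -> bytes:
    # Trim and lower-case so the same mailbox always hashes identically.
    return email.strip().lower().encode("utf-8")

def shared_avatar_id(email: str) -> str:
    # Shared identifier: unkeyed MD5 of the address, identical on every site.
    return hashlib.md5(normalize(email)).hexdigest()

def per_site_avatar_id(email: str, site_key: bytes) -> str:
    # Hypothetical per-site identifier: HMAC-SHA256 under a key unique to the site.
    return hmac.new(site_key, normalize(email), hashlib.sha256).hexdigest()

def linkable(ids_a, ids_b) -> set:
    # What an outside observer can correlate by comparing img tags on two sites.
    return set(ids_a) & set(ids_b)

def service_index(registered, site_keys) -> dict:
    # The avatar service must hold every site key to serve images, so it can
    # map each per-site identifier back to the account behind it.
    return {per_site_avatar_id(e, k): normalize(e).decode()
            for e in registered for k in site_keys}

# Constructed sample data: commenters on two sites, one person on both.
SITE_A = ["alice@example.org", " Bob@Example.org "]
SITE_B = ["bob@example.org", "carol@example.org"]
KEY_A, KEY_B = b"constructed-key-site-a", b"constructed-key-site-b"

def demo():
    shared = linkable(map(shared_avatar_id, SITE_A), map(shared_avatar_id, SITE_B))
    ids_a = [per_site_avatar_id(e, KEY_A) for e in SITE_A]
    ids_b = [per_site_avatar_id(e, KEY_B) for e in SITE_B]
    keyed = linkable(ids_a, ids_b)
    index = service_index(SITE_A + SITE_B, [KEY_A, KEY_B])
    # Accounts the key-holding service sees on both sites despite distinct ids.
    seen_by_service = {index[i] for i in ids_a} & {index[i] for i in ids_b}
    return shared, keyed, seen_by_service

if __name__ == "__main__":
    shared, keyed, seen = demo()
    print("publicly linkable with shared MD5:", len(shared))
    print("publicly linkable with per-site HMAC:", len(keyed))
    print("linkable by the key-holding service:", sorted(seen))
```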