design marketing security

Identity theft, exploitation, and Gravatar

There’s a growing problem right now with Facebook Connect: it can silently log you in to websites that you *don’t want* to share your private data with. I saw a funny example last month where a porn website had integrated Facebook Connect … so when you visit the site, one miss-click and you’ll broadcast to all your work colleagues your embarassing love of HardCoreGrannies.

But there’s another example right now that may be worse, and is definitely food for thought. Facebook doesn’t broadcast your data – not to protect your privacy, but to prevent competitors getting access to data they are currently making money out of themselves. By contrast, there’s Gravatar: these guys take your private data and give it away to everyone – and they refuse to stop doing it (I’ve asked, directly, and they refused. They had no reason to refuse – they knew my identity, they knew my request was valid, and I believe under UK / Europe law it would be *illegal* for them to refuse. But … they’re American, and I guess all they care about is money).

So, for instance, I just had one of my online identities ruined by Gravatar. A website that I rarely use recently “upgraded” and implemented the gravatar system – and immediately took a private account and publically broadcast that I was the owner. They didn’t ask me, they just went ahead and did it. Like many web developers, I’m sure they had no idea what they were doing – few seem to be aware of the scam that underlies Gravatar.

Fortunately, I’m not going to lose something massively important, like my job / marriage / life (c.f. the news stories when Google Wave launched), but the website owners had no way of knowing that. They’ve just unleashed this upon their hundreds of thousands of users; what are the chances that one of them will be affected?

(incidentally, if you’re a website owner, I strongly recommend you think twice before adding Gravatar (or any of the clones) to your own site. I don’t know if anyone’s been sued for it yet, but I’m sure it’ll happen eventually)

There are two halves to the problem. Gravatar is fundamentally a violation of privacy: they take your data and give it to *everyone* without you knowing. So what? That’s the whole point of the service! Yes, the Gravatar author is a little incompetent (c.f. OpenID for how he *should* have implemented it), but otherwise there’s no problem, is there? In theory … if you voluntarily sign-up for it, it’s all OK. Isn’t it?

Well … maybe not. They won’t let you (the user / owner) control that flow of data. What happens if you change your mind – can you delete their data? Nope. Why? I’m not sure, but I would guess: If you did that, you’d undermine their ability to make $$$ out of you. You can (theoretically) set your pictures back to empty. But …

…But there’s a second half to this. I believe most people are on Gravatar because WordPress “gave” the user’s private data to Gravatar. That’s a nasty mess right there; what does WordPress’s privacy policy say? Again, when they acquired Gravatar, they apparently didn’t ask their users what they wanted, they just forced this privacy violation on them. Back then, it didn’t have much effect (Gravatar itself was relatively unknown / little used), but as Gravatar gets used more widely, the problem becomes more acute.

And here’s the rub: Gravatar’s staff refuse to adhere to privacy requests because (precising / summarising): “you have to use your account”. What if you don’t have one? “you must have had one in the past and we won’t help you. Go away, and stop bothering us”.

Meanwhile, WordPress refuses to send password details to anyone, ever. A wise security decision in some ways (e.g. many people use the same password on multiple sites. Doh!). Your only choice is to delete the password and recreate it.

Is that a problem? Sadly, yes. Because (due to some very short-sighted / stupid marketing decisions by the WP folks) there are lots of admin systems – e.g. anti-spam – that are run off people’s WordPress accounts. So far as I can tell, no reason exists for this *except* to harvest email addresses and try and lure people onto paid plans. Further, WordPress uses an archaic password-based system (instead of e.g. Yahoo’s permission-based API – which, again, is how WP should have implemented this) – so if you change your password, all those websites will break.


These services are a nice idea in theory, but when you get terrible implementations like Gravatar, combined with lazy / stupid staff, the user does pretty badly. They get screwed, they get patronised (just look at the FAQ; they’ve cleaned it up in the last 12 months, it’s no longer so actively offensive as it used to be, but it’s still pretty bad), and many times they don’t even know about it until the violation is widespread.

And, ultimately, any website that uses this system is in danger of losing badly if it goes to a court-case. I’m not a lawyer, but when there are industry standards for user-controlled privacy (OpenID), and specific laws demanding that Gravatar honour the requests it currently refuses (UK Data Protection Act, for instance), I suspect a court is unlikely to look favourably on a website claiming innocence. Ignorance isn’t generally a valid legal defence.

But how much damage do these systems do to themselves? If Automattic were a little less greedy, or a little less selfish, would a lot more people embrace the idea of sharing their identity openly? Will OpenID provide a gravatar-replacement that doesn’t shaft the user, and will that take off much bigger than the original?

Personally, I look at recent events like Google Wave, and Blizzard’s “forum identity = credit-card name” – and the s***storm of angry users in both cases – and I suspect these privacy issues are much more damaging than corporates expect. Which is good news: the world appears to be slowly waking-up to the abuses inflicted upon them in the digital world, and the importance of keeping certain things (passwords, email addresses – and now, finally: identity) sacrosanct. And that is definitely a good thing…

7 replies on “Identity theft, exploitation, and Gravatar”

What was the Google Wave ‘event’ that you speak of? I don’t recall any privacy concerns with Wave.

Do you mean Google Buzz?

It may have been precisely due to a feeling of social responsibility that Blizzard wanted to use ‘Real names’ on their forum communities. They may have been unable to anticipate the size of the popular response to the announcement, but to their credit Blizzard’s employees would have been held to the same standard and with significantly more visibility.

I don’t know too much about it, but it might have been Google Buzz that had privacy concerns, like when people accused the deputy chief technology officer of the White House of lack of transparency when he used Buzz to ask Google employees if there was any way to control the recipients of a Buzz so it could be an effective replacement for email.

If the purpose of Gravatar is provide a simple service without extra effort, it sounds like it would be WordPress’s problem entirely. Gravatar mentions that a hash that resolves to an image will not always resolve to a profile too, so it does seem that they are trying to give users control over the information, regardless of what WordPress’s intentions may be

Thanks, Alastair.

I am a total idiot :). Yes, I meant Buzz.

(Buzz? Wave? Ah, wahtever – they’re all stupid non-names. You couldn’t trademark any of them…)


Initially, I had no problems with Gravatar. Seemed like a nice idea. Philosophically, from a Security Engineering perspective it did seem a little lazy and/or incompetent in the design/implementation, but *shrug* whatever; that’s Web 2.0 all over :).

However, over time, their extreme anti-human, anti-privacy stance has gradually irritated me more and more. They apparently care *nothing* for the damage they do to real people. That’s both irresponsible and immoral :(.

…and I think they’re merely one of the first of what will be *many* examples.

I’d rather look at the general landscape than focus too much on this one example.

But the huge scale of it – and the increasing adoption across websites – makes it an interesting case-study. Also, it’s a lot more focussed case-study than Facebook, which has flirted with this problem repeatedly over the past few years.

Well, considering that one of the primary objections to Blizzard’s use of real names was that “But my Facebook page with my phone number and address is on the first page of Google if you search for my name!”, I’m not sure how to approach what some people imagine privacy to be :p..

but I’m not a web developer so!

Yeah. My tone was hopeful, but we’re (collectively) starting from a *very* backwards position.

c.f. Alice Taylor (commisioning editor at Channel4) and the efforts she’s gone to, just to try and get the majority of teenagers / children to receive a *basic* education in these areas. e.g. with SixToStart on Smokescreen.

There’s hope, but there’s also a very long trek ahead of us…

Comments are closed.