Implementing Gravatar Properly

Published by manu

The other day a good friend of mine suggested I implement Gravatar on my website, so I started checking how it works and found it was incredibly easy. All I'd have to do is put an img element with a link to an MD5 hash of the commenter's email. Like this: <img src="http://www.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50" />

MD5s Can Be Sensitive Information

The commenter's email hash is visible to all visitors, robots/spiders, etc etc. Gravatar says it's okay because you can't crack the MD5 hash to retrieve the email. Indeed, for that you would probably need a database with emails and their MD5 hash to figure out what email is behind each hash.

There are 2 issues with this:

  • Without figuring out the email, you can still find other users' posts on other sites. Indeed, all you need is to search for the MD5 hash. Perhaps the Gravatar user is okay with this, but maybe not in every case (more later).
  • If you are the administrator of a large user database, you can search for the MD5 hashes and easily find out what the users in your database have been posting.

Other Issues

  • Non-Gravatar users can be tracked on the web too

    Even if you are not a Gravatar user, many websites will submit your email's MD5 hash to Gravatar and show that hash to the visitor. This means that even non-Gravatar users are now Gravatar users. There is nothing stopping Gravatar from storing this and nothing stopping people you know from finding your posts. Yes, anyone you know can go insane (like many employers who demand your social media credentials) and search the web for your email's MD5 hash.

  • Gravatar can haz your blog statistics

    Every time someone visits a Gravatar enabled website, Gravatar gets some of the website's user statistics: visitor's IP, browser/OS and the page visited.

  • Gravatar Knows Where You Have Been

    Of course, because of the above, Gravatar can know about all the posts made by their users on Gravatar enabled sites. Maybe they don't gather that info, but technically it's totally possible.

  • Websites that use Gravatar deliver content from third party sources

    This can be a problem when your website uses HTTPS: using Gravatar means some of your content is no longer encrypted, unless you use Gravatar's HTTPS version. But using Gravatar's HTTPS version means asking your visitors to trust their SSL certificate, which is issued by GoDaddy!

    I know it is a very common practice to have many bits of websites hosted behind many different URLs, but it's always good to limit that where possible. For example, embedding a Youtube video is understandable as it is actual content and generally users can see where this comes from. Pulling avatars, icons and such from all over the web isn't so cool.

    It also means losing control over what parts of your site are actually getting delivered to your visitors and how they are getting delivered. You cannot know if your visitor's connection to Gravatar is broken or altered.

    From a non-privacy-insane perspective there could also be performance issues: don't forget visitors now have yet another domain name to resolve. Reducing the number of DNS queries can help what they call "the user experience".

How Can We Fix This?

  • Give your commenter the choice of using Gravatar's service

    Instead of just hashing everyone's email "de force", why not let the commenter choose to have their email hash posted on the Internet first? Perhaps even a Gravatar user may want to make a comment without linking it to their Gravatar profile?

    I'll stress this a tiny bit more just because so many sites use Gravatar but don't even inform their users in the slightest way. If you want to use Gravatar for every comment, why not, but you should at least inform your users.

  • Don't show the email's MD5 hash in the first place

    Why not just make the request for the Gravatar avatar from the website and then deliver that to the visitors?

    The technical how-to in a nutshell is to replace the Gravatar image link with a script and pass a GET variable to it, like the comment ID. The script then figures out the MD5 hash (if the user agreed), requests an image from Gravatar and shows that to the visitor.

    This also helps reduce the number of DNS queries your visitors will make; instead your website/webserver will do all the work. And your webserver should probably have better bandwidth than your average visitor.
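
Here is the proxy pattern above written out in Python, as an added example (this is not the author's gravatar_img.php): the comment ID comes in, the email hash is computed and used only on the server, Gravatar is contacted only for commenters who opted in, and the answer is cached so Gravatar sees one request per comment rather than one per visitor. The comment store, the fetch callback and the default avatar are constructed for the example.

```python
import hashlib
from urllib.parse import urlencode

# Constructed sample comment store: each comment keeps the commenter's email and
# the opt-in flag recorded when the comment was posted (on a real site: the DB).
COMMENTS = {
    1: {"email": "  Alice@Example.com ", "gravatar_opt_in": True},
    2: {"email": "bob@example.com", "gravatar_opt_in": False},
}

# Served when the commenter opted out, is unknown, or has no Gravatar avatar.
DEFAULT_AVATAR = b"<svg xmlns='http://www.w3.org/2000/svg' width='80' height='80'/>"

_cache = {}  # comment id -> (content type, body); Gravatar is asked once per comment


def gravatar_hash(email):
    """MD5 of the trimmed, lower-cased email (Gravatar's convention). Never leaves the server."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email, size=80):
    # d=404 tells Gravatar to answer 404 when no avatar exists instead of a
    # generated placeholder, so the fallback to our own default is explicit.
    return "https://www.gravatar.com/avatar/%s?%s" % (
        gravatar_hash(email), urlencode({"s": size, "d": "404"}))


def avatar_for_comment(comment_id, fetch):
    """Return (content_type, body) for a request like gravatar_img?id=<comment_id>.

    fetch(url) is the outbound HTTP call, injected so it can be stubbed; it returns
    (status, content_type, body). Gravatar only ever sees the web server's IP and
    user agent, and only for commenters who opted in.
    """
    if comment_id in _cache:
        return _cache[comment_id]
    comment = COMMENTS.get(comment_id)
    result = ("image/svg+xml", DEFAULT_AVATAR)
    if comment and comment["gravatar_opt_in"]:
        status, ctype, body = fetch(gravatar_url(comment["email"]))
        if status == 200 and ctype.startswith("image/"):
            result = (ctype, body)
    _cache[comment_id] = result
    return result
```

In a real deployment the cache entries need an expiry, and the fetch callback would wrap an HTTP client call with a timeout so a slow or broken Gravatar cannot stall your page.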

I think this probably extends to many more services than just Gravatar. And Gravatar are probably nice people with pure intentions... It's not the end of the world, but it would be nice if webmasters put more thought into this sort of thing. The Interweb is still an experimental place; we should still be actively thinking about how we build it, not just lazily and passively do things the way they've always been done.

Gravatar Enabled

Starting today, on this website, if you post a comment you can choose to have your email's MD5 submitted to Gravatar to see if you have an avatar there I can use. Your email's MD5 hash will not be visible to other users.

This is what the img element that displays the G/avatars looks like on this website:

<img src="/blah/modules/gravatar/gravatar_img.php?id=1" />


Privacy Defending ISP - Calyx

Published by manu
[Image: Calyx logo]

Many ISPs or other Internet services these days will voluntarily co-operate with the authorities without requiring warrants and such. Some are even working directly with the MPAA/RIAA. However there are some people out there, like Nick Merrill, who are totally not like that.

Today he is raising money to start a non-profit ISP and mobile phone service that will be designed to resist surveillance, with things like encryption, minimal logging and mostly by challenging requests by the authorities that are abusive and/or illegal and/or unconstitutional.

So if you do live in the U.S.A. and more precisely NY for now, you could be very interested in checking out Calyx Institute and perhaps donating via Indiegogo or via their Paypal form.

Also, check out the people on the advisory board.


UK's Plan to Monitor Emails and Other Communications

Published by manu

The UK would like to implement a new system (originally brought up by the Labour party) that would oblige Internet access providers to monitor all electronic communications. The ISPs would have to store logs of all communications, though they say the actual content of emails wouldn't be recorded without a warrant.

They will most likely forge email providers' certificates in order to intercept encrypted traffic, because most browsers by default trust just about any certificate issued by a "company", and most users won't even notice.

If you are a UK citizen you can sign this petition. You can also check out ORG, who follow these issues very closely (the only thing they do wrong is that they use bitly links!).

This came out yesterday, yet it's not an April Fools' joke..



Data Privacy Day Doodles

Published by manu

Yesterday (or still today in certain time zones) was Data Privacy Day.. I was made aware of this by a doodle on DuckDuckGo.

[Images: DuckDuckGo's Data Privacy Day doodle; Google's doodle for, euh, Snowflake Day..]

Of course I opened a new tab and rushed to see what the search engine that I used to use before they became evil had drawn for the event... And well, funny story, Google has totally avoided the subject and instead put up a doodle celebrating the 125th birthday of the biggest recorded snowflake.. p.s. please install Chrome.. Like WTF, right?

As you may know, if you have a Gaccount (Google account), Google has changed their terms of service so that now everything "G" is unified, and what you do in Youtube directly impacts the adverts in your emails, and things you search for.. . etc etc.. And all this with the magic wandish words like "simple", "easy" and "yada yada".

So why has Google omitted Data Privacy Day? Maybe because data privacy is irrelevant in a system where your personal data lives across over 60 different services.. Perhaps I am wrong and it is just an innocent obsession with snowflakes..

BTW, this does not affect you if you do not have any account with Google, so for those rare people out there, bravo. : ]


O2 Gives Mobile Phone Numbers to Websites

Published by manu
Updated

O2, a UK phone operator, seems to be sending the user's mobile phone number along in the HTTP headers of their clients' HTTP requests! Lewis Peckover has discovered this and set up a test page for people to see what information their mobile ISP is actually sending to websites.

To test, disable your mobile phone's Wifi and visit this page. There you should see the usual stuff: user-agent, IP, languages, etc. If you see other things like your mobile phone number, you might want to ask your ISP for explanations.

Another thing that Lewis notes is that O2 modifies content; he claims they downgrade images and insert JavaScript links. If true, this is really, really bad: this is basically tampering with and altering private communications. It's just like if the post office opened your letters, made reduced photocopies so your letters are lighter and then passed those on to you.

I am guessing this shouldn't work over HTTPS; however, I would like to ask Lewis what the deal is on this, as I do not have a mobile phone and hence cannot test this at all. I also don't have a Twitter account so... If you do, ask him. Khtxbye : ]

Update: I found this old thread about the same sort of thing affecting other customers on other mobile networks. This is really not new, and this is not an O2 issue but rather a mobile phone ISP issue.


URL shorteners == privacy shortener

Published by manu

Today I would like to talk/rant about URL shorteners, these things that take a good old link and turn it into something short and obscure.

One day people realised that sending long links over some mediums such as email or instant messaging could be a pain, as the link would sometimes be cut up into pieces and lose clickability. One of the reasons (IMHO) was that in those days fancy clean URLs were not so common, so it would be easy to come across some of those crazy long links.

Then came the tweeting days, when the Internet decided it was time that everybody published content, and because most people have difficulties with literary expectations that exceed one sentence they came up with the brilliant 140 character limit (also to be compatible with SMS). In this situation even a normal optimised pretty link looked super fat, it's like putting a normal healthy human being next to Kate Moss..

This was already becoming a problem, but then people took it to the next level: links nowadays get shortened even when posted on websites.. It makes absolutely no sense..

So what is wrong anyway?

  • It hides the destination of the link
  • It adds a point of failure: now you depend on the URL shortening service, if they go down or moderate/filter your link..
  • There is a major leak of privacy
    • The clicker generates statistics at the URL shortener's service
    • The statistics are linked with the person who generated the URL and all the others that have followed the link

These statistics are available to whoever creates the link (you generally need to create an account for this function), and there could be more things done with them. I am sure it can be quite interesting to see how a link gets propagated, especially if you include IPs, User-Agents and, most interesting maybe, the referrer (the site where the link was posted). I am sure with this kind of information you could map a viral movement of clicks a la Hans Rosling.. But as we all know, the Internet is a power tool for marketing, and the knowledge gained from these services will not benefit science nor the general public, au contraire.

So why? Why do people use such things? Even on those Twitter/Identi.ca type things I found that most links can actually fit, with room for a short description. I've even seen some privacy rights organisations who cannot restrain themselves from the urge to use such links, in emails and on their websites. Hello, it's like a vegetarian protesting in leather boots!

I am surprised to be writing this in 2010; I thought this obsession with having the shortest URL would have passed a few years ago... What next, maybe The Pirate Bay will start using Bit.ly as well?


Stop government snooping on email and Facebook

Published by manu

If you are in the petition signing mood today OR you just do not feel very comfortable with the idea of the government reading every email (the ones they actually can read, of course) as well as all Facebook transmissions (for those still using it) and other online communications (where possible).. OR if you just feel like the money could be better spent on other matters.. then sign the Open Rights Group's petition.
