Privacy concerns regarding Gravatar are not new. But what exactly are they and how can you avoid your data leaking? And what is Gravatar?
Y’know when you sign up for a site or comment on one and a little image of you pops up beside your name automagically? Chances are that’s a Gravatar. Gravatar is a free service used by sites to add images and profiles to users’ posts and which can be used by individuals to manage those images and profiles. See that image at the top of this blog? That’s my Gravatar image. I didn’t do anything to put it there, it just magically appeared because the theme of this blog grabs it using the email address I used when I signed up to WordPress. Chances are that when yours appears on a webpage, you didn’t do anything extra to add it either — it was something that just showed up when you signed up somewhere or posted your comment on someone else’s site.
So what are the privacy issues? There are a couple that people have raised — in particular:
- the ease of harvesting email addresses from sites which use Gravatar
- how the data collected by Gravatar is used
You don’t need to have an account with Gravatar for this to affect you. This is the due to the way the service works. Sites that use it send a hash of your email address to Gravatar to check if you have an account — this hash is unique to your email address. In most instances, this hash is publicly available in the form of a link to Gravatar which is used on webpages to show the images.
This is going be a short series of posts focussing on point 1 above, the idea that email addresses can be harvested from sites using Gravatar. For point 2, I don’t think Automattic (the company which owns Gravatar) is particularly bad so am not going into that here.
How Gravatar works, some technical details
A more technical overview (but not terribly technical, just a bit) about what is available from Gravatar and how sites query it.
Keeping your email address safe on Gravatar enabled sites (or if you don’t know if it is or not)
Some suggestions on what to do if you want to make sure people can’t easily find out your email address from a website which uses Gravatar.
Proposed best practices for sites which use Gravatar
(not yet finished) This goes over how some large sites use Gravatar and how to use it responsibly if you’re running a self hosted WordPress site. Also you really don’t need to use it, do you? Come on. Here’s a hand waving, unfinished, don’t use this anywhere near a site in production plugin, can’t remember if it works plugin that is a start of an idea for working with Gravatar avatars if you need to.