Great plugin, bigger privacy issues :(

  • patrykcm

    (@patrykcm)


    7 years, 4 months ago

    The plugin is great. But there is some problems avout privacy and “not comfortable” reviews pointing this are vanishing.

    1) plugin prevents itself from deactivation – (tested on versions from 1.0.10 up to .14) clicking “deactivate” button should deactivate plugin like it does on any other plugin, instezad of asking me why i am deactivating it.
    2) usage data sent “by default” to plugin creator, also registration on plugin author page is required to use almost half features of plugin and unspecified data is sent and processed by author.
    The fact is that this data could be served WITHOUT registration or processed on client side and data which is sent should be exactly specified.
    3) don’t like that authors are moving everything to api and processed on their side (account can be supsended, servers can die etc)

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    7 years, 4 months ago

    WELP! You’ve got my attention. I’m not with this plugin or the plugin team, just a forum moderator who looks too much at the reviews.

    1 – As long as you can still opt-out and deactivate without that hoop then that should be OK. Can you confirm that’s the case?

    2 – That’s not good. Can you please elaborate?

    3 – That one should be OK as long as the service side is really a service. Just saying a plugin is Software as a Service (SaaS and it gives me headaches) isn’t enough.

    Thread Starter patrykcm

    (@patrykcm)

    7 years, 4 months ago

    Thanks for approving.
    1) yes i can deactivate plugin but when i click deactivate expected function of this button is to deactivate plugin, NOT showing an intrusive interstitial. Thats how 99,9% of plugins work after clicking deactivate button
    2) Sure i can elaborate:
    I may be biased towards privacy because i work for company where every outgoing connection from wordpress is blocked, laptops have disabled usb storage devices and etc.
    Here problem is that part of data is diagnostic data and information about this data is clearly stated on privacy policy page – and with this i am ok. But… registration is required when using the API of the plugin, like in the SEO Analysis [and this analysis i mentioned in point 3 on other plugins is done on client side in plugin itself] – there is absolutely no information how this part of data is processed and what is stored and how it is analysed. They say registration is for preventing api abuse – i say to collect data and get email adress. If i wanted to abuse Api – i’d go to stackoverflow and get fist script which can register multiple accounts and query api with proxies so this argument is just stupid explanation.
    3) The problem in this point is, that plugin is not an saas [this acronym have more correct name and it is Software As An extort Scam – and gives me headache like hit with a police baton – don’t ask]. Plugin is definitely not an saas but have some functions available by their api. Functions that other seo plugins do on client side (and also this plugin is not a “front for service” like in some plugins where services was created first and later they developed plugins for different cms)

    4) also – few updates ago there was unpleasant suprise where plugin made “whole WP broken” suprise – sure, it was avoidable by cleaning server cache (like nginx cache) but still – big change, unexpected problems.

    • This reply was modified 7 years, 4 months ago by patrykcm.
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    7 years, 4 months ago

    Item 1 is OK as long as it’s not mandatory. I think it’s annoying but it’s not disallowed if it does not interfere with actually deactivating the plugin. It’s subjective and if they had, just for talking, 10 prompts before you can deactivate the plugin then the plugins team would tap the author on the shoulder and ask them to dial it down.

    Item 2. Ha! Yes, I know of those types or restrictions. 🤣

    If the plugin is using their site as a service, and it sounds from what you’ve written it is, then that’s allowed if it is a requirement for using their API. You can always choose not to use their service or plugin if that’s the case.

    That they may do other things with that information… well that’s why users should educate themselves as you have done.

    Item 3. Debatable if the work is done on their servers. I’m not a fan of many SaaS plugins but I do use some of them such as Akismet and Jetpack and I’m OK with that in that case. Your mileage may vary. You’re aware of this and can always choose to walk away from this plugin as you have done.

    Item 4. I don’t attribute malice or ill will to what’s most likely human error or “Oh, THAT wasn’t supposed to happen!” Sometimes plugins have problems and I’ve never seen any author intentionally hurt their users that way. I know you’re not saying it was intentional, I’m just being complete.

    Thread Starter patrykcm

    (@patrykcm)

    7 years, 4 months ago

    About restrictions – implementing “features” like this is like eating garlic or pizza with pineapple on it in public transport – not restricted but shows lack of taste and you shouldn’t do this.
    And about item 4 – Error not error, but there are testers who hasn’t caught it and pushing untesed software to production is a bit dangerous for reputation – i personally am a bit afraid.

    MyThemeShop

    (@mythemeshop)

    7 years, 4 months ago

    Hello @patrykcm,

    Thank you for your continuous feedback with these “issues.” It is good to see that you revised your feedback to 2 stars from the 1 star you had left last time.

    First of all, sorry for the ignorance but I don’t understand you keep reviewing this plugin if you have already stopped using it and by the looks of it, will never try it again in the future. Why do you purposefully want to spread incorrect information?

    Out of 10,000+ users (currently) that we have, we did not see anyone else complaining about the extra click one needs to deactivate the plugin. Few other users even argued with you on your post about it. That seemed to have pissed you off. Sorry, we did not ask them neither do we support that behavior. Moreover, it is less than a minute thing to do for such a huge SEO plugin that we are offering for free. We can only improve upon that data. But the thing is, we have not even started collecting that yet. That will be updated on the privacy policy page when we start collecting it.

    Now, let’s come back to the facts.
    1. As we mentioned previously, one can SKIP the survey. I can understand it is one extra click and by the time someone is done with the plugin – he/she don’t even want to waste a click on Rank Math. But, please know that there are hundreds, if not thousands, of plugins doing this. It is the only way we can truly understand what’s wrong with the plugin that users are deactivating the plugin. That data is much more helpful in improving the plugin than misinforming reviews.

    2. Registration required for half the features? Could you please elaborate? Only the SEO Analysis feature needs the registration as explained before. We have to ask for registration because this feature depends on our API and we don’t want users to abuse the API as that affects other users. One only need an email address to register with us and can use one of those temp emails if they don’t want to use their own address. Just a heads up doing that, when our system catches that, it blocks the account.
    Thinking is halfway done, and you threatened us to exploit the API more than once. That is so sad and unacceptable.

    3. We are not moving EVERYTHING to the API. Or are you saying it because of the changelog? If so, then we meant to say that we are going to utilize WordPress’s REST API down the line to make the plugin more performant. This should’ve been asked via support ticket. Again, this is misinformation. Only the SEO Analysis depends on the API because we send out our bot to visit someone’s website and get a real-life feel of their website rather than doing the scan from the backend of WP where everything doesn’t work as it does on a real-life browser. Maybe with the advent of new block editor, that won’t be required in the future, but it is required for us to display correct information/results.

    With that said, I also want to ask you what exactly is the data you think we are using or abusing? Are we stealing someone’s content, because that is available publicly? Or is it the keywords we are looking at, those are also available through various tools like Ahrefs? Just for the sake of replying to your comment, if we do that – we would get removed from WP.org faster than one can say hello.

    You seem to be more or less familiar with coding. You should be able to quickly determine what type of data is being sent to us. Better yet, you can ask others on StackOverflow to vet our code, and they will tell you if any what information is being sent and if any of that data should concern your privacy. Otherwise, you can create a small plugin, which could sit on top of Rank Math and if we see people are adapting to it, we can include that code in the core. Sounds better, no? Let’s do something which helps the community as a whole rather than threatening or saying you can exploit the API.

    The ONLY data transferred to us (with one’s PERMISSION) is the RollBar data that we use to check for bugs and troubleshooting purposes. This data is governed by our and RollBar’s Privacy Policy here:
    https://mythemeshop.com/kb/wordpress-seo-plugin-rank-math/privacy-policy/
    &
    https://docs.rollbar.com/docs/privacy-policy

    Please note that one can CHOOSE NOT TO send this data to us (which is entirely private by the way and doesn’t contain anything that would compromise anyone’s privacy, but that is subjective. Even Google tracks the data, and that’s why few people prefer using other search engines, like Baidu ;P) from the plugin settings or right from the setup wizard.

    Regarding the mishap which happened a few weeks back, we did release an immediate update which fixed the issue. And we are incredibly sorry about that. We never intend to release an update like that. Our tools missed checking PHP 5.6 sites, and we will be removing the support for PHP 5.6 in the coming weeks. We will only support PHP 7+ sites in the future.

    If there is anything else, please feel free to reply. Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Great plugin, bigger privacy issues :(’ is closed to new replies.