Reasons for Using Avatar Privacy

In what way are avatars a privacy risk?

To display an avatar image, the site publishes an MD5 hash of the commenter's e-mail address as part of the Gravatar image URL. (MD5 is a hash, not encryption: there is no key involved, and anyone can recompute the same token from a candidate address.) Gravatar.com then decides whether there is an avatar image to deliver; otherwise the default image is delivered. The default image's address is also part of the overall Gravatar image URL. Normally, both the avatar image and the default image are requested from Gravatar.com servers. This process has the following problems:

  1. The weakness is not a flaw in MD5 as such: an unsalted hash of a low-entropy input like an e-mail address can be reversed simply by hashing candidate addresses (from leaked address lists or name@domain patterns) and comparing the result with the token in the Gravatar URL. Research has shown this to be practical: "gravatars: why publishing your email's hash is not a good idea". So there is a real chance that you make your commenters' e-mail addresses public.
  2. The published avatar URL ties all comments made with the same (privately entered) e-mail address together (publicly). The user might use different pseudonyms and web addresses with each comment; they might even want to stay anonymous. But if the web site admin enables gravatars, even at a later point, all of this user's comments can be recognized as being made by the same person. Creating such a comment profile for an e-mail address is easiest for Gravatar.com: they just have to look into their log files to see from where a particular image was requested (the Referer request header). That works for everyone, not only Gravatar.com registered users. And of course, anybody else can program a bot to find occurrences of a particular avatar URL throughout the web. The commenter most likely does not know what entering an e-mail address means, usually is not told, and has no control over whether a gravatar is displayed for their address or not.
  3. Whenever someone visits the page, the avatar images are loaded from the Gravatar.com servers into the visitor's browser. By doing so, Gravatar.com gets all kinds of data, e.g. the visitor's IP address, the browser version, and the URL of the page containing the avatar images. Since gravatars are used on many websites, if the visitor visits a lot of blogs while using the same IP address, the Gravatar.com log files show exactly where the person using this IP address went.
  4. If somebody wants to create fake comments using someone else's identity, this looks all the better with the matching gravatar image next to it. If you know the e-mail address used for the comment, great. If not, just create a new Gravatar account and upload the same picture.

How does Avatar Privacy help with these problems?

The plugin offers some measures to deal with these problems. It's not perfect or a complete solution, but some of the above points can be addressed sufficiently:

  1. All default images are hosted or generated on your server instead of at Gravatar.com.
  2. Only for users and commenters who explicitly give their consent will Gravatar.com be contacted to get their avatar image. This shares the MD5 hash of their e-mail address with Gravatar.com.
  3. To prevent Gravatar.com from tracking your site's visitors, these gravatars will be cached locally, and the only IP address sent to Gravatar.com will be that of your server.
  4. Instead of MD5, Avatar Privacy uses a salted SHA-256 hash for identifying avatars. Because the salt is specific to your site, the published hashes cannot be used to track people across the web, and the dictionary attack from problem 1 no longer works for anyone who does not know the salt. (It also means that generated avatars will be different between websites.)
  5. The plugin does nothing against the fake identity problem. It's questionable whether any countermeasures would even be possible without changing the way that Gravatar.com works. Stealing identities is always possible; you can do it with a comment form without gravatars just as well. So that's not really the focus of this plugin.
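The two token schemes side by side, as an added Python example that is not part of this page or of the plugin's own code. It shows the dictionary attack from problem 1 against an unsalted MD5 token, and why a salted per-site token defeats it. The candidate list and the site salts are constructed for the example, and the salted construction (SHA-256 over salt plus normalized address) is an assumption in the spirit of point 4 above, not the plugin's actual implementation.

```python
import hashlib
from typing import Iterable, Optional

# Constructed candidate list: stands in for the leaked address dumps and
# name@domain patterns a real attacker would feed in.
CANDIDATES = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]

# Constructed per-site salts (assumption for this example; the plugin
# derives its own secret salt for each site).
SITE_A_SALT = b"example-site-a-secret-salt"
SITE_B_SALT = b"example-site-b-secret-salt"


def normalize(email: str) -> bytes:
    """Gravatar normalizes the address before hashing: trim, then lower-case."""
    return email.strip().lower().encode("utf-8")


def gravatar_token(email: str) -> str:
    """Unsalted MD5 of the normalized address, as embedded in a Gravatar URL."""
    return hashlib.md5(normalize(email)).hexdigest()


def recover_email(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker side for problem 1: the token is public, so every candidate can be
    tested offline at raw MD5 speed with nothing to rate-limit the attempt."""
    for candidate in candidates:
        if gravatar_token(candidate) == token:
            return candidate
    return None


def salted_token(email: str, site_salt: bytes) -> str:
    """Assumed salted construction: SHA-256 over a secret per-site salt and the
    normalized address. Different sites produce unrelated tokens for one address."""
    return hashlib.sha256(site_salt + normalize(email)).hexdigest()


def recover_email_salted(token: str, candidates: Iterable[str],
                         site_salt: bytes) -> Optional[str]:
    """The same dictionary attack against a salted token: it only works if the
    attacker also holds the site's salt, which is why the salt must stay secret."""
    for candidate in candidates:
        if salted_token(candidate, site_salt) == token:
            return candidate
    return None


if __name__ == "__main__":
    addr = "Alice@Example.com"
    md5_token = gravatar_token(addr)
    print("gravatar token :", md5_token)
    print("recovered      :", recover_email(md5_token, CANDIDATES))
    tok_a = salted_token(addr, SITE_A_SALT)
    tok_b = salted_token(addr, SITE_B_SALT)
    print("site A token   :", tok_a)
    print("site B token   :", tok_b)
    print("linkable A<->B :", tok_a == tok_b)
    print("no salt        :", recover_email_salted(tok_a, CANDIDATES, b""))
    print("with salt      :", recover_email_salted(tok_a, CANDIDATES, SITE_A_SALT))
```

The cost of the attack on the unsalted token is one hash per candidate, independent of which hash function is used, so switching the bare address from MD5 to SHA-256 would not help; it is the secret salt that removes the attacker's ability to test candidates. The flip side is the caveat in the last line of the example: if the salt leaks or is guessable, a site's published tokens are exactly as reversible as Gravatar's.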
