Rea­sons for Us­ing Avatar Privacy

In what way are avatars a pri­va­cy risk?

To dis­play an avatar im­age, you pub­lish an en­crypt­ed ver­sion (MD5) of the e‑mail ad­dress in the gra­vatar’s im­age URL. Gra​vatar​.com then de­cides if there is an avatar im­age to de­liv­er, oth­er­wise the de­fault im­age is de­liv­ered. The de­fault im­age’s ad­dress is al­so part of the over­all gra­vatar im­age URL. Nor­mal­ly, both the avatar im­age and the de­fault im­age are re­quest­ed from Gra​vatar​.com servers. This process has the fol­low­ing problems:

  1. MD5 is the­o­ret­i­cal­ly se­cure, but re­search has shown that it is pos­si­ble to guess the e‑mail ad­dress from the MD5 to­ken in the gra­vatar URL: gra­vatars: why pub­lish­ing your email’s hash is not a good idea. So there is a chance that you make your com­menter’s e‑mail ad­dress­es public.
  2. The pub­lished avatar URL ties all com­ments made with the same (pri­vate­ly en­tered) e‑mail ad­dress to­geth­er (pub­licly). The user might use dif­fer­ent pseu­do­nyms and web ad­dress­es with the com­ment, they even might want to stay anony­mous. But if the web site ad­min en­ables gra­vatars, even at a lat­er point, all this user’s com­ments can be rec­og­nized as be­ing made by the same per­son. Cre­at­ing such a com­ment pro­file for an e‑mail ad­dress is eas­i­est for Gra​vatar​.com, they just have to look in­to their log files from where a par­tic­u­lar im­age was re­quest­ed (re­quest head­er). That works for every­one, not on­ly Gra​vatar​.com reg­is­tered users. And of course, any­body else can pro­gram a bot to find oc­cur­rences of a par­tic­u­lar avatar URL through­out the web. The com­menter most like­ly does not know what en­ter­ing an e‑mail ad­dress means, usu­al­ly is not told and has no con­trol over whether a gra­vatar is dis­played for his ad­dress or not.
  3. When­ev­er some­one vis­its the page, the avatar im­ages are loaded from the Gra​vatar​.com servers in­to the vis­i­tor’s brows­er. By do­ing so, Gra​vatar​.com gets all kind of da­ta, e.g. the vis­i­tor’s IP ad­dress, the brows­er ver­sion, and the URL of the page con­tain­ing the avatar im­ages. Since gra­vatars are used on many web­sites, if the vis­i­tor vis­its a lot of blogs while us­ing the same IP ad­dress, the Gra​vatar​.com log files show ex­act­ly where the per­son us­ing this IP ad­dress went.
  4. If some­body wants to cre­ate fake com­ments us­ing some­one else’s iden­ti­ty, this looks all the bet­ter with the match­ing gra­vatar im­age next to it. If you know the e‑mail ad­dress used for the com­ment, great. If not just cre­ate a new gra­vatar ac­count and up­load the same picture.

How does Avatar Pri­va­cy help with these problems?

The plu­g­in of­fers some mea­sures to deal with these prob­lems. It’s not per­fect or a com­plete so­lu­tion, but some of the above points can be ad­dressed sufficiently:

  1. All de­fault im­ages are host­ed or gen­er­at­ed on your serv­er in­stead of at Gra​vatar​.com.
  2. On­ly for users and com­menters who ex­plic­it­ly give their con­sent will Gra​vatar​.com be con­tact­ed to get their avatar im­age. This shares the MD5 hash of their e‑mail ad­dress with Gra​vatar​.com.
  3. To pre­vent Gra​vatar​.com from track­ing your site’s vis­i­tors, these gra­vatars will be cached lo­cal­ly and the on­ly IP ad­dress sent to Gra​vatar​.com will be that of your server.
  4. In­stead of MD5, Avatar Pri­va­cy us­es a salt­ed SHA256 hash for iden­ti­fy­ing avatars. This means that the pub­lished hash­es can­not be used to track peo­ple across the web. (It al­so means that gen­er­at­ed avatars will be dif­fer­ent be­tween websites.)
  5. The plu­g­in does noth­ing against the fake iden­ti­ty prob­lem. It’s ques­tion­able if any coun­ter­mea­sures would even be pos­si­ble with­out chang­ing the way that Gra​vatar​.com works. Steal­ing iden­ti­ties is al­ways pos­si­ble, you can do it with a com­ment form with­out gra­vatars just as well. So that’s not re­al­ly the fo­cus of this plugin.


No Comments

    Leave a Reply

    By posting a comment you consent that we store the submitted information as well as your anonymized IP address on our servers, under the terms of our data protection policy. Your email is never shared with anyone else.

    Required fields are marked *.