• Resolved WutHirsch

    (@wuthirsch)


    Since Gravatar pictures are a huge problem regarding GDPR laws, we can’t embed them on our site. Is there any way to disable them? Otherwise I need to look out for another comment plugin, and I prefer not to.

    Thank you very much!

Viewing 15 replies - 1 through 15 (of 16 total)
  • I’m just curious why they are a problem, as when people create a Gravatar profile they know the image will be used. I use this also, so I’m wondering.

    Thread Starter WutHirsch

    (@wuthirsch)

    Well, why on German websites do people need to check an agreement that the website owner is allowed to process their data/submission, although they want to get in contact with you first?

    I’m also wondering – but we need to follow the laws, the chance of paying fees is just too high.

    Hmmm. That’s worse than the US. Now we will have GDPR Police and Polizei.

    Plugin Author gVectors Team

    (@gvectors-team)

    This is the first time we see that Gravatar is not compatible with GDPR. I still have doubts. In any case, you can disable Gravatar in the WordPress Discussions settings page (Dashboard > Settings > Discussions).
    As a good alternative, I’d recommend replacing Gravatar with First Letter avatars. Just install the WP First Letter Avatar plugin; it’ll replace all avatars with nice letter avatars. Your comment area will look better for sure.

    You can also look at Avatar Privacy which makes Gravatar opt-in and serves default avatars locally.

    Can someone indicate specifically what is the EU GDPR regulatory section that suggests Gravatars cannot be presented/accepted by website owners?

    Our understanding is that as long as the website has a GDPR-compliant Cookie Policy and Privacy Policy in place – and makes it public – there should be no issue, especially if one or the other clearly state that the website uses Gravatars (and refers the user to Gravatar’s Privacy Policy and Cookies Opt-Out procedure).

    Adding more plug-ins to WordPress is not the best route. Having GDPR-compliant policies is.

    Thread Starter WutHirsch

    (@wuthirsch)

    As far as I’m concerned: as soon as you put your email in a blog comment, this email will be sent to Gravatar servers in the U.S. Doesn’t matter if the email is hashed or not.

    The thing with the GDPR is, you’re not allowed to send any data to the U.S. without a proper DPA (data processing agreement). You’re simply not allowed to send people’s data to others.

    Also, the emails of people who comment without using Gravatar will be checked to see if they have a profile picture on Gravatar services.

    • This reply was modified 6 years, 5 months ago by WutHirsch.
    Plugin Author gVectors Team

    (@gvectors-team)

    Doesn’t matter if the email is hashed or not.

    Email is 32 bit hashed and sent as a 32 bit string. Where can we read proof that the hashed 32 bit string is personal data? I think the hashed 32 bit string is no longer personal data; it contains nothing, so there is no issue here with GDPR. This is a one-way hash; there is no way to un-hash it. It is just used to compare with another 32 bit hash string in the Gravatar database. So, please provide some legal article where we can see that a 32 bit hashed string is still personal data.

    you’re not allowed to send any data

    Not “any data”, I think this is related to personal data, not just “any data”.

    • This reply was modified 6 years, 5 months ago by gVectors Team.

    @wuthirsch That and every site visitor loads the resources from a third party (with all the tracking possibilities that offers).

    Even if you could argue with “legitimate interest” (I’m not sure that argument holds, but one can make it), I don’t want my (public facing) website to rely on third parties. The repository guidelines forbid plugins from loading third-party resources without explicit admin consent (opt-in), so why should Core be different?

    • This reply was modified 6 years, 5 months ago by pepe. Reason: Reply made explicit

    @gvectors-team The hash is unsalted, it can be used to identify you. IMHO (but IANAL) it still falls under “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, […]”.

    Furthermore, it is relatively easy now to reverse engineer mail addresses from Gravatar MD5 hashes (viz. https://www.wordfence.com/blog/2016/12/gravatar-advisory-protect-email-address-identity/).

    Plugin Author gVectors Team

    (@gvectors-team)

    I don’t think this is a simple MD5 of the email address. Are you sure this is it? If so, this is an issue when you send it to a 3rd party.

    • This reply was modified 6 years, 5 months ago by gVectors Team.

    The gravatar hash? Yes, it is.

    Plugin Author gVectors Team

    (@gvectors-team)

    Gravatar needs to find another way to do one-way hashing.
    If a user is registered in Gravatar, he/she already accepted the privacy policy that he/she will be identified by Gravatar when he/she uses an email address on other websites. So the website owner can relax here.

    If a user is not registered in Gravatar, his/her hashed identifier will not be identified because Gravatar doesn’t have such a hashed code. And the hashed code will not be un-hashed. So in this case there will not be any issue as well.

    In any case, this is a general issue and should be addressed to WordPress and Gravatar, not to wpDiscuz. wpDiscuz uses WordPress avatar functions and it’ll be automatically changed once some change is added in the WordPress avatar system.

    Thread Starter WutHirsch

    (@wuthirsch)

    @pepe named it, @gvectors Team. And you’re right, I mean personal data.
    But since it’s easy to reverse the hashes, this data needs to be protected. This problem has already been known since 2013, as far as I know.

    Almost every website hosted in Germany has deactivated Gravatar on its WordPress installation. Actually, the best solution would be to ask visitors if they want to use Gravatar (opt-in) and only allow the email address to be checked with the Gravatar service afterwards.

    Although I wouldn’t say it’s 100% safe as well.

    So maybe just a recommendation: Maybe put a feature like Avatar Privacy in it.
    https://www.ads-software.com/plugins/avatar-privacy/

    Ahh pepe already linked it.
    Thank you for your answer though.

    • This reply was modified 6 years, 5 months ago by WutHirsch.
    • This reply was modified 6 years, 5 months ago by WutHirsch.
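
Added example, not part of any reply in this thread and not wpDiscuz or WordPress code: it shows why the unsalted hash discussed above is a stable cross-site identifier, and what the opt-in gate proposed in the preceding reply looks like. The local avatar path, the consent flag, the HMAC-based local key and all addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
LOCAL_DEFAULT = "/avatars/default.png"  # hypothetical locally served image


def normalize(email: str) -> bytes:
    # Gravatar's documented normalisation: trim whitespace, lower-case.
    return email.strip().lower().encode("utf-8")


def gravatar_hash(email: str) -> str:
    """Unsalted MD5 of the normalised address: identical on every site."""
    return hashlib.md5(normalize(email)).hexdigest()


def matches_held_address(observed_hash: str, held_addresses):
    """Linkability check: a party that already holds an address can match it
    to an observed hash, so the hash is pseudonymous rather than anonymous."""
    for addr in held_addresses:
        if gravatar_hash(addr) == observed_hash:
            return addr
    return None


def local_avatar_key(email: str, site_secret: bytes) -> str:
    """Keyed per-site identifier for locally generated avatars (assumption:
    the site keeps site_secret private). Gravatar cannot resolve it."""
    return hmac.new(site_secret, normalize(email), hashlib.sha256).hexdigest()


def avatar_url(email: str, consented: bool) -> str:
    """Opt-in gate: the hash leaves the site only after explicit consent."""
    if consented:
        return GRAVATAR_BASE + gravatar_hash(email)
    return LOCAL_DEFAULT


# Constructed sample data (not real addresses).
SITE_A_INPUT = " Alice@Example.org "
SITE_B_INPUT = "alice@example.org"
HELD_LIST = ["bob@example.org", "alice@example.org", "carol@example.net"]

if __name__ == "__main__":
    h = gravatar_hash(SITE_A_INPUT)
    print("same hash on both sites:", h == gravatar_hash(SITE_B_INPUT))
    print("matched held address:", matches_held_address(h, HELD_LIST))
    print("without consent:", avatar_url(SITE_A_INPUT, consented=False))
    print("per-site keys differ:",
          local_avatar_key(SITE_B_INPUT, b"secret-a")
          != local_avatar_key(SITE_B_INPUT, b"secret-b"))
```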
    Plugin Author gVectors Team

    (@gvectors-team)

    I’ll put it again. In any case, this is a general issue and should be addressed to WordPress and Gravatar, not to wpDiscuz. wpDiscuz uses WordPress avatar functions and it’ll be automatically changed once some change is added in the WordPress avatar system.

  • The topic ‘Disable Gravatar Pictures’ is closed to new replies.