• Resolved Ate Up With Motor

    (@ate-up-with-motor)


    I use EFF’s Privacy Badger browser add-on, and I noticed that in the administrator dashboard, Yoast is now listed as a potential tracker, even though I’ve disabled the Yoast SEO admin menu and the Yoast-related dashboard boxes.

    I’m assuming some image or script is being served remotely by Yoast, but what is it, what information is it gathering, and how can I disable it? (Curiously, the actual Yoast admin screens don’t appear to trigger a Privacy Badger warning, only the main dashboard.)

    I’m really trying to keep things tight from a privacy standpoint, so if Yoast SEO is now gathering personally identifying information on users or visitors, we really need to know.

    • This topic was modified 6 years, 2 months ago by Ate Up With Motor. Reason: noted where this occurs

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support Michael Tiña

    (@mikes41720)

    At Yoast, we have always aimed to store as few personal details as possible. Our plugin itself stores no personal data, only website data. You can refer to this article about the GDPR to learn more — https://kb.yoast.com/kb/gdpr/

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    That’s commendable, and I appreciate the link, but it doesn’t address my question here.

    Privacy Badger flags Yoast.com as a “potential tracker” on the WordPress administrative dashboard. This typically means there’s some object or script that is either sending data to Yoast or (probably more likely) there is some content that is being served by Yoast.com rather than locally, which would allow the Yoast servers to receive some personal data about the device/browser that loads the content. (For instance, if an image is hosted remotely, the server that provides that image probably gets the IP address and user agent of each device that loads the image.)

    If I go to the Dashboard and view the source, the only thing it shows me coming from Yoast.com is this script:

    <script type='text/javascript'>
    /* <![CDATA[ */
    var wpseoDashboardWidgetL10n = {"feed_header":"Latest blog posts on Yoast.com","feed_footer":"Read more like this on our SEO blog","ryte_header":"Indexability check by Ryte","ryte_fetch":"Fetch the current status","ryte_analyze":"Analyze entire site","ryte_fetch_url":"\/wp-admin\/index.php?wpseo-redo-onpage=1#wpseo-dashboard-overview","ryte_landing_url":"https:\/\/yoa.st\/rytelp?php_version=XXX&platform=wordpress&platform_version=4.9.8&software=free&software_version=8.1.2&role=administrator&days_active=XXX"};
    var wpseoYoastJSL10n = {"yoast-components":null,"wordpress-seo":null};
    /* ]]> */
    </script>

    (The “XXX” is data I’ve sanitized here.)

    What it looks like is happening is that the Yoast SEO dashboard widget — the one that displays SEO blog posts — is pulling feed content from Yoast.com in a way that exposes my device/browser information even when that Dashboard box is turned off, which Privacy Badger is flagging (and in this case blocking).

    The reason Privacy Badger is flagging it is because setting up the widget in this way would potentially allow Yoast to use the widget to track plugin users (whether you’re actively seeking to do so or not).
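
An added example (not part of the original posts, and not Yoast or Privacy Badger code): the "view the source" check described in the post above, automated. It lists URLs on other hosts found in a saved admin page, records whether each sits in a `src`/`href` attribute or only in inline script data, and collects the query parameter names they carry. `findThirdPartyUrls`, the sample HTML and `example.org` are constructed for illustration.

```javascript
// Constructed sample modelled on the inline script quoted in the thread
// (placeholder values; example.org stands in for the site's own host).
const SAMPLE_HTML = String.raw`<script type='text/javascript'>
var wpseoDashboardWidgetL10n = {"feed_header":"Latest blog posts on Yoast.com","ryte_fetch_url":"\/wp-admin\/index.php?wpseo-redo-onpage=1","ryte_landing_url":"https:\/\/yoa.st\/rytelp?php_version=XXX&platform=wordpress&role=administrator&days_active=XXX"};
</script>
<script src="https://example.org/wp-includes/js/jquery/jquery.js"></script>`;

// Hypothetical helper: report every URL whose host differs from the site's own.
function findThirdPartyUrls(html, siteOrigin) {
  const siteHost = new URL(siteOrigin).hostname;
  // Inline JSON escapes "/" as "\/"; undo that so URLs are recognisable.
  const text = html.replace(/\\\//g, "/");
  const pattern = /(?:(src|href)\s*=\s*["'])?(https?:\/\/[^\s"'<>\\]+)/gi;
  const byHost = new Map();
  for (const m of text.matchAll(pattern)) {
    let url;
    try { url = new URL(m[2]); } catch { continue; }
    if (url.hostname === siteHost) continue;
    if (!byHost.has(url.hostname)) {
      byHost.set(url.hostname, { host: url.hostname, urls: [], params: new Set() });
    }
    const entry = byHost.get(url.hostname);
    // "src"/"href" means the URL is an attribute value; otherwise it is inline data.
    entry.urls.push({ url: url.href, context: m[1] ? m[1].toLowerCase() : "inline-data" });
    for (const name of url.searchParams.keys()) entry.params.add(name);
  }
  return [...byHost.values()].map((e) => ({ ...e, params: [...e.params].sort() }));
}

for (const f of findThirdPartyUrls(SAMPLE_HTML, "https://example.org")) {
  console.log(f.host, f.urls.map((u) => u.context), f.params);
}
```

A URL that appears only as inline data is requested only if a script fetches it or the user follows it, so confirm what is actually sent in the browser's network panel.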

    Plugin Support Md Mazedul Islam Khan

    (@mazedulislamkhan)

    Yoast SEO doesn’t track anything on a site, nor does it send data outside of the WordPress dashboard.

    That said, the code you have provided looks like it is related to the Latest blog posts on Yoast.com widget that appears on the dashboard, which shows the latest blog posts from Yoast.com. In order to show the latest blog posts, it sends a request to Yoast.com to fetch the recent blog posts and that’s it.

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    That’s my point, though — by sending that request (which it does even if the widget is turned off), it creates a condition where Yoast is gathering potentially personally identifying information (logged-in administrative users’ IP addresses and user agent information) and does not provide any way to turn that off or otherwise opt out.

    MariusG

    (@marius_codeinwp)

    Hi @ate-up-with-motor,

    Thanks for following up, that sounds like a great feature request. Please submit it on GitHub and our development team will look into it.

    We are looking forward to hearing from you.

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    I’m not a GitHub user. I would settle for a filter I can add to functions.php to cause the feed to return a blank line instead of the remote URL.

    Given that Yoast BV is, if I understand correctly, based in Europe and subject to the GDPR, I feel like the approach to privacy with stuff like this is distressingly casual. This is clearly a GDPR-implicating issue, but users wouldn’t even know that unless they do an audit of the administrative dashboard or use third-party add-ons like Privacy Badger.

    Plugin Support Michael Tiña

    (@mikes41720)

    We’re actively using the bug tracking on our GitHub repository so your best next step would be to create a new feature request for our developers at https://github.com/Yoast/wordpress-seo/issues/new.

    You will need an account to create one. Please feel free to create a new issue to submit your feature request so our developers will be able to check on your request and provide feedback and create a filter if that’s what they deem to be the best option for this. Please don’t forget to include the URL to this conversation in your feature request.

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    Telling me I need to join GitHub before your developers might consider addressing a significant GDPR privacy issue is, in a word, infuriating, especially given the foot-dragging response Yoast has had to past user requests/complaints.

    Plugin Support Michael Tiña

    (@mikes41720)

    Hi,

    We’ve notified the appropriate team members to further check on this thread. We’ll keep you posted.

  • The topic ‘Privacy Badger listing Yoast as a potential tracker on admin page’ is closed to new replies.