If you are a WordPress user and you use the plug-in “Twitme” to automatically post any new blog entries to your WordPress account, then there is something you need to know.

It is unwritten law that if you are going to collect someone’s personal information through an application, or web application that you will notify them accordingly.

Unfortunately, not everyone follows this unwritten law, which is now standard and considered a moral obligation of website, and application authors and publishers. Here we take a look at one good example of this standard being ignored from a popular plug-in for WordPress, “Twitme”.

Typically the user can expect to be notified in a license up front before utilizing the application which will collect his information. It is expected as an author or publisher that you make the user aware of such collection of data and inform them to read through a privacy policy for the exact details about

• what information is collected
• why it is collected
• what it is used for
• who has access to that data
• on what conditions that data is shared
• how the user may opt-out of such data collection, or on what conditions they may stop having their data collected (ie. discontinuing use of the service to avoid data collection).

That said, again it is an item of trust that if you are going to collect information from someone, that they need to clearly be made aware upfront that their information is going to be collected, and on what conditions. The end-users expect to be informed clearly of this, and they expect nothing less. It is the responsibility of the publishers of the applications to make this information easily accessible, and to present it upfront so that the user is consciously aware of their privacy policy before any information is collected in the first place.

Please note that the actual motives of the author/publisher of this plug-in with regards to the purpose of data collection are beyond the scope of this article. Whatever they may be is irrelevant, as the scope of this article is purely focusing on the hard facts that 1. Twitme does in fact collect both private, and publicly made available (but still may be considered sensitive and private none the less) information, and that 2. Twitme does not make it known to the end user either before or during installation in such a manner that the end user is obviously and clearly conscious of the fact that this information is being collected during utilization of this plugin.

So if you are ready to look into the raw and untouched file contents of this plug-in and see the actual code which is transmitting your personal information without notification, we will dig into one file in particular of the installation of the Twitme plugin for WordPress.

You will find the intrusive and uninvited code on lines 66 through 70 in the file

TwitmeUpdates.php

of the folder “Twitme”.

As you can see, your personal email address, your server’s IP address, Domain Name (or host name), WordPress version, Twitme plug-in version are all transmitted back to the website of the author. Again, to what end this information is being utilized, is beyond the scope of this article.

With a little creativity, you can easily send the author of this plugin a few kind messages expressing your thanks for him collecting your private information (such as the blog admin email address you’ve never posted or given anyone permission to take). Feel free to modify the fields using the following as an example. Make sure to format it correctly, placing the quotation marks around the content where appropriate.

For a recommended fool-proof edit, simply copy and paste from below into your file, and then edit within the quotation marks.

Please note that these modifications will not be able to prevent the author’s http server from logging the connecting IP address, time, and date every time this function runs and posts data to his server, as typically the Apache web server that this client is using will log this information by default. At least however, this information will not be posted to the author’s database through the php page which is called by the function built into Twitme.

As always, choose wisely what applications you utilize. You never know who is watching.

This article was written in reference to Twitme 1.6.9.7, the most recent version of Twitme at the time of writing.

WordPress Twitme Plugin homepage on the Author’s site – http://www.phpvrouwen.nl/twitme/
WordPress Twitme Plugin page – http://wordpress.org/extend/plugins/twitme/