revans0636ParticipantMay 25, 2018 at 2:40 amPost count: 60
Working on site updates, getting around to the localhost dev sites and have a question regarding the patch updates. Privacy Info bar on the page (~/wp-admin/admin.php?page=avada-fusion-patcher) displays the URL is being encrypted and sent with the request…
This is copy/paste from the info bar:
Following data is sent to a ThemeFusion server located in the US to ensure that patches are compatible with your install.
Apache/2.4.27 (Win64) PHP/7.2.5
Encrypted Site URL:
We will never collect any confidential data such as IP, email addresses or usernames.
Why does the patch update script need to phone home with the URL? My valid Envato token installed on the site should provide all of the credentials I need to get the patch. Sending the installed theme version would make sense (and TBH, I thought it did, as patches for previous theme versions don’t display, only patches that apply to the currently installed version of the theme, FC & FB plugins) but that’s not listed?
Is this just an error in the message, similar to the notice we get when the update server is busy, or is this correct?AristeidesSpectatorMay 25, 2018 at 9:19 amPost count: 23
Hey there @revans, I hope you’re well today!
Your website’s URL is not personal data since it’s publicly accessible, but even in the extreme cases where you might consider it “personal”, it actually never gets transmitted. It gets encrypted/hashed, and that hash is then sent to our server along with the request.
These hashes are stored on our server for 7 days and after that period they get deleted.
The purpose of that particular string it to allow us to get an average of the PHP versions used by Avada installations. This way we know that PHP 5.2 usage is around 0.2% and we know when it’s time to drop support for an old – and deprecated – PHP version so that the rest 99.8% of our customers can enjoy the benefits of the newer PHP versions they are using, including better performance.
We don’t collect site-URLs.
Even if we wanted to, reverse-engineering the hash to get your site’s URL would be almost impossible – especially if you take into account the volume of requests we get on our server for these patches, and the short lifetime these hashes have on our server.
See Recital 156 from the GDPR:
The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data).revans0636ParticipantMay 25, 2018 at 1:36 pmPost count: 60
@Aristeides – The publicly accessible part is what tripped me… as it’s a localhost Dev site running on my Windows 10 desktop. No problem with your collecting statistical data to improve the theme; my concern is the info bar says it’s sending MY URL and as it’s encrypted I can’t tell if it’s the URL for my workstation inside my LAN (127.0.0.15) or my public IP assigned by my ISP.
Thanks for your reply (and your patience).AristeidesSpectatorMay 25, 2018 at 1:40 pmPost count: 23
If the URL for your localhost is for example
http://local.wordpress.test/(which is what I have for example on my VVV environment), then we take that, anonymize/hash it, and that’s what is used.
If the home address for your localhost website is 127.0.0.1, then that’s what will get hashed. 🙂
- You must be logged in to reply to this topic.