Is Gravatar a privacy risk?

Question

I ran across the comment below at http://onemansblog.com/2007/02/02/protect-your-privacy-delete-internet-usage-tracks/#comment-58200 about Gravatar. I'm particularly curious of Meta Stack Overflow's opinions on points 4 and 6, though the others may be of interest too. Are these concerns real, and if so, what defensive measures might be used?

Comment by AL 2009-02-18 00:03:55

I’m a lawyer specialising in internet and privacy issues at a Fortune 100 company and I personally think that Gravatar is easily the worst service available in terms of your data security and privacy. I generally don’t comment on any blogs that are Gravatar-enabled (this being an exception), for the following reasons:

The entire reason Gravatar offers their service is to collect internet usage data across multiple sites. It is not offered free out of the goodness of their heart. The entire purpose of the service is to analyse the way YOU navigate the internet.

Gravatar has clear plans to monetise this data. Whether they are successful or not is another story.

It is unlikely that Gravatar would ever disclose individual user’s personal information, but it is not impossible. The Chinese government has often requested to these kind of information aggregators to disclose data for the prosecution of political dissidents – and very often these requests are met resulting in bloggers being jailed (see Yahoo!’s experiences in China). For example, if I leave a number of comments promoting democracy criticising the PRC government on various blogs, it is entirely possible that the Chinese government could use legal authority to request the holder of information to disclose that to them. By retaining this information and preventing you from stoppping it’s collection, Gravatar is putting both bloggers and commenters at risk. This is not just in China. The Patriot Act and many other new pieces of post-9/11 legislation in Western countries convey similar powers to government.

The most egregious part of Gravatar’s service is the inability to stop them from collecting your data. I have in the past tried to cancel a Gravatar registration. Gravatar does not allow this and will continue to track your e-mail address for the rest of time.

Gravatar does not provide any details about how they use your personal information and does not respond to any queries relating to privacy issues.

I do not believe Gravatar is an opt-in service. Obviously they will not display an avator unless you register, but if a blog is Gravatar-enabled, every time you comment on it, your e-mail address is sent to Gravatar. Even if they do not retain this address (and it is quite possible that they do – their Privacy Policy is silent on this point and they have not responded to any of my enquiries on this point), it is VERY likely that your internet usage is still tracked in an anonymous fashion. That is, if I use the same e-mail address to comment on 5 different blogs, even if I am not a registered Gravatar user the fact that a user has accessed those 5 blogs is very likely retained by Gravatar.

Much is made of facebook and Google Chrome’s use of personal information, but Gravatar is far and away the worst popular internet service I have encountered in terms of user (and non-user) personal information.

As a lawyer, I strongly urge all blog authors and users who are concerned about their privacy to avoid Gravatar.

Related: Is using Gravatar a security risk?

See also some thoughts on privacy at meta.stackexchange.com/questions/4553/non-gravatar-avatar/… — Arjan, Commented Mar 31, 2010 at 17:04
@Arjan: the other talked mainly (only?) about ways for a malicious user to obtain our email addresses from the MD5 hash. This talks about gravatar itself being evil. — Andreas Bonini, Commented Mar 31, 2010 at 17:12
As for 3), that's really bad. On many sites I could use any email address when leaving a comment, even addresses that are not mine at all. I'd rather have some government act on that. :-( (More on that Yahoo! incident at news.bbc.co.uk/2/hi/4221538.stm) — Arjan, Commented Mar 31, 2010 at 17:22
Not to minimize the problem, but using the internet is a privacy risk. — tvanfosson, Commented Mar 31, 2010 at 17:30
#6 is wrong. Gravatar only gets an MD5 digest of your email address. — Brad Gilbert, Commented Mar 31, 2010 at 17:31
@mmyers if you are an unregistered user changing the email, yes. — perbert, Commented Mar 31, 2010 at 17:56
Beware of following that link to onemansblog. My antivirus blocked a trojan horse there called JS:Redirector-MA[Trj] — DOK, Commented Apr 23, 2012 at 21:09
Seems the issue is far worse now than it was when this question was posted originally. arstechnica.com/security/2013/07/… — GordonM, Commented Aug 1, 2013 at 12:43
to summarize the Arstechnica article "Got an account on a site like Github? Hackers may know your e-mail address" found by @GordonM, above: It's getting easier and easier to extract a person's email address from their Gravatar hash (45% from one forum in a day or so). If having your email address known is risky for you, then Gravatar is risky. — matt wilkie, Commented Aug 2, 2013 at 19:40
For Firefox users, RequestPolicy is a great way to catch sites like this one globally. — mirabilos, Commented Apr 4, 2016 at 7:43
True gravatar story. Used in in wordpress. An employee must have had an account because her picture came up (not a default) on our site. I really wasn't expecting people to use it as it was an internal site. Anyways... she had a face pic. So she leaves company. Couple years later new girl is hired with same name. Since there was a gap and other girl was gone... same email. She started using the site, old girl's pic on there. She's like that's not me... I am like I don't run gravatar... — blankip, Commented Feb 14, 2022 at 22:55

5 revs, 5 users 63% · Accepted Answer · 2014-12-22 16:04:21Z

69

Is gravatar a privacy risk?

Yes.

Is it as great a risk as DoubleClick/Google?

No. Notably these sites use Google Analytics. Just like Gravatar, they don't have access to personally identifiable information (that is, the email is hashed before they get their hot mitts on it).

Is it a small risk?

Yes. If you don't like someone noting that an unidentifiable user (that's you) visited two different websites - well, they have that information now. That aggregate data can, in theory, be mined (as was the "anonymous" AOL search data of yore) to identify you.

Should we give up on the gravatar service?

No. It's a useful service for many people, and many of them accept the cost for this "free" service.

Who is laughing at us right now?

The Amish.

Actually, no, they ~~don't even~~ care.

edited Dec 22, 2014 at 16:04

community wiki

5 revs, 5 users 63%
Adam Davis

10

I'm not sure wether this is up to date but gravatar used to hash the email simply by md5(mail) or md5(md5(mail)). There are many leaks of lists of email addresses and rainbowtables that allow recovering the original string of such simple hash.
– Daniel W.
Commented Jul 31, 2014 at 12:38
2

@DanFromGermany I don't think you understand how secure md5 is. There is no "complete" rainbow table for it, and getting an email address from an md5 hash is far from trivial, involving a lot of guessing. I could create an email address you would never be able to recover from the gravatar hash of it.
– Pollyanna
Commented Jul 31, 2014 at 15:26
12

md5 is not secure. Many collisions have been found since 2005. Of course it is not a quick lookup, reverting a hash to something like [email protected]. But who does this? 99.9% of all people use their main eMail when posting a comment. There are lists of billions of known mail addresses. Main Mail Accounts have also mostly a known pattern like <firstname>.<lastname>@<top 100 recent mail service domains>. It's really not that hard to revert like 80% of all gravatar hashes.
– Daniel W.
Commented Jul 31, 2014 at 15:50
3

@lightswitch05 imgur images are auto deleted after a month or so, we have image upload here on Stack Exchange exactly for this purpose of keeping images and preventing image rot.
– Shadow Wizard
Commented Dec 22, 2014 at 16:05
2

Is the gravatar's algorithm public? If yes, can't SE do the job itself (i.e., generate the image itself and host it here, like SE does with user-set avatars)?
– yo'
Commented Dec 22, 2014 at 20:14
4

Apparently you are underestimating the capacity that gravatar.com has to monitor the Internet usage of any web users, not just users who have a gravatar account...
– dolmen
Commented Jun 10, 2015 at 13:30
@Adam Davis: "never" is a concept, until someone breaks it. "never say never" ;)
– machineaddict
Commented Jul 15, 2015 at 9:50
i'd be curious what the entropy of an average email address is. i wouldn't be surprised if guessing an email address would be pretty easy for most users, given the low cost of checking a hash (EDIT: nevermind, someone else actually substantiated this in the answer directly below)
– user371366
Commented Sep 27, 2017 at 18:01
what do the amish care for again? 🤣 i have no idea what i'm taking about, just that i would love to "seek" and visit the amish sooner than later.
– cregox
Commented Oct 3, 2020 at 1:46

Add a comment |

6 revs, 2 users 55% unknown · Accepted Answer · 2017-03-20 10:30:04Z

44

In December 2009, somebody tested getting email addresses from some of the Stack Overflow users, by assuming the display name might be related to an email account at some of the major providers. According to Gravatars: why publishing your email's hash is not a good idea that assumption is true for about 10% of the SO users:

Running my program on a list of 80871 users I was able to extract 8597 email addresses, associated to their users. This means that for a bit more than 10% of the users, the username and the gravatar URL are enough to deduce the email address they used to register to the website.

In 2013, folks reversed the MD5 hashes of email addresses in a data dump to recover the email addresses of users of Startups.SE, after it closed, as a way to reboot the community. Also, in 2013 someone else used a similar technique to recover 45% of email addresses at a large forum, by exploiting this weakness in Gravatar (the ability to reverse MD5 hashes of email addresses). This is more evidence that email addresses can be recovered despite the use of the hash.

(Apart from this, I also dislike the web bug nature of Gravatar and the like.)

edited Mar 20, 2017 at 10:30

community wiki

6 revs, 2 users 55%
unknown

3

I don't think that Gravitar had much impact there. The bigger issue is that the username for an account was identical to the username used for another site. You could easily test if I had a valid yahoo|google|hotmail account and skip the md5 verification against gravitar step. I would bet you would find far more email accounts by just sending email to any single word username.
– Zoredache
Commented Feb 18, 2011 at 20:43
@Zoredache, to me spam is not related to privacy (unless it's very personally targeted spam, maybe).
– Arjan
Commented Feb 18, 2011 at 20:47
1

Still I am not sure I understand the point. If I can guess that you have [email protected], and I want to test it, why wouldn't I just send you a message? I could learn the same information by sending a message as I can learn by trying a md5([email protected]).
– Zoredache
Commented Feb 18, 2011 at 20:53
1

Good point, @Zoredache. It would leave some trail when sending the messages, or kind of warn the user(s) if the email was delivered, or might have a slightly lower success rate if arjan@gmail is not actually me (and it isn't). But for many/most hits that wouldn't matter a lot indeed.
– Arjan
Commented Feb 18, 2011 at 21:07
1

Anyway, the article is valid, I just don't think it really means much. If I use zoredache as an accout name someone can easily guess that I may use zoredache everywhere. The gravitar thing just lets a person test that without having to creating a fake email account to test from.
– Zoredache
Commented Feb 18, 2011 at 21:11
7

An update: this attack was recently used in Sweden, where the attackers managed to de-anonymize 45% of accounts based solely upon this weakness in Gravatar.
– D.W.
Commented Dec 13, 2013 at 8:54
(Very nice finds, @D.W.)
– Arjan
Commented Jun 6, 2014 at 16:37
2

The major privacy issue is not that gravatar.com can track places where your gravatar image is displayed. The privacy issue is that it is able to track any browser that queries gravatar.com to display any gravatar image.
– dolmen
Commented Jun 10, 2015 at 14:06

Add a comment |

2 revs · Accepted Answer · 2010-04-01 00:12:05Z

30

IMO sites need to use gravatar sensibly.

If you say you don't publish your users' email addresses, that should mean you don't publish an MD5sum of their email addresses either. Hashing sensitive data without a salt is a schoolboy error: web developers should know better. Publishing the hash of some private data is a breach of privacy if the data is subject to a dictionary attack, which email addresses are.

Just replace address@domain with address+salt@domain.

SO in effect allows you to do this manually, by setting the email address for your account. It doesn't use the address for anything other than gravatar unless you ask it to, so it doesn't have to really be your email address.

I'm pretty sure this is an accident, though, not a security feature, since SO also uses your IP address in the absence of an email address. IP addresses are even more subject to dictionary attack than email addresses.

Of course for the salt to be effective in preventing gravatar tracking you across sites, gravatar has to not know the email address behind it (since if it did know, it could merge the records of address+*@domain). This means that (a) you must live with a random icon, and therefore (b) the user should be able to specify whether they want the salt added or not. If your email provider doesn't support +salt, and you want the site to be able to send you email without publishing the hash of your email address, then you're generally out of luck: you can have one or the other.

In fact I'd say that ideally sites should default to just generating a random "md5sum" for each user, and only use the email address to generate a gravatar URL with permission. For users with no interest in uploading an image to gravatar, there's no earthly reason why any site should use a gravatar URL based on supposedly-private data. Unless you count ignorance of basic security principles as a "reason" ;-)

edited Apr 1, 2010 at 0:12

community wiki

2 revs
Steve Jessop

3

ideally sites should default to just generating a random "md5sum" -- nice! Maybe a less secure alternative, as a quick workaround, might be to automatically add a well-known salt (like +stackoverflow) and then tell users to use an email provider that supports plus-addressing (en.wikipedia.org/wiki/E-mail_address#Sub-addressing) and then register a Gravatar for that "salted" address, if they want to customize the avatar. Not perfect, but no need for database and interface changes.
– Arjan
Commented Apr 1, 2010 at 9:06
Still, the third-party avatar site can track any visitor's whereabouts (which is not the same as user activity) on sites that use their avatar (though Gravatar tells a browser to use a 5 minute cache, so currently won't find fine-grained data in their logs).
– Arjan
Commented Apr 1, 2010 at 9:11
2

@Arjan: Sure, it's still a web bug, just with salt it's harder to deduce links across sites, and impossible to reverse. Any out-of-site content is a web bug: twitter feed widgets, advertising content, etc. If a user wants to avoid the bugging, they can block image loading from that site or redirect it through TOR. Maybe sites which say or imply as part of their privacy T&C that they won't sell their weblogs to the highest bidder, should asterisk that with a note that they effectively give all their weblogs to gravatar for free via icons.
– Steve Jessop
Commented Apr 1, 2010 at 11:20
Somebody who has enough reputation to do so, please up-vote this answer. It speaks directly to one of the core questions and suggests a reasonable counter-measure (albeit only applicable to web developers). Thanks. :)
– matt wilkie
Commented Apr 4, 2010 at 5:07
3

Using a salt here would serve no purpose at all. In order for the gravatar "service" to work, the identifier it gets needs to be the same from all of the various sites on the net, so the same salt would have to be used in each case, and it could hardly be kept a secret from gravatar.com, or for that matter the NSA or the chinese.
– mc0e
Commented Sep 25, 2013 at 1:28
2

@mc0e: that's not correct. Gravatar is used for two distinct but related purposes: (1) to generate pseudo-random avatars, (2) to use the same avatar across multiple sites. For sites that respect their users' privacy, the first is sufficient until the user requests otherwise. That is why I say "For users with no interest in uploading an image to gravatar, there's no earthly reason why any site should use a gravatar URL based on supposedly-private data."
– Steve Jessop
Commented Sep 25, 2013 at 11:23
1

@Steve Jessop: Point taken, but in that case why use the email address at all in constructing the identifier string for gravatar?
– mc0e
Commented Sep 30, 2013 at 6:28
3

@mc0e: why indeed? This is why my answer says, "In fact I'd say that ideally sites should default to just generating a random "md5sum" for each user, and only use the email address to generate a gravatar URL with permission"
– Steve Jessop
Commented Sep 30, 2013 at 18:22
If the salt gets in the wrong hands you'd need to change every avatar or leave yourself vulnerable. Nice answer, though. I've decided to just MD5 the user's ID, since it's public anyway. It gives them a fancy and unique avatar, and their ID is the one thing they cannot change (unlike email and username).
– rybo111
Commented Mar 14, 2016 at 22:47
If it's a FIXED number for all users, it is NOT a "salt".
– curiousguy
Commented Jun 27, 2018 at 4:38

Add a comment |

balpha · Accepted Answer · 2010-03-31 17:40:15Z

22

As someone who provides a similar service (however on a scale that's a tiny bit smaller), I have to say that I myself am sometimes concerned what kind of information I could pull from the access logs if I wanted to.

On the other hand, whenever I comment on some blog, join a forum or whatever, it's my own choice to provide my personal email address. If I'm concerned about that, I can either a) not join at all, b) not provide an email address (if the site allows that, as SO does), or c) create an extra email address for this purpose.

So my view is: It's no bigger or smaller problem than any other privacy concerns resulting from data collection, be it PayPal knowing where you shop, myOpenId knowing where you log in, or Google knowing... well, everything.

That's not to say it's something that can be ignored, but I don't think Gravatar is a special case.

answered Mar 31, 2010 at 17:40

community wiki

balpha

5

For PayPal and OpenID one explicitly chooses to use it; I don't think there's any PayPal or OpenID-enabled site that sends hashed information about its users when just viewing a page. But indeed for Google Analytics et al such details are sent without explicit consent. However, for Gravatar et al, a web site owner can decide any moment to start using it, and then send hashed details of existing and new users (not necessarily the current visitor) to that third party...
– Arjan
Commented Mar 31, 2010 at 18:35
@balpha - You're just trying to get SOFU to switch to your service! Consulting - If you're not part of the solution, there's a great deal of money to be made prolonging the problem.
– Pollyanna
Commented Apr 1, 2010 at 1:34
Hmmm, so you teamed up with Jeff et al to get more data today? How's the quota at Google Apps doing today? ;-)
– Arjan
Commented Apr 1, 2010 at 6:57
14

"it's my own choice to provide my personal email address." The problem is that you make that choice with an insufficient data basis. Many websites claim that your email will never be published, but still use gravatar.
– CodesInChaos
Commented Mar 9, 2012 at 12:00
1

"It's no bigger or smaller problem than any other privacy concerns resulting from data collection", except for Stack Exchange making the list of MD5 hashes public in the data dump. Which, according to an answer on "Someone contacted me by email but my email is not public", might only take 3 days to get all email addresses with 10 or less characters from major email providers.
– Arjan
Commented Dec 21, 2013 at 10:45
@Arjan That is true (and is something we've recently started addressing), but isn't related to the topic of this very question.
– balpha StaffMod
Commented Dec 21, 2013 at 11:51
True, Balpha, and thanks for that reference.
– Arjan
Commented Dec 21, 2013 at 11:59
1

The major privacy issue is not that gravatar.com can track places where your gravatar image is displayed. The privacy issue is that it is able to track any browser that queries gravatar.com to display any gravatar image.
– dolmen
Commented Jun 10, 2015 at 14:05

Add a comment |

3 revs, 2 users 58% · Accepted Answer · 2014-03-02 13:25:56Z

Gravataring an email address (MD5 hashing) is effectively making a single ID that identifies you publicly. Even if you never signed up with Gravatar, they're still tracking your ID that comes in - and the site using Gravatar is providing that ID to all users. This ID can be found on other sites, so if someone does a full transitive search across all public Internet forums, they could see what the same ID has posted. Where privacy breaks down is that if all of these sites know your real email address, and has publicly given everyone your Gravatar ID, then the Chinese government (for example) could harass not just a single entity, but ANY one of those websites that published your Gravatar ID.

What makes more sense to me is if Gravatar simply "GAVE OUT" an identifier (to you) if you sign up. And when you want to use your Gravatar, you simply give that same ID to sites that use Gravatar.

Sites that use Gravatar without your consent are the ones to blame. Gravatar's user base grows because of this principle (it's their business model - people that want a picture associated with their latest post).

I wish people would try to understand this concept first. Another poster here is generally correct in that if someone REALLY wanted to find out your real identity, they probably could, but Grav IDs make it even easier. You'll see when the equivalent of rainbow tables comes along for Grav IDs (like a site that lets you enter a gravid and it will tell you all URLs that use that GravID.)

I just thought of another way to secure gravatars- they could have used PKI rather than hashing. With PKI with some time based or per-instance/site salt, the ID would not be normalizable to an outsider. In fact, shame on Gravatar for not thinking of this. They're going to claim it has something to do with access to encryption APIs in the languages they are supporting, but I'm pre-emptively calling bullshit right now.

Even if the hash was different for every site, the image would be the same. Feed that image to Google and it'll find other instances on other sites. — rybo111, Commented Mar 17, 2016 at 9:17
wait, isn't the trade off "convenience for privacy" a common knowledge among free services? 🤔 this can get off topic very quickly, but i'm curious to understand why you're so annoyed by that... because the "privacy bubble" is a huge topic to me cregox.net/privacy - (disclaimer: i personally use gravar because i literally couldn't care less for the worries everyone have about privacy. please, don't even try to convince me otherwise on this 🙂). — cregox, Commented Oct 3, 2020 at 0:45

4 revs, 2 users 63% · Accepted Answer · 2014-03-02 13:06:48Z

16

One problem with Gravatar isn't solved by blocking the server.

The website you use publishes the hash of your email address. At a minimum, this makes it possible to find other websites where you used the same email address.

Looking at the Jan 2011 Stack Exchange data dump:

105k unique Gravatar hashes
10k are IPv4 based, the IP address can be trivially found
At least 27k of these are so simple they can be guessed. This does not require a relation between nick and address, but just that the email address is built using a common pattern, such as [email protected].
Stack Exchange does not validate email addresses, so some of them are invalid. Since fake addresses are harder to guess (gdsfgsdf.sdfadf.com etc.), I assume that if we use valid addresses as a basis, the percentage of guessable addresses is even larger.

All of this applies even to users who have not registered an account with Gravatar.

Many websites (including Stack Overflow) promise to not publish your email address, but at the same time use Gravatar and thus leak information about about the email address they promised to keep secret. If websites insist on using Gravatar, they should at least tell the user that the email address gets published, instead of lying to their users.

edited Mar 2, 2014 at 13:06

community wiki

4 revs, 2 users 63%
CodesInChaos

Like referenced in my answer: 10% of Stack Overflow email addresses could be harvested (or be validated to be correct), if the user name is related to the email address.
– Arjan
Commented Mar 25, 2011 at 10:10
You can also try combinations of two words and some other dictionary attacks. With that you get more than 10%.
– CodesInChaos
Commented Mar 25, 2011 at 13:04
4

IP-based gravatars are now salted, so that's one problem resolved.
– Jeremy
Commented Mar 9, 2012 at 19:39
1

Care you extend a bit on the 27k [email protected] users? Like: are those people who use Firstname Lastname as their display name here, and happen to have a matching email address? Or was the *.*@gmail.com pattern enough to get that 27k addresses from the hashes? (In the first case, a spammer probably wouldn't even care to validate if the address matches the hash, but just assume the address exists, but that's not about privacy of course. I'm still happy I'm not arjan@gmail... And: nice overview, thanks!)
– Arjan
Commented Mar 9, 2012 at 20:07
3

I tried several patterns using different wordlists, lists of common first-/surnames, the SO usernames, random characters, numbers, and combinations thereof on common email providers. And obviously all IPv4 addresses. Getting the first 20k is pretty easy, after that there is a lot of overlap to emails found earlier, and search becomes increasingly expensive.
– CodesInChaos
Commented Mar 9, 2012 at 20:18
2

One interesting tidbit: <gmane.org> doesn't expose the hashes; it uses an opaque URL (with a rather small numeric component) on gmane.org itself, rather than using anything that embeds the gravitar hash. (Granted, the images weren't actually working last I checked, but that's just an implementation problem.)
– SamB
Commented Mar 10, 2012 at 19:52

Add a comment |

2 revs · Accepted Answer · 2017-04-13 12:57:24Z

Reproduced from https://webapps.stackexchange.com/a/30605/11058

Don't give your email and portrait to Gravatar. Regardless of whether you trust Gravatar Corp, it's easy for site owners to carelessly betray the identity of users posting under pseudonyms. A cautionary tale:

Hashim in Saudi Arabia secretly reads an American blog about homosexuality. One time, the blog discusses the Middle East, so Hashim comments describing his own experience. He is careful to give a false name 'bin Elton' to protect his identity. However the blog software, Wordpress, also demands an email address. The software promises 'your email address will not be published'. Hashim trusts the blog owner and thinks nothing of typing his email address. There's no risk, his email doesn't even contain his real name.

Two years later, Hashim signs up for Stack Overflow under his real name. He gives Gravatar his email and portrait.

Unbeknownst to Hashim , in 2011 Wordpress decided to install Gravatar on their platform, to make it 'more social'. Portraits are added to new comments, but also to millions of archived comments. (Wordpress didn't consider this a privacy issue, because email addresses remain secret). As a consequence, Hashim's portrait is now publicly displayed next to bin Elton's story.

2 revs, 2 users 67% · Accepted Answer · 2012-02-25 20:23:06Z

10

edited Feb 25, 2012 at 20:23

community wiki

2 revs, 2 users 67%
Jon Seigel

24

It's immaterial to me whether the poster is a lawyer or a dog. It's the statements themselves I wanted reflection on not their source.
– matt wilkie
Commented Oct 20, 2010 at 0:02
1

@mattwilkie Yaw callin' me a dawg?
– Mateen Ulhaq
Commented Jan 4, 2012 at 5:58
4

@MatB, replacing the image with an imgur.com version that lacks the copyright notice, and linking to the source, is not satisfying that copyright, I guess? (But it does make it easier for the author to find this site.) Jon, that website, mtncartoons.com, claims "Typically, $100 newsletter, $50 Web use." I guess we should delete this answer?
– Arjan
Commented Feb 26, 2012 at 6:58
Oh, that should have read: @SamB. (And the previous version, being a deep link to that site, was as easy to find for the author I guess. Still, removing the copyright notice makes things worse, I feel.)
– Arjan
Commented Mar 9, 2012 at 20:08
@Arjan: I'm not sure how this makes things worse, given that the link goes right to a page with the other version, and that the notice is no longer a prerequisite for any of the rights? Regardless, I could (try to) change it to the copy of this version of the image that is actually on the author's server (the path is pretty strange, though), or you could change it to use the other version, if that makes you feel better.
– SamB
Commented Mar 10, 2012 at 19:28

Add a comment |

2 revs, 2 users 60% · Accepted Answer · 2014-03-02 12:59:55Z

5

Note that DoubleClick (now Google) has for a very long time collected such usage data.

If this is a concern, use your browser or your hosts file to block all accesses to Gravatar's servers. This will disable their ability to follow you.

edited Mar 2, 2014 at 12:59

community wiki

2 revs, 2 users 60%
Peter Mortensen

1

If he has a Unix-like desktop or any kind of proxy he could even strip all the referrers to gravatar.com and still see the pretty pictures. en.wikipedia.org/wiki/HTTP_referrer#Referrer_hiding
– perbert
Commented Mar 31, 2010 at 17:55
1

Or replace it with the unicorns URL =) *waits for the china unicorns to knock on his door*
– Andreas Bonini
Commented Mar 31, 2010 at 18:02
@Kop - Hey, jeff followed your idea!
– Pollyanna
Commented Apr 1, 2010 at 0:16
12

How would this help? If I, as an individual user, block my computer from accessing gravatars servers, aren't they still getting my email address or hash from the website-using-gravatar that I'm leaving a comment on?
– matt wilkie
Commented Apr 4, 2010 at 5:32

Add a comment |

user136089 · Accepted Answer · 2016-04-13 08:00:15Z

5

Are these concerns real

Yes, for the reasons given in other answers on this page.

and if so, what defensive measures might be used?

Consider using the Privacy Badger browser plug-in from the Electronic Frontier Foundation (EFF), which helps defend against tracking by Gravatar and similar services.

Privacy Badger is free software.

answered Apr 13, 2016 at 8:00

community wiki

user136089

Add a comment |

2 revs, 2 users 77% · Accepted Answer · 2016-04-13 08:22:56Z

Point 6 does not apply because the websites that show Gravatars do not send the raw e-mail address. They only send a MD5 hash. Here is the API documentation. But the hash of the e-mail of a gravatar.com account can be reversed if the user made the mistake of publishing his e-mail somewhere.

Point 4 is not the major issue.

Anyway, the major privacy issue is not just for registered gravatar.com users. It is for any web user that browse sites that use gravatars. This is because gravatar.com gets HTTP query from every page you visit that display gravatars. And gravatar.com does everything to force your browser to fetch the images everytime and bypass caching. Yes, gravatar.com is evil. You can check by yourself:

$ curl -I https://secure.gravatar.com/avatar/70d9b050bfe39350c234d710fadfcd39?s=130
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 10 Jun 2015 13:40:27 GMT
Content-Type: image/jpeg
Content-Length: 6226
Connection: keep-alive
Last-Modified: Fri, 18 Mar 2011 13:20:45 GMT
Link: <https://www.gravatar.com/avatar/70d9b050bfe39350c234d710fadfcd39?s=130>; rel="canonical"
Content-Disposition: inline; filename="70d9b050bfe39350c234d710fadfcd39.jpeg"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 500790784 498172644
Via: 1.1 varnish
Expires: Wed, 10 Jun 2015 13:45:27 GMT
Cache-Control: max-age=300
Source-Age: 592

The caching is enabled only for 5 minutes (see Expires). Do you know many users that change their gravatar more than once a year (that would be the only use case for a short caching)? I don't. The short caching is just enabled to track you.

So your visits on any stackexchange.com, github.com, wordpress.com (among many others) are tracked by gravatar.com and they are able to track you accross those sites in the same way as Google Ads, Google Analytics, Twitter/Facebook like buttons.

This is why Ghostery blocks Gravatar.

4 revs, 2 users 60% · Accepted Answer · 2019-03-06 17:19:58Z

3

Given the recent switch to Unicornify, I believe this question can be closed as status-completed.

edited Mar 6, 2019 at 17:19

community wiki

4 revs, 2 users 60%
Nat

Not to mention that now Google and balpha know which avatars are downloaded by which IP address...
– Arjan
Commented Apr 1, 2010 at 9:09
@Arjan: SO already has Google analytics on it, so Google already knew who hit what pages. If they wanted to know which icons were on which page, they can just scrape the pages, none of them are private. So balpha is the big winner here :-)
– Steve Jessop
Commented Apr 1, 2010 at 11:25
@Steve, no Analytics allowed here, but the sudden Unicornify got me. ;-) Too bad balpha has set the cache to one day!
– Arjan
Commented Apr 1, 2010 at 11:43
"no Analytics allowed here" - that's OK, I'm sure Google can send ninjas to break into SO's server room and steal the logs to fill in the blanks. If they ever need to know.
– Steve Jessop
Commented Apr 4, 2010 at 1:40
4

Could you please expand on how/why Unicornify, whatever that is, brings this to status-completed for SO? Also the Q is still relevant in a broader non-SO context .
– matt wilkie
Commented Apr 4, 2010 at 5:19
I tried searching for "Unicornify", but now I'm not sure exactly which site by that approximate name was intended. I figured it was the pink-and-sparkly one, but adding a link to clarify would help.
– Nat
Commented Mar 4, 2019 at 15:00
2

@Nat it's unicornify.pictures, a just-for-fun service written by one of SO most veteran developers, outside work hours. (i.e. not directly related to SE)
– Shadow Wizard
Commented Mar 4, 2019 at 15:32
3

Anyway, this is a joke answer that these days only very few people will understand, not sure we need to keep it.
– Shadow Wizard
Commented Mar 4, 2019 at 15:33
I, for one, welcome our new "PURGE ALL FUN AND HISTORY" overlords.
– Pollyanna
Commented Mar 5, 2019 at 19:41

Add a comment |

2 revs, 2 users 72% · Accepted Answer · 2014-03-02 13:17:36Z

Is Gravatar a privacy risk? WT*

I realize these posts are quite old, but I have been dismayed at the level of paranoia shown by some of the posters on this and similar threads.

Surely, in this day and age the cautious consciously obtains / maintains a few email accounts which matter little and are serviced even less... Just for all those mostly sign up and forget situations. So who cares if someone without a life and with huge amounts of computer power (and hacker software) eventually figures out an address from an hash.

If the name part of the free (probably) mail account(s) is mostly gobbledygook then that makes hash parsing / matching even harder. And if you use simple, real words, names or numbers for passwords to boot you have to accept you are really stupid.

But at the end of the day, a lot more worrisome for the paranoid (and so called "lawyers" with a bone to pick) are the plethora of form submission checks (AKA like excellent "aKismet") and general RBL access blockers / redirects used (quite rightly so) on so many web sites you won't even know about unless you are actually a spammer of various sorts.

All those rely on and receive our email addresses and IP addresses of which they wholly or in part rely on. Is an upfront service like Gravatar to be trusted less when those others could track FAR more than a few sites here and there displaying an avatar pic. I think not.

And while we're at it, get the Ghostery add-on for your browser and see just how many months it can take to get on top of (blocking) the huge amount of third-party tracking cookies we are barraged with. That's really scary too.

Discovery of a mere email address one consciously supplies has nothing on all those occurrences I mentioned, any of which if harvested can also be packaged for others at a profit. Any monetized site especially SHOULD declare it all in a readily accessed privacy declaration; does yours?

Stack Exchange Network

Is Gravatar a privacy risk?

13 Answers 13

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
discussion
gravatar
privacy
.

Linked

Hot Network Questions

Is Gravatar a privacy risk?

13 Answers 13

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged discussiongravatarprivacy.

Linked

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
discussion
gravatar
privacy
.