[Osmf-talk] hosting in the UK and "anti-terror legislation"

Kai Krueger kakrueger at gmail.com
Mon Sep 9 15:36:05 UTC 2013

On 09/09/2013 08:41 AM, Martin Koppenhoefer wrote:
> There should also be more clarity in the paragraph "Email", which
> currently reads: "The registered email address for an OSM user account,
> will never intentionally be published on the internet anywhere, shared
> with third party organisations, or revealed directly to other logged in
> users.

Is the use of gravatar.com a violation of this policy?

At the moment for every logged-in user the website generates a plain
http request to gravatar with the registered email contained in the URL.
Including for all users who don't use gravatar. So there isn't even an
opt-out in place.

It uses an unsalted single iteration md5 hash to encode the email
address. As without the domain name which is a known (few) constant in
most cases, email addresses are typically on the order of 10 characters,
bruteforcing the email out of those md5 hashes isn't overly difficult
even for a normal person, let alone a intelligence service with access
to super computers.

Furthermore, it allows gravatar to gather statistics about users thanks
to this unique identifier and cross reference usage patterns with any
other site that uses gravatar.


More information about the osmf-talk mailing list