[openstreetmap-website] Disable automatic gravatar opt-in, as it violates the privacy policy (#519)

apmon notifications at github.com
Wed Oct 30 18:24:38 UTC 2013


With an unsalted MD5 of the email address, it is trivial to verify that two different accounts, e.g. on osm.org and blagabc.com, are using the same email address. It is also, as woodpeck points out, trivial to verify that someone indeed used a specific email address. E.g. I could verify that Pawel uses the same email address in GitHub as he did on the public osm mailing lists.

But simply with brute force, being able to identify about 70% of all emails sounds about right, as many email addresses will be in the range around 10 characters + a standard domain, which is well within reach of brute forcing.

So, yes, that pretty much does reveal the email address. And I hadn't even considered previously that it reveals the email address to the public at large and not only to a third party company like Gravatar. So I stand by my claim that it is a violation of the privacy terms.

---
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/519#issuecomment-27423311
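
The linkability concern raised in the message above, as an added Ruby illustration that is not part of the original post or of the openstreetmap-website code. It contrasts the public unsalted MD5 identifier with a per-site keyed identifier and an explicit opt-in gate; `site_pseudonym`, `linked_accounts`, `public_avatar_id`, the keys and all accounts are hypothetical, constructed sample data.

```ruby
require "digest"
require "openssl"

# Gravatar-style identifier: MD5 of the trimmed, lower-cased address.
# No secret is involved, so every site derives the same value.
def gravatar_hash(email)
  Digest::MD5.hexdigest(email.strip.downcase)
end

# Hypothetical per-site identifier: a keyed HMAC. Without the site's key
# the value cannot be recomputed or compared across sites. It is not a
# drop-in replacement for Gravatar, which requires the plain hash.
def site_pseudonym(email, site_key)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), site_key, email.strip.downcase)
end

# Pairs of usernames whose published avatar identifiers are equal.
# Both arguments map username => identifier, as visible in avatar URLs.
def linked_accounts(site_a, site_b)
  index = site_b.invert # identifier => username on site B
  site_a.select { |_, id| index.key?(id) }.map { |user, id| [user, index[id]] }
end

# Opt-in gate: publish an identifier only when the user asked for it.
def public_avatar_id(user)
  user[:gravatar_opt_in] ? gravatar_hash(user[:email]) : nil
end

# Constructed sample accounts (example.* addresses only).
SITE_ONE = { "mapper_a" => "mapper@example.com", "other" => "other@example.org" }.freeze
SITE_TWO = { "m4pp3r" => "  Mapper@Example.com ", "third" => "third@example.net" }.freeze

# Identifiers each site would expose under the two schemes.
def published(accounts, key = nil)
  accounts.transform_values { |mail| key ? site_pseudonym(mail, key) : gravatar_hash(mail) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsalted MD5 links: #{linked_accounts(published(SITE_ONE), published(SITE_TWO)).inspect}"
  keyed = linked_accounts(published(SITE_ONE, "key-one"), published(SITE_TWO, "key-two"))
  puts "per-site HMAC links: #{keyed.inspect}"
  puts "no opt-in => #{public_avatar_id(email: 'mapper@example.com', gravatar_opt_in: false).inspect}"
end
```
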