Stop using Gravatar! It's a Privacy mess!
Don't just give your email and profile photo!
Gravatar is a globally recognized avatar. It can be used to represent you on all the websites that support it.
Gravatar was created in 2007 by programmer John Barger and has been run as a side project for over 10 years. It is now owned by Automattic, who also own WordPress and other popular web services.
Gravatar is an easy way to create a profile photo for your blog or website so that your readers can find you more easily.
Sounds great right!?
Yeah, well... not anymore. I love Gravatar, well, loved! When John created it back in 2007, I guess he was not thinking about how to monetize it.
And I guess you are thinking... how can you possibly monetize this.
How does Gravatar work?
When browsing all different sorts of websites, you may notice that many users have a picture next to their name. These pictures are called “avatars.”
Automattic, owner of Gravatar and creator of WordPress, uses WordPress sites to show a specific type of avatar called (well, can you guess?) “Gravatars”, short for “Globally Recognized Avatar.”
Unlike standard avatars, Gravatars follow you around the web and automatically appear when you post a comment on a WordPress site.
WordPress integrates Gravatars into every WordPress site. EVERY WORDPRESS SITE!!
According to W3Techs, in 2021 around 41.2% of all websites on the web use WordPress.
As there are about 1.3 billion total websites on the web, more than 455 million sites use WordPress.
But that's not where Gravatar ends!! No! Anybody can use the POWER of Gravatar on their own site, whether it runs WordPress, Jekyll, Drupal or, well, any site, app or environment.
Once registered with Gravatar, the service matches your WordPress profile information to the email address registered with Gravatar and displays your custom Gravatar image next to comments and (optionally) elsewhere on Gravatar supported sites.
Privacy and Gravatar
So, if you are like me, you gave or will give Gravatar all your email addresses, and occasionally give it a new profile photo!
From that moment on, every site that uses Gravatar can automatically display my profile photo when I comment on an article.
Yay!!! That is great!
Yes, it's a great privacy violation!!!
So how is this privacy sensitive? I'll explain.
When you comment on a site that has a Gravatar connection, Gravatar links your comment to that site, so it knows that you have visited that site. In other words, Gravatar knows every site you have commented on.
And when you visit a site that has Gravatars on it, Gravatar will track YOUR IP ADDRESS, your browser version, and the URL of the page containing the avatar images.
Gravatar will log your IP address when you place one comment, two comments, three comments, and as you probably use the same internet connection a lot, Gravatar will have a pretty good idea which IP address belongs to you. Now every time you merely visit a site that has Gravatars on it, BINGO! They will know you have been there!!
Your email address, which is used to connect your profile photo to that site, is hashed with the MD5 cryptographic hash function.
So the MD5 hash of firstname.lastname@example.org is: 4F0E3D220AA6A2434A312481F6931E7F
MD5 has been broken for a long time now, and it is also very cheap to compute. So although the token "4F0E3D220AA6A2434A312481F6931E7F" looks unreadable, if you have it, it is very easy to get the email address back: email addresses are predictable enough that hashing a list of known or guessed addresses and comparing the results quickly finds the one that produced the token.
So everybody who can see those tokens will be able to turn them back into email addresses, and they can do anything with them: use them for scams, spam and, well, things you do not want. (Oh, by the way, the above email address is not a working email address.)
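As an added example (not code from the article or from Gravatar), here is a Python script showing how the token is built from an email address, how it appears in an avatar image URL, and a self-check that recovers an address from its token by hashing a list of candidate addresses; the sample HTML and the address list are constructed for the demonstration.

```python
import hashlib
import re
from typing import Iterable, Optional

def gravatar_hash(email: str) -> str:
    """Gravatar's documented normalisation: trim whitespace, lowercase, then MD5."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def gravatar_url(email: str, size: int = 80) -> str:
    """Build the avatar image URL. The hash is the only identifier in it, so
    anyone who can read the page's HTML or watch the browser's requests sees it."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"

_HASH_RE = re.compile(r"gravatar\.com/avatar/([0-9a-fA-F]{32})")

def extract_hashes(html: str) -> list:
    """Pull every avatar token out of a page's HTML."""
    return [h.lower() for h in _HASH_RE.findall(html)]

def recover_email(avatar_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Self-check: does any address in `candidates` produce this token?

    MD5 is not inverted here and need not be: hashing a list of known or
    guessed addresses and comparing is all it takes, because the address
    space is small and MD5 is cheap. This is what the article means by
    getting the email address back from the token.
    """
    wanted = avatar_hash.lower()
    for candidate in candidates:
        if gravatar_hash(candidate) == wanted:
            return candidate.strip().lower()
    return None

# Constructed sample: a comment section with two Gravatar images.
SAMPLE_HTML = f"""
<div class="comment"><img src="{gravatar_url('Alice@Example.org ')}"> Alice says hi</div>
<div class="comment"><img src="{gravatar_url('bob@example.net', 40)}"> Bob replies</div>
"""

# Constructed list of addresses you own and want to check for exposure.
MY_ADDRESSES = ["alice@example.org", "carol@example.com"]

if __name__ == "__main__":
    for h in extract_hashes(SAMPLE_HTML):
        hit = recover_email(h, MY_ADDRESSES)
        print(h, "->", hit if hit else "not one of my addresses")
```

Note that the capitalised, padded address and its lowercase form yield the same token, so varying the case of your address gives no protection.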
Delete your Gravatar account! Use a VPN!
Well, there is very, very, very bad news! You cannot delete your Gravatar account!
There is a little good news: you can delete part of your account, and delete all of it if you are also willing to delete your WordPress account! (This does not delete your own self-hosted site.)
- Log into your Gravatar account.
- Under “My Profile”, remove all entries (only the display name cannot be removed; you can enter anything there).
- Go to “My Gravatars”. First delete the account image, if you already assigned one. Then also delete the image itself in the area below.
- To remove the connection to your own email address you have to use a little trick. Search for a provider of so-called “one-way email” or “disposable email”, create (ideally) a really long nonsense email address there, and enter it into the “Add a new email” field in your Gravatar account. You will receive a confirmation mail in your disposable mailbox; confirm it and the new address will be available in your Gravatar account.
- Select it and click on “Make primary”.
- Now you can delete your precious real email address, because only the primary email is undeletable.
- As a last step, under “My Profile” in the left menu you find “View Profile” at the top, where you can select “Hide my profile”.
Disable your account by following these steps:
- Make sure you are logged in to your WordPress.com account.
- Go to the Disable My Gravatar page.
- Click Disable My Gravatar to confirm you want to disable your account.
Disabling your account deletes your Gravatar data and removes access to Gravatar's settings. You can re-enable your account at any time.
If you wish to permanently close your account, you can do so by closing your WordPress.com account.
You are completely done when you see
So, now there is one last step to do! Get a VPN. A VPN masks your own IP address on your website visits, so they cannot track you, at least not by your own IP address.
I've been using privateinternetaccess.com
Support Theo van der Sluijs by becoming a sponsor. Any amount is appreciated!