tea.mathoverflow.net - Discussion Feed (Is an alternative to Gravatar possible?)

theojf comments on "Is an alternative to Gravatar possible?" (16788)

2011-10-31T13:44:04-07:00

I was unaware of Gravatar's terrible terms of service. (Aside: I don't remember ever particularly "signing up" to use Gravatar. But I do use it, on many websites, and had never thought much of it.) I agree with Dmitri that in a better world we would use (or, rather, allow to use) some other service. Dmitri: as you understand the issues better, I vote that you leave the desired change requests with SO.

(There are, of course, other security things to also dislike. E.g. it would be great to allow to use https. Can MO weigh on SE to fix these things?)

Dmitri Pavlov comments on "Is an alternative to Gravatar possible?" (16787)

2011-10-31T13:37:41-07:00

@Scott: True, but this is somewhat inconvenient.

Also, if somebody wants to use an avatar and does not like Gravatar's crazy license, he is stuck.

Can we put in some JavaScript code that will rewrite avatar urls for some users?

Scott Morrison comments on "Is an alternative to Gravatar possible?" (16776)

2011-10-30T18:29:18-07:00

You could create a new email account, that would never be discovered by looking for md5 collisions, and set it to forward to your standard account.

Dmitri Pavlov comments on "Is an alternative to Gravatar possible?" (16767)

2011-10-30T09:25:20-07:00

>Put your email address in your public profile, and clear the email address field.

If I understand everything correctly, the software will then use my ip address to generate the url for the identicon, which is even worse.

>Mine has been prominently displayed on my web page in plain text for many years, and essentially no spam reaches my inbox.

If you have such a powerful spam filter, then perhaps also some non-spam emails don't reach your mailbox? :-)

Scott Morrison comments on "Is an alternative to Gravatar possible?" (16764)

2011-10-30T08:33:23-07:00

Essentially the answer is "no, we can't do this, because we have no access to the software".

Options include:

proposing such changes on meta.stackoverflow.com, or on the metas of SE 2.0 sites where you're active, hoping that SE implements this, then hope that we migrate to 2.0.
wishing that we had our own software.

One can of course opt out. Put your email address in your public profile, and clear the email address field. (Is keeping email addresses secret really a relevant concern these days? Mine has been prominently displayed on my web page in plain text for many years, and essentially no spam reaches my inbox.)

Dmitri Pavlov comments on "Is an alternative to Gravatar possible?" (16763)

2011-10-30T05:48:55-07:00

Currently MathOverflow uses Gravatar, a commercial service, for its avatars.
I see at least two problems with this.

1) User's email address is disclosed.
Even though Gravatar uses md5 hashes instead of the actual email addresses,
this does not protect them well because there is only a limited number of email user names and domains.
http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea
This means that eventually spambots will harvest md5 hashes from gravatar
and recover email addresses from them.
Perhaps somebody already did that.

What I find particularly disturbing is that there is no way to opt out of this,
unless one is willing to delete one's email address from the profile,
which is not a very good idea because MO moderators need email addresses to communicate with users privately.

We have a similar problem with disclosing IP addresses, which are used to generate identicons.
In this case the problem is much more severe, because there are only 2^32 ip addresses,
and one can easily cycle through all of them and determine the exact ip address of a supposedly
anonymous user.

2) Gravatar's terms of service are also very disturbing (I emphasize the most problematic parts):

More specifically, you hereby do and shall grant to Automattic a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to **sublicense**) right to perform the Services (e.g., to use, **modify**, reproduce, distribute, **prepare derivative works of**, display, perform, and otherwise fully exercise and exploit all intellectual property, publicity, and moral rights with respect to any User Submissions, and to allow others to do so).

I would be fine with distributing my avatars using
Creative Commons Attribution-NonCommercial-NoDerivs license,
but Gravatar simply asks too much.

This serves as a motivation for the following two questions:
1) Can we allow users to opt out from disclosing their email addresses to Gravatar,
while still allowing moderators to communicate with them?
2) Can we allow users to host their avatars on other sites?
This can be implemented by adding an additional field (a link to the avatar) to the user's profile.