What’s new in core-privacy

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack. This summary highlights current work and also provides a view into how this relatively new team is working together to further privacy awareness following the success of its V1 GDPR-specific focus.

Ticketticket Created for both bug reports and feature development on the bug tracker. milestone changes

As a result of 4.9.9 being removed from the schedule in favor of a GutenbergGutenberg The Gutenberg project is the new Editor Interface for WordPress. The editor improves the process and experience of creating new content, making writing rich content much simpler. It uses ‘blocks’ to add richness rather than shortcodes, custom HTML etc. https://wordpress.org/gutenberg/ only 5.0 release, 25 coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.-privacy tickets scheduled for 4.9.9 have been punted to either 5.0.1, 5.1, or Future Release. These included some which were already committed to trunk and backported to 4.9.9, as well as some marked commit which will not be shipped with 5.0. Each ticket will be reviewed and evaluated for release with either 5.0.1 or 5.1. Each ticket can be re-milestoned when the scopes and timelines of these releases become more clear.

Impacted tickets include #44038, #44044, #44051, #44081, #44084, #44135, #44175, #44179, #44267, #44314, #44550, #44621, #44644, #44669, #44674, #44677, #44707, #44723, #44761, #44822, #44833, #44901, #43438, #44233, and #44236.

The component’s focus until post-Gutenberg will shift to the (currently) 31 bug tickets, with a goal of marking at least 75% of them as ready for commit.

@allendav and @desrosj will also use the feature and enhancementenhancement Enhancements are simple improvements to WordPress, such as the addition of a hook, a new feature, or an improvement to an existing feature. freeze to address #43895, which aims to properly organize the privacy code introduced in 4.9.6 within the codebase.

A full list of privacy tickets can be found in Trac.

Bug scrubs are led by @desrosj every Monday. The next one will be held October 15, 2018 at 15:00 UTC in the #core-privacy room on Slack.

Future major releasemajor release A release, identified by the first two numbers (3.6), which is the focus of a full release cycle and feature development. WordPress uses decimaling count for major release versions, so 2.8, 2.9, 3.0, and 3.1 are sequential and comparable in scope.

There was agreement that advocating for Privacy to be a focus for a future major release (possibly 5.2) would be very helpful to land the features outlined in the V2 roadmap. The timing of two pieces of legislation of particular interest would potentially coincide with that release schedule, allowing those features to be shipped prior to the effective dates.


The V2 roadmap moves beyond the enhancements and fixes to the V1 GDPR privacy tools to address general areas of privacy and data protection outside legal requirements. Its scope includes:

  • Core privacy features
    • GravatarGravatar Is an acronym for Globally Recognized Avatar. It is the avatar system managed by WordPress.com, and used within the WordPress software. https://gravatar.com/. privacy controls
    • Embed privacy controls
  • PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party privacy
    • For administrators
    • For developers
  • Consent and logging
  • WP-CLIWP-CLI WP-CLI is the Command Line Interface for WordPress, used to do administrative and development tasks in a programmatic way. The project page is http://wp-cli.org/ https://make.wordpress.org/cli/ support
  • Multisitemultisite Used to describe a WordPress installation with a network of multiple blogs, grouped by sites. This installation type has shared users tables, and creates separate database tables for each blog (wp_posts becomes wp_0_posts). See also network, blog, site support

This week, those in attendance agreed to add two upcoming privacy issues within legal requirements – the US California Consumer Privacy Act (CCPA), and the EU ePrivacy Directive overhaul – to the roadmap. It is anticipated that these two pieces of privacy legislation will create the most obligations for WordPress site administrators in 2019. Team members will continue to monitor each law carefully. Once the specific requirements are announced by each respective government, a discussion of what functionality may need to be created to allow site administrators to meet their requirements well ahead of compliance deadlines will be had.

@idea15 is the lead for monitoring and evaluation of privacy legislation. @idea15 and @riankinney are working on an analysis of CCPA.

They are also monitoring other privacy legislation, including individual US state requirements as well as that of countries like Brazil, to anticipate possible future work.

Gutenberg review

@allendav is reviewing Gutenberg for any potential privacy issues stemming from CDNs, telemetry, or other issues, and will document his findings. Please make him aware of any concerns. He also welcomes privacy evaluations of Gutenberg from non-Automattic testers for transparency’s sake.

#45057 is currently the only Gutenberg blockerblocker A bug which is so severe that it blocks a release. from a Privacy standpoint.

Cross-platform privacy working group

At Drupal Europe, @idea15 and Chris Teitzel from the Drupal core privacy team gained enthusiastic support from Dries Buytaert for a proposed cross-platform privacy working group. This group would create a forum for the core privacy teams from all major open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL. CMS projects (WordPress, Drupal, Joomla, Typo3, etc), to engage, share resources, compare experiences, and periodically meet in person to discuss privacy issues on the social, legal, and code levels. The group, which would be run through the Drupal community structure, may receive some funding. @idea15 will update the WordPress core privacy team in the next fortnight with news.

Group metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. issues

  • Our current weekly office hours time of 1500 UTC on Wednesdays does not work for most participants. If you are interested in attending the weekly office hour meetings, please fill out this Doodle poll to identify a better time.
  • The component will be more diligent about posting agendas and meeting summaries on the Make core blogblog (versus network, site). New contributors are encouraged to volunteer, as this is a great way to get involved. @desrosj, @idea15, and @allendav will ensure these are posted when there are no volunteers for that week.
  • The team will discuss and choose team reps, in response to a discussion during the weekly Core dev chat of whether the core-privacy group is a team in addition to a component and focus.
  • @allendav will research more privacy-conscious document and collaboration tools outside Google docs.

Next Meeting

The next office hours will be held on October 17, 2018 at 15:00 UTC in the #core-privacy room on Slack.