4 Oct 2022

WordPress is Obfuscating the Connection Between the WordPress Plugin Directory and Automattic

An odd controversy has recently taken the spotlight in the WordPress plugin developer community: the removal of the Active Install Growth chart from the Advanced View page for plugins in the WordPress Plugin Directory. That chart showed the growth of a plugin's active installs over time. This is what it looked like:

When this was done, the only explanation provided was:

Plugin Directory: Remove active install growth chart from advanced view due to insufficient data obfuscation.

What need would there be to obfuscate data like that? Since it is only data on how many active installs a plugin has, it shouldn't contain anything sensitive.

Dan Knauss provides a good overview of the situation over at Post Status. In it he notes that the "Executive Director of the WordPress project", Josepha Haden Chomphosy, gave this explanation, which makes clear that what is being obfuscated is the active install count itself:

the active install growth could be (was being?) used to determine near exact numbers, making the intended obfuscation pointless.

So far, no good reason has been given for why that obfuscation is needed. More of the public discussion can be found here. In that discussion is the claim that the company Automattic has access to more accurate stats:

@joostdevalk recently suggested that Automattic has an unfair competitive advantage because they have access to more accurate stats. I will go one step farther and say that, if a goal with any data is to be fair to each other with it, that includes a responsibility to serve up the same data with the same interface to everyone, and to prevent people from accessing it in any way that is unintended or unfair.

For those not familiar, Automattic is the company run by the head of WordPress, Matt Mullenweg. The lines between Automattic and WordPress are blurry enough that journalists sometimes believe WordPress is part of Automattic. The confusion is easy enough to understand since, among other things, the previously mentioned "Executive Director of the WordPress project" is, despite the title, an employee of Automattic, not of the WordPress Foundation.

Automattic's control over WordPress is enough of an issue that the second question in the FAQ for the WordPress Plugin Directory claims to address the connection:

Does the review team work for Automattic?

No. The review team is made up of 100% volunteers. Some are compensated by their full-time employers, but no one is hired by WordPress.org, Automattic, or WordPress.com.

If team members are being paid by their employers to do this work, then they are not really volunteers. More problematic is that the answer seems intentionally misleading. One person is the head of all three entities mentioned, WordPress.org, Automattic, and WordPress.com: Matt Mullenweg. Matt Mullenweg also has an entity named Audrey Capital, and two of the four members of the team, Sam "Otto" Wood and Scott "coffee2code" Reilly, are employees of Audrey Capital.

So it is technically true that no member of the team works for Automattic (or WordPress.org or WordPress.com), but that seems to be a distinction without a difference. Their boss is not only the person in charge of all three; they appear to be more closely connected to the head of Automattic than many employees of the company would be.

That has important implications for the security of WordPress plugins, since parts of Automattic's business conflict with improving the security situation with WordPress plugins. Automattic's plugin/service Jetpack is heavily marketed as a security solution, so improving plugin security would lessen its value. Also, WordPress refuses to warn people about plugins it knows to contain unfixed vulnerabilities, while Automattic sells access to data on those plugins (though rather incomplete and inaccurate data).

Which brings us back around to the original issue: Scott Reilly is the one who made the change that removed the Active Install Growth chart.
