Auto Update And Privacy
By Adrian Sutton
Here’s a really simple golden rule for anyone thinking of adding auto update to their products – never ever include any user-identifiable information. There’s simply no reason you need to know who is checking for updates; you only need to know what version they have. Given the infrastructure of the internet you will wind up getting their IP address, so your policy should be that these aren’t stored.
It comes as no surprise to me that the WordPress mob broke this rule with their new auto update – they always seemed shifty to me. Tell me why exactly you need the URL of the blog to determine if a new version is available? Exactly what use to you is blog.ephox.intra going to be? Oh well, I’m already removing all the pointless blog entries they spam the dashboard with and those weird Technorati partner parameters, so I guess I’ll be asking for updates from wordpress.com or something too…
UPDATE: I posted this before the inflammatory and completely wrong Slashdot article. I’m aware it only sends your blog URL and I’ve already patched my version so it doesn’t. Of course they can still identify me by the static IP and the replacement string I put in instead of my blog URL, but it’s the principle of the matter more than anything; at least it’s clear that I don’t agree with deliberately adding personally identifiable information to an update check.
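A server-side sketch of the golden rule, added here as an illustration and not code from the author or from WordPress: the handler reads only a strictly formatted version number, so neither a blog URL nor a free-form replacement string can ride along, and the log record it produces has no IP address or headers. The `version` query parameter, `handle_update_check`, `LATEST` and the sample request are all assumptions constructed for this example.

```python
import re
from datetime import date
from urllib.parse import parse_qs

# Assumed wire format for this sketch: GET /update?version=MAJOR.MINOR[.PATCH]
VERSION_RE = re.compile(r"[0-9]{1,3}(\.[0-9]{1,3}){1,2}")
LATEST = (2, 3, 1)  # constructed value, not a real release number


def parse_version(text):
    """Accept only short dotted-numeric versions. Free-form strings are
    rejected so the field cannot carry a URL or other identifying token."""
    if not VERSION_RE.fullmatch(text):
        raise ValueError("malformed version")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def handle_update_check(query_string, headers, remote_addr, today=None):
    """Return (response, log_record). headers and remote_addr are accepted
    because the transport supplies them, but they are deliberately never read."""
    values = parse_qs(query_string).get("version", [])
    if len(values) != 1:
        return {"status": 400}, None
    try:
        installed = parse_version(values[0])
    except ValueError:
        return {"status": 400}, None
    response = {
        "status": 200,
        "update_available": installed < LATEST,
        "latest": ".".join(map(str, LATEST)),
    }
    # Log only what release planning needs: the version and a coarse date.
    log_record = {
        "day": (today or date.today()).isoformat(),
        "version": ".".join(map(str, installed)),
    }
    return response, log_record


if __name__ == "__main__":
    # Constructed request from a client that over-shares.
    print(handle_update_check(
        "version=2.3&blog_url=http%3A%2F%2Fblog.example.test",
        {"User-Agent": "ExampleClient/2.3; http://blog.example.test"},
        "203.0.113.7", date(2020, 1, 1)))
```

The web server or proxy in front of such a handler keeps its own access log, so the no-IP policy has to be applied there as well.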