Requesting Private Information of WordPress.com Users
Our users place their trust in us to keep them safe, and, in some cases, anonymous. We view safeguarding that trust and protecting our users’ private information as vital to what we do.
Automattic receives requests for information about WordPress.com users, sites, and accounts from government agencies, law enforcement, private parties, and individuals or corporations involved in civil lawsuits. Before revealing any non-public information about a site, an account, or a user, we require a valid subpoena, search warrant, or court order. The only exception is when we have a good faith belief that there is an emergency involving imminent danger of death or serious physical injury. We require any subpoena, search warrant, or court order to be issued by a US authority in compliance with the United States Federal Rules of Criminal Procedure, the Federal Rules of Civil Procedure, and/or California state law. Throughout these Legal Guidelines, wherever we talk about a subpoena, search warrant, or court order, this is what we are referring to.
More information about our procedures is below.
WordPress.com vs. WordPress.org
Before making a request for information to WordPress.com, check to see if the site you are inquiring about uses WordPress.com (which is supported by us) or WordPress.org (which is not). The WordPress.org software, which is not hosted by us, can be downloaded and installed on any web host. If you’re inquiring about a site that says it has been “built using WordPress” or mentions that it is “Powered by WordPress,” please note that this means the site is using the WordPress.org software, and you should contact the host of that particular site. There are various free resources online for determining the host of a site.
You can learn more about the difference between WordPress.com and WordPress.org here.
What Information Do We Have?
WordPress.com has certain information relating to users, sites, and commenters. WordPress.com accounts contain various information that is provided at a user’s discretion and is unverified. The following is a summary of the information that we may collect and store.
- Basic account information, such as:
- Email address
- Phone number
- Transaction and/or billing information (if upgrades have been purchased).
We will generally retain transaction and/or billing information until changed or removed by the user (if it’s possible to do so). We also collect log data, which may include a user’s IP address, browser type, and operating system. We keep this information for up to 30 days as a matter of course, absent a valid preservation request. You can read more about how we handle preservation requests under “Preservation Requests for WordPress.com Sites” below.
- Site creation, posting, and revision history information, such as:
- The date and time (UTC) at which a site was created
- The IP address from which a site was created
- IP address and user agent for a post or revision
We may retain the above information, even if a site or post is deleted. Deleted posts remain in a user’s trash folder for 30 days, after which point our servers may retain a backup for an additional 60 days.
- Information on commenters on WordPress.com sites.
We retain commenter information unless the owner of the site on which the comment appears deletes the comment.
- Contact information associated with a domain registration (if a user has registered a custom domain).
If a user has registered a custom domain on WordPress.com (e.g., yourgroovydomain.com rather than yourgroovysite.wordpress.com), we may have the contact information the user provided for the domain registration.
Requests from Government Agencies/Law Enforcement
We do not voluntarily provide governments with access to data about users for any reason, including for the purposes of law enforcement, intelligence gathering, or other surveillance. As noted above, we only provide information to third parties after receiving a valid subpoena, search warrant, or court order, in each case issued by a US authority in compliance with the United States Federal Rules of Criminal Procedure, the Federal Rules of Civil Procedure, and/or California state law. The only exception is for emergency requests by law enforcement where we have a good faith belief that the information is necessary to prevent imminent danger of death or serious physical injury.
In response to a valid subpoena issued by a US authority, we can provide the following information, when it is available:
- First and last names
- Phone number
- Email address currently assigned to a site owner
- Date/time stamped IP address from which a site was created
- Physical address provided by the user
- PayPal transaction information
We require a specific court order or search warrant before providing additional IP address data or information relating to a specific post or a specific comment.
Emergency Requests from Government Agencies/Law Enforcement
As permitted by US law, we may disclose user information to government or law enforcement agencies – without a subpoena, search warrant, or court order – if we have a good faith belief that an emergency involving imminent danger of death or serious physical injury requires disclosure of information related to the emergency without delay. If you are an officer of a government or law enforcement agency and have an emergency request, please submit your request by following these steps.
Requests in Civil Cases
In a civil matter, it is our policy to turn over private user information only upon receipt of either (1) a valid order from a court in the US; or (2) a subpoena served from a court in the US as part of an existing lawsuit, which complies with Rule 45 of the Federal Rules of Civil Procedure and/or the California Discovery Act. Litigants should ensure that any such requests comply with the US SPEECH Act, 28 U.S.C. 4101 et seq. We will not provide any user content information in response to civil orders or subpoenas under the Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq. and § 2701 et seq.).
Requests must identify the specific information sought. Any request for specific post or comment information must include the specific URL of each post or comment.
Please note that we charge an administrative fee of USD $125/hour for compliance with validly issued and served civil subpoenas and court orders. We will bill for and collect this fee prior to furnishing information in response.
Notification to WordPress.com Users and Transparency
We aim for total transparency with our users when legal requests for information or complaints affect their sites, accounts, or information. It is our policy to notify users and provide them with a copy of any legal requests regarding their account or site, unless we are prohibited from doing so by a court order issued in the US. When the prohibition from notifying users expires, we will notify users and provide them with a copy of the legal process at that time.
If a request for information is validly issued, as described above in these Legal Guidelines, we will preserve the necessary information before informing the user of the request. In most cases, upon notification to the user of the request for information, that user will be provided with either 7 days or the amount of time before the information is due, whichever is later, during which time the user may attempt to quash or legally challenge the request. If, prior to the deadline, we receive notice from the user that he or she intends to challenge a request for information, we will not deliver any information until that process concludes. We also review the information requests received and may lodge our own challenge to the scope or validity of legal process received, on behalf of a user, whether or not the user pursues his/her own legal challenge.
Preservation Requests for WordPress.com Sites by Government and Law Enforcement Agencies
It is our policy to notify users and provide them with a copy of any legal requests regarding their account or site, unless we are prohibited from doing so by a valid court order issued in the US, as described in the sections below. Our policy of notifying users about requests to preserve their information is meant to protect user privacy and promote transparency, while also avoiding interference with legitimate investigations of criminal activity.
Preservation requests may only be submitted by government and law enforcement agencies conducting a criminal investigation in which the information sought is relevant. We will preserve records for 90 days in response to a valid request, which the government or law enforcement agency can extend upon request.
Preservation Requests from US Governmental and Law Enforcement Agencies
When a government or law enforcement agency from within the US asks that a request to preserve data remain confidential from the affected user, we keep it confidential for 45 days, with the expectation that the agency will be serving a valid US subpoena or search warrant that includes the required certification (18 U.S.C. § 2705(b)) or court-issued nondisclosure order. If a nondisclosure order is provided along with a subpoena or search warrant, we will continue to keep the preservation request(s) confidential under the same conditions as the nondisclosure order for the subsequent subpoena/search warrant. If, after 45 days, law enforcement has not served a subpoena or search warrant with the required 18 U.S.C. § 2705(b)) court-issued nondisclosure order, and has not withdrawn the request for continued preservation, we will then inform the user of the preservation request. In light of the October 19, 2017, Department of Justice guidance on nondisclosure orders, we ask that the agency include a specific end date for the nondisclosure period in any proposed order to the court, and that any period or extensions of time last no longer than a combined total of one year.
Preservation Requests from Non-US Law Enforcement Agencies
Law enforcement agencies from outside the US may request that we preserve information while the agency obtains a valid subpoena, search warrant, or court order from a court in the US, through the Mutual Legal Assistance Treaty (MLAT) process. The MLAT is a mechanism by which a foreign law enforcement agency can obtain a US court order for information pursuant to a criminal investigation, as outlined in 28 U.S.C. § 1782 and 18 U.S.C. § 3512. While we may preserve information in response to requests from non-US law enforcement agencies pending the MLAT process, we will not turn over any actual user or account information until we receive a United States subpoena, search warrant, or court order. If, after 90 days from the date of requesting preservation, the non-US law enforcement agency has not provided documentation to us confirming that it has initiated the MLAT process, we will stop preserving the data.
If the non-US law enforcement agency requests that we keep the preservation request confidential from the affected user, we may do so at our discretion.We will only consider such requests if the agency’s request meets our criteria for authenticity, necessity, and timeliness, and only for the period of time necessary for the agency to obtain a court-issued nondisclosure order through the MLAT process described above.
If a legal request is formally withdrawn before we provide user information in response to a valid subpoena, search warrant, or court order, we will not notify the user if requested to keep the withdrawn legal process confidential.
Wrongdoing Against Automattic
If we receive information indicating that someone is using WordPress.com or any of our services to engage in crime against Automattic or its subsidiaries, where we are the victim, we will not inspect a user’s non-public content ourselves. Instead, we may report the matter to the appropriate authorities.
Serving Process on WordPress.com and Making Inquiries
Any request for user information must include a valid email address for us to return the information or contact with questions. We are unable to process overly broad or vague requests for information. To request information for a site hosted on WordPress.com, the request must specifically include identifying information such as the relevant URL, IP address, email address, or username at issue. To obtain information for a specific post or comment, the URL of that post or comment must be included in the request.
WordPress.com communicates only via email.
Where permitted, we accept service via email to firstname.lastname@example.org.
Legal process can also be served by mail to:
60 29th Street #343
San Francisco, CA 94110
If you need to serve us personally, you can do so at:
C T Corporation System
818 West Seventh Street – Suite 930
Los Angeles, California 90017
General inquiries regarding our policies can be sent via email to email@example.com.
Requests for Takedown of Content
WordPress.com strongly believes in freedom of speech. We have a vast audience spread across many cultures, countries, and backgrounds with varying values, and our service is designed to let users freely express themselves. When we receive a request to takedown content, we review those complaints very carefully.
Reporting Terms of Service Violations
If you believe that a site is violating our Terms of Service, please refer to the information on this page to submit a report, and we will take action as appropriate. Regardless of whether or not we take action, we may forward a copy of the complaint to the site owner.
We do not remove content based on disputes over the content on a site or in a comment, unless the information sought to be removed is subject to an order issued by a court in the United States. We are not in a position to determine if something posted on a WordPress.com site is defamatory or not. If we receive such a complaint, we defer to the judgment of a court in the United States.
If your inquiry or request brings to our attention a violation of our policies or Terms of Service, we will address it per our usual procedure. This may or may not include contacting the user, removing content, or suspending the site entirely.
Who Is Liable for Content Hosted on WordPress.com?
WordPress.com, as a United States-based internet service provider, is protected by the safe harbor provisions of §230(c) of the United States Communications Decency Act, which states that internet service providers cannot be held liable for the contents (including allegedly harassing, defamatory, inaccurate, or offensive content) posted to our service by our users.
WordPress.com does not and will not exercise editorial oversight over the sites hosted on our service. Nor are we considered the author, editor, or publisher of that content in any way.
Requests for Takedown of Copyrighted Content
WordPress.com complies with properly formatted notices sent in accordance with the Digital Millennium Copyright Act. More information about our process and a DMCA takedown notice submission form can be found here.
Enforcing Protection Orders Against WordPress.com Users
WordPress.com is not responsible for enforcing protection orders that apply to users on our service. If you have an active protection order that may apply to a WordPress.com user, or if you represent a client who does, please contact the appropriate court or law enforcement agency for assistance.
User Information Management
Users who wish to stop using WordPress.com can empty their site by following these steps or contacting us. Users can remove profile information they provided by visiting the following URLs:
- https://mysite.wordpress.com/wp-admin/users.php?page=grofiles-editor (replacing “mysite.wordpress.com” with your site’s URL)
More information is available in our Help Center.
Users who are concerned about maintaining their anonymity when using our services may want to consider logging in and interacting with WordPress.com through a VPN. More information is available here.
A Note on Back Doors and Encryption
We furnish user information to third parties via the processes described in these Legal Guidelines. We do not provide access to user data through “back doors” in our systems. Similarly, we support and promote encryption of user data. We encrypt all traffic (serve over SSL) for all WordPress.com sites, by default.
Some governments have recently sought to weaken encryption in the name of law enforcement. We disagree with these suggestions and do not believe that it is feasible to include any deliberate security weaknesses or other back doors in encryption technologies, even if “only” for the benefit of law enforcement. As a wise man said, “there is no such thing as a vulnerability in technology that can only be used by nice people doing the right thing in accord with the rule of law.” We agree wholeheartedly.