By default gravatar is on, however, I don't think this is a good practice. Deploying a tool inside a data center for managing servers you don't necessarily expect it to be making calls an external web service, and leaking potentially confidential information to the outside world (email hashes, referrers, etc).

There's plenty of debates about the pros and cons of gravatar, including its privacy implications, for example here: http://meta.stackexchange.com/questions/44717/is-gravatar-a-privacy-risk

I tend to agree with the first post against gravatar, which is why I think it should be an opt-in feature not an opt-out feature.