AddThis: Still breaking the bargain

hI wrote last week about how AddThis has ignored significant privacy questions as it starts to harvest data for behavioral targeting. AddThis sharing widgets, installed on 1.5 million websites, now collect behavioral profiles for auction to third-party ad delivery companies.

I’m not objecting to the notion of collecting and using data through a widget. My objection is that, by failing to tell consumers and publishers about what’s going on, they are breaking the implicit bargain in the consumer data ecosystem. The “bargain” says that consumers get free content and services (like nifty sharing widgets) in exchange for their anonymous data, but data collection comes with robust notice of how data are collected and used, and a meaningful chance to opt-out.

What’s amazing is that, even after losing AOL as a partner over this issue, ClearSpring and AddThis are still breaking the bargain by hiding the ball from consumers and publishers. Here’s what I mean:

• There’s still no prominent mention of profiling in the AddThis signup process, except one buried deep in the terms of service.
• You also won’t find any announcement in the AddThis Blog, even though they could easily have cut and pasted from the extensive blog post about the program on the Clearspring blog (their separately branded portal for advertisers and ad partners). Apparently, the behavioral profiling of 1 billion users isn’t as blog-worthy as supporting the re-tweet button or Will and Charlie’s trip to the Internet Identity Workshop.
• You won’t find any announcement in the AddThis Developer Forums, although one curious developer happened to discover it on  July 21 (pre-announcement, hmmm), and was provided some special code to disable cookies. If you want his code and didn’t catch that particular forum entry, good luck finding it in the help documentation (I couldn’t). You have to email them to get it.
• You won’t even find a mention of behavioral profiles in the AddThis FAQ. There is a question, “What data does AddThis collect and why?” and the answer consists of a link to the AddThis privacy policy. Paragraph 17 of the privacy policy does discuss profile sharing. I guess it was too much trouble to provide a summary of the changes on the top of the page, or anything at all on the AddThis homepage (like “New!” next to the privacy policy link).

In this light, it’s hard to take Clearspring’s CEO seriously when he says to the Wall Street Journal that “This is very much a participatory system” for publishers.

Are they terrified that if they actually provide good disclosure, more publishers like AOL will freak out, either over privacy or uncompensated leakage of valuable profile data? Personally, I doubt that, but it’s all in how you handle it. One thing’s for sure: hiding the ball isn’t working.

Two more interesting questions to think about:

What about back-end processes? Front-end disclosure is important, but the rubber meets the road on the back-end where consumer profiles are used and shared in ways invisible to users. For AddThis, there’s a critical back-end privacy function of keeping email addresses (which are used extensively in the service) separate from behavioral profiles. If AddThis won’t invest in simple front-end disclosures, why should anyone feel assured that they are investing in robust back-end privacy processes?

Where will the NAI come out? I’ve been told that Clearspring is in the process of applying for NAI membership. Can the NAI admit Clearspring with a deeply flawed privacy framework, particularly since publisher-to-consumer disclosure is a principle that the NAI vowed to enforce more strongly in 2010? Is it consistent with NAI policies for NAI members to purchase and use Clearspring’s tainted data, as Media6Degrees apparently may already doing?

Note 8/21: AddThis appears to be responding, and has a blog post on AddThis now about the new program. Still watching for integration of prominent notice and easy opt-out for publishers and consumers, to see if they really mean it.

AddThis transitions to behavioral advertising, ignoring key privacy questions

Last week AddThis announced that data collected through their sharing widget, installed on 1.5 million websites, will now be used for behavioral advertising. According to the announcement, anonymous profile information for over 200 million users, including the pages they have visited on AddThis publisher sites, is now available to other ad delivery companies in real time bidding.

The new AddThis program is similar to Google’s transition of AdSense into an ad exchange platform (see prior posts). In both cases, tags placed on publisher sites for one purpose are now being used for different and more extensive purposes. And in both cases the companies should clarify answers to some important privacy questions.

Publisher Notice

Shouldn’t publishers be made aware of the change in how their users’ data will be handled, and provided with an opportunity to opt-out? Is it fair to assume that all sites with the widget already installed — including hospitals, schools, church groups, and government agencies with no other advertising — would choose the AddThis widget if they were aware that their user behavioral data will be sold?

For publishers signing up today, there’s no reference to behavioral data collection in the signup process for the AddThis widget. Is this deceptive?

Consumer Notice

Will the AddThis widget include a notice to consumers that tracking information is being collected on each page that serves the widget, regardless of whether the consumer interacts with it? (This kind of notice is required under the IAB’s guidelines and could be provided with something akin to the power “i”.)

Will AddThis also ensure that when the data are used to display an ad, the consumer will be notified that AddThis was the source and provide an opt-out?

Are AddThis publishers required to amend their own consumer privacy policies to provide notice of AddThis data collection, as is standard practice for compliant ad networks?

Will consumers be able to see what’s in their own AddThis profile, as they can on Google, Yahoo! and leading ad networks?

NAI Compliance

Neither AddThis nor its parent Clearspring is listed as a member of the Network Advertising Initiative, the industry organization charged with defining privacy standards and providing oversight for behavioral advertising.

The AddThis announcement says that the company “complies with the Network Advertising Initiative standards.” What does this mean, given that AddThis is not subject to NAI compliance reviews; they do not appear to follow the NAI’s requirement that publishers pass through disclosure in their privacy policies; and they lack NAI-required privacy disclosure as to data retention?

Why wasn’t NAI membership considered a prerequisite to launching the new program?

Conclusion

Hopefully AddThis will move quickly to remedy the privacy shortcomings in their new program. How they approach this will tell us not only about their own commitment to privacy and self-regulation, but also the commitment of any partners and advertising customers who continue to participate.

Which companies collect user information on government websites?

Yesterday and today many smart people have been gathered for the Gov2.0 conference to discuss bringing our government into the 21st century, Web-wise. One important topic is the integration of public and private Web services, particularly how government sites can leverage privately-provided social networking, site analytics and communications tools.

The privacychoice system provides a glimpse into how this integration is progressing. By sampling pages on top websites, the privacychoice system maps which tracking networks we find on those sites in order to create a Network Privacy Profile. This Profile gathers in one place the summaries and excerpts for the relevant third-party privacy policies. This provides a composite of the privacy practices citizens sign up to now when using government sites. Click through from this list to see the individual profiles for top-traffic government sites we have scanned.

Of the top several dozen dot-gov sites in our system, here’s the breakdown of how many of them have integrated third-party-served content or services:

50%     AddThis/Clearspring
34%    Google Analytics
26%    CrazyEgg
24%    WebTrends
5%       YouTube

(No other companies were found on more than a one or two government sites and were less than 5%.)

From a privacy point of view, it’s concerning to see AddThis with such a high share, given their relatively weak approach to privacy issues. Also, although it’s no surprise to see Google Analytics making inroads (it’s a great, free service), this comes despite ambiguities in Google’s formal policies as to how user data is handled (more on that in a future post). CrazyEgg and Webtrends present the least concern, since their policies expressly disavow sharing information other than with the site where collected (thus no cross-site profiles are created).

AddThis update: 12 days, zero progress

It has been about 12 days since the first of a couple of posts (here and here) outlining the privacy issues in how AddThis (a subsidiary of Clearspring) is implemented on government sites like usa.gov.

It is an important topic. As the government embraces social tools, companies like AddThis must commit to the highest levels of transparency and care when it comes to the collection of information about citizens using government sites.

Unfortunately, there has been no progress.  In tests this morning, AddThis is writing not only Flash cookies, but also regular browser cookies on machines of visitors to usa.gov who click on the AddThis tool. This is despite the language of their contract with the GSA, which says,

“AddThis agrees not to serve any cookies
on domains that end with .gov or .mil.”

I did hear from the AddThis team last week, first saying they couldn’t reproduce the issue. Then they acknowledged the issue but made the point that serving cookies from the AddThis or ClearSpring domain is permitted; and that the contract only prohibits them only from serving cookies from the usa.gov domain and not their own. This of course is technical nonsense (only the government can serve cookies from their domain) and clearly not what was intended in the contract. AddThis also said that fixing this problem is a priority, and they would work to push a fix early this week.

Nothing so far.

Having successfully interacted in private with over a dozen ad networks on how to improve their privacy and opt-out practices, I don’t come to these topics with skepticism. I have no doubt that the cookie issue was inadvertent. The problem is that the inaction and dissembling from AddThis comes in the context of one of the most poorly executed privacy and opt-out processes I’ve seen.

On that score, I’m still waiting for any comment on the other questions posed about the AddThis implementation:

1. Their disclosures are inadequate as to if and how information is shared with third parties.
2. Their opt-out process is weak.
3. They use Flash cookies and do not clearly explain how this relates to their tracking opt-out.

More on AddThis — looking at the GSA contract

A quick follow up on last week’s post outlining questions about the privacy practices of AddThis when installed on government websites. As a result of a FOIA request by the Electronic Privacy Information Center, the General Services Administration has now released its contract with AddThis. As EPIC points out, this contract is one of the few disclosed contracts to provide that persistent cookies will not be used on .gov sites.

Here’s the problem: As you can see from the screen grab, as of the time of this post, AddThis is indeed writing cookies — Flash cookies no less — on usa.gov, doing so upon interaction with the AddThis widget. (Note: Clearspring is the parent company of AddThis and the formal party to the GSA contract.)

Hopefully AddThis will move quickly to resolve this issue and also to shore up their relatively weak privacy disclosures and opt-out processes.

Citizen privacy: three questions for AddThis

While reviewing a new opt-out process that Add This implemented a few weeks back, I came across an interesting statement:  “The White House, FBI, and Navy trust and use AddThis.” Not a surprise, since the AddThis service is useful and user friendly, and the Obama administration has made it a priority to bring government sites into Web 2.0.

At the same time, the issue of data collection by the government on official websites has been in the news lately, and even the subject of a recent NY Times editorial. Obviously when the government is collecting data, it raises special concerns. But what are the rules when, in the course of providing a useful service for a government site, advertising companies are enabled to collect user information from citizens?

After taking a look at the network privacy profile for usa.gov and other top government sites (stay tuned for more on that effort), I confirmed that AddThis is indeed coded into quite a few government sites. But on none of the government sites I reviewed was there any direct reference to the AddThis data collection practices, privacy policy or opt-out process. Also I found no reference to any special policies applicable to operation of the AddThis service on government websites versus other commercial sites.

This proposition shouldn’t be controversial: When private companies collect data on government sites, they should comply with best industry privacy practices for disclosure and choice.

With that in mind, here are three questions that should be addressed by AddThis and any other companies seeking to collect user information on government websites.

1. Is information about citizen activities shared with third parties?

The answer to this should obviously be “no,” particularly insofar as AddThis is installed on government sites that may touch sensitive areas like health (hhs.gov or fda.gov). But that answer is not clearly confirmed by a reading of the AddThis privacy policy:

We may share the following information with third parties, including, but not limited to, vendors that support the operation of our website and Services, and entities involved in the delivery of advertisements: Log Data collected on both our websites and Services, as well as aggregated anonymous information resulting from the analysis of such Log Data for a variety of purposes, including, but not limited to, usage patterns, behavioral patterns, traffic and demographic analysis, and enabling web publishers to deliver to advertisers audience segments that are appropriate for their products or services. (Emphasis added.)

It is clear enough that directly identifiable information like name and email address may not be shared. But the implication remains that Log Data (which includes pages accessed, IP address and “other statistics”), at at individual level, may be shared with other companies  for the purpose of ad targeting. For example, could they share with a health-related advertisers the fact a computer at my IP address researched a particular malady on fda.gov and emailed a family member? I don’t expect that there is any conscious effort to do this, but the policy statement should clearly address and resolve the point.

2. Is your opt-out process the best it can be?

Like nearly 100 other companies who collect user information across sites, AddThis provides an opt-out process using browser cookies. But their implementation falls short of best practices in important ways. (For more detail on best practices, see a full list.) Here are the issues:

• Since consumers may come looking for the opt-out, why not include a reference to the opt-out feature on your top page, like other companies?  Why bury the link in the middle of your privacy policy?

• Why require users to take the separate step of checking a box? (Out of all of the opt-out processes we track, only a handful require such a step.)

• Why write an unique opt-out cookie, when it destroys any semblance of anonymity for the user? (The vast majority of companies with opt-out cookies write non-unique cookies, to eliminate any possibility that the opt-out cookie itself can be used for tracking a unique user.)

• Is the effect of opting out adequately explained in your policy? Here’s how the privacy policy reads:

Cookie opt-out option

If you prefer not to receive interest based content and advertisements enabled by AddThis data, you can always opt-out by clicking on our “Opt-Out” link click here. Note that if Flash is not installed in your browser, this marketing preference is not applicable.

After you opt-out, you will not receive interest based content and targeted advertisements enabled by AddThis data. Please note that opting-out does not turn off other advertisements. Also, if you change your computer, change your internet browser (e.g. from Internet Explorer to Firefox), or delete all your cookies, you will need to renew your preferences.

The foregoing opt-out does not cover the collection of Log Data (though no ads are sent to you in connection with such services).

• If I opt-out, does that mean that my activities across different AddThis-enabled sites (including government sites) are not logged and associated as those of a single (anonymous) user? Or are they still logged and filed, but just not used for advertising purposes?

• What is meant by the reference to Flash in the first paragraph? Why would the normal cookie opt-out only apply if Flash is present? Was this sentence intended to be included in the section about Flash cookies (see below)?

3. Why do you use Flash cookies and how does it relate to the opt-out process?

The AddThis privacy policy acknowledges the use of of Flash cookies:

In addition, we use Flash cookies in connection with our Services. Similar to browser cookies, Flash cookies are used to remember settings, preferences and usage, but are managed through a different interface than the one provided by your web browser. If you want to delete Flash cookies, please access your Flash Player settings management tool available on Adobe’s web site. However, if you do not accept cookies (whether browser or Flash cookies), you may not be able to use all portions of our website or all functionality of the Services.

As noted in an earlier post , Flash cookies (“local shared objects” set and managed by the Flash player) are particularly troublesome because browsers provide no native means for users to delete or control them. Many consumers believe they have cleared cookies with browser controls when, in fact, Flash cookies persist.

A quick check confirmed that Flash cookies are being written by AddThis on usa.gov once you first interact with the AddThis widget. This prompts me to ask:

• Are Flash cookies really necessary to your delivery of the service in ways that regular browser cookies cannot fulfill?

• Why don’t you at least provide a link to the Adobe page where users can delete and manage Flash cookies?

• When I opt-out via normal browser cookies, do you delete all information associated with the Flash cookie?

* * *

The public/private cooperation pioneered by companies like AddThis is, in my opinion, a very good thing for both government and the Web. But this opportunity entails responsibility to provide effective privacy disclosure and choices for citizen users. For companies like AddThis, this means bringing their disclosures and processes into line with industry best practices (or better). For government agencies, this means a closer review not only of how they directly gather and handle citizen data, but also how their private-company partners do so.