It has been about 12 days since the first of a couple of posts (here and here) outlining the privacy issues in how AddThis (a subsidiary of Clearspring) is implemented on government sites like usa.gov.
It is an important topic. As the government embraces social tools, companies like AddThis must commit to the highest levels of transparency and care when it comes to the collection of information about citizens using government sites.
Unfortunately, there has been no progress. In tests this morning, AddThis is writing not only Flash cookies, but also regular browser cookies on machines of visitors to usa.gov who click on the AddThis tool. This is despite the language of their contract with the GSA, which says,
“AddThis agrees not to serve any cookies on domains that end with .gov or .mil.”
I did hear from the AddThis team last week, first saying they couldn’t reproduce the issue. Then they acknowledged the issue but made the point that serving cookies from the AddThis or Clearspring domain is permitted, and that the contract prohibits them only from serving cookies from the usa.gov domain and not their own. This of course is technical nonsense (only the government can serve cookies from their domain) and clearly not what was intended in the contract. AddThis also said that fixing this problem is a priority, and they would work to push a fix early this week.
Nothing so far.
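The point above about who can serve cookies from a domain follows from the browser's cookie domain-matching rule (RFC 6265). The JavaScript below is an added example, not part of the original post and not AddThis code: it applies that rule to responses seen during a page load and labels each cookie. The host `widget.example`, the cookie values, and the function names are constructed for illustration.

```javascript
// Added example. Hosts and Set-Cookie values are constructed sample data.
// Real browsers also reject Domain values that are public suffixes (e.g. "gov");
// that extra check is omitted here.

// RFC 6265 5.1.3: host matches domain if identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// RFC 6265 5.3: decide where a cookie is stored, or null if the browser drops it.
function storedCookieDomain(responseHost, setCookie) {
  const m = /;\s*domain=\.?([^;\s]+)/i.exec(setCookie);
  if (!m) return responseHost.toLowerCase();        // host-only cookie
  const domain = m[1].toLowerCase();
  // A response host may only name itself or one of its parent domains.
  return domainMatch(responseHost, domain) ? domain : null;
}

// Label every Set-Cookie observed while loading a page on pageHost.
function auditPageLoad(pageHost, responses) {
  return responses.map(({ host, setCookie }) => {
    const stored = storedCookieDomain(host, setCookie);
    let verdict = 'third-party';                     // stored, but not for the page's host
    if (stored === null) verdict = 'rejected';       // browser ignores the header
    else if (domainMatch(pageHost, stored)) verdict = 'first-party';
    return { host, stored, verdict };
  });
}

// Constructed capture: one government response, two from a widget host.
const SAMPLE = [
  { host: 'www.usa.gov',    setCookie: 'sid=1; Path=/' },
  { host: 'widget.example', setCookie: 'uid=abc; Domain=usa.gov; Path=/' },
  { host: 'widget.example', setCookie: 'uid=abc; Domain=.widget.example; Max-Age=31536000' },
];

for (const row of auditPageLoad('www.usa.gov', SAMPLE)) {
  console.log(`${row.host} -> ${row.stored ?? '(dropped)'} [${row.verdict}]`);
}
```

The second sample row is the case the contract reading relies on: a widget host cannot set a cookie for usa.gov at all, so any tracking cookie it sets lands under its own domain, as in the third row.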
Having successfully interacted in private with over a dozen ad networks on how to improve their privacy and opt-out practices, I don’t come to these topics with skepticism. I have no doubt that the cookie issue was inadvertent. The problem is that the inaction and dissembling from AddThis come in the context of one of the most poorly executed privacy and opt-out processes I’ve seen.
On that score, I’m still waiting for any comment on the other questions posed about the AddThis implementation:
- Their disclosures are inadequate as to if and how information is shared with third parties.
- Their opt-out process is weak.
- They use Flash cookies and do not clearly explain how this relates to their tracking opt-out.