Respecting User Privacy in WordPress

5762345557_159d47408e_bAutomattic  has a poor record of respecting its users’ privacy, insofar as the company has gradually added additional surveillance mechanisms into their products without effectively notifying users. Several months ago when I updated the WordPress Stats plugin I discovered that Automattic had, without warning, integrated Quantcast tracking into their Stats plugin. Specifically, there was no notice in the update, no clear statement that data would be sent to Quantcast, nor any justification for the additional tracking other than in a web forum where their CEO stated it would let Automattic “provide some cool features around uniques and people counting.” This constituted a reprehensible decision, but one that can fortunately be mediated with a great third-party plugin.

In this post, I’m going to do a few things. First, I’m going to recount why Automattic is not respecting user privacy by including Quantcast in its Stats plugin. This will include a discussion about why reasonable users are unlikely to realize that third-party tracking is appended to the Stats plugin. I’ll conclude by discussing how you can protect your web visitors’ own privacy and security by installing a terrific plugin developed by Frank Goossens.

WordPress and Quantcast

In early 2011, after a major redesign of my website, I activated the Ghostery plugin in my web browser and navigated to my site. The tool “tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.” Visually, the plugin causes a small notification box to appear in the upper right hand corner of websites that you browse to. Contained in this box are a list of the parties that are monitoring your movements across that particular website. When navigating to my own site I had expected to see WordPress Stats and perhaps some social sharing services listed. I did not expect to see Quantcast.

Quantcast’s cookies are used to monitor individuals who visit websites, and the company uses the information they collect to provide “audience composition reports.” Such reports are meant to help target online advertising and content development, but is predicated on the notion that the website owner is responsible for integrating the tracking system for the same owner’s benefit. Prior iterations of WordPress Stats did not include Quantcast tracking, and there was no notification or warning that updating the Stats plugin meant you were also forced to accept third-party tracking. Since the initial inclusion of Quantcast, the plugin’s description in the WordPress repository has been amended to include a small notice that reads “[a]s we are considering adding great new features, this plugin also puts a Quantcast tracking script on your page.”

While Automattic’s disclaimer may count as ‘notice’, it does not clarify what the additional tracking is actually meant for. Descriptions and notices around privacy policies and statements must be clear to be meaningful, and Automattic has had over a year to ascertain what “great new features” warrant transmitting website visitors’ information to Quantcast. To date, as far as I can tell, the company has not disclosed to its user base what precisely warrants sending information to Quantcast.

While there is a warning about Quantcast if you download the plugin from the repository, the support document for WordPress Stats that was updated December 21, 2011 – over a year after public complaints over Automattic’s failure to notify plugin users about the inclusion of Quantcast – still lacks any mention that a condition of using Stats is sending your site visitors’ information to a third-party. Perhaps most significantly, Automattic has recently introduced its Jetpack service. Jetpack is a bridge between self-hosted WordPress installs and Automattic’s cloud offerings, offerings that include WordPress Stats. To use WordPress Stats today you must use Jetpack. Unfortunately, Automattic has failed to notify Jetpack users of the third-party tracking accompanying the Stats plugin, as demonstrated in the lack of information about Quantcast in the following screenshot.

No mention of Quantcast tracking

It is utterly unreasonable to expect that users of the Stats plugin will hunt for a single sentence of text that discloses the inclusion of third-party surveillance with the Stats plugin. Moreover, if an enterprising user clicks on Automattic’s privacy policy linked at the bottom of the Jetpack screen they are unlikely to divine that Quantcast is associated with Automattic or the Stats plugin.

Automattic’s Privacy Policy #Fail

Let’s briefly look into Automattic’s privacy policy to determine whether a reasonable individual could ascertain Quantcast’s involvement with self-hosted versions of the Stats plugin. First, we see that Automattic

discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on Automattic’s behalf or to provide services available at Automattic’s websites, and (ii) that have agreed not to disclose it to others.

Why, exactly, is Quantcast receiving any of my visitors’ personal information? We might assume that this happens so information can be processed “on Automattic’s behalf or to provide services available at Automattic’s websites.” Unfortunately, Automattic has not publicly clarified why they need this information processed. Instead, we are left with vague statements of providing “great new features.” From the privacy policy, we see that potentially personally-identifying and definitively personally-identifying information is also disclosed “in response to a subpoena, court order or other governmental request, or when Automattic believes in good faith that disclosure is reasonably necessary to protect the property or rights of Automattic, third parties or the public at large.” No subpoena, court order, or other government request is presumably requiring the link between WordPress Stats and Quantcast, nor do the tracking systems clearly “protect the property or rights of Automattic, third parties or the public at large.”

In the ‘Cookies’ section of the privacy policy, we find that “Automattic uses cookies to help Automattic identify and track visitors, their usage of Automattic website, and their website access preferences.” A reasonable person might believe that self-hosted installations of WordPress were not considered part of the Automattic website itself. Such a person might be quite wrong, however, based on Matt Mullenweg’s (Automattic’s CEO) comment about Automattic’s network, where he stated that “the bump you see in November is when we started tracking Polldaddy, ID, Gravatar, and WordPress.com Stats users in addition to WordPress.com visitors.” His comment suggests that Automattic considers self-hosted blogs as being part of the company’s network, though I doubt that this view is shared amongst self-hosted users. I should add that I have never received notice from Automattic informing me that this site is part of their network. No reasonable person is likely to come to this conclusion unless they’ve been watching the Automattic/Quantcast issue like a hawk.

Arguably the only section of the privacy policy that is suggestive of third-party tracking taking place is in the ‘Ads’ section. It reads:

Ads appearing on any of our websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.

From reading this, it initially seems to be addressing advertisements that appear on Automattic’s own web properties. It is utterly unclear that the ads that are shown online are going to be tied to Quantcast cookies linked to the Stats plugin.

Overall, the Automattic privacy policy is absolutely insufficient in notifying users of third-party surveillance. Those who install the stats program – website owners and developers – cannot be reasonably expected to know of Quantcast’s inclusion. This is important because if those same users have privacy policies on their websites – perhaps assuring visitors that only WordPress Stats is used to collect information and no other tracking party or system is used – then those users may be violating local laws by establishing a false contractual privacy agreement between themselves and their website visitors.

WP DoNotTrack to the Rescue

Frank Goossens has stepped up to fix the problems that Automattic is responsible for. Last December he released his donottrack plugin in response to Automattic’s unwillingness to either remove or make optional Quantcast tracking. Months after he released his plugin Automatic modified their Quantcast code, mandating a new release of his plugin. In response Frank has released an updated version of his plugin, now titled WP DoNotTrack, and made it available in the WordPress.org repository.

Frank outlines several reasons for installing the plugin:

  • make your WordPress blog/ site honour visitors who request not to be tracked, even if the 3rd parties you include do not (conditional privacy)
  • stop any tracking by 3rd parties (absolute privacy)
  • protect your blog from rogue plugins that dynamically add malicious external javascript to your wp-admin pages (security)
  • limit the number of external servers that are called from your blog (performance)

There are full configuration instructions on his website and information in the FAQ that can help you determine what options you want to flag. If you decide to just use the default settings you’ll successfully block Quantcast tracking. I cannot recommend this plugin highly enough. Not only will it improve the privacy, security, and performance of your website, but it will also ensure that you’re not making false privacy claims to your website visitors.

Christopher Parsons

I’m a Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.