The short-form video biz Quibi, the airline JetBlue, the shopping site Wish, and several other companies have disclosed millions of email addresses to advertising, tracking, and analytics firms via HTTP request headers, it is claimed.
According to findings published on Wednesday by Zach Edwards, of digital strategy firm Victory Medium, these companies have passed these contact details to advertising networks and others in recent years. Among the websites identified by Edwards – a group that also includes Mailchimp, The Washington Post, NGPVan.com, KongHQ, and GrowingChild.com – some quickly changed their sites when they learned of the problem, but others did not.
And while this disclosure of email addresses to third parties may be covered in high-level terms buried in corporate privacy policies, it is a reminder of how easily websites can pass your personal information along, sometimes without even realizing it.
People using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email address siphoned off.
How it works
When someone tries to visit a page on a website – for example, by clicking a link or button – their browser creates an HTTP request for that page and sends it to the website. This request contains the URL of the page, and that URL may contain information relevant to the request. The HTTP request can also contain a header called Referer, which specifies the URL of the web page the user just came from.
Quibi, the recently launched short-video sharing app, did just that, said Edwards. When a new user signed up with an email address, that person received an email containing an account-creation confirmation link. Clicking on that link took the user to a web page whose URL contained the email address for their account:
JetBlue is also said to have disclosed email addresses from a registration web page, and was alerted to the shortcoming in March. “After being informed of the leak, JetBlue said they would never do what they do because it would be against the law,” said Edwards in his report.
Over the past two years, Wish.com has transmitted millions of email addresses in base64 encoding, which is not encryption, we are told.
“From July 2018 to January 2020, when this research was originally shared with Wish.com, Wish forwarded user emails to at least Google, Facebook, Pinterest, Criteo, PayPal, and Stripe, and potentially to other companies,” said Edwards. Several thousand of these messages have apparently been cached by search engines such as URLscan.io.
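To make the mechanism described above concrete, here is an added example (not code from the article, from Edwards' report, or from any of the companies named) that models the two halves of the problem from a defender's side: what Referer value a browser sends to a third-party resource under a given Referrer-Policy, and how to scan URLs or Referer values in your own logs for email addresses that appear in plain, percent-encoded, or base64 form. The page URLs, the tracker hostname, and the email address are all constructed placeholders. The policy model covers only the four policies named in the code and is an assumption-level simplification of the browser rules, sufficient to show why a page that carries an email address in its query string hands that address to every cross-origin script, pixel, or font it embeds under the long-standing browser default of no-referrer-when-downgrade, and why strict-origin-when-cross-origin or no-referrer stops it.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit, urlunsplit

# Conservative email pattern: good enough for log triage, not RFC 5322 validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _base64_candidates(value):
    """Attempt to decode a query value as base64 (standard and URL-safe alphabets),
    repairing stripped '=' padding. Returns every decoding that is valid UTF-8."""
    decoded = []
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded.append(decoder(padded).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
    return decoded


def find_emails_in_url(url):
    """Return the sorted set of email addresses exposed in a URL's path or query
    string, whether plain, percent-encoded, or base64-encoded."""
    parts = urlsplit(url)
    texts = [unquote(parts.path)]
    # parse_qsl percent-decodes each value; we also try base64 on each value.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        texts.append(value)
        texts.extend(_base64_candidates(value))
    found = set()
    for text in texts:
        found.update(EMAIL_RE.findall(text))
    return sorted(found)


def referer_for(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Simplified model of the Referer a browser sends when the page at page_url
    fetches resource_url under the given Referrer-Policy. Returns None when no
    Referer is sent. Fragment is always stripped, as browsers do."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    origin = f"{page.scheme}://{page.netloc}/"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin
    if policy == "origin":
        return origin
    raise ValueError(f"unmodelled policy: {policy}")


def leaked_emails(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Email addresses a third party at resource_url would learn via Referer."""
    referer = referer_for(page_url, resource_url, policy)
    return find_emails_in_url(referer) if referer else []


if __name__ == "__main__":
    # Constructed sample: a confirmation page carrying the account email in its
    # query string, plus a base64-encoded variant of the same address.
    b64 = base64.b64encode(b"alice@example.com").decode().rstrip("=")
    pages = [
        "https://shop.example/verify?email=alice%40example.com#welcome",
        "https://shop.example/track?u=" + b64,
    ]
    tracker = "https://tracker.example/pixel.gif"
    for page in pages:
        for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
            print(f"{policy:34} -> {leaked_emails(page, tracker, policy)}")
```

Running the module prints which addresses the constructed tracker would receive under each policy; in an audit you would feed `find_emails_in_url` the request paths and Referer values from your own access logs, and set `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) on any page that still carries identifiers in its URL.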
Glenn Lehrman, veep and head of communications at Wish.com, told The Register the company considers data protection and user trust a top priority. He said that after receiving Edwards' report earlier this year, the biz made a few changes, including adding encryption to protect users' email addresses in transit.
Lehrman said he did not agree with Edwards' findings, noting that the websites receiving the email addresses acted as service providers, performing advertising and business-support functions.
“Zach disputes the specific way in which the data from the web referrer was encoded (in a string that is not human-readable) and supposes that the large service providers could theoretically have first ingested and then taken measures to decode this data,” said Lehrman. “We have no reason to believe that this happened. Certainly, these companies had no reason to do so, and in any event, it is certainly not a ‘violation’ to provide service providers with such encoded information.”
Email addresses are considered personally identifiable information under Europe's General Data Protection Regulation, Edwards told The Register. Exposing this data could pose problems for companies operating in Europe.
The California Consumer Privacy Act is less clear. “This is why Wish said that all of its ad-tech partners are ‘service providers’ – it's the one opening in the CCPA that allows sharing data this way,” he added.
Despite this, Edwards believes that none of the organizations he identified has made this data sharing clear enough in their privacy policies.
Edwards said he doubts the leaks were accidental. “It is certainly not an accident when most organizations do it,” he said, noting that the practice is a widely known and widely used “growth hack.”
“It improves retargeting opportunities and improves attribution in analytics systems,” he said. “Ad-tech companies like AdRoll had a ‘shotgun’ that would retrieve emails from URLs for years, and that’s a known strategy. LiveRamp has a user graph with huge amounts of email, and tons of ad networks have email matching like Facebook Custom Audiences. Being pushed to ad networks is almost always deliberate, and it's profitable for the people who do it.” ®