WordPress.com Stats trojan horse for Quantcast tracking
Suppose you’re a blogger who values website performance and online privacy. You may have ditched Google Analytics because you think the do-no-evilers do not have to know who is on your site. Maybe you removed AddtoAny because of the 3rd party tracking code that slows down your site ever so slightly. And you don’t want the omnipresent Facebook Like widget for all the above reasons. No, the only 3rd party JavaScript you allow is the one pushed by the WordPress.com Stats plugin; one JavaScript file and one pixel and you get some nice stats in return. And come on, WordPress, those are the good guys, right?
Well, apparently not. Run a test on, for example, webpagetest.org and you’ll see two requests to the quantserve.com domain:
http://edge.quantserve.com/quant.js
http://pixel.quantserve.com/pixel;r=705640318;fpan=1;fpa=P0-450352291-1292419712624;ns=0;url=http%3A%2F%2Fblog.futtta.be%2F;ref=;ce=1;je=1;sr=1024x768x32;enc=n;ogl=;dst=1;et=1292419712624;tzo=300;a=p-18-mFEk4J448M;labels=type.wporg
Ouch, that hurts! But surely Quantcast aren’t in the same league as AddtoAny’s media6degrees, who do behavioral advertising based on data captured all across the web? Well … Quantcast might be better known, but they do exactly the same thing; collecting user information and providing that info for targeted advertising. And just so you know, Quantcast is one of the companies that is on trial for restoring deleted cookies using Flash (“zombie cookies”). So no, I’m not comfortable with Quantcast collecting data on my blog’s visitors.
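The two requests quoted above, checked against the site's own host and decoded field by field, as an added example that is not part of the original post. The field meanings are inferred from the parameter names and values, not taken from Quantcast documentation, and the function names are illustrative.

```javascript
// Added example. Input: the two requests quoted in the post, as a page-test
// request log would list them. Field meanings below are inferred assumptions.
const requests = [
  "http://edge.quantserve.com/quant.js",
  "http://pixel.quantserve.com/pixel;r=705640318;fpan=1;fpa=P0-450352291-1292419712624;ns=0;url=http%3A%2F%2Fblog.futtta.be%2F;ref=;ce=1;je=1;sr=1024x768x32;enc=n;ogl=;dst=1;et=1292419712624;tzo=300;a=p-18-mFEk4J448M;labels=type.wporg",
];

// Hosts contacted that are neither the site itself nor on the allow-list.
function thirdPartyHosts(urls, siteHost, allowed = []) {
  const ok = [siteHost, ...allowed];
  const hosts = urls.map((u) => new URL(u).hostname);
  return [...new Set(hosts)].filter(
    (h) => !ok.some((a) => h === a || h.endsWith("." + a))
  );
}

// Split the ";key=value" parameters out of the pixel path and decode them.
function parsePixel(requestUrl) {
  const [, ...pairs] = new URL(requestUrl).pathname.split(";");
  const fields = {};
  for (const pair of pairs) {
    const i = pair.indexOf("=");
    if (i > 0) fields[pair.slice(0, i)] = decodeURIComponent(pair.slice(i + 1));
  }
  return fields;
}

// What one page view hands to the third party, in readable form.
function disclosure(f) {
  return {
    page: f.url,                               // page being read
    referrer: f.ref || null,                   // empty in the quoted request
    screen: f.sr,                              // width x height x colour depth
    tzOffsetMinutes: Number(f.tzo),            // coarse location hint
    sentAt: new Date(Number(f.et)).toISOString(),
    visitorCookieId: f.fpa,                    // persistent identifier
    publisherId: f.a,                          // account the hit is booked to
    labels: f.labels,
  };
}

console.log(thirdPartyHosts(requests, "blog.futtta.be"));
console.log(disclosure(parsePixel(requests[1])));
```

Running `thirdPartyHosts` over a full request log from a page test, with only the hosts you knowingly opted into on the allow-list, gives a quick regression check after every plugin update.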
Now I know that I opted in on user-tracking by WordPress (or rather Automattic). And I can live with them knowing who visits my blog, I can live with the small performance-impact that the stats-plugin has on my site that way. But I did not sign up for 3rd party tracking: the plugin page conveniently fails to mention the extra tracking, there’s no opt-out mechanism in the plugin and there’s no info to be found on how to disable Quantcast tracking users on my own blog. I am not a happy WordPress-blogger!
So Automattic; please fess up and at least provide instructions on how to disable 3rd party tracking, just like AddtoAny’s Pat gracefully did?
Update 20 January 2011: Automattic seems unwilling to acknowledge there is a problem; the thread on the wordpress.org forums where this was discussed has been closed. I created a small WordPress plugin, DoNotTrack, to stop Quantcast tracking. You can download it here.



frank
15 Dec 10 at 22:09
There’s a thread on the wordpress.org support forums about this issue, feel free to weigh in on the discussion there!
Gazouteast
16 Dec 10 at 19:38
Hi Frank – good to see more people weighing in on this topic. I feel this is WordPress taking things too far, and from comments seen, I also feel this is another of Matt’s personal preferences bypassing the community review system that is supposed to ensure development transparency for open source products (according to the Free Software Foundation).
This quantcast tracking is just the latest in a series of closed-door policies this year – including the capital_P_dangit fiasco, banning all the link cloaker plugins to cause favour for wp.me (which is also part of the wp-stats plugin), and so on.
The community needs to shout long and hard on these topics, and get Mullenweg back-tracking on this behaviour – especially now that he’s relinquished ownership of the WordPress name to the WordPress Foundation, legally now, it’s no longer his pet project and plaything.
frank
20 Dec 10 at 11:31
the problem is that unless this becomes more visible, with people blogging/ (re-)tweeting about this and ideally some webzines picking up on it, automattic will not be inclined to revert to a “3rd party tracking”-free version of wordpress stats. so how do we create that buzz?
Unlawful: WordPress.com Stats plugin as a trojan for ad trackers | SCHWENKE & DRAMBURG
2 Feb 11 at 09:12
[...] “futtta’s blog”, I did find a solution after all. The author has a small plugin called [...]
WordPress.com Stats phones third parties | perun.net
2 Feb 11 at 15:19
[...] In this article you will find additional legal information and a link to another WordPress plugin, which this legally risky communication by WordPress.com Stats [...]
Perun
2 Feb 11 at 16:44
Hi Frank,
if I activate DoNotTrack my Quicktags in the html-editor stop working. If I deactivate DoNotTrack everything is fine.
Greetings
frank
2 Feb 11 at 18:04
weird, i’ll look into this!
frank
3 Feb 11 at 13:46
ok, Quicktags should work with the new version (0.1.1), you can download it on the same URL (http://futtta.be/donottrack.zip). let me know if this works for you!
Perun
3 Feb 11 at 13:53
@Frank,
thank you!
Data protection once more: WordPress comments and statistics « Drop the thought
2 Feb 11 at 21:16
[...] i.e. warning letters, lawsuits and fines could follow. For now the plugin Do not Track offers a remedy. It is not a permanent solution, though; with every new plugin version the protection could [...]
WP Stats plugin legally questionable? : Jörn Schaars feine Seite
3 Feb 11 at 12:32
[...] be glad that one also read on at Perun.net. That is where the plugin “DoNotTrack” is linked. Well, the explanation; the plugin itself is rather hard to find on the page. [...]
wordpress.com Stats plugin now with trojan || Plugin, WordPress, Blog, Tracker, Stats, Extension || thingybob.de
3 Feb 11 at 15:14
[...] you do not really agree with the surprising addition of this trojan. The Futtta blog has an entry about it, where you can also find an anti-plugin plugin ‘donottrack’ (under [...]
WordPress: DoNotTrack in a new version | perun.net
3 Feb 11 at 15:30
[...] can recently be observed, reported. To defuse the plugin in terms of data protection law, a Belgian fellow blogger has a plugin [...]
WordPress.com Stats phones third parties | Serpent embrace's Blog
3 Feb 11 at 21:50
[...] In this article you will find additional legal information and a link to another WordPress plugin, which this legally risky communication by WordPress.com Stats [...]
User statistics vs. data protection
7 Feb 11 at 13:44
[...] collecting and exploiting data with dubious third-party providers (see posts on perun.net and frutta.be), I find questionable. More precisely: not acceptable. And certainly not so secretly [...]
WordPress plugin Stats tracks users and collects data for advertising service providers « darmstädterFiltrat
7 Feb 11 at 17:01
[...] back to the WordPress.com Stats plugin. As Futta explains in a blog post titled “WordPress.com Stats trojan horse for Quantcast tracking”, WordPress and Quantserve are anything but harmless in this case. Quantserve, according to [...]
Traumsterne » Violation of data protection law
7 Feb 11 at 22:56
[...] but still wants to keep using the Stats plugin can simply install this small WP plugin, and the secretly smuggled-in trackers are blocked. Anyone who [...]
web-crap » Post Topic » Blocking the WordPress statistics trojan
12 Feb 11 at 12:39
[...] found further background and the plugin GD Star [...]
Themenfreund » Like E.T.: phoning home
17 Feb 11 at 11:30
[...] and wants to be on the (legally) safe side can do so with another plugin. DoNotTrack plugs this newly created [...]
Spy vs. Spy: discovering spies with Ghostery (Firefox add-on) | KenntWas.de - Technische Tips
22 Feb 11 at 01:15
[...] determine. If you like, you can also examine the script code. For WP-Stats, by the way, there is a plugin that prevents Quantcast from being included. Code of WP-Stat (Quantcast or quantserve is at the [...]
What is quant.js or pixel.quantserve.com anyway – WordPress » General, Data protection, New, Plugins, Troubleshooting, WordPress
8 Mar 11 at 17:00
[...] decide can simply stop by flutta´s blog. The plugin is called DoNotTrack and can be downloaded for free [...]
WordPress.com Stats and Quantcast
18 Mar 11 at 18:02
[...] and Quantcast How did I miss this? http://wordpress.org/support/topic/p…ipt?replies=18 http://blog.futtta.be/2010/12/15/wor…cast-tracking/ http://www.keptlight.com/index.php/2…st-connection/ The WordPress.com Stats (and therefore, I [...]
Anthony
21 Mar 11 at 13:38
just blogged about this blatant security risk, thanks for raising my awareness about this plugin, have managed to install your plugin perfectly and it also works with W3 total cache too!
i wonder if it's worth making this plugin available on wordpress.org so that people can more easily install this through their own WP sites
frank
22 Mar 11 at 10:02
Hi Anthony. Thanks for your blogpost, this indeed is an important topic the community should not allow Automattic to ignore. I guess Jetpack is the name of the exciting new features they were talking about. Looks like they’ll force wp.com stats users to “upgrade” to Jetpack at some point in time, too bad if you don’t want your blog in Automattic’s network.
As far as DoNotTrack is concerned; I guess it should indeed be made available in the wp.org plugin repository, but;
it’s still a bit of an ugly hack (got a patch from someone to make it function error-free in https-blogs as well)
i’m not sure automattic would be happy allowing it on what is to some extent their “app market”
Anthony
22 Mar 11 at 15:19
i just installed jetpack and your plugin still works with it and as far as i can see i am not losing any data being recorded yet
i have seen much more ugly hacks in the plugin repository to not complain, it does exactly what it needs to do and exactly what it says it does
whether they are not happy with it or not, it's an opensource platform and the moment they start rejecting plugins because it stops their plugins doing things they shouldn't without the user's consent is the moment wordpress in my eyes is no longer transparent and i would be recommending all future clients use other platforms that don't have this kind of issue
Is your Wordpress site embedding tracking code without your knowledge?
21 Mar 11 at 13:43
[...] full info is available at http://www.techairlines.com/2010/12/30/wordpress-stats-quantcast/ or at http://blog.futtta.be/2010/12/15/wordpress-com-stats-trojan-horse-for-quantcast-tracking/The WordPress Stats plugin now includes a call to the quantserve sites for “planned extra [...]
webnik.dk | WordPress spy on its users via stats tool!
22 Mar 11 at 10:12
[...] WordPress.com Stats trojan horse for Quantcast tracking He has made a plugin to block tracking but may be better to just not install. As he also points out there are no problems with delivering data to WordPress/Automattic, says on the box so no surprise and besides that is the whole idea with tracking. Data IS used by someone for something. Problem is their attitude and even if they somehow came around any timeline of this 3rd party inclusion will make them look like web gangsters
The timeline thingy is again why no popular WordPress sites find this little incident interesting. Pretty much show Automattic as being incompetent or incompetent with questionable motives!, neither is wanted. Category: WordPress – Tags: crap [...]
blog speed | Views on Life
16 Apr 11 at 22:17
[...] No quantcast crap; luckily cfr futtta – WP Trojan horse [...]
Coming out of my plugins – Part 2 | Sylvis Blog
26 Apr 11 at 21:36
[...] Do not Track [...]
Who owns the user data? : www.who-owns-the-world.org
13 Sep 11 at 14:14
[...] futtta is rightly outraged: a third-party data analyst has sneaked in behind our backs: Quantcast. WordPress.com, through whose plugin Quantcast logs along, cannot be made to care. So a meta-plugin has to provide a remedy… [...]
Respecting User Privacy in Wordpress | Technology, Thoughts, and Trinkets
23 Dec 11 at 21:06
[...] the problems that Automattic is responsible for. Last December he released his donottrack plugin in response to Automattic’s unwillingness to either remove or make optional Quantcast tracking. Months after he released his [...]