WordPress.com Stats trojan horse for Quantcast tracking

Suppose you’re a blogger who values website performance and online privacy. You may have ditched Google Analytics because you think the do-no-evilers do not have to know who is on your site. Maybe you removed AddtoAny because of the 3rd party tracking code that slows down your site ever oh so slightly. And you don’t want the omnipresent Facebook Like widget for all the above reasons. No, the only 3rd party JavaScript you allow is the one pushed by the WordPress.com Stats plugin; one JavaScript file and one pixel and you get some nice stats in return. And come on, WordPress, those are the good guys, right?

Well, apparently not. When you run a test on, for example, webpagetest.org, you’ll see two requests to the quantserve.com domain:

http://edge.quantserve.com/quant.js
http://pixel.quantserve.com/pixel;r=705640318;fpan=1;fpa=P0-450352291-1292419712624;ns=0;url=http%3A%2F%2Fblog.futtta.be%2F;ref=;ce=1;je=1;sr=1024x768x32;enc=n;ogl=;dst=1;et=1292419712624;tzo=300;a=p-18-mFEk4J448M;labels=type.wporg
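As an added example (not part of the original post, and not WordPress or Quantcast code), this Node.js script shows one way to pick such requests out of a captured request list and decode what the pixel URL carries. The request list is constructed: the two quantserve.com URLs are the ones above, the stylesheet URL is made up, and the two-label "same site" comparison is a simplifying assumption.

```javascript
// Added example: flag third-party requests in a page-load capture and decode
// the ";key=value" data a tracking pixel carries in its URL path.
const SITE_HOST = "blog.futtta.be";
const CAPTURED_REQUESTS = [
  "http://blog.futtta.be/wp-content/themes/example/style.css", // constructed
  "http://edge.quantserve.com/quant.js",
  "http://pixel.quantserve.com/pixel;r=705640318;fpan=1;fpa=P0-450352291-1292419712624;ns=0;url=http%3A%2F%2Fblog.futtta.be%2F;ref=;ce=1;je=1;sr=1024x768x32;enc=n;ogl=;dst=1;et=1292419712624;tzo=300;a=p-18-mFEk4J448M;labels=type.wporg",
];

// Assumption: "site" = last two DNS labels. A real audit should use the
// Public Suffix List, because this is wrong for suffixes such as co.uk.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Percent-decode a value, keeping the raw text if it is malformed.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// The pixel puts its data in the path, separated by ";", not in "?query".
function pathParams(url) {
  const params = {};
  for (const segment of url.pathname.split(";").slice(1)) {
    const eq = segment.indexOf("=");
    if (eq < 1) continue; // no key: ignore the segment
    params[segment.slice(0, eq)] = safeDecode(segment.slice(eq + 1));
  }
  return params;
}

// Return every request whose site differs from the blog's own site.
function auditThirdParties(siteHost, requestUrls) {
  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (siteOf(url.hostname) === siteOf(siteHost)) continue; // first party
    findings.push({ host: url.hostname, params: pathParams(url) });
  }
  return findings;
}

for (const f of auditThirdParties(SITE_HOST, CAPTURED_REQUESTS)) {
  console.log(f.host, JSON.stringify(f.params));
}
```

The decoded pixel parameters include the visited page URL, the referrer field and the screen resolution, next to what appear to be an account label and cookie-style identifiers.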

Ouch, that hurts! But surely Quantcast aren’t in the same league as AddtoAny’s media6degrees, who do behavioral advertising based on data captured all across the web? Well … Quantcast might be better known, but they do exactly the same thing; collecting user information and providing that info for targeted advertising. And just so you know, Quantcast is one of the companies that is on trial for restoring deleted cookies using Flash (“zombie cookies”). So no, I’m not comfortable with Quantcast collecting data on my blog’s visitors.

Now I know that I opted in on user-tracking by WordPress (or rather Automattic). And I can live with them knowing who visits my blog, I can live with the small performance-impact that the stats-plugin has on my site that way. But I did not sign up for 3rd party tracking; the plugin-page conveniently fails to mention the extra tracking, there’s no opt-out mechanism in the plugin and there’s no info to be found on how to disable Quantcast tracking users on my own blog. I am not a happy WordPress-blogger!

So Automattic; please fess up and at least provide instructions on how to disable 3rd party tracking, just like AddtoAny’s Pat gracefully did?


Update 20 January 2011: Automattic seems unwilling to acknowledge there is a problem; the thread on wordpress.org forums where this was discussed has been closed. I created a small WordPress plugin, DoNotTrack, to stop Quantcast tracking. You can download it here.

31 thoughts on “WordPress.com Stats trojan horse for Quantcast tracking”

  1. Gazouteast

    Hi Frank – good to see more people weighing in on this topic. I feel this is WordPress taking things too far, and from comments seen, I also feel this is another of Matt’s personal preferences bypassing the community review system that is supposed to ensure development transparency for open source products (according to the Free Software Foundation).

    This quantcast tracking is just the latest in a series of closed-door policies this year – including the capital_P_dangit fiasco, banning all the link cloaker plugins to cause favour for wp.me (which is also part of the wp-stats plugin), and so on.

    The community needs to shout long and hard on these topics, and get Mullenweg back-tracking on this behaviour – especially now that he’s relinquished ownership of the WordPress name to the WordPress Foundation, legally now, it’s no longer his pet project and plaything.

    1. frank Post author

      The problem is that unless this becomes more visible, with people blogging/(re-)tweeting about this and ideally some webzines picking up on it, Automattic will not be inclined to revert to a “3rd party tracking”-free version of WordPress stats. So how do we create that buzz?

  2. Pingback: Rechtswidrig: Wordpress.com-Stats Plugin als Trojaner für Werbetracker | SCHWENKE & DRAMBURG

  3. Pingback: WordPress.com Stats telefoniert mit Dritten | perun.net

  4. Perun

    Hi Frank,

    If I activate DoNotTrack, my Quicktags in the HTML editor stop working. If I deactivate DoNotTrack, everything is fine.

    Greetings

  5. Pingback: Noch mal Datenschutz: Wordpress Kommentare und Statistiken « Drop the thought

  6. Pingback: WP-Stats-Plugin rechtlich bedenklich? : Jörn Schaars feine Seite

  7. Pingback: wordpress.com Stats Plugin nun mit Trojaner || Plugin, WordPress, Blog, Tracker, Stats, Erweiterung || thingybob.de

  8. Pingback: WordPress: DoNotTrack in neuer Version | perun.net

  9. Pingback: WordPress.com Stats telefoniert mit Dritten | Serpent embrace's Blog

  10. Pingback: Nutzerstatistik vs. Datenschutz

  11. Pingback: Wordpress Plugin Stats trackt User und sammelt Daten für Werbedienstleister « darmstädterFiltrat

  12. Pingback: Traumsterne » Verstoß gegen das Datenschutzrecht

  13. Pingback: web-crap » Post Topic » WordPress Statistik Trojaner blocken

  14. Pingback: Themenfreund » Wie E. T.: Nach Hause telefonieren

  15. Pingback: Spion vs. Spion: Mit Ghostery Spione entdecken (Firefox Addon) | KenntWas.de - Technische Tips

  16. Pingback: Was ist eigentlich quant.js bzw. pixel.quantserve.com – WordPress » Allgemein, Datenschutz, Neu, Plugins, Problembehebung, Wordpress

  17. Pingback: WordPress.com Stats and Quantcast

  18. Anthony

    Just blogged about this blatant security risk. Thanks for raising my awareness about this plugin; I have managed to install your plugin perfectly and it also works with W3 Total Cache too!

    I wonder if it’s worth making this plugin available on wordpress.org so that people can more easily install this through their own WP sites.

    1. frank Post author

      Hi Anthony. Thanks for your blogpost, this indeed is an important topic the community should not allow Automattic to ignore. I guess Jetpack is the name of the exciting new features they were talking about. Looks like they’ll force wp.com stats users to “upgrade” to Jetpack at some point in time, too bad if you don’t want your blog in Automattic’s network.

      As far as DoNotTrack is concerned; I guess it should indeed be made available in the wp.org plugin repository, but;

      it’s still a bit of an ugly hack (got a patch from someone to make it function error-free in https-blogs as well)
      I’m not sure Automattic would be happy allowing it on what is to some extent their “app market”

      1. Anthony

        I just installed Jetpack and your plugin still works with it, and as far as I can see I am not losing any data being recorded yet.

        I have seen much more ugly hacks in the plugin repository to not complain; it does exactly what it needs to do and exactly what it says it does.

        Whether they are not happy with it or not, it’s an open-source platform, and the moment they start rejecting plugins because it stops their plugins doing things they shouldn’t without the user’s consent is the moment WordPress in my eyes is no longer transparent, and I would be recommending all future clients use other platforms that don’t have this kind of issue.

  19. Pingback: Is your Wordpress site embedding tracking code without your knowledge?

  20. Pingback: webnik.dk | WordPress spy on its users via stats tool!

  21. Pingback: blog speed | Views on Life

  22. Pingback: Coming Out meiner Plugins – Teil 2 | Sylvis Blog

  23. Pingback: Wem gehören die Userdaten? : www.who-owns-the-world.org

  24. Pingback: Respecting User Privacy in Wordpress | Technology, Thoughts, and Trinkets
