AddToAny removed-from-here


Update 02-2015: the information below does not reflect the way AddToAny works now and as such only has historical value, read this comment by the developer for more info.
When looking at my blog’s performance in Google Webmaster Tools I saw Google complained of multiple dns-lookups. I knew about stats.wordpress.com, google-analytics.com (well, yeah …) and gravatar.com, but one domain in the list didn’t make sense to me at all; media6degrees.com, so I started to investigate a bit. Grepping the wordpress-, theme- and plugin-code on my server didn’t reveal anything, so I went into Firebug to see what was happening in javascript.
Apparently the AddToAny WordPress-plugin was initiating the call:

  1. add-to-any requests http://static.addtoany.com/menu/page.js (which is rather big but gzipped & cache-able)
  2. page.js in turn contains tracking (near the end of the file), by requesting an 1X1 pixel image at http://map.media6degrees.com/orbserv/hbpix?pixId=2869&curl=<encoded URL of page>
  3. media6degrees then sends the pixel and … sets multiple cookies in the process

And what’s media6degrees business you ask? Maybe they’re just providing the add-to-any author with statistics? Well, not exactly. This is what media6degrees writes on their website: “We deliver scalable custom audiences to major marketers by utilizing the online connections of their consumers.” So by using AddToAny, you’re providing media6degrees with data about your site’s visitors, which they can use to sell targeted communication to their customers.
If visitors of small-time blogs like mine would be the only ones affected by this, the damage would be limited. But AddToAny is also implemented on large local news-outlets such as deredactie.be or De Standaard Online and no doubt on some big international sites as well. Somehow I doubt those organizations know they’re feeding their visitors to media6degrees and I bet some of them would even strongly disagree.
I’m not happy about this, that much is clear. AddToAny offers great functionality, but:

  • it adds unneeded requests to my page, causing the page to finish loading later (dns-request + http-request)
  • it enrolls my site visitors in a targeted communication platform without anyone knowing (or agreeing)
  • none of this is communicated on the AddToAny website or on the AddToAny WordPress plugin page

I mailed the author about this earlier this week (when i didn’t even know about media6degrees tracking cookies yet), but got no feedback up until now and I logged an issue on the wordpress.org support forum as well. And I decided to pull the plug on AddToAny off course, replacing it with sociable, making my blog render yet another millisecond faster, while at the same time protecting my visitors from this sneaky behavioral tracking by AddToAny and media6degrees.

36 thoughts on “AddToAny removed-from-here”

  1. Great digging Frank. In this era of increasing openness, I find hiding a tracking mechanism this way a bad mistake. It’s enough for me to loose my confidence in them and to look for alternatives.

    Reply
    • the post linked to above has been updated after the author was contacted by pat of a2a. the midway-conclusion now reads:

      “However, having been in contact with AddToAny, I don’t believe they are the ones who are being dishonest, in spite of the coincidences implicating their button code, or other services it uses.”

      so the hijacking is not addtoany-related after all.

      Reply
  2. Free is NEVER free :). Thanks for this post. I noticed the media6degress link in the safari activity window as well and decided to go digging. Though I don’t mind the tracking as much as not being upfront about it. Track all you want, share etc….but the added weight to the page really bothers me. Its a handy widget, I’ll keep it for now, any thoughts on “share this”?

    Reply
    • As far as the weight goes, I opted out of the tracking with the no_3p param and that handled it. It was just over 3 seconds and this cut it down to 125 milliseconds. I do agree that not being up front about this is a hell of a turn off– not to mention (except I am mentioning it) you have to have some understanding of javascript to opt out of the tracking.

      Reply
  3. Man, thanks for sharing this. I’ve been wondering why my page loads so slow. I when I look at the bottom of the page, I see map.media6degrees loading. I didn’t know that it was the add to any button that was requesting it until I read this blog post. Damn!

    Reply
  4. Let me start off by saying thank you for this nice blog post.
    I am piss off to no end about this!!
    I found this out the same way you did with “Google Webmaster Tools, performance”
    I’m like WTH is this o_0
    then I looked more into the matter & found your blog post.
    I see no where on the plugin or on there website saying anything about media6degrees.
    I have Deactivated the plugins & may just uninstall them for I do not see them changing anything any time soon.
    I did looked into seeing if there was an easy way to remove that bit out of the code but I say F it
    I will find something better or use nothing at all.

    Reply
  5. Thanks for sharing your findings… like you I went looking at Google’s site performance information and was initially stumped by the reference to media6degrees until I found your post.
    Cheers!

    Reply
  6. I recently did a major overhaul of my site, and removed the AddToAny plugin in the process. I replaced it with Shareaholic, which I like much better. Unfortunately, I am STILL seeing my site hit map.media6degrees.com! I thank you for writing this article to help me find out the reason for this hit, now I just need to figure out why these jerks are still tracking my site without my permission.
    Of course, if anyone reading this has run into, and solved, this problem, I would love to hear about that as well!

    Reply
    • the culprit seems to be sexybookmarks (i.e. shareaholic); jquery.shareaholic-publishers-sb.min.js seems to be the file that initiates the call to media6degrees. you might be better of with add2any, which can at least be configured not to do 3rd party tracking.

      Reply
      • Looks like I got out of the frying pan and into the fire…completely unintentionally. I thank you for your superior knowledge of how to find which javascript is doing what, and I’ll now set about disabling media6degrees’ tracking on all of my blogs. Many thanks!

        Reply
      • Thanks this helped me. I switched back to AddToAny and used the code from your other post. I’m happy with it. I think it’s a better plugin than “sexy”.

        Reply
  7. I MISTAKENLY tried out the AddToAny share widget for Blogger, I clicked on the link that automatically installs the code for the share widget below each post. How do I completely remove the code for this from my Blogger HTML???? I can’t find their code anywhere!!! HELP!!!

    Reply
    • hi liz; I just tested this out myself, the addtoany code is added as a gadget. to change/ remove, go to “design”, it should be visible in the right hand ‘gadget’-column. click on “edit”, then “remove” in the popup and confirm by clicking “ok”. hope this helps!

      Reply
  8. AddToAny has been acquired by lockerz.com, a social/$/rewards site for people age 18-30. Adding the opt-out code does not prevent a lockerz script from showing up when you have NoScript installed. If you don’t want your users to have NS block this script (it will show in the NoScript options tab in the status bar as “Allow lockerz.com” – then you should uninstall AddToAny and use something else.

    Reply

Leave a Reply to E-TARD Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.