Update 02-2015: the information below does not reflect the way AddToAny works now and as such only has historical value, read this comment by the developer for more info.
When looking at my blog’s performance in Google Webmaster Tools I saw Google complained of multiple dns-lookups. I knew about stats.wordpress.com, google-analytics.com (well, yeah …) and gravatar.com, but one domain in the list didn’t make sense to me at all; media6degrees.com, so I started to investigate a bit. Grepping the wordpress-, theme- and plugin-code on my server didn’t reveal anything, so I went into Firebug to see what was happening in javascript.
Apparently the AddToAny WordPress-plugin was initiating the call:
- add-to-any requests http://static.addtoany.com/menu/page.js (which is rather big but gzipped & cache-able)
- page.js in turn contains tracking (near the end of the file), by requesting an 1X1 pixel image at http://map.media6degrees.com/orbserv/hbpix?pixId=2869&curl=<encoded URL of page>
- media6degrees then sends the pixel and … sets multiple cookies in the process
And what’s media6degrees business you ask? Maybe they’re just providing the add-to-any author with statistics? Well, not exactly. This is what media6degrees writes on their website: “We deliver scalable custom audiences to major marketers by utilizing the online connections of their consumers.” So by using AddToAny, you’re providing media6degrees with data about your site’s visitors, which they can use to sell targeted communication to their customers.
If visitors of small-time blogs like mine would be the only ones affected by this, the damage would be limited. But AddToAny is also implemented on large local news-outlets such as deredactie.be or De Standaard Online and no doubt on some big international sites as well. Somehow I doubt those organizations know they’re feeding their visitors to media6degrees and I bet some of them would even strongly disagree.
I’m not happy about this, that much is clear. AddToAny offers great functionality, but:
- it adds unneeded requests to my page, causing the page to finish loading later (dns-request + http-request)
- it enrolls my site visitors in a targeted communication platform without anyone knowing (or agreeing)
- none of this is communicated on the AddToAny website or on the AddToAny WordPress plugin page
I mailed the author about this earlier this week (when i didn’t even know about media6degrees tracking cookies yet), but got no feedback up until now and I logged an issue on the wordpress.org support forum as well. And I decided to pull the plug on AddToAny off course, replacing it with sociable, making my blog render yet another millisecond faster, while at the same time protecting my visitors from this sneaky behavioral tracking by AddToAny and media6degrees.
Thanks for this useful information. I always built the “share”-section-code by hand and included that code in the sites I built. No surprises..
add-to-any’s developer mailed me yesterday; there’ll be an opt-out mechanism for publishers, documentation should be up on the add-to-any site next week?
Great digging Frank. In this era of increasing openness, I find hiding a tracking mechanism this way a bad mistake. It’s enough for me to loose my confidence in them and to look for alternatives.
AddToAny now has an option in the javascript api to disable 3rd party tracking, see http://blog.futtta.be/2010/02/15/addtoany-removing-the-spy-from-the-share-ware/
Another interesting thread about AddtoAny’s sneaky tactics, this time regarding a rogue Google Adsense publisher ID being swapped with that of a website owner.
Have a look:
http://tinyurl.com/25mc3d7
the post linked to above has been updated after the author was contacted by pat of a2a. the midway-conclusion now reads:
so the hijacking is not addtoany-related after all.
Free is NEVER free :). Thanks for this post. I noticed the media6degress link in the safari activity window as well and decided to go digging. Though I don’t mind the tracking as much as not being upfront about it. Track all you want, share etc….but the added weight to the page really bothers me. Its a handy widget, I’ll keep it for now, any thoughts on “share this”?
As far as the weight goes, I opted out of the tracking with the no_3p param and that handled it. It was just over 3 seconds and this cut it down to 125 milliseconds. I do agree that not being up front about this is a hell of a turn off– not to mention (except I am mentioning it) you have to have some understanding of javascript to opt out of the tracking.
Man, thanks for sharing this. I’ve been wondering why my page loads so slow. I when I look at the bottom of the page, I see map.media6degrees loading. I didn’t know that it was the add to any button that was requesting it until I read this blog post. Damn!
I noticed the media6degress link in the safari activity window as well and decided to go digging.
AddtoAny…deleted permanently from my site. Unbelievably corrupt practice. Never will use anything they offer again. Thank you so much for pointing this out…
Let me start off by saying thank you for this nice blog post.
I am piss off to no end about this!!
I found this out the same way you did with “Google Webmaster Tools, performance”
I’m like WTH is this o_0
then I looked more into the matter & found your blog post.
I see no where on the plugin or on there website saying anything about media6degrees.
I have Deactivated the plugins & may just uninstall them for I do not see them changing anything any time soon.
I did looked into seeing if there was an easy way to remove that bit out of the code but I say F it
I will find something better or use nothing at all.
“AddToAny removed-from-here”
I am going the same road. Off AddToAny, probably to SexyBookmarks.
Thanks for sharing your findings… like you I went looking at Google’s site performance information and was initially stumped by the reference to media6degrees until I found your post.
Cheers!
I’ve been trying to remove this addtoany widget from my blogger blog but I can’t find it in my html.
maybe the instructions on how to add addtoany to blogger can be used to find and delete the code as well? 🙂 good luck!
Amazing. You could be a web detective. Thank you!
I recently did a major overhaul of my site, and removed the AddToAny plugin in the process. I replaced it with Shareaholic, which I like much better. Unfortunately, I am STILL seeing my site hit map.media6degrees.com! I thank you for writing this article to help me find out the reason for this hit, now I just need to figure out why these jerks are still tracking my site without my permission.
Of course, if anyone reading this has run into, and solved, this problem, I would love to hear about that as well!
the culprit seems to be sexybookmarks (i.e. shareaholic); jquery.shareaholic-publishers-sb.min.js seems to be the file that initiates the call to media6degrees. you might be better of with add2any, which can at least be configured not to do 3rd party tracking.
Looks like I got out of the frying pan and into the fire…completely unintentionally. I thank you for your superior knowledge of how to find which javascript is doing what, and I’ll now set about disabling media6degrees’ tracking on all of my blogs. Many thanks!
Thanks this helped me. I switched back to AddToAny and used the code from your other post. I’m happy with it. I think it’s a better plugin than “sexy”.
I MISTAKENLY tried out the AddToAny share widget for Blogger, I clicked on the link that automatically installs the code for the share widget below each post. How do I completely remove the code for this from my Blogger HTML???? I can’t find their code anywhere!!! HELP!!!
hi liz; I just tested this out myself, the addtoany code is added as a gadget. to change/ remove, go to “design”, it should be visible in the right hand ‘gadget’-column. click on “edit”, then “remove” in the popup and confirm by clicking “ok”. hope this helps!
Totally agree with you man, I was just trying to find out why the page.js loads so slow. Thanks for the explanation regarding the tracking thing.
Great digging Frank. In this era of increasing openness, I find hiding a tracking mechanism this way a bad mistake.
AddToAny has been acquired by lockerz.com, a social/$/rewards site for people age 18-30. Adding the opt-out code does not prevent a lockerz script from showing up when you have NoScript installed. If you don’t want your users to have NS block this script (it will show in the NoScript options tab in the status bar as “Allow lockerz.com” – then you should uninstall AddToAny and use something else.
that is very interesting info, i’ll follow up on this and include lockerz in the default wp donottrack blacklist as well. thanks runbei!
Your post just answer may big question about addtoany error in my website : page.js not found.