Are Automattic and WordPress Purposefully Sneaking Skimlinks Trackers Into Jetpack For Self-Hosted Users?
Early this morning, our writer Peregrin Wood uploaded an article about the way that TechCruch uses secret tracking software even as it writes articles about the value of sites that don’t inflict secret tracking software on their readers. In a double twist of irony, one of our own most valued readers pointed out that Irregular Times appeared to be using a couple of pieces of outside tracking software: Adknowledge and Skimlinks.
This was news to us, as we have never activated Adknowledge or Skimlinks for this web site. Yet, when we looked at Irregular Times using the Ghostery Firefox plugin, which enables people to see and then turn off tracking software being used secretly by web sites, we saw that the tracking software identified by Bill was in fact present and active.
The first tracker, Adknowledge, was placed on Irregular Times as a part of a plugin called Yet Another Related Posts Plugin. This plugin created links within Irregular Times to related articles. If we wrote an article about orange juice, for example, the plugin would create a list of links to articles about other orange subjects, or juicy subjects. It also has a second feature, however, that could have enabled the automatic creation of related links to commercial sites outside of Irregular Times. Although we never activated this second feature, the plugin nonetheless created an invisible beacon within our articles to transmit information to a company called Adknowledge.
Although Adknowledge swears it would never use information it gathers about who is reading Irregular Times articles without our permission, we have deactivated the Yet Another Related Posts Plugin, just to be on the safe side. The people at Yet Another Related Posts Plugin are fairly open about using Adknowledge. It’s just that we had never taken the time to examine the details of how the plugin worked – a mistake we won’t repeat in the future.
Where did the SkimLinks tracking software come from, though?
It took a while for me to track SkimLinks down, because I started out looking for signs of a hacker, with a plugin installed without our permission. I found the SkimLinks code in the last place I looked for it: In the most trusted plugin we to support the Irregular Times blog: Jetpack.
Jetpack is so fundamental to using WordPress blogging software that it comes pre-activated as part of new WordPress installations and updated. It’s got a wide range of features, from statistics packages that allow authors to see which articles have been read most often to spam filters that prevent garbage comments sent out by scambots.
Jetpack is useful, but it’s also become a secret conduit for SkimLinks. It was only when I turned off the Jetpack plugin that the SkimLinks tracking software was turned off on Irregular Times. SkimLinks is a money-making piece of software that “enables publishers to easily monetize online content in two ways – by converting normal product links into their equivalent affiliate links, and picking up product references in content and turning those into relevant, useful affiliate links too.” In other words, SkimLinks takes ordinary links created by writers, and, when those links lead to products for sale, automatically inserts code so that the link generates income in somebody’s affiliate link program. SkimLinks also is capable of creating links of its own in articles published on sites where its software is active – links that generate more affiliate link income.
Never, in all the time that we have used Jetpack, have we received any notification that using Jetpack would result in the activation of SkimLinks, or any other affiliate or advertising program. When I discovered this morning that Jetpack had activated the SkimLink software on Irregular Times, I searched the Jetpack web site, the SkimLinks web site, the WordPress websites, and the website for Automattic, the company that runs WordPress. There is no privacy notification or terms of service message on any of these web sites that tells people that when they use Jetpack, they will activate SkimLinks software that exploits links to generate money for third parties, gathering web traffic data along the way.
WordPress is the most widely used blogging software on the Internet, but it seems that, thanks to the attention of our reader, we here at Irregular Times are the first to discover that the standard WordPress software, installed on bloggers’ own domains separate from the WordPress.com web site, is currently tracking reader activity and secretly creating invisible changes to bloggers’ articles in order to generate financial income for an unknown company or individual.
What we don’t know is how this SkimLinks software got slipped into the WordPress Jetpack plugin. A clue is given us by a brief discussion at a WordPress support forum six months ago. Two WordPress users noticed back then that SkimLinks had been activated through their web sites’ Jetpack software. In response, Jeremy Herve, a “happiness engineer” at WordPress, responded that the whole thing had been an honest mistake, and had been corrected. “This script was meant to be loaded on WordPress.com sites only, but made its way into the Jetpack Comment form iFrame by mistake. We’ve fixed the bug as soon as we realized our mistake a few days ago,” Herve wrote.
Here we are, half a year later, and “the bug” is active again. I’ve been using Ghostery for many weeks now, and can tell you that the last time I checked Ghostery Irregular Times for tracking software before today, there SkimLinks was not active. So, the re-insertion of SkimLinks into Jetpack appears to be fairly recent. My best guess is that it coincides with the most recent WordPress update, created in response to the Heartbleed Internet security disaster.
There are three possibilities for how SkimLinks affiliate program software found its way back into the WordPress Jetpack plugin:
1. As Herve says, it was a mistake for SkimLinks to be placed in Jetpack for self-hosted blogs. The same mistake that caused the “bug” six months ago was repeated more recently. If this is the case, WordPress programming is sloppy.
2. Perhaps a mysterious individual has somehow hacked into WordPress, and inserted SkimLinks without the knowledge of WordPress programmers. If that’s the case, WordPress security is seriously flawed.
3. It’s possible that WordPress deliberately inserted SkimLinks into Jetpack, in order to make money from other people’s web sites without their permission. If this is the case, WordPress cannot be trusted by online writers and editors, whom it seeks to exploit.
Writers and readers of web sites that use WordPress need to know which one of these flaws has led to the introduction of SkimLinks into JetPack. We need for the problem to be fixed, and to gain assurance that steps are being taken to prevent a repetition of the problem.
I will be logging in to the support forum at WordPress and providing a link to this article, so that WordPress insiders can become aware of the problem, and have the opportunity to address it. I’ll update Irregular Times readers about whatever response is made.
If you now look at Irregular Times using the Ghostery Firefox plugin, you’ll see that we use no tracking software at all. We’ve cleaned our site of SkimLinks and Adknowledge, though doing so has reduced the ease with which we manage Irregular Times. We’ve done that because we believe that the readers of Irregular Times need to know that, although they don’t pay for Irregular Times content (we are quite irregular after all), we won’t abuse their trust by using secretive software to invisibly spy on them or redirect them surreptitiously in exchange for money.
This basic vision of trust is starkly different from the definiton of trust that’s active over at SkimLinks, which tells web site owners that their readers can continue to trust them even as they use SkimLinks because SkimLinks is good at hiding its tracks so that readers never know that they’re being redirected into systems of afilliate spam. “Your links look normal,” SkimLinks writes, so “your readers can see and trust exactly where they are going.”
The way we see it, trust that relies on concealing the truth about what’s really going on is not trust at all. That’s why we urge WordPress to distance their software from the likes of SkimLinks, and honestly explain how the two became entangled in the first place.