Enter your email address to subscribe to Irregular Times and receive notifications of new posts by email.

Join 252 other subscribers

Irregular Times Newsletters

Click here to subscribe to any or all of our six topical e-mail newsletters:
  1. Social Movement Actions,
  2. Credulity and Faith,
  3. Election News,
  4. This Week in Congress,
  5. Tech Dispatch and
  6. our latest Political Stickers and Such

Contact Us

We can be contacted via retorts@irregulartimes.com

Are Automattic and WordPress Purposefully Sneaking Skimlinks Trackers Into Jetpack For Self-Hosted Users?

Early this morning, our writer Peregrin Wood uploaded an article about the way that TechCruch uses secret tracking software even as it writes articles about the value of sites that don’t inflict secret tracking software on their readers. In a double twist of irony, one of our own most valued readers pointed out that Irregular Times appeared to be using a couple of pieces of outside tracking software: Adknowledge and Skimlinks.

This was news to us, as we have never activated Adknowledge or Skimlinks for this web site. Yet, when we looked at Irregular Times using the Ghostery Firefox plugin, which enables people to see and then turn off tracking software being used secretly by web sites, we saw that the tracking software identified by Bill was in fact present and active.

The first tracker, Adknowledge, was placed on Irregular Times as a part of a plugin called Yet Another Related Posts Plugin. This plugin created links within Irregular Times to related articles. If we wrote an article about orange juice, for example, the plugin would create a list of links to articles about other orange subjects, or juicy subjects. It also has a second feature, however, that could have enabled the automatic creation of related links to commercial sites outside of Irregular Times. Although we never activated this second feature, the plugin nonetheless created an invisible beacon within our articles to transmit information to a company called Adknowledge.

Although Adknowledge swears it would never use information it gathers about who is reading Irregular Times articles without our permission, we have deactivated the Yet Another Related Posts Plugin, just to be on the safe side. The people at Yet Another Related Posts Plugin are fairly open about using Adknowledge. It’s just that we had never taken the time to examine the details of how the plugin worked – a mistake we won’t repeat in the future.

skimlinks jetpack wordpress spyWhere did the SkimLinks tracking software come from, though?

It took a while for me to track SkimLinks down, because I started out looking for signs of a hacker, with a plugin installed without our permission. I found the SkimLinks code in the last place I looked for it: In the most trusted plugin we to support the Irregular Times blog: Jetpack.

Jetpack is so fundamental to using WordPress blogging software that it comes pre-activated as part of new WordPress installations and updated. It’s got a wide range of features, from statistics packages that allow authors to see which articles have been read most often to spam filters that prevent garbage comments sent out by scambots.

Jetpack is useful, but it’s also become a secret conduit for SkimLinks. It was only when I turned off the Jetpack plugin that the SkimLinks tracking software was turned off on Irregular Times. SkimLinks is a money-making piece of software that “enables publishers to easily monetize online content in two ways – by converting normal product links into their equivalent affiliate links, and picking up product references in content and turning those into relevant, useful affiliate links too.” In other words, SkimLinks takes ordinary links created by writers, and, when those links lead to products for sale, automatically inserts code so that the link generates income in somebody’s affiliate link program. SkimLinks also is capable of creating links of its own in articles published on sites where its software is active – links that generate more affiliate link income.

Never, in all the time that we have used Jetpack, have we received any notification that using Jetpack would result in the activation of SkimLinks, or any other affiliate or advertising program. When I discovered this morning that Jetpack had activated the SkimLink software on Irregular Times, I searched the Jetpack web site, the SkimLinks web site, the WordPress websites, and the website for Automattic, the company that runs WordPress. There is no privacy notification or terms of service message on any of these web sites that tells people that when they use Jetpack, they will activate SkimLinks software that exploits links to generate money for third parties, gathering web traffic data along the way.

WordPress is the most widely used blogging software on the Internet, but it seems that, thanks to the attention of our reader, we here at Irregular Times are the first to discover that the standard WordPress software, installed on bloggers’ own domains separate from the WordPress.com web site, is currently tracking reader activity and secretly creating invisible changes to bloggers’ articles in order to generate financial income for an unknown company or individual.

What we don’t know is how this SkimLinks software got slipped into the WordPress Jetpack plugin. A clue is given us by a brief discussion at a WordPress support forum six months ago. Two WordPress users noticed back then that SkimLinks had been activated through their web sites’ Jetpack software. In response, Jeremy Herve, a “happiness engineer” at WordPress, responded that the whole thing had been an honest mistake, and had been corrected. “This script was meant to be loaded on WordPress.com sites only, but made its way into the Jetpack Comment form iFrame by mistake. We’ve fixed the bug as soon as we realized our mistake a few days ago,” Herve wrote.

Here we are, half a year later, and “the bug” is active again. I’ve been using Ghostery for many weeks now, and can tell you that the last time I checked Ghostery Irregular Times for tracking software before today, there SkimLinks was not active. So, the re-insertion of SkimLinks into Jetpack appears to be fairly recent. My best guess is that it coincides with the most recent WordPress update, created in response to the Heartbleed Internet security disaster.

There are three possibilities for how SkimLinks affiliate program software found its way back into the WordPress Jetpack plugin:

1. As Herve says, it was a mistake for SkimLinks to be placed in Jetpack for self-hosted blogs. The same mistake that caused the “bug” six months ago was repeated more recently. If this is the case, WordPress programming is sloppy.

2. Perhaps a mysterious individual has somehow hacked into WordPress, and inserted SkimLinks without the knowledge of WordPress programmers. If that’s the case, WordPress security is seriously flawed.

3. It’s possible that WordPress deliberately inserted SkimLinks into Jetpack, in order to make money from other people’s web sites without their permission. If this is the case, WordPress cannot be trusted by online writers and editors, whom it seeks to exploit.

Writers and readers of web sites that use WordPress need to know which one of these flaws has led to the introduction of SkimLinks into JetPack. We need for the problem to be fixed, and to gain assurance that steps are being taken to prevent a repetition of the problem.

I will be logging in to the support forum at WordPress and providing a link to this article, so that WordPress insiders can become aware of the problem, and have the opportunity to address it. I’ll update Irregular Times readers about whatever response is made.

If you now look at Irregular Times using the Ghostery Firefox plugin, you’ll see that we use no tracking software at all. We’ve cleaned our site of SkimLinks and Adknowledge, though doing so has reduced the ease with which we manage Irregular Times. We’ve done that because we believe that the readers of Irregular Times need to know that, although they don’t pay for Irregular Times content (we are quite irregular after all), we won’t abuse their trust by using secretive software to invisibly spy on them or redirect them surreptitiously in exchange for money.

This basic vision of trust is starkly different from the definiton of trust that’s active over at SkimLinks, which tells web site owners that their readers can continue to trust them even as they use SkimLinks because SkimLinks is good at hiding its tracks so that readers never know that they’re being redirected into systems of afilliate spam. “Your links look normal,” SkimLinks writes, so “your readers can see and trust exactly where they are going.”

The way we see it, trust that relies on concealing the truth about what’s really going on is not trust at all. That’s why we urge WordPress to distance their software from the likes of SkimLinks, and honestly explain how the two became entangled in the first place.

30 comments to Are Automattic and WordPress Purposefully Sneaking Skimlinks Trackers Into Jetpack For Self-Hosted Users?

  • Bill

    Thanks so much for chasing this down, J. Calling this matter out on the support forum at WordPress is a great first step, but, of course, support forums are where important issues go to die (as this incident itself demonstrates). I would encourage you to also consider dropping a line to:
    1. Ars Technica (select “Contact the Editorial Team” from the drop-down box on the contact page).
    2. Wired (mail@wired.com is where Letters to the Editor should go, according to this page).
    3. Pro Publica (suggestions@propublica.org)
    Additional opportunities to raise the profile of this issue are limited only by your imagination….

    WordPress has made a huge miscalculation here. It pretty much owns the blogging software business, not merely because it is pretty good software but, more importantly, because people trust it implicitly. That’s a huge business asset, squandered for a handful of silver. Dumb, dumb, dumb. Unlike operating systems and search engines, blogging software isn’t exactly rocket surgery; if WordPress alienates its customers by violating their trust, another enterprising company can and will step in and eat their lunch. A quick “oops, our bad — there, we fixed it” won’t be enough this time (or, at least, shouldn’t be allowed to be). WordPress’s feet need to be held to the fire on this one, and some rock-solid promises of future fidelity to customers’ confidence in them must be extracted.

    Just this month, Automattic raised a $160 million investment, pegging its corporate valuation at $1.2 billion. Will bloggers around the world soon be saying “I loved their early work, before they sold out”? Maybe we should ask Automattic’s CEO, Matt Mullenweg (perhaps on his personal blog’s contact page, http://ma.tt/contact/

  • Bill

    By the way, Ghostery isn’t just for FireFox anymore. Also works in the Chrome browser (ironically enough).

  • J Clifford

    Is it possible for Ghostery to fully work in the Chrome browser? Isn’t the Chrome browser explicitly built in order to funnel private data to Google?

    • Bill

      What Ghostery does is to suppress calls to hidden links and javascript routines embedded in web pages that are known to go out to known external trackers. It seems to do this every bit as well in Chrome as in FireFox (although, of course, fully testing this is beyond my resources).

      What Chrome itself, and subsequently Google, does with your browsing information is quite another thing…I would assume those bits of skullduggery are beyond Ghostery’s reach.

      My point being only that Ghostery does what it promises to do in FireFox and Chrome alike.

  • Hi there,

    My name is Jeremy, and I work on the Jetpack team.

    After reading your post I checked our most recent changes to the WordPress.com comment form, and it seems that the bug we fixed 6 months made his way back to Jetpack Comments. We’ll get this fixed as soon as possible, and I’ll comment again here once the problem is solved.

  • We’ve now fixed the issue, and we’ve added extra checks to ensure it doesn’t happen again.

    Sorry for the inconvenience.

    In the future, and if you experience issues with Jetpack again, do not hesitate to send us an email!

    • J Clifford

      Jeremy, how have you fixed the issue?

      What was the issue?

      What are the “extra checks” WordPress added to ensure it doesn’t happen again. How does a “bug” that directs money through affiliate programs into the Automattic bank accounts simply make its way back into the programming? This isn’t a real “bug” that can just crawl from one set of coding into another, Jeremy.

      You said the problem was fixed before. What’s different this time?

    • Bill

      As stated above, “A quick ‘oops, our bad — there, we fixed it’ won’t be enough this time.”

      Jeremy, we have as yet no solid reason to conclude that Automattic does this willfully, repeatedly trying to sneak new revenue opportunities for itself in under users’ radar. But, instead, Occam’s Razor would seem to suggest that at a minimum Automattic places low or no priority on getting privacy and trust issues right the first time…or even the second time.

      So, aside from improving its change control processes to stop repeatedly recycling known buggy code, what does Automattic propose to do to begin meaningfully managing trust and privacy issues? And to systematically identify and correct the doubtless other lurking privacy bugs that users haven’t caught you out on yet?

      Like I said, “oops, our bad — there, we fixed it” doesn’t cut it anymore, and certainly won’t cut it if repeated ad infinitum. Or is Automattic trying to prepare its corporate culture for its assimilation by Microsoft?

      • J Clifford

        Here’s what Jeremy posted at the WordPress.org support forums:

        “We’ve recently made some changes on WordPress.com, and it caused SkimLinks to be added back to Jetpack Comments. We’ll need to correct the code that blocked SkimLinks from being added to Jetpack Comments until now.”

        I appreciate Jeremy getting to work on this problem, and his attention in communicating about it, especially on Mother’s Day weekend.

        However, these explanations aren’t fully reassuring.

        They don’t really explain what’s been going on at WordPress that allows the insertion of SkimLinks codes into the blogs of independent web sites that install WordPress software onto their servers.

        I understand that there may be some limit to what people from WordPress are able to tell us about the code that integrates SkimLinks into blogs over at WordPress.com, and how that relates to the functioning of WordPress at independent web sites such as IrregularTimes.com. Purposes of anti-hacker security, reasons of maintaining proprietary information, and perhaps even limitations related to routes of government surveillance could prevent people like Jeremy from sharing with us the entire picture of what’s going on with SkimLinks.

        What we can infer from what Jeremy has written about the arrangement between SkimLinks and WordPress is that there is not a strong boundary between 1) Blogs at WordPress.com, which are free and hosted by WordPress with the understanding that some spammy advertising and tracking things may take place and those blogs; and 2) Blogs that are hosted at web sites that are independent of WordPress.com, using WordPress software, but with no agreement at all that WordPress software will secretly insert spammy advertising and tracking bots behind the scenes.

        It sounds as if the people at Automattic are integrating these two systems somehow, with something equivalent to gates between the systems that can be opened and shut to allow the advertising spammy bots from WordPress.com to flood over into independent web sites.

        That arrangement makes it all-too-easy for SkimLinks affiliate program software to leak, purposefully or accidentally, through these gates. The fact that this has happened twice so far within the last year – that we know of – is a sign that the “gates” that prevent unauthorized affiliate codes from WordPress and SkimLinks are weakly designed, or that the management process that ensures those gates remained closed is itself flawed in some way.

        We have no evidence that these underlying problems are actually solved. They weren’t solved the last time the “bug” was fixed.

        So, we have to wonder, what else is leaking through those shoddy “gates” into the blogs of unsuspecting writers?

        This incident serves as a warning to bloggers and to blog readers of the importance of installing software like Ghostery that makes visible the vast number of online tracking plugins that otherwise would remain hidden, gathering and profiting from our data.

        • Hi everyone.

          My name is Egill, and I’m a member of the Ads team at Automattic. I think it would be best to hear this from me, since I’m the person responsible for the mistake behind this mess. I hope this explains what the issue was, how it got there and how it’s been fixed (for good).

          First, let me stress that at Automattic we open source (We’re big believers in open source) everything except our passwords, we’re all for transparency (http://transparency.automattic.com), our mission is to democratize publishing, and we fight for free speech (https://www.eff.org/issues/cda230/successes/wordpress).

          We did not get to where we are today, by deceiving users or doing anything shady. What we have is far more important than so, that we would jeopardize it by deliberately injecting 3rd party ads on anyones site – as suggested in your article and/or comments. And as you can imagine we would not get $160M in funding by sneaking anything in, anywhere.

          Before I explain what exactly happened, please realize that WordPress.com is the worlds largest WordPress install, with tens of millions of sites. We run this from a single codebase, and that includes jetpack.wordpress.com, a site used for example to serve the Jetpack comments.

          From day one, ads on WordPress.com have been one of our revenue streams – keeping the service free for those who want to use it (See our Terms of Service: http://en.wordpress.com/tos/, Advertising: http://en.support.wordpress.com/advertising/ and About these ads: http://en.wordpress.com/about-these-ads/). We also share that revenue with some of our users (those who have applied and been accepted into our WordAds program (http://wordads.co)).

          Anyway, back to our issue with Jetpack. A while back users noticed that Skimlinks was being injected into the Jetpack Comments iframe. That turned out to be a sideeffect from our shared codebase, and was fixed by adding a single line of code to the Jetpack plugin running on WordPress.com

          remove_action( 'wp_footer', 'skimlinks_footer_js' );

          On April 24th, at 18:57:21 (GMT+0), I made a change to prevent a Skimlinks plugin from interfering with a syntax highlighting plugin (Something that happened after we updated our syntax highlighting), from:

          add_action( 'wp_footer', 'skimlinks_footer_js' );

          to:

          add_action( 'wp_footer', 'skimlinks_footer_js', 20 );

          Now, here’s where it gets interesting. On jetpack.wordpress.com we run this function to stop Skimlinks from injecting anything to that site (A change we made 6 months ago, to prevent this from happening again – yes, how ironic).

          remove_action( 'wp_footer', 'skimlinks_footer_js' );

          For those familiar with hooks in WordPress may know that in order to remove one, both the ‘function_to_be_removed’ and ‘priority’ arguments must match when the hook was added. In order for the Skimlinks code to be removed, the line should have been:

          remove_action( 'wp_footer', 'skimlinks_footer_js', 20 );

          I made the mistake of only checking if the hook was removed, and did not make sure it was the same priority. What happens then? The original hook stays in place, and voila, Skimlinks is added to that very site.

          It’s unfortunate that I/we did not notice this unfortunate sideeffect, and we’re thankful for you bringing this to our attention.

          As far as I am aware, there are no plans on monetizing the Jetpack plugin.

          This was an unfortunate human error, my error. I’m proud of the fact that we’re allowed to be human at Automattic. One of the first articles every Automattician (we, the employees of Automattic, refer to ourselves as Automatticians) is named “Made a Mistake? It’s OK — We’re Human, Too”. It also says: “Every failure is an opportunity to learn — you have a chance to start new habits with a motivation that will be difficult to recreate, so if anything you should start committing more than ever. Or find a proofreading buddy. Or a better task manager. You get the idea.
          It happens. We’re human, we understand.”

          In the spirit of learning, I spent the day studying how our jetpack.wordpress.com site works. As a result I’ve now inserted 3 safeguards to make sure that this does not happen again:

          1. I labelled the site making sure that Skimlinks does not run on it (Using 2 different methods).
          2. I made changes to the Skimlinks plugin to make sure that it does not run on jetpack.wordpress.com
          3. I made changes to the Jetpack plugin running on WordPress.com, making sure that it removes Skimlinks code, if for some reason it has been added.

          I hope this sheds some light on why this happened.

          Have a great Mother’s day!
          Egill R. Erlendsson
          Automattic / WordPress.com

          • I’d like to add, in case it’s not obvious from my comment, I’m deeply sorry for any concerns this may have caused you. Again, this was a human error (mine) and I’m more than happy to answer any questions if you have further concerns regarding this.

            • Bill

              Well, high marks for responsiveness. Thanks, Egill.

            • Jim Cook

              This is good to hear. I’m grateful to hear this thorough communication. J. Clifford, what do you think?

              • J Clifford

                I am grateful to Egill for the extra work in addressing this problem and explaining it in detail here. This effort restores enough trust to continue using WordPress and other Automattic software.

                I write “enough trust”, because this event has triggered a realization for me: That distrust is now the default when it comes to working online.

                As the result of a series of events – nickle and diming at CafePress, increasing data mining at Facebook, snooping by the NSA, etc., I’ve learned to regard assertions of goodwill and trustworthiness from large web sites with more than a grain of salt. Automattic may assert that “We did not get to where we are today, by deceiving users or doing anything shady,” but we can also remember that Google began with the ethic of “Do no evil”. When it comes to online interactions, we’ve gone far beyond the threshold of once bitten twice shy.

                Associating with operations like SkimLinks continues to taint the reputation of WordPress. Automattic may have agreements with writers who use WordPress.com, but readers who visit WordPress.com blogs have no way of knowing when they visit a WordPress.com blog that the links there have been modified by WordPress.com and SkimLinks in order to chain readers into an affiliate marketing scheme. There are no advisories on WordPress.com blogs, and SkimLinks goes so far as to purposefully disguise the fact that the modified links it creates are part of any affiliate marketing. The way that this operates behind the scenes may be regarded by Internet marketers as standard operating procedure these days, but that attitude in itself is troubling.

                The partnership between WordPress.com and SkimLinks is not fully transparent. It does have shady elements to it. Just take a look at the name “SkimLinks”, for goodness sakes. In business, the idea of “skimming” has long been associated with sneaky, unethical behind the scenes practices such as embezzlement.

                The fact that the ethically murky arrangement between Automattic and SkimLinks has repeatedly leaked into the independent web sites that use WordPress without the permission of the web site owners, and apparently even without the knowledge of Automattic itself, remains unsettling.

                Though it’s great to see the quick response from Jeremy and Egill, I will continue to be more wary of WordPress and Automattic than I was before this weekend.

                This one violation of trust was repaired, but I’m left wondering what will happen next? What new invisible plugins will be put in place at WordPress.com without reader knowledge, and when will those new plugins spill over into web sites beyond WordPress.com?

                For that matter, how much money has Automattic made from the two-week expansion of SkimLinks, without permission, into the huge number of independent web sites using WordPress 3.9.1? Will the readers who were pulled into the SkimLinks system through this non-transparent plugin from independent web sites continue to provide affiliate income for Automattic through cookies or other tags that have been implanted on reader computers? What does Automattic plan to do with this money?

                To be honest, this event has me considering the merits of returning to basic HTML. I have trust in web sites that don’t use tracking plugins, and WordPress web sites – whether they’re on WordPress.com or not – are increasingly loaded with trackers.

                When Egill writes that “I’m deeply sorry for any concerns this may have caused you,” it’s a nice apology from an individual, but will Automattic issue a broader apology? Will Automattic inform other users of WordPress 3.9.1 about the violation of their trust, and the unauthorized siphoning of their users into an affiliate marketing program? Or, is Automattic just hoping that this grave error will remain unnoticed?

                Also, it’s not “concerns” that need to be apologized for. It’s a breach of trust – and not just between Irregular Times and WordPress, but between Irregular Times and its own readers. This incident is leading me to realize that, by integrating WordPress into our web site, we are exposing our readers’ to risk. We have to trust that programmers we have never met will not, purposefully or accidentally, introduce software capable of unethically profiting from or conducting surveillance against our readers’ private activities.

                In this age of rampant government and corporate surveillance through the Internet, that risk is not something to be sniffed at.

                I’ll be talking with other Irregular Times writers today, and deciding what to do about this concern moving forward.

            • Thanks for replying, let me clear up a few more points. (Replying to my own comment, can’t reply directly to yours J Clifford)

              1. No money was made via the Skimlinks “leak”. The Skimlinks affiliate code was injected via Jetpack’s code hosted on our end, and for that we do deeply apologize, but as the affiliate code was contained in an iframe, it didn’t generate any revenue.

              2. WordPress 3.9.1 was not affected, nor was any code in your self-hosted site. This came from something on our end.

              3. Regarding “the ethically murky arrangement between Automattic and SkimLinks,” we run advertising at WordPress.com to keep the free blogs free. Skimlinks is one of those advertisers, this is fully detailed in our Terms of Service (linked in my earlier comment), and bloggers can pay a small annual fee to remove all advertising. There’s nothing “ethically murky” about our arrangement, we don’t work with ethically murky people, and we despise them as much as you do.

              • Horatio

                Egill, I don’t think you’re taking into account what happens with the READERS. The READERS of the WordPress.com blogs don’t enter into any Terms of Service, and they are provided with no notice of what’s going on at the WordPress.com blogs. They visit the pages, and they’re given links that DECEPTIVELY appear to be normal – as detailed by SkimLinks itself – while they ACTUALLY involve the reader in a revenue-generating affiliate marketing scheme.

                YOU might not regard this practice as ethically murky, but as has been noted, the very fact that this kind of secret, invisible tagging of readers is now regarded by companies such as Automattic as non-controversial and not ethically questionable is itself cause for concern.

                If Automattic and WordPress think that SkimLinks deception is no big deal, what else are you willing to unleash upon unsuspecting readers?

  • Jim Cook

    Earlier this afternoon, Jeremy Herve also wrote an e-mail and asked us to share the following contents:

    “Let me try to explain what happened and how we fixed the issue to make sure the problem doesn’t happen again.

    “To support the service (and keep free features free), we sometimes run advertisements on WordPress.com. Skimlinks is part of our advertising system on WordPress.com, and is loaded on WordPress.com blogs that do not use the No-Ads upgrade.

    “Obviously, none of this should matter when your blog is not hosted on WordPress.com. However, the Jetpack plugin you use on this site allows you to bring a lot of WordPress.com features into your self-hosted blog. Among these features you’ll find Jetpack Comments. The Jetpack Comment form replaces your regular comment form by an iFrame, and loads a comment form that is hosted on a WordPress.com site, jetpack.wordpress.com.

    “When we added the Skimlinks library to WordPress.com blogs, it was also added to jetpack.wordpress.com as well. When we found out about this bug, we added some code to remove the Skimlinks library from that particular site. It doesn’t need to be loaded there since we do not run any ads in the comment form. That library is in fact useless when loaded in a Jetpack comment form.

    “2 weeks ago, on April 24, we made some changes to the way the Skimlinks library is loaded, to fix an unrelated bug on WordPress.com sites. Unfortunately, the change caused the Skimlinks library to start appearing again on jetpack.wordpress.com, and as a result on all sites using Jetpack and the Comment form module. That’s something we overlooked when making the change.

    “After you reported the bug, one of my colleagues added some extra code to avoid loading Skimlinks, as well as any kind of Ad libraries to jetpack.wordpress.com.

    “Once the whole team is back to work tomorrow, we’ll look at the code again and make sure we took the necessary measures to prevent anything like this (not just Skimlinks) from ever happening again.

    “I hope this clarifies things. Thanks again for letting us know about the problem.”

    Although the issue of Skimlinks was highly troubling, I find the prompt communication on this issue to be admirable.

    • Bill

      “Although the issue of Skimlinks was highly troubling, I find the prompt communication on this issue to be admirable.”

      No intention to detract from the prompt responsiveness on this issue…but did I mention that I sent an email to Automattic’s CEO shortly after J posted this article?

      One of the lessons I’ve learned in a long internet lifetime: you want a quick resolution to your problem? Drop the CEO a line. How many times I’ve heard CEOs opine “make this go away!”

      • J Clifford

        Interesting, Bill. Did you get a direct response?

        Also, Bill, I’d like to hear what you think the appropriate action for Irregular Times should be from here on in. Should we reactivate the Jetpack plugin that has proven to be a carrier for SkimLinks in the past, hoping that it won’t happen again? Should we stick with WordPress but without Jetpack, or do without WordPress at all?

        Do you see alternate possibilities?

        • Bill

          You pose an interesting question, J. On the one hand I am impressed by the alacrity of Automattic’s response, and the obvious seriousness of their intent to fix the problem. On the other hand, I find the technical infrastructure of WordPress (as revealed by this incident) troubling: if I understand correctly, the SaaS (software as a service) characteristics of JetPack made it possible for one guy, changing one line of code somewhere in California, to negatively and instantly impact, what, millions of blog sites around the world? That’s pretty disturbing. Will the next guy at Automattic who changes a line of code suddenly cause blogs worldwide to be adorned with pics of Miley Cyrus twerking at the White House? Does Automattic have the common-sense (and once-upon-a-time industry standard) change control and code testing systems and procedures in place to catch such mistakes BEFORE they go live? Apparently not. That’s rather nervous-making.

          I have no experience with blogging s/w other than WordPress…heck, I couldn’t even say if there IS other s/w (although I’m sure there is). It’s a devil-you-know vs. the-devil-you-don’t-know issue. On the other hand, it’s reasonably straightforward to implement a blog-like site without commercial blogging software, using just some HTML page templates, a little CSS, a little Javascript, and a mySQL database. But that requires (modest) technical resources that Irregular Times probably doesn’t possess.

          Ya pays yer money, ya takes yer chances.

          • Bill

            What this all comes down to can be illustrated by a brief story.

            Many years ago, when I was a young and earnest EMT, we had drilled into our heads during training a checklist of things to think about when diving into an accident scene. Number One on that list was: First, make sure the accident is over! That is to say, if the victim is laying in the middle of a busy street, imperiling both himself and you, then the accident ain’t over yet, so before you start treating the vic move him to safety.

            I would suggest that the accident ain’t over yet in this instance. Yes, Automattic fixed the offending line of code. Yes, they kludged in a coupla safety checks to try to keep the exact same thing from happening again. But, alas, a kludge is exactly what this is…one can fairly smell the duct tape. Automattic needs to continue to be forthcoming with us, and with its entire customer base, by informing us of how they will fundamentally change the way they do business (by imposing better change control and code-testing processes company-wide) to keep other such accidents from happening again. Because, otherwise, they will. “Murphy willing” isn’t a real confidence builder.

            • J Clifford

              Agreed, Bill. Admitting that Automattic intends to introduce “advertising” (translation: invisible affiliate link schemes, tracking software and who knows what else) isn’t a confidence builder either. These things almost always start “opt-in”, and then slide on over to an “opt-out”, which slides over into “these are the terms, take it or leave it”.

      • Jim Cook

        Bill, a big fat explicit thanks for that. Speaking truth to the top is important. Hearing back is really noticeable.

  • Matt Mullenweg, CEO of Automattic, here. I just wanted to reinforce my colleagues comments and apologize for this bug making you appear hypocritical, which sucks, and I hope your readers appreciate it was our fault not yours. We will probably offer advertising options for Jetpack blogs at some point, but it will be explicitly opt-in. (It would have to be for us to be able to send people money.)

    It looks like you also turned off YARPP here. For what it’s worth, Jetpack also includes a related post feature that’s much lighter on your database, and also doesn’t intentionally insert any third-party trackers. Murphy-willing it won’t put in any unintentional ones in the future.

    • Jim Cook

      Matt,

      Thanks for writing back and using the word “sucks.” More honchos should use direct words like that.

      I don’t know what we’re going to do here — probably take a few days to pause and think about it before we step back in. But, and just speaking for myself here, I really notice the difference from some other interactions we’ve had. I DO think it matters that you have written back, repeatedly and in detail, and also responded in practical terms. I think of (by contrast) my attempts to communicate with Americans Elect / Unity08, whose leaders treated questions as if they were stabbings and who refused to respond to any of them. This is not an Americans Elect – like situation at all, I think, and I’m grateful for the difference.

      • J Clifford

        I also remember as contrast our interaction with the American Pork Council, who threatened us for our use of the slogan Muskrat: The Other Other White Meat.

    • J Clifford

      Matt, thanks for your attention to this issue, and your understanding of its ethical importance to us. I trust your sincerity and am aware that you come from a perspective of empowering people, and trying not to abuse them.

      I also have a sense of trust, if you can call it that, in the power of businesses motivated by profits to grow into entities that no longer hold true to the sense of ethics that shaped their founding.

      WordPress is an impressive organization, but the pressures for online businesses to push the boundaries of monetization is also impressive.

      So, Matt, you have my thanks for addressing this problem… but Automattic will also have my watchful eye in the future.

  • Alicia Navarro, CEO at Skimlinks, here. I very much understand that advertising and monetization can be sensitive subjects, and the assumption is often that advertising solutions are in some way dodgy. For what it’s worth though, Skimlinks truly tries to do good, and behave openly and with integrity. Our mission is to help websites get more fairly compensated for the role their content plays in creating intent, and we try to do it in a way that doesn’t affect the user experience as much as big display ads do. We insist in our terms of service that our publishers are open about their use of Skimlinks, and we have an active network quality team to ensure our publishers are using our technology ethically and legitimately. Automattic is great as they do disclose their use, allow users to share in the revenues, or to opt-out with a small fee. We also do not believe in injecting our service into other users’ sites without their knowledge or permission, which is why as soon as I was alerted to your post, I instantly called up my contact at Automattic to have this addressed immediately. We can also confirm what Matt says: that as Skimlinks was in an iframe we didn’t monetize any jetpack-enabled sites. You were right to raise this, thank you.

    Also, when we say we “Your links look normal, so your readers can see and trust exactly where they are going.” it is because compared to normal affiliate links that look like this:
    http://click.linksynergy.com/fs-bin/stat?id=nIYMMwtWj4s&offerid=146261&type=3&subid=0&tmpid=1826&RD_PARM1=http%253A%252F%252Fitunes.apple.com%252FWebObjects%252FMZStore.woa%252Fwa%252FviewSoftware%253Fid%253D312720263%2526mt%253D8%2526partnerId%253D30&u1=RedLaser

    we believe it is more helpful to a user to know that by clicking on this link, they will go to itunes.com. We don’t want to be deceptive, we want to be transparent about what a link’s destination is. The link’s destination isn’t affected by the fact that itunes will pay the publisher a referral commission. And we encourage publishers to be open about their use of this technology in their terms and in their normal methods of disclosing their advertising relationships. I know there will always be people that don’t like the idea of affiliate marketing or advertising solutions, and there have been a lot of players over the years that have helped to tarnish the space, but Skimlinks tries to be one of the good guys, and elevate this industry to one that can be trusted and works with reputable partners.

    • Bill

      Sorry, Alicia, but you lost me at “Our mission is to help websites get more fairly compensated….” SkimLinks is a business. It’s mission is to make money; period. There’s nothing whatsoever wrong with that (at least not in my book; I happen to be a businessperson, too), but when a CEO says otherwise one really need not listen to any further words that follow. Try speaking honestly instead.

      • If I was in it just for the money, I’d be doing something else. Yes, my role as CEO is to build a financially viable business. But what makes me enjoy it is that I get to help publishers get paid. I love the internet, and love that it has democratized information, but the implication is that the creators of that content are expected to create and supply their content for free. I think the creation of value deserves to be paid for, so I enjoy the challenge of finding ways to pay content creators without relying on traditional banner ads. You may roll your eyes, and I appreciate that what I’m writing can read as overly sentimental, but it is possible to have a meaningful mission that drives a commercial goal.

Leave a Reply

  

  

  

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>