
Trackers and Sneaky Bots In WordPress, Moving Forward

This weekend, as we were preparing for a nice Mother’s Day weekend, we came upon a nasty shock. A reader informed us that Irregular Times was exposing people to a piece of software called SkimLinks.

SkimLinks is a plugin that transforms simple html links into money-making engines for SkimLinks clients. The links include code that tags readers as belonging to the client’s affiliate program. Every time that the readers subsequently purchase from any retailer integrated with the SkimLinks affiliate programs, the client receives some money in return. Sometimes, SkimLinks also creates entirely new links of its own in bloggers’ text, leading to merchandisers who then give SkimLinks and its clients a cut of the profits. This makes it appear that bloggers endorse the merchandise being linked to, although they know nothing about it at all, and may not approve of the sites that SkimLinks sends readers to.

The really creepy part is that SkimLinks had been operating in the background of the Irregular Times web site invisibly – probably for at least two weeks. The only reason that we discovered it was that a frequent reader of ours checked Irregular Times with a browser plugin called Ghostery. Ghostery is available free of charge, but it’s invaluable, because it enables people using the Internet to finally see all the hidden pieces of software for surveillance and profiteering that are embedded in web sites. It’s not uncommon to come across a web site with 20 or more of these spammy bots lying in wait, just out of view.

SkimLinks is the kind of software we would never voluntarily place on Irregular Times, because we have created this web site as a place that is free from corporate financial influence. We also don’t regard it as ethical for a web site to use its readers as sources of financial income without letting them know what’s going on. Yet, that’s just what SkimLinks is designed to do. SkimLinks even brags that the links it creates are specially designed to appear normal, so that readers won’t know that they’re being used in a secret financial scheme.

If we didn’t put SkimLinks on Irregular Times, though, who did? At first, we assumed that a hacker had somehow placed a piece of malware on our server, but we could find no sign of that. After much searching, we finally found the culprit: WordPress, the creator of the software that facilitates the blog portion of our web site. The Jetpack plugin that is automatically installed along with WordPress had inserted SkimLinks into Irregular Times without our knowledge, without our permission, and in violation of the terms of use of WordPress software. We shut down the Jetpack software on the Irregular Times server, along with all other software that might contain any surreptitious trackers.

To their credit, the people at Automattic, the company that owns WordPress, responded quickly to our concerns about the appearance of SkimLinks on independent web sites using WordPress software. They acknowledged the problem, found the error that caused it, and told us in detail about the code they had put in place to prevent the error from recurring. The CEO of Automattic even came to Irregular Times and offered more than one apology. There was no attempt at a coverup, or a denial of responsibility. Automattic stepped up and did the right thing in dealing with the particular problem with SkimLinks. Jetpack and WordPress software would no longer be siphoning readers into affiliate programs without their knowledge, we were assured.

However, the fact remains that WordPress software creates risk for online writers and readers. Even though it’s powerful software, it requires a great deal of trust, because control over a vast range of seemingly independent blogs is actually centralized at Automattic headquarters. Though Automattic assures us that the insertion of SkimLinks plugins into independently-hosted blogs using WordPress was accidental, the fact remains that the system that quickly spread SkimLinks across the Internet without authorization, or even notification, remains in place. Automattic retains the ability to change the operation of independent WordPress blogs, integrating software without the knowledge of writers or readers. In fact, almost all of the readers and writers of web sites that use WordPress software still don’t know that they were made subject to tracking and profiteering by SkimLinks.

For this reason, it’s entirely plausible that a similar intrusion of unauthorized tracking or profiteering software will take place again. What’s more, future glitches at Automattic could expose readers and writers to far more intrusive plugins than SkimLinks.

UPDATE: As of 5/30/2014, this has in fact taken place. WordPress Jetpack software has placed KISSMetrics, tracking software with a terrible record of privacy violations, onto a huge number of independent web sites without their knowledge or permission.

Jetpack is clean and clear, we’ve been told, but the SkimLinks spillover has taught us an important lesson: When it comes to online relationships, it’s not sufficient simply to trust that everything is as it appears to be. We believe that the people at Automattic mean well, but we also note that the CEO has admitted that Automattic has plans to introduce what the company euphemistically calls “advertising” software into the Jetpack plugin. He tells us that the use of this software will be “opt in”, but even so, such an increased integration of ethically questionable software packages such as SkimLinks into the full range of WordPress blogs will make additional glitches even more likely than they are now. What’s more, we’ve seen online “opt in” programs from other companies transform into “opt out” status too many times in the past not to retain some suspicion.

So, our plan at Irregular Times is to re-engage with Jetpack, but to do so warily. We will turn the Jetpack plugin back on, but conduct regular examinations of Irregular Times with Ghostery and other tools for detecting invisible packages of software that could abuse our readers’ trust. The minute we detect a risk, we’ll shut Jetpack back down, and reconsider our use of WordPress as a whole.
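The two things the post describes – links rewritten to carry an affiliate tag or bounce through a redirect domain, and third-party scripts loading on a page the site owner never added them to – can be checked from the server side as well as with a browser plugin like Ghostery. The script below is an added example, not code from Irregular Times, Automattic or Ghostery: it parses a page's HTML, reports any script loaded from a host outside an allowlist, and flags outbound links whose query string carries an affiliate-style parameter or embeds another URL. The hostnames, the allowlist, the parameter names and the sample HTML are all constructed for illustration.

```python
"""
Added example (not from the original post): audit a page's HTML for scripts
served from unexpected hosts and for outbound links that look rewritten to
carry an affiliate tag or redirect hop. All hostnames and parameter names
below are assumptions for illustration; the sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hosts the site owner knowingly serves scripts from (assumed: the site's own
# domain plus one CDN it chose). Any other script source is reported.
ALLOWED_SCRIPT_HOSTS = {"irregulartimes.com", "fonts.googleapis.com"}

# Query parameters that commonly mark an affiliate or tracking link.
# Illustrative, not a vendor-specific list.
AFFILIATE_PARAMS = {"tag", "ref", "affid", "aff_id", "siteid"}


class PageAudit(HTMLParser):
    """Collect external script sources and (text, href) pairs for links."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.scripts = []   # script src values not on the allowlist
        self.links = []     # (visible text, href) for every <a href>
        self._in_a = None   # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # A relative src (no hostname) is served by the page's own host.
            host = urlparse(a["src"]).hostname or self.page_host
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._in_a = [a["href"], ""]

    def handle_data(self, data):
        if self._in_a:
            self._in_a[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            href, text = self._in_a
            self.links.append((text.strip(), href))
            self._in_a = None


def audit_page(html, page_host):
    """Return third-party scripts and outbound links that look rewritten."""
    parser = PageAudit(page_host)
    parser.feed(html)
    findings = {"third_party_scripts": parser.scripts, "suspicious_links": []}
    for text, href in parser.links:
        u = urlparse(href)
        host = u.hostname
        if not host or host == page_host:
            continue  # internal link, not of interest here
        q = parse_qs(u.query)
        # Flag a link whose query carries an affiliate-style parameter, or
        # whose query embeds a full URL (the signature of a redirect hop).
        tagged = AFFILIATE_PARAMS & set(q)
        redirects = any(v.startswith("http") for vals in q.values() for v in vals)
        if tagged or redirects:
            findings["suspicious_links"].append(
                {"text": text, "href": href, "host": host})
    return findings


# Constructed sample page: one first-party script, one unexpected third-party
# script, one plain outbound link and two rewritten links (assumed hostnames).
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://tracker.example-affiliate.net/js/loader.js"></script>
</head><body>
<p><a href="https://www.senate.gov/">Senate</a></p>
<p><a href="https://go.example-redirect.com/?id=123&url=https://shop.example/item">a nice book</a></p>
<p><a href="https://shop.example/item?tag=blog-20">another book</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, "irregulartimes.com")
    for src in result["third_party_scripts"]:
        print("third-party script:", src)
    for f in result["suspicious_links"]:
        print("rewritten link:", repr(f["text"]), "->", f["host"])
```

Run against a page fetched from your own site on a schedule and diff the output against the previous run; a new entry under either list is exactly the kind of change the post describes, and it shows up server-side without waiting for a reader to notice it in Ghostery. The allowlist approach matters more than the parameter list: an unknown script host is a finding even when the link heuristics miss a particular vendor's rewriting scheme.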

We will also, in the meantime, go back to building some of our pages in plain old HTML, outside of WordPress or any similar software package. For example, we’ve created a page that links to online resources available to people who are seeking to get involved in the movement to elect Bernard Sanders President in 2016. We could have created the page using WordPress, but basic HTML seems a better fit for activism that involves Senator Sanders, given the way that Sanders himself avoids financial entanglements with secretive systems of corporate financing.

In addition, if any of our readers notice any strange bits of software operating surreptitiously at Irregular Times, please let us know. We still believe in the old ethic of the Internet – that people should be able to enjoy the enhanced ability to communicate and learn that the online world enables, without always having to look over their shoulders or censor themselves out of fear that their activities are being watched or being used dishonestly.

4 thoughts on “Trackers and Sneaky Bots In WordPress, Moving Forward”

  1. Bill says:

    It’s ironic, but sometimes it is success that kills you. Automattic has raised nearly a third of a billion dollars in investment, most recently including a whopping $160 million Series C round just this month. Don’t get me wrong: I’m not saying this is bad, or evil, or selling out. Heck, I make my living in part by helping companies do this same sort of thing. What I am saying is that those investors chipped in because they believe Automattic has huge revenue potential ahead of it in the near term. And so now the company has to stand and deliver, monetizing everything they can think of in order to deliver outsized profits (likely with the goal of either making itself an irresistible acquisition target or going public). That’s a lot of pressure. Under that kind of pressure, Stuff Will Happen. We have seen, for instance, how quickly Sergey Brin went from “don’t be evil” to “hey, can’t you guys find any more kinds of evil we can be?” And he’s certainly not alone.

    Let’s hope Automattic dodges that bullet. But let’s not depend on it.

  2. J Clifford says:

    It’s making financial success the primary measurement of success that’s the problem. Good enough isn’t easy to defend any more. So much of Web 2.0 has turned from empowerment to exploitation that I wouldn’t be surprised if the bubble pops within the next few years, at a scale that will make the Internet crash of the late 90s look tiny in comparison.

  3. Bill says:

    I can’t help but notice that, following its initial burst of responses, Automattic seems to have gone dark on us, failing to respond to the larger issues pointed out here. Hopefully they’re just taking the time to reflect and to thoughtfully formulate policy, ’cause the accident ain’t over yet, folks.

    1. J Clifford says:

      We can’t know what they’re up to behind closed doors, but we can watch their public actions, and report what we see.
