Trackers and Sneaky Bots In WordPress, Moving Forward
This weekend, as we were preparing for a nice Mother’s Day weekend, we came upon a nasty shock. A reader informed us that Irregular Times was exposing people to a piece of software called SkimLinks.
SkimLinks is a plugin that transforms simple HTML links into money-making engines for SkimLinks clients. The links include code that tags readers as belonging to the client’s affiliate program. Every time that the readers subsequently purchase from any retailer integrated with the SkimLinks affiliate programs, the client receives some money in return. Sometimes, SkimLinks also creates entirely new links of its own in bloggers’ text, leading to merchandisers who then give SkimLinks and its clients a cut of the profits. This makes it appear that bloggers endorse the merchandise being linked to, although they know nothing about it at all, and may not approve of the sites that SkimLinks sends readers to.
The really creepy part is that SkimLinks had been operating in the background of the Irregular Times web site invisibly – probably for at least two weeks. The only reason that we discovered it was that a frequent reader of ours checked Irregular Times with a browser plugin called Ghostery. Ghostery is available free of charge, but it’s invaluable, because it enables people using the Internet to finally see all the hidden pieces of software for surveillance and profiteering that are embedded in web sites. It’s not uncommon to come across a web site with 20 or more of these spammy bots lying in wait, just out of view.
SkimLinks is the kind of software we would never voluntarily place on Irregular Times, because we have created this web site as a place that is free from corporate financial influence. We also don’t regard it as ethical for a web site to use its readers as sources of financial income without letting them know what’s going on. Yet, that’s just what SkimLinks is designed to do. SkimLinks even brags that the links it creates are specially designed to appear normal, so that readers won’t know that they’re being used in a secret financial scheme.
To their credit, the people at Automattic, the company that owns WordPress, responded quickly to our concerns about the appearance of SkimLinks on independent web sites using WordPress software. They acknowledged the problem, found the error that caused it, and told us in detail about the code they had put in place to prevent the error from recurring. The CEO of Automattic even came to Irregular Times and offered more than one apology. There was no attempt at a coverup, or a denial of responsibility. Automattic stepped up and did the right thing in dealing with the particular problem with SkimLinks. Jetpack and WordPress software would no longer be siphoning readers into affiliate programs without their knowledge, we were assured.
However, the fact remains that WordPress software creates risk for online writers and readers. Even though it’s powerful software, it requires a great deal of trust, because control over a vast range of seemingly independent blogs is actually centralized at Automattic headquarters. Though Automattic assures us that the insertion of SkimLinks plugins into independently-hosted blogs using WordPress was accidental, the fact remains that the system that quickly spread SkimLinks across the Internet without authorization, or even notification, remains in place. Automattic retains the ability to change the operation of independent WordPress blogs, integrating software without the knowledge of writers or readers. In fact, almost all of the readers and writers of web sites that use WordPress software still don’t know that they were made subject to tracking and profiteering by SkimLinks.
For this reason, it’s entirely plausible that a similar intrusion of unauthorized tracking or profiteering software will take place again. What’s more, future glitches at Automattic could expose readers and writers to far more intrusive plugins than SkimLinks.
UPDATE: As of 5/30/2014, this has in fact taken place. WordPress Jetpack software has placed KISSMetrics, tracking software with a terrible record of privacy violations, onto a huge number of independent web sites without their knowledge or permission.
Jetpack is clean and clear, we’ve been told, but the SkimLinks spillover has taught us an important lesson: When it comes to online relationships, it’s not sufficient simply to trust that everything is as it appears to be. We believe that the people at Automattic mean well, but we also note that the CEO has admitted that Automattic has plans to introduce what the company euphemistically calls “advertising” software into the Jetpack plugin. He tells us that the use of this software will be “opt in”, but even so, such an increased integration of ethically questionable software packages such as SkimLinks into the full range of WordPress blogs will make additional glitches even more likely than they are now. What’s more, we’ve seen online “opt in” programs from other companies transform into “opt out” status too many times in the past not to retain some suspicion.
So, our plan at Irregular Times is to re-engage with Jetpack, but to do so warily. We will turn the Jetpack plugin back on, but conduct regular examinations of Irregular Times with Ghostery and other tools for detecting invisible packages of software that could abuse our readers’ trust. The minute we detect a risk, we’ll shut Jetpack back down, and reconsider our use of WordPress as a whole.
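A site owner can script part of the regular examination described above. The following is an added example, not Irregular Times' or Automattic's own tooling: it lists every host a saved copy of a page tells the browser to load from and reports the ones missing from an allowlist. All host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes a browser fetch something when the page loads.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

# Constructed sample page; every host name here is a made-up placeholder.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/site/style.css">
<script src="//s.affiliate-rewriter.example/loader.js"></script>
</head><body>
<img src="https://blog.example/wp-content/uploads/photo.jpg">
<script src="https://stats.wp.example/e.js"></script>
<img src="https://pixel.analytics-vendor.example/t.gif?u=1" width="1" height="1">
</body></html>
"""

class ResourceCollector(HTMLParser):
    """Collects (tag, host) for every resource URL found in the markup."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # urljoin resolves relative and protocol-relative ("//host/x") URLs.
            host = urlparse(urljoin(self.base_url, value)).hostname
            if host:
                self.found.append((tag, host.lower()))

def is_allowed(host, allowed_hosts):
    # Match the exact host or a true subdomain, never a bare suffix.
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def audit(html, base_url, allowed_hosts):
    """Return {host: [tags]} for hosts the page loads from but nobody approved."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    report = {}
    for tag, host in collector.found:
        if not is_allowed(host, allowed_hosts):
            report.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in report.items()}

if __name__ == "__main__":
    for host, tags in audit(SAMPLE_HTML, "https://blog.example/",
                            {"blog.example", "wp.example"}).items():
        print(f"unapproved host {host} loaded via {', '.join(tags)}")
```

A scan of served markup only sees what is in the HTML itself; resources that a script pulls in after the page loads still need a browser-based check such as Ghostery.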
We will also, in the meantime, re-establish some of our use of pages that use plain old HTML, outside of WordPress or any similar software package. For example, we’ve created a page that links to online resources available to people who are seeking to get involved in the movement to elect Bernard Sanders President in 2016. We could have created the page using WordPress, but basic HTML seems a better fit for activism that involves Senator Sanders, given the way that Sanders himself avoids financial entanglements with secretive systems of corporate financing.
In addition, if any of our readers notice any strange bits of software operating surreptitiously at Irregular Times, please let us know. We still believe in the old ethic of the Internet – that people should be able to enjoy the enhanced ability to communicate and learn that the online world enables, without always having to look over their shoulders or censor themselves out of fear that their activities are being watched or being used dishonestly.