Are WordPress And Automattic Purposefully Sneaking Surveillance Bots Into Jetpack For Self-Hosted Bloggers?
The people at Automattic and WordPress have a right to be proud of their software. WordPress is a strong piece of software that enables large numbers of people to put nice-looking web sites online quickly and affordably. That serves the cause of democracy, supporting an informed and active citizenry. At Irregular Times, we have been happy users of WordPress for years.
This month, however, our experience with WordPress has taken a strong downturn. We are seeing signs of growing trouble at WordPress.
Three weeks ago, just five days after WordPress owner Automattic announced that it had secured $160 million in funding from investors interested in making WordPress more profitable, we discovered that a piece of software called Skimlinks had been invisibly slipped onto IrregularTimes.com. A WordPress plugin package called Jetpack, which automatically comes with new WordPress installations, was the culprit.
Skimlinks software gathers information about where readers go, and what they buy, spying on their private reading activity. Skimlinks surreptitiously converts links into moneymaking devices, giving Skimlinks users a share of the profits made when people buy things online. Skimlinks even automatically creates new links that articles’ authors never intended to make, for no other purpose than to redirect readers into financial schemes, and to gather more data on them.
When we found out that Skimlinks had been placed into Jetpack, we researched the problem and discovered that other WordPress users had reported the same violation six months beforehand. WordPress claimed to have fixed the problem then, but here it had popped up once again. We contacted WordPress, which to its credit got back in touch with us through several staff members, including Automattic CEO Matt Mullenweg. They told us that the insertion of Skimlinks was an honest mistake, explained some aspects of the problem, and promised that the problem would not be repeated. We turned the Jetpack plugin back on, and hoped for the best.
Now, less than three weeks later, another piece of surveillance software has suddenly appeared in the WordPress software package. This time, it’s Kissmetrics, a piece of surveillance software that not only tracks where our readers go, but also combines that information with data available from other sources of personally identifiable information to create detailed profiles, compiling and analyzing their private, personal activities, so that the information can be used to commercially target real people. If the NSA happens to scoop up your Kissmetrics data, then the information goes into the national security database as well. “KISSMetrics takes analytics to another level,” writes FastCompany, “enabling businesses to build out customer funnels and group website visitors into cohorts based on common actions and triggers.”
Kissmetrics is not the kind of company that inspires trust. In 2011, Kissmetrics was hit with a class action lawsuit for abusive practices invading the privacy of Internet users. Kissmetrics created cookies (bits of tracking code) that could not be deleted by web site users. The case was settled out of court.
I double-checked to make sure that Kissmetrics had not appeared on just one of our articles, due to something like surreptitious code inserted into a link. I went through all of our plugins to make sure that we had not inadvertently placed Kissmetrics on our site. The search led to the same conclusion as with Skimlinks. It was Jetpack that was responsible for inserting surveillance software, without our permission, onto Irregular Times.
WordPress tells its users that the software is open for them to inspect. It promises to adhere to a fourfold Bill of Rights: the freedom to run the program, for any purpose; the freedom to study how the program works, and change it to make it do what you wish; the freedom to redistribute; and the freedom to distribute copies of your modified versions to others.
In practice, it’s difficult for readers, much less web site owners, to fully investigate what WordPress software is really doing. Quite a bit of technical know-how is required to sleuth through what’s actually going on with a WordPress package. I only discovered that WordPress had put Skimlinks and Kissmetrics onto Irregular Times because I use Ghostery, a browser plugin that scans for surveillance software as people browse the web.
Given that readers and online publishers don’t all have the time or skills required to do a weekly review of changes to WordPress software, we need to trust that WordPress isn’t sneaking software into independent web sites in order to invade readers’ privacy. We now have three independent cases within half a year in which the Jetpack plugins integrated into WordPress have placed unauthorized tracking packages onto independent web sites, gathering information about personal activities without letting anyone know what’s going on. WordPress update notices don’t tell us that this has been happening. Neither do user agreements that accompany WordPress installations.
Is this being done purposefully? I don’t know the answer to that, but the implications are disturbing, whether or not the introduction of Kissmetrics surveillance software into WordPress Jetpack software was done intentionally. The possibilities are:
1. That WordPress has poorly designed software that frequently allows profiteering surveillance software to pop up without authorization onto independent web sites, despite repeated attempts by Automattic software experts to repair the problem.
2. There is a malicious hacker who has infiltrated WordPress and purposefully sent unauthorized tracking software out into independent web sites across the Internet through WordPress but without its knowledge.
3. In order to show profit for its new investors, people at WordPress are purposefully experimenting with secretly placing tracking software on independent web sites that use WordPress software.
I don’t know which one of these is the case. I do know that Irregular Times can’t trust the Jetpack package of plugins from WordPress to respect the privacy of our writers and readers. I’ve talked with the other Irregular Times writers, and we’ve agreed to close down the Jetpack plugins. Doing so will make the operation of the web site simpler, and maintain trust with our readers. We are frequent critics of efforts by the federal government and corporations to invade people’s privacy through Big Data systems that combine surveillance with commercial data mining. It would be hypocritical of Irregular Times to allow WordPress to continue to use Jetpack to insert surveillance software onto our web site without our permission and without the knowledge of our readers.
The problem is bigger than Irregular Times, of course. As Automattic itself brags, “WordPress powers more than 17% of the web – a figure that rises every day.” There are an immense number of web sites that have unwittingly been exposing their readers to surveillance from Skimlinks and Kissmetrics, and perhaps other surveillance bots as well.
Many of the web sites that have been violated by invisible infiltration by Skimlinks and Kissmetrics through WordPress contain politically, culturally, or personally sensitive information. The people who read these sites often form networks of dissent that rely on anonymity in order to operate effectively. WordPress has allowed Skimlinks and Kissmetrics to gather information about these private activities, keeping records of who people interact with across different web sites. The likelihood that government surveillance programs will sweep up this corporate Big Data into the NSA’s own databases, despite the scanty fig leaf of protection provided by the USA FREEDOM Act, makes the violation even more serious.
Put into the wrong hands, the information that has been gathered surreptitiously through independent web sites using WordPress could be used as a tool of political control.
I will be contacting Automattic once again in order to inform them of the unauthorized insertion of Kissmetrics into our web site’s WordPress system. I will ask for an explanation of the violation, and detailed information about what WordPress will do to correct the situation. I will post that information on Irregular Times when it becomes available.
Whatever kind of response I get, Irregular Times will not be turning the Jetpack plugin on again. We were promised before, not even a month ago, that steps had been taken at WordPress to ensure that this kind of error would not happen again. We can see that such promises aren’t worth much.
Trust in WordPress has been broken.
Update: Three days after I submitted a request for a response and remedy from WordPress (read it here), we have been contacted by Jeremy Herve from WordPress, but he says that he has been unable to replicate the problem.
It appears that something happened to allow KissMetrics software to slip onto independent web sites for a time, before disappearing again. It’s not known, then, when KissMetrics might rear its head again.
It would be helpful, therefore, for independently hosted web sites running WordPress software to check their sites with plugins like Ghostery, and leave messages here if they observe KissMetrics popping up again. This KissMetrics spectre needs to be nailed down.
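For site owners who would rather not rely on a browser extension alone, the same check can be scripted. The example below is added here and is not code from Irregular Times, Automattic or Jetpack: it parses a page's HTML, lists every host that the page pulls scripts, images, frames or stylesheets from outside the site's own domain, and then diffs two snapshots of the page, which is the method used in this post (capture the page with Jetpack off, capture it again with Jetpack on, and see which hosts appeared). The page URL, the HTML and the tracker hostnames are constructed for the example, not taken from any real site. Note the limitation: this looks only at the HTML as served, so a tracker that is injected later by another script will not show up here, which is exactly where a runtime tool like Ghostery earns its keep.

```python
"""Inventory the third-party hosts a page loads, and diff two snapshots.

Added example for checking a self-hosted site for unexpected trackers.
Hostnames and HTML below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that cause the browser to fetch a URL.
# Inline <script> bodies are not inspected; see the note above.
_URL_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetchable resource on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = _URL_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # urljoin resolves "/path", "../x" and "//host/x" against the page URL
                self.resources.append((tag, urljoin(self.base_url, value)))


def _registrable(host):
    # Crude "last two labels" rule; fine for example.org-style names.
    # A production tool would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(html, page_url):
    """Sorted (tag, host) pairs for resources served from outside the page's own domain."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    own = _registrable(urlsplit(page_url).hostname)
    found = set()
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if host and _registrable(host) != own:
            found.add((tag, host))
    return sorted(found)


def new_third_parties(baseline_html, current_html, page_url):
    """Hosts in the current snapshot that the baseline (e.g. plugin off) did not load."""
    before = {host for _, host in third_party_hosts(baseline_html, page_url)}
    after = {host for _, host in third_party_hosts(current_html, page_url)}
    return sorted(after - before)


# --- constructed sample data -------------------------------------------------
PAGE_URL = "https://www.example.org/2014/06/some-post/"

# Snapshot taken with the plugin deactivated: own theme assets plus one font CDN.
BASELINE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/blog/style.css">
<link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Serif">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<img src="/wp-content/uploads/banner.png" alt="banner">
<script>var inlineConfig = {};</script>
</body></html>
"""

# Snapshot taken with the plugin active: two extra hosts have appeared.
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="//js.tracker-analytics.example/tracking.js"></script>\n'
    '<img src="https://beacon.tracker-analytics.example/pixel.gif" width="1" height="1">\n'
    "</body>",
)

if __name__ == "__main__":
    print("Third parties in baseline:", third_party_hosts(BASELINE_HTML, PAGE_URL))
    print("Third parties now:       ", third_party_hosts(CURRENT_HTML, PAGE_URL))
    print("Newly appeared hosts:    ", new_third_parties(BASELINE_HTML, CURRENT_HTML, PAGE_URL))
```

To use it against a live site, save the page source once with the plugin deactivated and once with it activated (a plain `curl -s URL` is enough, since a logged-out fetch sees what readers see), then pass the two files to `new_third_parties`. Any host in the result that you did not put there yourself is the thing to ask the plugin author about.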
I have temporarily reactivated Jetpack this morning to confirm that the KissMetrics software is actually there, and as this new screenshot shows, it is.
This was on Jetpack version 2.9.3. Jetpack was updated to 3.0.1 two weeks ago. I updated to 3.0.1, in the hopes that whatever had allowed KissMetrics to appear on Irregular Times would disappear. It didn’t. As the final screenshot on the left shows, at 8:16 this morning, with 3.0.1 installed, KissMetrics was still there.
Jetpack remains on, temporarily, until Jeremy Herve visits the site to confirm what I’m seeing through my own browser. As soon as he visits, we will turn Jetpack back off, and restore your privacy. In the meantime, we urge you to opt out of KissMetrics surveillance.