Sign Up and We’ll Share Your Email
To most people it is probably no surprise that their behavior might be tracked. For example, when they click on an advertisement or visit a website and blindly accept cookies. When signing up for a new service, however, users do not expect that their email address is automatically shared with others. And nor should they. Security researcher Zach Edwards – who also contributed to a recent Norwegian study that revealed that dating apps like Tinder and Grindr were in breach of the GDPR – discovered that millions of email addresses were being leaked to advertising and data analytics companies. Zach Edwards calls the leaks “breaches” as email addresses also count as personal information. In some cases, data was sent in plain text. In other instances, the simple base64 encoding was used. This only protects data on the surface. Consequently, this information can easily be decoded. Among the organizations included in Zach Edward’s research are many popular websites and some reputable organizations. Examples are Wish, JetBlue, Washington Post, MailChimp’s Mandrill and NGPVan. But there are many more. “They have hundreds of millions of emails and real users between them”, Zach Edwards clarified. So far, only Wish, MailChimp and The Washington Post have taken his report seriously. Most other organizations did not even respond. Only a few have taken further actions to remedy the leak.
Data Used to Complete Personal Profiles and Target Users
“Most popular websites on the internet are using 3rd party analytics and advertising Javascript code”, said Zach Edwards. “Depending on how a website sets up their marketing systems, typically email systems and new user signup flows, the user emails can accidentally and/or purposefully leak to companies across the global data supply chain.” The details are passed in “request headers” sent through a web browser. “This data can include what page a user is visiting, what type of device and browser they are using, their location, and other forms of fingerprinting, cookies, URL querystring or URL parameters that are used by advertising and analytics companies.” This data helps companies create or complete personal profiles and target users. As a result, they can show specific advertisements that are relevant to those users or are in line with their browsing patterns. People who use browsers like Safari, Firefox and Brave are better protected. This is because these browsers stop JavaScript and Cookies by default. Chrome users however have to pro-actively block JavaScript. Alternatively they can install Chrome’s Ad Blocker extension to prevent this leak from occuring.
The Worst Offenders
“Out of all the data breaches in this research, the Quibi research is the hardest to swallow due to how new this organization is, and how much money they had to push into their marketing and advertising to grow new users,” Zach Edwards commented. Mobile streaming service Quibi was launched as recently as April 6, 2020. This is long after new data privacy regulations such as the European GDPR and California’s CCPA went into effect. “In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies — yet that’s what Quibi apparently decided to do.” The biggest leak, however, came from e-commerce site Wish.com. From July 2018 until January 2020, Wish probably transmitted hundreds of millions of user emails. “When users clicked on any marketing emails from Wish, their email was appended to the URL for any page/product-page they clicked from the marketing emails from Wish, and then when the user visited the Wish page, their email in base64 format was transmitted to Wish’s 3rd party advertising and analytics partners.”
What’s Next?
Zach Edwards believes there should be an easy way for individuals who use any of the above-mentioned services to request that their data be deleted. Unfortunately, it will be difficult for organizations to ensure and know whether data sent to 3rd party partners has been deleted. “All organizations should be extremely careful about 2-step forms, email tracking that appends encoded or plain text emails into URLs, and any process that “syncs a user email” to a 3rd party company”. Zach Edwards added. “This process is almost assuredly not described properly in Terms of Service and Privacy Policies for organizations, and it’s obviously not a process that most users expect to occur.”