Technology, Thoughts & Trinkets

Touring the digital through type

Weebly, Analytics, and Privacy Violations (Updated II)

Failing StreetThose who create and author technical systems can and do impose their politics, beliefs, and inclinations onto how technology is perceived, used, and understood. On the Internet, this unfortunately means that the technically savvy often recommend choices to users who are less knowledgeable. A number of these recommendations are tainted by existing biases, legal (mis)understandings, or stakeholder gamesmanship. In the case of website development firms, such as Weebly, recommendations can lead users to violate terms of service and legal provisions to the detriment of those users. In essence, bad advice from firms like Weebly can lead to harms befalling their blissfully ignorant users.

In this short post, I talk about how Weebly blatantly encourages its customers to conduct surveillance on websites without telling them of their obligations to notify website visitors that surveillance is being conducted. I also note how the company deceives those visiting Weebly’s own properties by obfuscating whether information is collected and who is involved in the collection of visitors’ data. I conclude by briefly noting that Google ought to behave responsibly and publicly call out, and lean on, the company to ensure that Google’s Analytics product is used responsibly and in concordance with its terms of service.

What is Weebly Doing?

Weebly is a company driven to help people get online. To this end, they provide an easy to use interface that lets Weebly customers create websites. Its day-to-day functionality in designing and creating webpages have already been reviewed, so that’s not going to be something I address. Instead, I identify two problems: First, how the company instructs users to use Google Analytics; second, the company’s failure to disclose that they are applying Google Analytics to their users’ webpage without imposing privacy notices on users’ sites that disclose this practice.

When you sign up for a Weebly account, you can quickly learn how to start using Google Analytics to track your visitors by clicking on the prominently displayed ‘Support’ tab, and subsequently navigating to ‘Stats & SEO’ and ‘Add Google Google Analytics to a Site.’ Once there, customers are guided through the process of registering for a Google account, getting the code required to run Google Analytics and how to to paste the code into the Weebly website design wizard. Nowhere are Weebly customers informed that Google requires Analytics users to post a privacy policy, nor is there any suggestion that Google requires a particular bit of legalese before a user can legitimately run the product. I contacted Weebly last month and requested that they modify their FAQ to inform users that they needed to create a privacy policy when running Google’s product. Weebly has yet to respond. All the company would need to do is add the following line to their present support page:

Before publishing your website, you will also need to create a privacy policy to notify visitors that you are using Google Analytics. To do this, you will need to add another page (see the Create a New Page knowledge base article on how to do this), ensure that it is prominently displayed, and insert the following statement:

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

Since I discovered what Weebly was(n’t) doing, I’ve contacted a variety of users who have followed the company’s instructions to install the Analytics product but whom had no idea that any kind of privacy policy or legal language was required to use the product. While it is disappointing that the company has yet to respond to me, change their privacy policy, or notify their users, it is perhaps unsurprising. Weebly themselves obfuscates their usage of the Google Analytics service. I identified their usage of Google Analytics by navigating around the Weebly website in Firefox with the Ghostery plugin installed after I had logged into their service. (Curiously, non-logged in users are also tracked by Google Analytics on the Weebly support page though not necessarily on other elements of the public website.) In their privacy policy, the company notes that:

Weebly may automatically receive and record information on our server logs from your browser, including your IP address, cookies, and the pages you request. We also may collect other use information as part of our analytics services, in order to improve the service.

Of course, this statement suggests that the company may not automatically receive and record the information. Clearly this is not the case, unless they decide to configure their systems to intentionally discard the information. ‘May’ then comes to mean ‘technically it is a possibility that we would not collect information, despite our lack of intentions to do that.’ It is, in effect, a term used to misguide anyone who actually reads their privacy policy. Moreover, they never once mention that at least some element of their analytics services are actually third-party owned and controlled. This is not a small matter, as Google themselves states that they may further transfer collected data to third-parties; users are not just entering an agreement with Weebly but with Google as well, though they never know that Google is a member of the user-Weebly relationship. Neither the Weebly support page, nor pages shown to logged in customers, have a separate privacy notice that indicates that the company is using Google’s third-party analytics engine. Consequently, users are not well informed about the surveillance that is being conducted and cannot reasonably consent to the surveillance on grounds that they lack the knowledge to consent. Further, no user can ever agree with Google’s statement that the company “may collect other use information as part of our analytics services, in order to improve the service.” In effect, we have a large and growing Web 2.0 company that seems to be intentionally misguiding its visitors and ‘educating’ its user base to similarly misguide their visitors.

This ‘misguidance’ is compounded by their possession of a TRUSTe privacy seal. The seal is intended to demonstrate the company’s commitment to privacy, though as discussed by Bennett and Raab (2006) “there is no provision in the TRUSTe program for an onsite examination of a site’s privacy practices as a precondition for receiving the TRUSTe mark. In the case of a privacy violation, licensee sites are contractually liable to a more comprehensive examination of its privacy practices. A TRUSTe-designated public accounting firm will then investigate the alleged violations. However, this comprehensive examination is only performed “for cause” at TRUSTe request in response to formally stated concerned about a licensed site’s compliance with the TRUSTe requirements” (165). In aggregate, Weebly is intentionally, and actively, contributing to not just the surveillance of visitors to its properties, but to masking its actual business practices whilst representing itself as a ‘privacy friendly’ corporation.

Of course, even if a Weebly customer does not sign up to Google Analytics that customers’ website visitors will regardless be monitored using the Google product. In my test, using the website ‘testingprivacy.weebly.com‘ and Ghostery, I found that both Google Analytics and Quantcast were in operation as soon as the site was published. I never added the required Analytics code, nor the Quantcast code, to the website. Both were running and transmitting data about visitors’ use patterns without any notice to those users or notification to site owners that such surveillance was taking place. Thus, not only could visitors not realize what was going on, but site owners themselves were not notified. This is clearly unethical behaviour that, at the very least, violates Google’s own terms of service. Specifically, any and all websites that run Google’s Analytics product must include a privacy policy that is placed in a “prominent position.” Moreover, the owner must use “reasonable endeavours” to bring the policy (and Google’s required text) to the website’s users. Weebly is not doing this on their users’ website and, thus, is arguably violating the terms of service that Google lays out for using the Analytics service. As far as I can tell, Quantcast lacks requirements similar to Google, and thus authorizes the use of Quantcast surveillance without requiring notice to website visitors.

Google Needs to Step Up

Weebly is not a small organization. The company’s web development platform is reportedly used by over 7 million people and has previously been recognized as one of Time’s top 50 websites. While Google could be excused for not noticing when individuals or small organizations are misusing their products, this is a case where a medium-to-large sized organization is flagrantly deceiving their users about the deployment of  a Google product. Google should step up and begin monitoring for such violations and in Weebly’s case put a moratorium on delivering statistics to the company on the basis that Weebly has already mislead users about the tracking mechanisms the company deploys. Further, Google should only enable Analytics for Weebly users if those users have published a privacy policy on their website.

Would this process be more onerous than Google’s current ‘please read a lot of legal text and then add something to your website’ whilst relying on ‘Scout’s honour’? Yes. Would doing so contribute to making people a little more aware of the magnitude of online surveillance? Yes. Would such an action comply with the Google’s mantra of ‘Do no evil?’ Yes.

Now, will a privacy policy stop people from using Analytics engines? Of course not, and that’s not the point. From a pedagogical point of view, the value of creating a privacy policy is that it makes website developed briefly reflect on their own data collection, retention, and analysis processes. They become aware of what it means to be engaged in surveillance. There isn’t anything necessarily wrong with using Analytics, but if people feel ‘awkward’ publishing a privacy policy on the basis that they don’t want visitors to know surveillance is being conducted then those same people should reflect on whether they even want to monitor their web visitors. True, this moment of reflection might be brief, and the depth of reflection quite shallow, but the simple awareness of one’s engagement in online surveillance establishes a helpful baseline from which subsequent discussions about online surveillance can be launched. While there is a pedagogical moment for otherwise ignorant users, when businesses are conducting deceptive practices the brunt of the law ought to be brought to bear and punishment meted out.

Google demands that a very low baseline be met as a condition of using Analytics to surveil web visitors: the company should be obliged to ensure that the baseline is met and, where it isn’t, apply consequences for violating Google’s terms of service. If Google can take a hard line on pseudonyms on their social networking service, why can’t they take a similar line concerning the use of the company’s older Analytics product?

Update (I)

David Rusenko, Weebly’s CEO, contacted me on August 16, 2011. Since I posted this piece, the company has modified a clause in their privacy policy to indicate that they will, and are, collecting information from web browsers and storing the information. The updated clause reads:

Weebly automatically receives and records information on our server logs from your browser, including your IP address, cookies, and the pages you request. We also collect other use information as part of our analytics services, in order to improve the service. However, we do not link such information to any personally identifiable information you submit while on our site.

Thus far this is the only change that has been made to the company’s privacy policy. I still do not believe that customers or visitors will read the following clause and realize that the company uses a third-party analytics engine (Google Analytics) to monitor online transactions, nor am I certain that this meets Google’s own requirements.

Weebly may use or share your personal information where it is necessary to complete a transaction, to operate or improve the Weebly products and services, or to do something that you have asked us to do. We use other third parties such as a credit card processing company to bill you for goods and services. These third parties are prohibited from using your personally identifiable information for promotional purposes.

This said, the company has stated to me that they will update their support page on setting up Google Analytics. Specifically, they will include instructions on constructing a privacy policy, to the advantage of those users who are simply following the company’s guidance. As for Weebly’s usage of Google Analytics and Quantcast on their customers’ websites, they intend to “make progress” in this area but maintain that this will take time given that it could significantly impact the design of their customers’ websites (i.e. adding privacy policies to each page). I look forward to seeing this progress.

I hope that the company makes further strides by modifying their privacy policy to indicate to visitors that Google Analytics and other third-party monitoring systems are in use. I also hope that Weebly fully commits to making prominent the use of similar monitoring systems on their customers’ web pages. As changes occur – further modifications to the privacy policy, updates to the support page on setting up analytics, and impositions of privacy policies on their customers’ web pages – I will update this post.

Update (II)

Since my last update, Weebly has further modified their privacy policy to clearly indicate that they are using Google Analytics. They have specifically added a section titled “Google Analytics” and include the language required by Google. This is an excellent step forward and makes very clear to their visitors that the company is using the third-party analytics system.

Book Source

C. J. Bennett and C. D. Raab. (2006). The Governance of Privacy: Policy Instruments in Global Perspective. Cambridge, Mass.: The MIT Press.

1 Comment

  1. I am not happy with the blunder Weebly has done. I had 5 interlinked sites for my companies and they are vital for my business.

    Suddenly all the websites are not working and when I inquired on the supportline they said that they terminated my account due to violation of terms & conditions. I went through the TOC but couldnt figure our what have I done wrong.

    As a professional organization, Weebly should have sent a warning before taking down the site. To the best I understand I have done everything right according to the TOC. And its a shame that I cannot recover my work or contents. I feel like weebly has stolen my years of professional work and left me and my company in the dark. So much for an organization who says they help small timers to build up.

    Please Weebly reply to my last mail and answer as to what I have done wrong and where I have Violated your TOC. At least I can make sure I dont make that mistake again and share it with others. And Please let me recover my content as they are years of hard work and I’m lost without them.

    My username is lienkay

    Sad & Disappointed

Leave a Reply

Your email address will not be published.

*