Quibi has changed its signup process in response to allegations that it shared users’ email addresses with a range of third-party organizations, including advertising and analytics sectors of Google, Facebook, Snapchat, and Twitter.
According to an April 29 report from Zach Edwards, founder of analytics consulting firm Victory Medium, when a new Quibi user signed up for an account and confirmed their email address, that address was automatically being shared without users’ knowledge or consent.
Data is also shared through a common analytics tool known as an HTTP referer. When you browse the internet and click on a link, the referer embedded in that link sends a request–and information about you, like geographical location–to the server that hosts the webpage you’re trying to visit. In some cases, though, that outgoing ping can go not only to the host server, but to third parties.
They (and Quibi) could then use those addresses to track users’ activity across the web, collecting more information all the while. The practice is “a sloppy and dangerous growth hack that is used to improve attribution tracking for analytics tools and used to optimize and segment retargeting advertising campaigns,” Edwards alleges.
He acknowledged that these kinds of data leaks can happen accidentally, but alleged that “it’s an extremely disrespectful decision to purposefully leak all new user emails to your advertising partners, and there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped to architect this user data breach.”
Quibi disagrees on both counts. It was unaware of the leak despite rigorous engineering and security testing, it tells Tubefilter, and was not informed about issues until April 28. “The moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately,” a spokesperson says.
Edwards concludes that companies like Quibi should publicly post the names of all advertising and analytics vendors that could’ve received their users’ email addresses. They should also issue deletion requests to those vendors, and ensure their processes are not sending data–accidentally or on purpose–to third parties.
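To make the referer leak described above concrete, here is an added example (not code from the article, from Edwards' report, or from Quibi) that works out which third-party hosts would receive an email address through the Referer header under a given Referrer-Policy. It assumes the address sits in the confirmation page's URL; that URL, the hosts and the function names are constructed for illustration.

```javascript
// Added example: which Referer value does each subresource request carry?
// Matches an e-mail address in a URL, raw (@) or percent-encoded (%40).
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/i;

// Referer a browser would send from pageUrl to targetUrl under a Referrer-Policy.
// Simplification (assumption): "downgrade" means https page -> non-https target.
function refererFor(pageUrl, targetUrl, policy = "strict-origin-when-cross-origin") {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  page.username = ""; page.password = ""; page.hash = ""; // never sent in Referer
  const full = page.href, originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return originOnly;
    case "unsafe-url": return full;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Lists third-party hosts whose requests would carry an e-mail in the Referer.
function leakedEmails(pageUrl, resourceUrls, policy) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const res of resourceUrls) {
    const target = new URL(res);
    if (target.origin === pageOrigin) continue; // first-party request
    const referer = refererFor(pageUrl, res, policy);
    const m = referer && referer.match(EMAIL_RE);
    if (m) findings.push({ host: target.host, email: decodeURIComponent(m[0]) });
  }
  return findings;
}

// Constructed sample: confirmation page URL and the resources it loads.
const PAGE = "https://app.example.test/confirm?email=alice%40example.org&token=abc";
const RESOURCES = [
  "https://app.example.test/static/app.js",
  "https://ads.tracker.example/pixel.gif",
  "https://analytics.example/collect.js",
];
```

Under `no-referrer-when-downgrade`, long the browser default, both third-party hosts in the sample receive the full URL and the address in it; under `strict-origin-when-cross-origin` or stricter they receive only the origin. Keeping addresses out of URLs removes the exposure regardless of policy.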