UPDATE: On October 1st, Shareaholic announced “Promoted Content”. This swaps out Related Content with native advertising. The feature was launched ON and configured with a medium setting (in my tests this means that if you’re displaying 6 related blocks, it shows 2 ads and 4 posts).
Note: Since my original and this post went live, Shareaholic has made a few changes. Updates on those can be found in my open letter to Shareaholic.
Since I wrote a post on Shareaholic’s hijacking of website links, I’ve been inundated with tons of emails and notifications. As I write this, I am supposed to meet with the VP of Product sometime today or Friday, but we’ll see, after our latest email exchange, if that will happen. I’m very interested to discuss all my findings with him, and do hope he will be transparent about the company’s practices. That won’t, however, keep me from alerting others to my findings as they occur.
You see, it is important to me that users aren’t taken for granted and that one’s privacy is respected. Although I found out about the link hijack because I fell victim to it myself, none of this is about me. It’s about unsuspecting people who trust that what WordPress feeds them in search results is an approved and legitimate plugin, and that a plugin advertised to do one thing doesn’t wind up doing another without first notifying the user and giving him or her the option to use the new features. When I realized that all 340,000+ websites using Shareaholic (even those not running WordPress) could be affected, I was dumbfounded.
This post may not be in the best of order, but I’m trying to get everything that I can together before another flurry of emails comes in, sending my iPhone into a steady stream of d-i-i-ings!
The Shareaholic plugin, which is also released under the name Sexy Bookmarks, has been pulled at least once from WordPress’s Plugin Database. There are rumors as to why, but a post by Shareaholic refers to it as an issue of not properly communicating features in the plugin directory and WordPress dashboard.
[UPDATE] I’ve been informed it’s possible the plugin did not violate guidelines because it is primarily a gateway to the Shareaholic service. The bulk of the features managed from within the plugin are updated at the Shareaholic servers.
In August 2013, more users complained about seeing Google tracking code that referenced a different ID than their own. Shareaholic confirmed that it had, in fact, inserted the code in the sexy-bookmarks-public.js file as a means to see how the plugin was being used on live sites. They claim it was necessary to make speed improvements, and that they hoped to get rid of the code in a subsequent release or “at the very least include an opt-in/out soon.”
As of the time of this post, the option for “Use trusted third party data services” is checked by default.
Note: The initial Get Started screen does state that Shareaholic uses Google Analytics, and that you can turn the option off in the plugin’s Advanced settings. Though that option does warn you that changing the setting is not recommended. Shareaholic does not disclose what it’s actually tracking and/or sharing with others for the sake of marketing.
After another user pointed out WordPress’s guidelines for plugins, it’s clear that Shareaholic violates them.
Shareaholic’s service, which interacts with the plugin, violates two points under item #7:
“No unauthorized collection of user data. For example, sending the admin’s email address back to your own servers without permission of the user is not allowed; but asking the user for an email address and collecting if they choose to submit it is fine. All actions taken in this respect MUST be of the user’s doing, not automatically done by the plugin.”
Shareaholic does perform some actions that aren’t of the user’s doing. All of my client sites I set up with this plugin were referenced under my email address, even if the admin email address for the site did not match that within Shareaholic’s account for me. While, according to these guidelines, Shareaholic couldn’t try to “match” the email address, it did assume that because I was personally left logged into an account outside of WordPress that the client’s account was also mine. In short, I was never asked on a per site basis if I wanted to create an account for that site, nor did I realize it was putting the clients account controls under my login.
“Note that if you do include what we consider to be “advertising spam”, or attempt to game somebody else’s advertising system, then we will not only remove your plugin, but also report your code to the advertising system’s abuse mechanism as well. We do not react kindly to spam. Don’t try it.”
Let’s read that again… “or attempt to game somebody else’s advertising system…”, which Shareaholic clearly did. It rewrites links to use its Affiliate Links feature. However, any pre-existing affiliate links it misses do game one’s advertising system. Referral and partner links, for example, that do not go through a standard affiliate channel may get rewritten.
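Two of the findings above (the Google Analytics code referencing an ID that is not your own, and outbound links being rewritten to go through the Affiliate Links feature) are things a site owner can check for directly in the pages served to visitors. The following is an added example, not Shareaholic’s code or anything from the original post: it pulls Google Analytics property IDs out of the served markup and flags any that are not on your own list, and it compares the outbound links you authored against the links actually delivered, reporting those that now pass through a redirect wrapper (or disappeared). The host names, UA- IDs, plugin path and sample markup are all constructed for the example; the only assumption about the real plugin is the one the post makes, that tracking code and rewritten links end up in the page a visitor receives.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Google Analytics property IDs as they appear in ga.js / analytics.js snippets
# (e.g. _gaq.push(['_setAccount', 'UA-1234567-1']) or ga('create', 'UA-1234567-1', ...)).
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")


def foreign_tracking_ids(markup, own_ids):
    """Return every GA property ID in markup that is not one of your own, sorted."""
    return sorted(set(GA_ID_RE.findall(markup)) - set(own_ids))


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def outbound_links(markup, site_host):
    """Absolute links that leave site_host; relative links (no host) are ignored."""
    parser = _LinkCollector()
    parser.feed(markup)
    return [h for h in parser.hrefs
            if urlparse(h).netloc and urlparse(h).netloc != site_host]


def rewritten_links(authored_markup, served_markup, site_host):
    """For each authored outbound link not delivered verbatim, return
    (original_href, wrapper_href_or_None). A wrapper is a served link that
    embeds the original URL, typically URL-encoded in a query parameter;
    None means the link vanished entirely."""
    served = outbound_links(served_markup, site_host)
    served_set = set(served)
    report = []
    for original in outbound_links(authored_markup, site_host):
        if original in served_set:
            continue  # delivered unchanged
        wrapper = next((s for s in served if original in unquote(s)), None)
        report.append((original, wrapper))
    return report


# --- constructed sample data (not captured from any real site) ---------------
SITE_HOST = "blog.example"
OWN_GA_IDS = ["UA-1234567-1"]

# What the author wrote in the post editor.
AUTHORED_POST = (
    '<p>Buy it at <a href="https://shop.example/widget?ref=pamela">the shop</a> '
    'or read <a href="https://partner.example/report">the report</a>. '
    'Contact <a href="/about">me</a>.</p>'
)

# What a visitor actually receives: the site's own GA snippet, a second
# snippet with an unfamiliar ID (hypothetical plugin file), and the shop link
# now routed through a redirect wrapper while the partner link is untouched.
SERVED_PAGE = """<html><head>
<script>var _gaq=_gaq||[];_gaq.push(['_setAccount','UA-1234567-1']);</script>
<script src="/wp-content/plugins/example-share/public.js"></script>
<script>/* inlined from the hypothetical plugin file for the example */
_gaq.push(['_setAccount','UA-7654321-2']);_gaq.push(['_trackPageview']);</script>
</head><body>
<p>Buy it at <a href="https://go.redirector.example/?u=https%3A%2F%2Fshop.example%2Fwidget%3Fref%3Dpamela">the shop</a>
or read <a href="https://partner.example/report">the report</a>. Contact <a href="/about">me</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for ga_id in foreign_tracking_ids(SERVED_PAGE, OWN_GA_IDS):
        print("tracking ID not yours:", ga_id)
    for original, wrapper in rewritten_links(AUTHORED_POST, SERVED_PAGE, SITE_HOST):
        print("link rewritten:", original, "->", wrapper or "(removed)")
```

Run it against the HTML you fetch as an anonymous visitor (not while logged into the admin, where plugins often behave differently) and feed it the post body as stored in the editor; anything it prints is a change you did not author. The wrapper match is deliberately loose (substring of the decoded URL) so it also catches double-encoded or path-embedded originals.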
Failure to Notify
Shareaholic never notified me of the change that inserts a graphical ad in the post-share box, or of the Affiliate Links feature. Both of these updates were added in the last month.
Shareaholic says it emailed all users, and wanted to know if I left the box checked for receiving these updates, which I did. In fact, I left all the default options:
They also advised I check my email’s spam folder. Disclosure: I don’t filter spam out of this particular email account. Everything comes in and everything is read and/or filed. I searched my email account for “shareaholic”, “sexy bookmarks” and “affiliate links”. Here’s the return that yields all the results:
Of the people I’ve conversed with – believe me, it’s nowhere near the 300,000+ websites this company serves – not one was notified about the two latest updates in question. In other words, the only way we could have learned about Affiliate Links was to visit the Shareaholic blog or peruse the plugin’s support section at WordPress. Now I read. I read A LOT. But to assume I’m going to visit your blog or support section to find out if any questionable features have been added is ridiculous.
[UPDATE] I’ve confirmed that I never fully registered at Shareaholic’s site, though it definitely appeared I had. My access to all the tools was granted after I confirmed and authorized my Twitter account.
A BIG Clarification on Those Associated Accounts
One of the biggest issues with WordPress consultants, designers and developers is that Shareaholic settings for client sites are falling under their own accounts. Shareaholic attempted to explain the difference between an “account” and a “profile”. An account is created with an email address and password. A profile is essentially a website listed under an account.
There’s a great deal of back and forth about how these profiles fall under other people’s accounts, and Shareaholic says it’s “super easy” to change this by first removing the profile from your own account, then creating an account for a client. But let’s look at what’s really happening.
I used one of my own sites from a different browser. I am not logged into my own Shareaholic account. I install the Shareaholic plugin, activate it, and then log out of the WordPress admin.
Then I go to my other browser (where I am logged into my Shareaholic account). I launch the WordPress admin for this other site, look at the Shareaholic plugin, and then log out of WordPress.
I then look at my personal Shareaholic account, and voila…
Now, Shareaholic can say this is only a profile, but I can do quite a few things in here. I can toggle on floating buttons, turn on and off Affiliate Links (which is ON by default), and turn on a cookie consent banner.
I can change the domain and name of the website under the profile. I can change the platform used. I can set up a content category as well as the primary language.
I can change the message format so when people tweet out a link to a page on this other website it can say “be sure to follow @pamelahazelton”, AND – get this – I can set up all the post-share follow buttons to actually go to my own accounts!
I can turn on shareable images, as well as display advertising (which is ON by default).
I can exclude pages from Related Content (which means I can exclude a page that generates the most leads), and I can turn on or off “third party services” (which is ON by default).
And, if I verify the site (which is nothing more than having Shareaholic verify the code is between the head tags at that site), I can see statistics. Note that Shareaholic says verifying using this method “tells us that you own it”.
This means, folks, that you could be running the Shareaholic plugin, and if you never create the account (which they don’t give you any reason to save for additional features that are turned on anyway), not only are your links subject to monetization, but so are the settings for the website. It means that if you hired me to work in the WordPress admin one time, I can then control the Shareaholic services. I can hijack your sharing links, as well as your follow links. Fancy that!
This isn’t an oversight or a bug. Shareaholic supports this functionality.
Many consultants prefer to keep the site linked to their own profile as they’re the ones that continue to maintain the site even after the initial setup — it’s a personal / situational preference.
– Shareaholic Support/Plugin Author (You can read the full explanation of this quote here)
The problem is, the CLIENT should be the one making this decision. Always. And Shareaholic takes no measures to confirm the action is on behalf of the client.
Now, what happens when the client creates a Shareaholic account to verify the site? He can’t. I mean, he can click the “Add Website” button, but that’s going to generate a new profile for the site, along with a new Site ID. He cannot claim the existing site because I’ve already claimed it.
Shareaholic does not list this as a reason why someone cannot verify a site he owns:
Apparently the only way to have a site profile moved from one user account to another is for the initial user to “unclaim” the profile.
Revenue from Ads Goes Beyond Your Own Site
Now, if you’re familiar with how advertising concepts like remarketing work, you probably understand what this means. For those who don’t, remarketing ads are those that follow you after you’ve already left a site. For example, if you visit Home Depot’s website, and then move on to other sites, you may see a Home Depot ad that’s targeted to you, based on your initial visit to its site. According to Shareaholic’s policy, they engage in a type of remarketing (or at least intend to), which means after ads are served up on your own site (usually in the post-share box), or after certain interests trigger an ad set, ads may be served up at other websites, and Shareaholic more than likely gets a piece of that pie.
Is this practice uncommon? Not really. But the fact it’s not disclosed unless you dig for it is disconcerting. The fact that any setting that opts you into this type of advertising is already ticked off for you? Blech.
This first video runs just under 10 minutes. It is a complete walk through of how you can install Shareaholic in WordPress, and then hire someone to help you on something, only to find they’ve claimed your site profile and have control. How’d you like it if I could make all the tweets sent through the sharer say “this client is a turdbucket?” Or how about if I direct those clicking on the post-share follow buttons to like and follow my accounts instead? Yep, I can do that.
This video is around 3 minutes and shows that because there’s no real method used to confirm the owner of a site, once someone (like a contractor) claims it, you cannot.