Support » Plugin: Display Widgets » Display Widgets Plugin Geolocation Tracking Visitors without Permission

  • I have a question regarding the visitor data you are tracking/storing and your terms at http://geoip2.io/terms.html

    Section 10. Privacy policy states:

    We will collect website information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. Before or at the time of collecting such information, we will identify the purposes for which information is being collected. We will collect and use such information solely for fulfilling those purposes specified by us and for other ancillary purposes, unless we obtain the consent of the individual concerned or as required by law. Website data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date. The following data is currently collected for analysis and in order to optimize GeoIP2.io’s performance:

    Website and Page URL – Collected to track service usage by Country, Region and Domain; we reserve the right to blacklist certain domains that exceed reasonable service usage
    Visitor’s User Agent and IP Address – Required to determine Visitor’s Country of origin

    As a visitor to WordPress sites, including some running the Display Widgets plugin, how are you fulfilling this part of your privacy policy when I visit a site with GeoIP2.io’s geolocation tracking enabled:

    with the knowledge or consent of the individual concerned. Before or at the time of collecting such information, we will identify the purposes for which information is being collected.

    As “the individual concerned” how and when did you inform me you are collecting my user data and how did you gain my consent and how did you inform me the reason for collecting my data?

    For the record you have tracked my data (check your logfile) and I didn’t receive a notification explaining any of this (no pop up or privacy policy explaining GeoIP2.io is tracking my visit).

    You have my IP address (90.216.105.28), the user agent (Mozilla Firefox etc…), the webpage I connected from (one of my localhost test servers on my PC), it’s a WordPress Post (/embed-tests/) for testing WordPress embed code. You even know the folder (/str-2016-09/) on my PC I was running the test server from and that it’s running WordPress 4.8.

    Example data you’ll have in your weblog:

    90.216.105.28 - - [04/Jul/2017:10:46:24 -0700] "GET /api/update/?url=http%3A%2F%2Flocalhost%2Fstr-2016-09%2Fembed-tests%2F&agent=Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A54.0%29+Gecko%2F20100101+Firefox%2F54.0&geo=true&p=9&v=0&ip=127.0.0.1&siteurl=http%3A%2F%2Flocalhost%2Fstr-2016-09 HTTP/1.1" 403 3 "http://geoip2.io/api/update/?url=http%3A%2F%2Flocalhost%2Fstr-2016-09%2Fembed-tests%2F&agent=Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A54.0%29+Gecko%2F20100101+Firefox%2F54.0&geo=true&p=9&v=0&ip=127.0.0.1&siteurl=http%3A%2F%2Flocalhost%2Fstr-2016-09" "WordPress/4.8; http://localhost/str-2016-09"

    I got the example by changing the GeoIP2.io URL (in the geolocation.php file) to one of my domains and checking its logs. You will have almost identical entries in your weblogs (the only difference will be the time I connected).

    Your terms also state:

    “We will make readily available to customers information about our policies and practices relating to the management of such information.”

    I guess I’m considered a customer? Please make available information about your policies and practices relating to the management of my information.

    How do I gain access to the data you store about me?

    I don’t want my data tracked by GeoIP2.io. How do I get you to delete the data and stop you from collecting any more of my data? Note I’m with an ISP with dynamic IPs: my IP changes every time the router is turned off/on.

    Can I suggest you do some serious research regarding privacy laws.

    David
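    The access-log entry quoted above is the only evidence of what the plugin transmits, so a site owner auditing it needs to decode that request line, not read it by eye. The script below is an added example and is not code from the plugin, from GeoIP2.io or from any poster in this thread. It parses a Combined Log Format line, URL-decodes the query string and reports which parameters describe the visitor and which describe the site. The sample line is constructed from the quoted entry (the referer field is shortened to "-"); the parameter names url, agent, geo, p, v, ip and siteurl are taken from that entry, and the split into "visitor" and "site" fields is the script's own classification, not something the page defines.

```python
"""Audit a third-party API call recorded in a web-server access log.

Parses one Combined Log Format line, decodes the query string of the request
target and classifies the parameters so a site owner can see what a plugin
sent about a visitor versus about the site itself.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample line, assembled from the entry quoted in the thread.
# The referer is shortened to "-" for readability; the request target and the
# calling User-Agent are as quoted.
SAMPLE_LOG_LINE = (
    '90.216.105.28 - - [04/Jul/2017:10:46:24 -0700] '
    '"GET /api/update/?url=http%3A%2F%2Flocalhost%2Fstr-2016-09%2Fembed-tests%2F'
    '&agent=Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A54.0%29'
    '+Gecko%2F20100101+Firefox%2F54.0'
    '&geo=true&p=9&v=0&ip=127.0.0.1&siteurl=http%3A%2F%2Flocalhost%2Fstr-2016-09'
    ' HTTP/1.1" 403 3 "-" "WordPress/4.8; http://localhost/str-2016-09"'
)

# Combined Log Format: client ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Our own classification of the parameter names seen in the quoted entry.
VISITOR_FIELDS = {"ip", "agent"}       # describe the person browsing the site
SITE_FIELDS = {"url", "siteurl"}       # describe the site owner's installation


def parse_log_line(line):
    """Split one Combined Log Format line into its named fields."""
    match = LOG_RE.match(line)
    if not match:
        raise ValueError("not a Combined Log Format line")
    return match.groupdict()


def decode_api_call(line):
    """Return the request path, decoded query parameters and caller details."""
    record = parse_log_line(line)
    parts = urlsplit(record["target"])
    # parse_qs undoes both %XX escapes and '+' for space; keep first value per key.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "path": parts.path,
        "params": params,
        "caller_ip": record["client"],
        "caller_user_agent": record["ua"],
        "status": int(record["status"]),
    }


def summarize_disclosure(line):
    """Classify what the logged request disclosed about visitor and site."""
    call = decode_api_call(line)
    params = call["params"]
    ua = call["caller_user_agent"]
    # A "WordPress/x.y; <siteurl>" User-Agent means the site's server, not the
    # visitor's browser, made the call, so the visitor's address travels in a
    # parameter while the server's address is the log's client field.
    wp_version = ua.split(";")[0].split("/")[-1] if ua.startswith("WordPress/") else None
    return {
        "visitor_data_sent": sorted(k for k in params if k in VISITOR_FIELDS),
        "site_data_sent": sorted(k for k in params if k in SITE_FIELDS),
        "other_params": sorted(k for k in params if k not in VISITOR_FIELDS | SITE_FIELDS),
        "geolocation_requested": params.get("geo") == "true",
        "visitor_ip_is_loopback": params.get("ip", "").startswith("127."),
        "server_side_call": wp_version is not None,
        "wordpress_version": wp_version,
        "calling_server_ip": call["caller_ip"],
    }


if __name__ == "__main__":
    for key, value in summarize_disclosure(SAMPLE_LOG_LINE).items():
        print(f"{key}: {value}")
```

    Run it against real access-log lines from a server you redirected the plugin's API URL to, as the post above describes, and the `visitor_data_sent` list is the set of parameters a privacy notice would need to cover. The `server_side_call` flag is worth noting: because the request carries a `WordPress/4.8` User-Agent, it is the site's own server making the call, so no browser-side blocker on the visitor's machine would prevent it.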

Viewing 11 replies - 1 through 11 (of 11 total)
  • The only data stored would be the siteurl, so as to stop websites abusing the API limits, but of course the site owner has knowledge and has activated this feature.

    User agent is sent as we auto-block all GoogleBot/Bing etc. to stop unnecessary API calls.

    Client IP is not stored at ALL and only used to check the GEO. Nor are there any logs or records of the IP address.

    An IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner.

    I will ask to get the terms.html updated, as they are generic terms tweaked for our use.

    • This reply was modified 2 months, 2 weeks ago by  displaywidget.

    Privacy is a can of worms, and with a potential 200,000+ users that’s potentially billions of data points; you really should be on top of this and not making it up as you go along. Have you read and complied with this: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

    Also see: http://webarchive.nationalarchives.gov.uk/20100402111239/http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf for example:

    Some IP addresses are ‘static’, and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling.

    I note you completely ignored how you informed me you were tracking my visit and how you gained my consent! It’s obvious why you didn’t answer: you don’t have a way to gain my consent etc…

    For the record, this is the Display Widget plugin users’ responsibility to inform/gain consent, not yours, but your terms suggest it’s your responsibility. You need to pass that responsibility on to the site owners; they will require their own privacy policy indicating their data is tracked by a third party (you).

    It’s the equivalent of adding AdSense ads (or other Google products which track user data); the site owner needs a privacy policy like this one: http://stallion-theme.co.uk/privacy-policy/ I link to that one from all my sites; the top and bottom line changes depending upon where you visit from, which saves me having to have a privacy page for every site (I own over 100 domains). I even have my premium theme users linking to that privacy policy (the theme has multiple ad platforms built in) so they don’t need their own; there are thousands of sites linking to it. Yes, I’m giving you a hint of how to solve this issue 🙂

    If I used the geolocation tracking widget logic I’d add that GeoIP2.io is tracking my visitors data to the above privacy policy.

    I’d still like to see a copy of your policies and practices relating to the management of my information. I’m assuming you’ve gone to the trouble of creating a policy? You are legally required to have one as you are tracking user data which can be personally identifiable: some IPs can be tracked to house address and with the data tracked you are building a profile of the visitor. If someone is looking at porn they don’t want you to have that information, especially if you don’t have a privacy policy of how you manage their data!

    If you are ONLY using the IP address and site URL why are you collecting:

    IP Address
    Webpage Visited
    Site URL
    User Agent
    etc…

    If you only collected IP and site URL you can achieve geolocation tracking by country AND check sites for excessive usage.

    From a monetary perspective the data (IP + site URL visited) doesn’t have much value and though still a privacy issue it’s understandable to track that information.

    Update the plugin to only track what you need and not the additional (valuable) data which can be used to build a profile. This would suggest you aren’t trying to collect valuable user data, leave as is and you pretty much confirm you bought a plugin with 200,000+ active users to mine their visitors data for monetary gain.

    You need to be very careful with this; you don’t want to have any ICO complaints made against you. I recently reported a UK business to the ICO for email SPAMMING me.

    @displaywidget
    User agent is sent as we auto block all GoogleBot/Bing etc to stop un-necessary API calls.

    Oh boy, are you trying to get your Display Widget users sites banned from Google!

    By blocking Googlebot you (or to be more precise Display Widget users) are serving Google different content than the visitors see!

    Have you considered turning this into a blackhat SEO tool, the blackhat SEO community would love this for serving Google different content 🙂

    [ Signature moderated ]

    • This reply was modified 5 days, 14 hours ago by  Jan Dembowski.

    We block GoogleBot & other well-known crawlers by simply responding back instantly with a hardcoded-SET variable country code ‘US’. As all GoogleBots are in the USA, it saves us making a database query, thus providing a better service for the API users.

    The webpage visited variable is there in case there is a script on the user’s site on 1 page that is producing excessive queries. So it blacklists that page first as goodwill, and then if the whole siteurl has more than 5 blocked webpages then the siteurl gets blocked in its entirety. This feature is to benefit the webmaster and give them the benefit of the doubt 5 times before blocking.

    If you are worrying so much about your IP & pages you have visited, I suggest you contact Google and let them know to block you from all their Google Analytics services. They actually store the data, unlike us :).

    Also, I’m glad to see the moderators agree with me on how reprehensible your behavior on these forums is:

    https://wordpress.org/support/topic/upgrading-the-display-widgets-plugin-to-the-display-widgets-seo-plus-plugin/#post-9298081

    jdembowski (Brute Squad and Volunteer Moderator) : “It’s fine to create a plugin which is a fork or provides functionality that another plugin update removed or did other things. It’s not fine to go to that other plugin and speculate that way.” Enough, Dave!

    @displaywidget

    I don’t see any comment about my behavior being reprehensible, nice paraphrasing!

    It’s WordPress’s support forum, so I have no issue with them saying what they said or closing topics etc…

    Rather than speculate on your intentions or try to get you to fix the privacy issues I’ll give you a few days to see if your research points you in the right direction, if not I’ll take any further concerns direct to the ICO for them to deal with.

    Oh, one last very important thing for you and your users (my earlier comment regarding being banned by Google), go research Google Geo-distributed crawling.

    For example:

    Googlebot uses well-established IP addresses that appear to come from the United States. With geo-distributed crawling, Googlebot can now use IP addresses that appear to come from other countries, such as Australia.

    It’s a risk assuming Googlebot only connects with a US IP.
    [ Signature moderated ]

    Not paraphrasing, I highlighted in BOLD the words that are directly targeted at you; read them as you like.

    But you might be reading that in the same way you are reading ICO and Privacy guidelines………..INCORRECTLY.

    Please keep your own uneducated thoughts to yourself and stop trying to advertise your FORK of the real plugin on my support pages. Instead please contact kevin.danna@wpdevs.co.uk and please provide whoever you contact with that email address.

    that appear to come from the United States.

    You answered your own research with your own research. They will appear on ANY geo software as from US; prove me wrong otherwise with facts and evidence. But I have been in the GEO/UserAgent game a long time!

    That is all.

    Kevin.

    /endthread

    I do not know what came to locating the widget, and even if you do not believe it can get into legal problems according to the standards of each country

    I’m going to use an old version of your widget or completely delete it.

    If I want to show or block my web even a certain country I already do, I do not need that only the area where the widget is placed

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    *Checks. Raises hand.*

    @seo-dave You’re (pun fully intended) beating a dead horse. Enough already. If you have a legitimate beef then bring it to the plugins team’s attention. Which I am 99.999% sure that conversation has already happened.

    This has been discussed and I’m closing this topic and putting your account on moderation watch.

    You were already informed to cut it out.

    https://wordpress.org/support/topic/upgrading-the-display-widgets-plugin-to-the-display-widgets-seo-plus-plugin/?view=all#post-9298081

    I’m the plugin team rep.

    The plugin allows for OPT IN tracking and has a terms of use that explains their role as a service.

    At that point they have MET our requirements. If you don’t feel the terms are sufficient for your needs, don’t use the plugin.

    But we are only responsible for protecting people by ensuring the information is available, not that the service is perfect. That would be like asking us to make sure Google was always honest. Pause for laughter. We just make sure the information is there. We let people vote with their feet and leave reviews.

    And at this point, you’ve beaten the dead horse into the ground.

    We get it. You feel the terms suck. You’ve had your say. Now move on.

  • The topic ‘Display Widgets Plugin Geolocation Tracking Visitors without Permission’ is closed to new replies.