Inspectlet on wordpress.com

This is a personal blog post, not “WordPress News” to be reported. I hate having to make that clear, but I really mean it. WP-related blog stalkers/scrapers, you know who you are.

Okay, so I have this problem where I keep trying to sign up for email subscriptions to WP blogs and instead it subscribes me through the wordpress.com reader, which I don’t use (it’s fine, just not my workflow). Every few months or so I try to investigate settings to get it to send me emails instead of sending things to the reader, and every time I eventually give up because those settings are still really hard to find and/or get your head around and/or change successfully. So I miss a lot of blog posts, sorry. If it’s important for me specifically to see something, ping me to make sure I saw it.

Consider the scene set: early-rising worker bee trying to navigate the bowels of wordpress.com settings at 5am looking for a way to change post subscriptions from going to the reader to being sent by email.

Today I tried again and I noticed something I hadn’t seen before. This doesn’t mean it’s new or noteworthy, just that I never noticed it, and if there was an announcement about it in the past* I missed it. Here’s what I saw on the wordpress.com account settings screen:

Screenshot from settings page with privacy notice

I’m a weird mix of rabidly pro-privacy in theory and carelessly blasé when it comes to guarding my own information (3-time victim of identity theft!). But I do have strong feelings about unauthorized tracking of online behavior.

  • I think these types of things should be opt-in, not opt-out.
  • I also think the opting should be done via checkbox or other selector on the site I have the relationship with, not by forcing me to go to an external site that I don’t want to visit and I assume just cookied the crap out of me as a visitor to their site separately from the cookies they already had because of the automatic inclusion.
  • At the very least, if a policy changes or a new tracking service is added, I want to be informed in advance and allowed to opt out before the new tracking happens.

I have always known that wordpress.com does some stats tracking (hello, little pixel smilie face in the margin of our sites), but I was not aware that we’d started using a service called Inspectlet.

That said, a lot of work news does kind of slip right by me unless someone tells me about it — subscription woes aside, I stopped following the other Automattic team blogs at Matt’s suggestion when I made that big effort to stop working 16-hour days a year or two ago — so I wasn’t too upset, figuring there must have been an email with a note about it offering me an opt-out link that I’d missed. I’d just opt out now, and all would be well.

Except that when I went to their site to opt out and looked on their home page to see what Inspectlet actually does, it freaked me right the [expletive] out:

Screenshot of Inspectlet service description

Dude.

That’s like… even creepier than Woopra was, and wow, what an invasion of privacy to do something that invasive as opt-out rather than opt-in. It records all the keystrokes? So if I write (for example) a long rant about how x does y and doesn’t need z (or whatever) but think better of it and erase it rather than publish (the number of times per day I hit Cancel Reply instead of Publish has a direct relationship to my productivity and mental health), there’s a recording of it out there anyway, on a third-party service I never signed up for? THAT. IS. CREEPY. AND. WRONG. If a site wants to record that kind of live usage, then not only should the user have to opt-in, but maybe they should even get rewarded somehow for their willingness to participate. How much do we pay each person that lets us watch them use wordpress.com via usertesting.com? How many airline miles does someone earn for filling out surveys? We could at least send these people a t-shirt in exchange for recording their every (heretofore assumed to be private-ish) move.

Trust me, I get it that this is not with malicious intent. I truly believe that Automattic — and every Automattician — has good intentions, or I wouldn’t work there.** I get the concepts of aggregate data, real-time usage data, real users in real situations vs simulated experiences in usability testing setups. I really, really, really do. I’m still not down with it being opt-out. So if you missed this like I did, and you use wordpress.com, and you just feel weird about your actions being recorded, head on over to https://wordpress.com/settings/account/ to access the opt-out link.

I hope I don’t get in trouble for posting this, but if I do, maybe one of you will buy me a mocha to cheer me up as a reward for bringing this to your attention? :)

*Investigation shows that opt-out links were added in May 2013 and posted about on internal blogs. Didn’t see a post on the wordpress.com news blog, nor an email in my email archives. That said, it’s possible I may have deleted such an email without reading it, so I have asked the folks who set up the Inspectlet stuff if there was one.

**I’ve quit jobs in the past over moral disagreement with things as minor as how they spent their advertising dollars (cough, Vermont Teddy Bear), so I’m pretty serious when I say that I won’t work for a company that I think has bad intentions.

17 thoughts on “Inspectlet on wordpress.com”

  1. Just as I was rereading this, I was thinking I should give Paypal as an example of a site that is great about sending notifications when the privacy policy changes. (For the record, that used to also be a requirement for anything like trust-e, etc.) But! As I was thinking about Paypal, and credit cards and bank info online (I also was in the Target hack pool), it struck me that this service could be recording the keystrokes to enter credit card information into the store. Now THAT actually worries me. If Dropbox, and Target, and oh just about everyone gets hit eventually, why should I think that Inspectlet will keep those recordings so much more secure? Must combat new paranoia with breakfast, because the last time I used turning off automatic cookies as my means of combat, I was beyond annoyed within an hour at how many stupid agreement boxes I had to click and went back to automatically accepting cookies.

  2. Interestingly on wpcom when I opt out of Inspectlet (which I did) the wpcom page doesn’t say opt-in, it continues to say opt out. Logically that should be “Manage your settings” instead because Inspectlet is browser based, not site based…. Well hell, now I like it less.

    Opting out of Inspectlet will disable screen capture for your browser by any websites using Inspectlet.

    How does it work?
    We will put a cookie on your site that tells Inspectlet not to record screen captures.

    • Oh, and from the very first public release of Jetpack until we finally removed it, there was a disclaimer front and center on the WordPress.org plugins page by way of readme.txt, that we were using Quantcast to enrich the data in our stats module.

      • George, thanks for the update! I’m trying to keep my pulse on privacy disclosures; however, it’s difficult to find good information. I’m very surprised there’s no discussion at WordPress.org nor guidance from Automattic on California’s 2014 web privacy regulations. Is everyone just ignoring the new law (requiring disclosure within a website’s privacy policy on how the site will handle web browser ‘Do Not Track’ signals)? I noticed Automattic’s own privacy policy isn’t compliant in regards to this disclosure (unless I overlooked something). Does anyone know any resource to help comply with this new California law?

  3. So much for those who choose the option “I would like my site to be private, visible only to users I choose”. Most disappointing yet, there’s no way to opt-out once and for all due to it being cookie-based :(
    I’m aware that any WordPress staff can access any blogs for support reasons, and I’m fine with that, but having information recorded and sent to a third party is, like you mentioned, creepy and sleazy, especially given the “passive consent” most users are not even aware of.

    I understand this is your personal blog, but any insider info ;) on whether some actions will be taken to make this inspectlet less creepy? At the very least, have a way to definitely opt-out from it. Or is this request better brought up in the wp.com forum?

    Thanks for bringing that up, ‘hope you don’t get in trouble, or else I’ll buy you a mocha :)
