17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restricting plugins from automatically installing additional plugins during setup. A couple of the major offenders when it comes to doing that have chimed in. Unsurprisingly, they are suggesting that it not be stopped. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins and introduces additional security risk to those websites, as their plugins have had plenty of security vulnerabilities over the years. While looking into how those players currently handle that automatic installation, we noticed that a couple of multi-million install plugins from them are tracking usage without users choosing to opt in, and in the case of Awesome Motive’s 3+ million install All in One SEO, without disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled:

In the interest of protecting user privacy, plugins may not contact external servers without explicit and authorized consent. This is commonly done via an ‘opt in’ method, requiring registration with a service or a checkbox within the plugin settings. Documentation on how any user data is collected, and used, should be included in the plugin’s readme, preferably with a clearly stated privacy policy.

Some examples of prohibited tracking include:

  • Automated collection of user data without explicit confirmation from the user.
  • Intentionally misleading users into submitting information as a requirement for use of the plugin itself.
  • Offloading assets (including images and scripts) that are unrelated to a service.
  • Undocumented (or poorly documented) use of external data (such as blocklists).
  • Third-party advertisement mechanisms which track usage and/or views.

An exception to this policy is Software as a Service, such as Twitter, an Amazon CDN plugin, or Akismet. By installing, activating, registering, and configuring plugins that utilize those services, consent is granted for those systems.

What isn’t clear there, and what these players appear to be taking advantage of, is whether a checkbox opt-in can be checked by default. Automattic’s 7+ million install WooCommerce has the box checked by default and placed far down the page, where it could easily be missed:

Is a pre-checked box explicit consent? A 2019 EU ruling says that it isn’t.

The page does provide a clear message about usage tracking:

I agree to share my data to tailor my store setup experience, get more relevant content, and help make WooCommerce better for everyone. You can opt out at any time in WooCommerce settings. Learn more about usage tracking.

It doesn’t appear they provide “Documentation on how any user data is collected, and used, should be included in the plugin’s readme, preferably with a clearly stated privacy policy.”

With All in One SEO, usage tracking isn’t mentioned and is checked by default on this setup page:

The message just says:

Help make AIOSEO better for everyone

Yes, count me in

If you hover over the question mark icon next to that, it says, “Complete documentation on usage tracking is available here.” If you click the link there (which we haven’t included), the URL contains analytics tracking code at the end: “?utm_source=WordPress&utm_campaign=liteplugin&utm_medium=documentation&utm_content=usageTracking.”

It also doesn’t appear they provide “Documentation on how any user data is collected, and used, should be included in the plugin’s readme, preferably with a clearly stated privacy policy.”

When a user of the plugin asked how to opt out of the tracking, the developer responded with this misleading claim: “Please note that usage tracking is disabled by default, but you may have enabled it via the Setup Wizard.” As shown above, it is enabled by default through the Setup Wizard. Here is another discussion with the developer talking around what is going on.

One of the three Senior Team members of the Plugin Review Team is an employee of Awesome Motive. The other two work directly for the head of Automattic. This isn’t the first time the employer or sponsor of a prominent member of the team has appeared to be violating the usage tracking rules.

Plugins with millions of installs should be regularly vetted by WordPress to catch and address issues like this, but they haven’t been. In June, an employee of Automattic who has never been disclosed to be a member of the Plugin Review Team wrote on the team’s blog as if they were a member of the team, suggesting that the directory re-vet every plugin with 20,000+ installs every two years. That is a rather low install count to use as the floor, which makes it seem less likely to get implemented. Why not start at, say, a million installs and then possibly expand down the road?

Plugin Security Scorecard Grade for All in One SEO (checked on September 10, 2024): C

Plugin Security Scorecard Grade for WooCommerce (checked on December 4, 2024): D
