The process Quibi used to verify new users’ email addresses sent them to multiple third-party advertising and analytics companies including Google, Facebook, and Twitter, a new report has claimed. When a new user signed up to the streaming service, they received an email with a verification link. Clicking that link appended their address to the URL and sent it in plain text to multiple other companies.
Quibi is not the only company whose practices have been called out in the report, which was put together by Zach Edwards at the digital strategy firm Victory Medium. JetBlue, Wish, and the Washington Post were also found to be leaking addresses. But Edwards says that Quibi’s actions are especially egregious because the service launched less than a month ago, well after strict new privacy rules like Europe’s GDPR or the California Consumer Privacy Act went into effect, the New York Times notes.
In a statement given to Variety, Quibi said that it’s fixed the issue that the report raised. “The moment the issue on our web page was revealed to our security and engineering team, we fixed it immediately,” the company said, adding “Data protection is essential to Quibi and the security of user information is of the highest priority.”
However, Edwards says that it’s unlikely Quibi was unaware of the issue. “It’s an extremely disrespectful decision to purposefully leak all new user emails to your advertising partners, and there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped to architect this user data breach,” Edwards says. “In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies.”
Edwards said he confirmed that email addresses were still being leaked as late as April 26th.
Here’s the full list of places Edwards says that Quibi was initially sending email addresses to in plain text:
1) Google’s DoubleClick.net endpoint
2) Google’s updated ads endpoint @ google.com
3) Google Tag Manager (and therefore potentially custom tags could fire for specific visitors/geos/URL params, thus leaking this to more companies)
4) Twitter ads endpoint
5) Snapchat ads endpoint & the tr.Snapchat.com subdomain
6) Google Cloud infrastructure via cloudfunctions.net
7) CivicComputing.com, which redirects to https://www.civicuk.com/ and appears to be a company based in the United Kingdom.. this raises big GDPR red flags….
8) Facebook events / custom audiences for ads
9) Google ads conversion pixel
10) Twitter ads conversion pixel
11) Google Analytics
12) Facebook analytics, Google Analytics, Twitter analytics (they fire at the end of the page load again)
Since it’s launch on April 7th, Quibi says over 2.7 million people have downloaded its app. The service is built around short-form video, or “quick bites,” that are designed to be watched on mobile devices.
Disclosure: Vox Media is partnered with Quibi on two shows and there are discussions for a Verge show in the future.
Correction: An earlier version of this article cited Variety’s reporting, which said Quibi’s policy does not mention that email addresses can be collected and used for online tracking. This is not technically correct, as the policy does state this, but in a roundabout way.