Tracking as a service: ShareThis to be profiled!

If you've never made a website, you might not have heard of AddThis or ShareThis, but chances are you've encountered them. These services offer "share" buttons that integrate easily into websites. However, this feature is also used by these companies to track visitors across the web.

Key findings
  • Companies like AddThis and ShareThis unexpectedly track you around the web through free website features.
  • This business model is not unique and many companies in the online advertising space collect personal data through "free" services or features.
  • As with many other actors in the adtech ecosystem, this data is often collected without people's knowledge or consent and can be used in widely different contexts.

Case Study

Behind their techie names, AddThis and ShareThis are simple services: they allow web developers and less tech-savvy users to integrate social networking "share" buttons on their site. While they might also offer some additional services such as analytics, these tools gained traction mostly by providing an easy and free way to integrate share buttons for Facebook, Twitter and other social networks. Anyone can use any of these services and, in a few clicks, be provided with a plugin for their site or a few lines of code they can integrate, making it a very simple and accessible service used by millions of people.

Examples of ShareThis share buttons. An innocent looking feature for your website

However, behind this seemingly helpful and practical service lies a darker truth: these companies make money by tracking and profiling website visitors. By being implemented on hundreds of thousands of websites, these companies are in a unique position to track people on the web, compiling their browsing history into profiles that can then be shared, processed and sold. They are able to do so using different tracking technologies such as cookies or canvas fingerprinting (which AddThis was one of the first to develop and deploy back in 2014). This basically allows them to give users a unique identifier so that when you visit, for example, Page A about sport and Page B about dogs, the company is capable of recording you as a unique individual interested in these two topics. Apply this scenario across a sufficiently high number of websites (15 million, according to AddThis) and you obtain something close to one's browsing history.

But that's not the only information these services might collect. For example, in its privacy notice, ShareThis details the other data it might collect, including time spent on a page, geolocation data, or searches from a referring page:

AddThis Privacy Notice on 4 December 2020

What this results in is companies that leverage a simple, free and apparently harmless service to build millions of individual profiles, most of the time without the profiled user knowing or consenting. Most internet users will indeed have accepted AddThis's or ShareThis's privacy policy without noticing when dismissing cookie banners by clicking "Accept". We've discussed how these banners are useless and harmful and how this bundled consent is not meaningful consent under GDPR. These companies, much like many other adtech companies and data brokers, are taking advantage of this confusion to harvest your data and profile you.

AddThis says it has insights on 1.9 billion web visitors

Collected data and profiles don't usually sit only on these companies' servers. While some like AddThis offer their own analytics and customer insight tools, they also exploit the value of this data through data marketplaces such as Lotame or identity solutions like LiveRamp. The list of partners of AddThis on this front is pretty impressive and gives a sense of where the collected data might end up. It's also worth noting that AddThis now belongs to Oracle, one of the data brokers against which PI submitted a complaint to the ICO in 2018. ShareThis has a different approach and doesn't seem to share data directly but offers a feature called "Data Feed" which allows integration with AdTech companies such as theTradeDesk or AppNexus. One of the main problems arising from this type of data sharing is the lack of user control over how the data might be used by these other companies, as it can easily be linked to other data they possess on an individual.

Taking a step back, we observe that these are actually cogs in the bigger online tracking ecosystem, offering yet another source of data for targeting and participating in the consolidation of unique profiles across the industry. All of this happens without effective user consent or knowledge. While most of these companies provide ways for users to opt out (here for ShareThis and here for AddThis), for the latter you have to be prepared to submit a form with a lot of personal data to do so. It is also likely that very few people will actually be aware that these opt-out options even exist, and they won't be obviously presented with them. Indeed, visiting these websites for the first time won't necessarily show a consent popup, as you might have accepted their privacy policy on another website through bundled consent. A better practice, used by some similar services like AddToAny, would be to respect “Do Not Track” (DNT) and not track users with DNT enabled, which is a good start.
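To make the mechanism described above concrete (one identifier seen on Page A and Page B) and to show what honouring DNT changes, here is an added example that is not taken from AddThis, ShareThis or AddToAny. The cookie name "uid", the example sites and the request records are constructed, and the Referer header stands in for however a widget learns which page embedded it.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: requests a share-widget host would receive when pages on
# different sites embed its script. Cookie, Referer and DNT are real HTTP
# headers; the cookie name "uid", the sites and the values are made up.
SAMPLE_REQUESTS = [
    {"Cookie": "uid=a1f3", "Referer": "https://sports.example/football/results"},
    {"Cookie": "uid=a1f3", "Referer": "https://pets.example/dogs/training"},
    {"Cookie": "uid=9c2e", "Referer": "https://news.example/politics"},
    {"Cookie": "uid=9c2e", "Referer": "https://pets.example/dogs/adoption", "DNT": "1"},
    {"Cookie": "uid=77b0", "Referer": "https://sports.example/tennis", "DNT": "1"},
    {"Referer": "https://news.example/weather"},  # first contact, no cookie yet
]


def build_profiles(requests, honour_dnt=False):
    """Group embedding pages by the identifier cookie sent with each request.

    With honour_dnt=True, requests carrying "DNT: 1" are never recorded,
    which is the behaviour the article calls a better practice.
    """
    profiles = defaultdict(list)
    for headers in requests:
        if honour_dnt and headers.get("DNT") == "1":
            continue
        cookie = SimpleCookie(headers.get("Cookie", ""))
        if "uid" not in cookie:
            continue  # nothing to link this visit to
        ref = urlsplit(headers.get("Referer", ""))
        if ref.hostname:
            profiles[cookie["uid"].value].append((ref.hostname, ref.path))
    return dict(profiles)


def cross_site_ids(profiles):
    """Identifiers observed on more than one site: the linkable visitors."""
    return sorted(uid for uid, visits in profiles.items()
                  if len({host for host, _ in visits}) > 1)


if __name__ == "__main__":
    for label, dnt in (("ignoring DNT", False), ("honouring DNT", True)):
        profiles = build_profiles(SAMPLE_REQUESTS, honour_dnt=dnt)
        print(label, "->", profiles, "| cross-site:", cross_site_ids(profiles))
```

Canvas fingerprinting, also mentioned above, would supply the identifier without any cookie, so clearing cookies alone does not reset a profile built that way.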

All in all, these companies participate in the creation of our secret identities, a side effect of the online tracking ecosystem which can have important negative impacts on our real lives. Our online activities shouldn't be subjected to invasive surveillance over which we have limited practical means of control, even less so when it comes from tools meant to make websites easier to use. PI's complaints and work on the topic are challenging these practices at a systemic level. But we do need your help too. If you want to take action in the meantime, have a look at our suggestions to reclaim your online identities.