UPDATED: Quibi shared the email addresses of users who signed up for the service with third-party advertising and tracking companies through plain-text web links, a new study claims. While the company said it changed its signup process to stop sharing emails through URLs, Quibi reserves the right to use users’ email addresses to track them online, Variety has confirmed.
Less than a month after its April 6 launch, Quibi was discovered to be making available email addresses of users who clicked on confirmation links on signup to third-party partners via plain text in the URL (i.e., the email addresses were readable in the link), according to report published Wednesday by Zach Edwards, founder of analytics consulting firm Victory Medium.
Quibi was sharing the email addresses via the web links with companies including Google, Twitter, Snapchat and Facebook, which would facilitate the tracking of users’ online activity and make them easier to target with ads.
In a statement, Quibi said it addressed the issue “immediately” once the company was notified April 28. “Data protection is essential to Quibi and the security of user information is of the highest priority,” it said. “The moment the issue on our web page was revealed to our security and engineering team, we fixed it immediately.” Quibi reconfigured its email verification process so that no user email addresses will be sent to third-party vendors in that way, according to the company.
Meanwhile, per Edwards’ report, other companies he also found to be improperly using URLs to share users’ email addresses with third-party marketing firms included the Washington Post, JetBlue, Mailchimp and ecommerce platform Wish.com, according to the report. In some cases, the data sharing has been in place for several years, Edwards claimed.
The practice is a “sloppy and dangerous growth hack,” according to Edwards, which is used by companies to improve attribution tracking for analytics tools as well as to optimize retargeting ad campaigns.
Edwards singled out Quibi’s “user data breach” as “one of the most egregious in this research, because they are a new and extremely well-funded organization.” In addition, he pointed out, Quibi launched well after two major privacy regulations — Europe’s GDPR and the California Consumer Privacy Act (CCPA) — went into effect; both of those laws require companies to notify users if their email or other private info is being shared.
“In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies — yet that’s what Quibi apparently decided to do,” Edwards wrote. He also claimed that “there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped to architect this user data breach.”
Last week, Quibi announced that it had surpassed 2.7 million app downloads in the first two weeks of launch for the short-form video service, which includes dozens of original scripted and unscripted shows. According to research firm Sensor Tower, the figure is plausible if the tally included re-downloads and installs by individual users on multiple devices. Quibi, whose name is a portmanteau of “quick bites,” launched with a free 90-day trial of the service (with ads) to anyone who downloads the app.
Led by founder Jeffrey Katzenberg and CEO Meg Whitman, Quibi has raised $1.75 billion from investors including Disney, NBCUniversal, Sony Pictures Entertainment, ViacomCBS, WarnerMedia, Goldman Sachs and JPMorgan.