As I write, Photobucket has a new interface in beta. This capture shows the interface as accessed with the Opera browser, blocking all ads. Without the ad block function, the interface still incorporates the usual Photobucket barrage of heavy advertising, and the cookies suggest that the advertisers will know rather a lot about you.
I want to begin by setting you a challenge. Open up a browser which has cookies disabled. Now try to get onto Photobucket. I don’t mean log in, by the way – I just mean try and access the homepage of the site… Did you manage it?… I didn’t. I tried all my browsers, and until I allowed them to accept cookies from Photobucket, I could not access the main Photobucket homepage – which is where you’ll go when you Google the site and click the referral link. Or, if you don’t accept cookies – where you won’t go. Because as far as I can establish, unless you take Photobucket cookies, Photobucket simply won’t let you on the site.
Whilst some of the general paragraphs on the Zendesk page read like collections of weasel words, there was this rather interesting section. I’ve edited out a small portion to make it completely to the point…
“Our third-party tracking utility company employs a software technology called clear gifs… … Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of Web users. Unlike cookies, which are stored on a user’s computer hard drive, clear gifs are embedded invisibly on Web pages. We tie the information gathered by clear gifs to our customers’ personal information, and use them in our HTML-based emails to learn which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and our marketing campaigns. Customers can opt-out of these emails by following the unsubscribe instructions within such marketing emails.”
So not only (unless you specifically write them an opt-out email) are Photobucket sending you marketing spam – they’re also spying on whether or not you’re reading that spam. This is only me putting two and two together, but I’m guessing that if they detect that you've opened a particular type of marketing mailshot, you’re gonna get a whole lot more of them. As someone who specifically wrote an opt-out email to Photobucket, gladly, I won't have to find out. But I'd imagine very few users will go to the trouble of writing up an opt-out. You can find a template for a Photobucket email opt-out letter in my Photobucket Privacy article on Tumblr.
I should also mention that I was unable to use Photobucket in any practical way without accepting third party cookies. In other words, if I didn’t set my browsers to accept cookies from advertisers as well as from Photobucket, I couldn’t get any meaningful use out of the site. Third party cookies are highly undesirable, because they potentially mean your movements around the Web can, to a greater or lesser extent, be monitored by single organisations. There's more on third party cookies in my Web Cookies and Your Privacy article.
I thought, in the light of all this, that I’d have a look at some of the cookies Photobucket was setting on my drive. There are multiple sets of cookies placed on your system and read whilst you’re using Photobucket. But one cookie in the root domain set caught my attention. It’s called adParams. It has no expiry date, it’s not categorised as Secure, and it can be read by entities other than the creator. It contains information such as your age, your gender, your postcode/zip (if you’ve given one), your username, the make and model of your camera, etc. If this cookie is read by advertisers – and there’s nothing I can see to suggest it wouldn’t be – that’s a fair bit of personal information Photobucket is passing on to the Toms, Dicks and Harrys of Web advertising, just through the use of a single cookie.
This may not be particularly unusual, but if Photobucket wishes to act in a way that raises suspicions, it can only expect explorative articles like this to surface. What I did find quite abnormal, however, was that Photobucket filled in its own make/model of camera. I never leave Exif data in my photo uploads, and I certainly haven’t told Photobucket what type of camera I use. Nevertheless, the cookie was associating me with a Canon camera. I deleted that cookie, and another was subsequently generated – this time associating me with a Sony. I’ve never owned a Sony camera. My postcode (which I’d never in a million years give to Photobucket), just read “empty”, but how interesting that in the absence of me providing any details about my camera, Photobucket apparently made the information up! I wonder if Photobucket gets paid for giving third parties details about people’s cameras? If so, I’m glad I’m not the one paying for the info, because at least some of it is completely ficticious.
I think Photobucket’s approach with cookies is oppressive, and whilst I've praised elements of Photobucket on this blog before, I now have no hesitation whatsoever in suggesting you steer clear of the site.