Cookie Policies From Hell: PHOTOBUCKET

Bob Leggitt | Saturday, 3 November 2012 |

I had a slight rant on my experimental Tumblr site about Photobucket’s revised Privacy Policy, back on 2nd April this year. Well, it was a rant compared with my usual standards of positivity, anyway. In fact, in the light of what I’m going to explore in this piece, I’d strongly recommend you read that Tumblr article – particularly the bit about opting out of emails. But now, I’m in even more of a ranting mood, and I must admit I find myself almost open-mouthed at the reality of Photobucket’s current heavy-handed approach with cookies.

Photobucket new interface in beta
As I write, Photobucket has a new interface in beta. This capture shows the interface as accessed with the Opera browser, blocking all ads. Without the ad block function, the interface still incorporates the usual Photobucket barrage of heavy advertising, and the cookies suggest that the advertisers will know rather a lot about you.

I want to begin by setting you a challenge. Open up a browser which has cookies disabled. Now try to get onto Photobucket. I don’t mean log in, by the way – I just mean try and access the homepage of the site… Did you manage it?… I didn’t. I tried all my browsers, and until I allowed them to accept cookies from Photobucket, I could not access the main Photobucket homepage – which is where you’ll go when you Google the site and click the referral link. Or, if you don’t accept cookies – where you won’t go. Because as far as I can establish, unless you take Photobucket cookies, Photobucket simply won’t let you on the site.

I mean, it’s one thing requiring visitors to accept cookies if they want to register and log in, but for a first visit to the homepage? For a site of Photobucket’s type, I’ve never seen anything like it. How are you supposed to find your way to the Cookie Policy and check you’re happy about the sort of cookies Photobucket puts on your system, if they won’t let you on the site until you’ve ALREADY consented to accept a load of their cookies?

By now I was suspicious as to why Photobucket wouldn’t let me block cookies whilst reading the homepage. I fired up a browser which accepts all cookies, and of course had no problem getting straight onto the site. I did, however, have a problem finding the cookie and privacy information. There’s no link to it on the homepage – not that I could find, anyway. You have to go into the Help menu, then click on Support. Once you’re on the Support page, you then finally see a link to the Privacy and Cookie policies. But even after clicking that link, you still don’t get the cookie policy. You get a small paragraph of waffle, with links to what Photobucket cite as the actual policy.

So you click yet another link to the Cookie Policy, and now you’re on the Privacy/Cookie page of the Photobucket site, right? Wrong. You’re on a site called Zendesk. In allowing me to get this far, incidentally, Photobucket had put a total of 178 files into my temp Intenet folder, including at least 30 cookies, most of which were from third party ad servers, and one of which was a massive wodge of text with Zendesk’s name on it. That’s what I had to accept in the normal course of finding any guidance on Photobucket’s cookie policy. And by and large, I learned a heck of a lot more about Photobucket’s attitude to privacy and cookies in the course of that journey, than I could find out by reading the page on the Zendesk site. Why’s the Photobucket privacy/cookie policy on Zendesk? No idea. Ask Photobucket.

Whilst some of the general paragraphs on the Zendesk page read like collections of weasel words, there was this rather interesting section. I’ve edited out a small portion to make it completely to the point…

“Our third-party tracking utility company employs a software technology called clear gifs… [edit]… Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of Web users. Unlike cookies, which are stored on a user’s computer hard drive, clear gifs are embedded invisibly on Web pages. We tie the information gathered by clear gifs to our customers’ personal information, and use them in our HTML-based emails to learn which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and our marketing campaigns. Customers can opt-out of these emails by following the unsubscribe instructions within such marketing emails.”

So not only (unless you specifically write them an opt-out email) are Photobucket sending you marketing spam – they’re also spying on whether or not you’re reading that spam. This is only me putting two and two together, but I’m guessing that if they detect that you've opened a particular type of marketing mailshot, you’re gonna get a whole lot more of them. As someone who specifically wrote an opt-out email to Photobucket, gladly, I won't have to find out. But I'd imagine very few users will go to the trouble of writing up an opt-out. You can find a template for a Photobucket email opt-out letter in my Photobucket Privacy article on Tumblr.

I should also mention that I was unable to use Photobucket in any practical way without accepting third party cookies. In other words, if I didn’t set my browsers to accept cookies from advertisers as well as from Photobucket, I couldn’t get any meaningful use out of the site. Third party cookies are highly undesirable, because they potentially mean your movements around the Web can, to a greater or lesser extent, be monitored by single organisations. There's more on third party cookies in my Web Cookies and Your Privacy article.

I thought, in the light of all this, that I’d have a look at some of the cookies Photobucket was setting on my drive. There are multiple sets of cookies placed on your system and read whilst you’re using Photobucket. But one cookie in the root domain set caught my attention. It’s called adParams. It has no expiry date, it’s not categorised as Secure, and it can be read by entities other than the creator. It contains information such as your age, your gender, your postcode/zip (if you’ve given one), your username, the make and model of your camera, etc. If this cookie is read by advertisers – and there’s nothing I can see to suggest it wouldn’t be – that’s a fair bit of personal information Photobucket is passing on to the Toms, Dicks and Harrys of Web advertising, just through the use of a single cookie.

This may not be particularly unusual, but if Photobucket wishes to act in a way that raises suspicions, it can only expect explorative articles like this to surface. What I did find quite abnormal, however, was that Photobucket filled in its own make/model of camera. I never leave Exif data in my photo uploads, and I certainly haven’t told Photobucket what type of camera I use. Nevertheless, the cookie was associating me with a Canon camera. I deleted that cookie, and another was subsequently generated – this time associating me with a Sony. I’ve never owned a Sony camera. My postcode (which I’d never in a million years give to Photobucket), just read “empty”, but how interesting that in the absence of me providing any details about my camera, Photobucket apparently made the information up! I wonder if Photobucket gets paid for giving third parties details about people’s cameras? If so, I’m glad I’m not the one paying for the info, because at least some of it is completely ficticious.

I think Photobucket’s approach with cookies is oppressive, and whilst I've praised elements of Photobucket on this blog before, I now have no hesitation whatsoever in suggesting you steer clear of the site.

Planet Botch is contactable only via Twitter.