On Friday, June 11, checking the outgoing links in my blog, I’ve noticed something extremely bothersome. All of the direct links in my blog have suddenly started going through in-between viglink.com URL. So, for example, when someone clicked the Buy my books link on in my blog’s sidebar, they’d have the following going on between my blog and landing on Amazon’s page:
Knowing that VigLink was a tool for monetizing blogs through affiliate links [more here], and an affiliate themselves, got me really concerned. I thought my blog was hacked, and all direct links got switched to “viglinks” (read: someone’s earning money on my content). It turns out I was not the only one who got perplexed (more below).
Immediately I emailed Kellie Stevens of AffiliateFairPlay asking her opinion on what was going on.
I wasn’t entirely sure if the api.viglink.com URLs were setting the Amazon’s cookie (necessary for the affiliate commission to be credited to someone’s account), and Kellie’s reply was somewhat comforting. Having discovered that it was the Lijit’s Wijit (or the search widget) that the activity originated from, she also wrote:
No, it’s not setting an Amazon cookie at this time. However, the Lijit javascript contains a URL to a second javascript file. That second file appears to be the script that will do the actual replacement with an affiliate link. What I recorded on your site today was only a “ping” to the VigLink servers and the second javascript wasn’t called into action. But it’s there where it could be.
We then both did a bit more research into it. I was looking to see if Lijit has recently gotten into some kind of partnership with VigLink, and whether they have posted some kind of note about this in my Lijit account; while Kellie was doing her own digging and research. In the process of her research she found an interesting reference to something similar happening between VigLink and Posterous [see this post, as well as this coverage]. This wasn’t a good precedent for me to become aware of, and we kept digging. I didn’t find any mention of anything about any kind of partnership between Lijit and VigLink, and neither have I received any emails regarding this.
Finally, Kellie discovered the Lijit’s announcement on the topic, posted in their blog on June 10. The announcement read that to help it’s users “better understand” blog readers’ journeys past their clicks on the external links they:
…have partnered with Viglink to provide you with this data right inside your Lijit stats dashboard. They are providing Lijit publishers with this valuable information and offering an interesting opportunity as well. As a publisher , you can register with Viglink to help monetize any affiliate links you may have on your site. They do all of the heavy lifting , and you get an easy way to manage affiliate links and help monetize your existing affiliate traffic.
All of this is great, but I have a huge problem with this switch, and the whole way it was handled. There are three things in particular that must be pointed out here:
1) It was not announced to Lijit’s users directly — C’mon, Lijit, you’re emailing me my weekly stats updates (got one just now)! Couldn’t you also announce something as important as this via email too? In the comments under Lijit’s blog announcement you see Ned Jordan writing: “You should have informed your users by email before rolling this out. I wasted a lot of time tonight trying to track down the redirects in the fear that it was some sort of hack.”
2) It was not an opt-in decision — I was not only notified of the change. Nobody asked whether I want this to happen to my links; and neither do I see a way to opt-out of this. Apparently, I’m not the only one who has a problem with this. Peter Hesse does too, and his below-quoted Twitter conversation with Lijit is quite illustrative to this whole post of mine (highlighting added by me):
I find it interesting how a user says one thing (proposes “an option to disable” this new function), and Lijit says they “take everything [their] users tell [them] seriously”, but isn’t actually addressing the problem. Disabling it in an individual mode isn’t what he is (or I am) talking about.
3) Hosing an external javascript can actually become extremely risky — I’ve asked Kellie Stevens, an acclaimed expert in online malware, to give me her take on this, and here’s what she had to say:
The proliferation of widgets and plug-ins have greatly expanded the functionality and end user experience for publishers. However, this comes with a degree of risk for publishers, especially when an external javascript file is used for coding the widget. As happened in the particular instance, substantial changes in the behavior of the widget on the publisher’s site were made without the publisher changing the code sniplet placed on their site. The widget publisher had the ability to alter the behavior via the javascript files hosted on the Lijit web site. This type of scenario leaves the door open to program widgets to engage in malicious behavior, a fact that many web publishers may not consider. In this particular case, a search widget was altered to redirect links out going clicks from the publisher’s site. Widgets can also be used for more malicious behaviors such as installing malware which can result in the publisher’s web site being flagged as unsafe by security companies and even in Google’s search returns.
Due to all of the above, and the conclusions I had to make, Lijit’s Wijit (the search widget) goes from my blog.
You don’t want additional stats? 😉
Pingback: » Troubling adverb
Lijit’s responses on their blog and through Twitter hit me as arrogant, that they somehow know better than their publisher’s what should happen on the publisher’s blog. It’s amamzing Lijit seems to be ignoring the references to “hacking”, one they should be paying close attention to, because they really are teetering on that tightrope.
Both the implementation of this “upgrade” and Lijit’s response to concerns is disturbing. I’ve seen nothing yet to not make me wonder if Lijit’s benefits from the partnership with VigLinks is outweighing everything else.
Yes, Kellie, this certainly is a disturbing situation, and the way that Lijit is handling it doesn’t help anyone. As mentioned in the above post, I’ve just received my weekly update on stats for the period of 06/06/10 – 06/13/10 (email created at 10:31 pm EST of June 13), but no one is planning on notifying me of this major “upgrade”…
There are thousands of people/bloggers (couldn’t find the actual numbers anywhere yet; it may easily be hundreds of thousands) using their service, and the above-quoted problems — especially the failure to notify, and no way to opt out of this — are really serious. Lijit should address this a.s.a.p.
I’ve had a continued discussion after the twitter thread quoted above with Lijit’s VP of Operations, Tom Hart. While I agree that immediately they did not make any changes but say they are taking their customers seriously, I was impressed by the immediate direct email from the Lijit higher-ups. We have continued the discussions and I don’t want to publish the contents here without their permission, but I encourage everyone that is having concerns and issues with this to reach out directly to Lijit and I expect you will be responded to. I think their best move would have been to roll back the change, but since they aren’t doing that they will have to engineer and test a change to allow an opt-in or opt-out and these things take time to do safely.
From my perspective, since my blog does not monetize and depend on referrals for anything, I have left the wijit in place for now; their direct communication with me has given them the benefit of the doubt in my mind.
–Peter (@pmhesse)
Thank you for your input, Peter. I appreciate you chiming in. While it is commendable that they’ve taken your concern seriously and engaged in a direct correspondence with you, we didn’t see any changes on a larger scale (between Lijit and all of its users). Hopefully, this will change soon.
FYI the CEO of Lijit posted this update today:
Good to see Lijit has reversed its stance on this particular item.
Yes, Peter, I’ve received this message from them about an hour ago too. Good to see them react to it. Some questions still remain, but it’s a start…
Geno,
Thanks, again, for your candor in reference to this feature. Per our sidebar communications, I wanted to provide you with the communication that our CEO sent out to our Publisher base in response to some of the feedback we received in relation to this feature.
I’m very hopeful that the communication below sheds additional light on the intent of this feature – and, is noted as a direct and transparent reflection of the value we place on the feedback we receive from our Publishers.
Speaking for everyone here at Lijit, we sincerely hope that you’ll reconsider our services – and, we’d welcome the opportunity to support you as our Publisher in the future. Thanks, again, for your feedback.
Here’s the communication from our CEO that went out to our Publisher base earlier today:
————————————————–
Late last week Lijit released a new feature that helps publishers understand how readers leave their site. This feature reports in your publisher dashboard the egress links that readers are clicking on your site. This feature is powered by a partner VigLink that helps publishers optimize their affiliate links. The service we integrated did not use the monetization component of the Viglink product rather just the analytics components. It was our plan to offer the monetization component later as an opt-in service for our publishers.
By default we turned the analytics feature on for all publishers. Since that time we have received some concern from some in the publisher base that this feature was not adequately communicated ahead of time. After considering this input we decided to turn off this new feature and bring it back as an opt-in feature in the near future. This feature was turned off this morning at 9:00am MST.
If you are interested in knowing your top outbound links, please send us a note at [email protected] and we would be happy to turn the stat on.
As always our first concern is supplying a quality product to our publisher base. We take all comments and concerns extremely seriously. If you have any questions please feel free to contact us.
Todd Vernon
CEO Lijit Networks
————————————————–
Its still doesn’t matter how much they try to do damage control. They had to know about this long ahead of time, and then they flipped the switch without any precursor. As if they had an instant eureka moment and decided to go out of their way to help us do something we can already do with many analytics services. We work too, too, hard to be smacked around and treated in such an unethical manner. Then we get told they are having a Mother Theresa moment.
This thing stinks, sorry, thats just the way I feel.
Tom, thank you for chiming in; and for reacting to the situation. Better late than never. In future, coupling a feature/upgrade launch with a proper announcement (through all available channels of communication) would be a good idea.
A question and a suggestion:
1) Question: How many publishers does Lijit currently have?
2) Suggestion: You may want to make a “turn on/off” option available for your publishers within their interface. Will help streamline things for both parties.
Geno,
Great suggestions – we appreciate it! Yes, we’re definitely evaluating the capability to allow our Publishers to enable/disable this feature. Per Todd’s note, we’re allowing Publishers to contact us on a case-by-case basis.
In terms of your question, Lijit currently has 12,038 publishers in 25 topical networks generating 6,737,341,527 page views since Jan 1, 2008. For reference, we keep this statistic updated on our home page.
Thanks, again, for the suggestions and overall feedback in reference to this feature. We hope to have the chance to support you again in the very near future!
Geno,
I just wanted to close the loop on this. We got a little ahead of ourselves this week with the launch of this feature. We do releases about every 3 or 4 weeks with enhancements all the time. The difference this time is that the feature required a little more instrumentation on the publisher side which is not something we change very often.
I have been using VigLink as a separate service on my personal blog for a while now and found the value of the data to be high which lead to its inclusion in the product queue. I also like the idea of offering the publisher an easy way to optimize their affiliate links down stream, although we did not launch that part last week.
It seemed like a good value proposition to our publishers but our communication of the feature could have been better executed. As a result after reading your post we backed off the feature within 30 minutes (thats the time it takes our global CDN to flush the cache).
I like the idea of making it selectable by the publisher and this is how we will re-release it. In the mean time we are happy to turn it on for publishers that want to try it. It’s pretty cool.
We are always looking for ways to add more value to our service for our publishers. Sometimes it’s hard to decide to default a new feature on or off and we called the ball wrong on this one. In retrospect it was a little invasive to be defaulted on.
It was my idea, so I’m the one to blame.
To answer your other questions Lijit is currently installed on a little over 12K publisher sites and 700M page views a month. We have grown over 100% in the first half of this year. Between 30 and 50 new publishers install Lijit everyday.
Thanks.
Todd
Pingback: Lijit Angers Bloggers, Pay-Per-Call Case Study, and Free Beer
Thanks for bringing this to light! I noticed this too, but didn’t have a chance to explore.
Understandably these platforms and tools/widgets are attempting to monetize, however no excuse not to notify loyal users/customers and parse out all concerns before executing something.
This is becoming an ongoing problem and even in the bigger picture of things, privacy concerns in the social media space.
Bottom line, settings and changes like this need to be treated more judiciously.
PS: I see the above comment from Todd, CEO of Lijit. So that’s ‘Respect’ for his response or shal I say very ‘Lejit’ the way he responded.
Tom, and Todd, thank you for your comments. It’s good to see a company care about its reputation enough to address an issue, and own a mistake. Having said this, you should see (and hopefully act upon) this tweet too:
Daniel, thanks for chiming in too. Yes, the area that widget-developing companies work in is extremely delicate, and they should be uber-sensitive to issues of privacy, and security, and think at least twice before launching something of the above kind.
Hmmm. I was doing some research to install Lijit on my blog for search but now have second thoughts. Do you see this issue being resolved? At this point, would you guys then recommend staying away? That is my impression from reading these first hand….thanks so much!
Farnoosh, they did resolve the issue originally described (see comments from their marketing guy and CEO above). I agree with Kelly’s above tweet about policy, and still believe it wasn’t the right thing to introduce the above-described function automatically (without users’ consent or way to get out of it); but I did appreciate them finally handling the issue the way they did.
I am a fan of Lijit and have been using their wijits for the last 2 years without any issues and their reponse is always great. Yes, this issue created some ruckus in my site too, and am glad that they turned it off now. I am sure, they must have learnt from this mistake and 1)will inform the publishers of a coming change 2)will provide the service as opt in.