Since the EU’s new General Data Privacy Regulation (GDPR) came into effect, a number of companies have been named and shamed on a website called GDPR Hall of Shame. The website is dedicated to the greatest GDPR blunders to date, and its pages feature some pretty hilarious mistakes.
None, however, stand out more than the one made by Ghostery. The firm's error demonstrates just how easy it is (for even the most well-meaning of firms) to completely screw up while attempting to comply with GDPR.
Oopsy daisies
Ghostery is a privacy-focused browser extension that monitors for trackers while users visit websites using their browser. The tracking notification tool is generally praised by digital privacy advocates. However, on this occasion, Ghostery managed to self-inflict a faux pas that has put the service in GDPR hot water.
The embarrassing error occurred when Ghostery sent out an email to alert users about changes to its privacy policy. The email itself was completely innocuous:
“We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”
Unfortunately, it was not the composition of the email itself that got people hot under the collar - but rather the way the correspondence was delivered. Somehow, the well-meaning firm managed to carbon copy over 500 users’ email addresses into each instance of the email.
The result? Each Ghostery user was endowed with 499 fellow users’ email addresses: private information that is now designated as “personal data” by the EU’s new GDPR legislation.
Twitter complaints
Having received the ill-fated policy update notification, Ghostery users took to Twitter to complain about the slip-up. One user, @andrewrstine, sarcastically commented:
Another user, @sebastianwaters, took to Twitter in disbelief:
“Wtf, did @Ghostery really just send out their #GDPR email with users’ email address visible to everyone?! #GDPRfail”.
Public apology
Following public outcry, Ghostery published a blog post apologizing for its monstrous mistake:
“Dear Ghostery Users,
We are very sorry! Ghostery sent out an email yesterday that resulted in the exposure of account holders’ email addresses to other Ghostery account holders and Ghostery users. We would like to provide some clarification and transparency regarding our GDPR email that unintentionally revealed the email addresses of some of our user accounts.”
So, how did Ghostery make such a flabbergasting error?
According to the firm, it recently decided to "stop using a third-party email automation platform". The idea behind the move was to "be more secure" by managing "user account emails in our own system, so we could fully monitor and control data practices surrounding them."
Sadly, "the best laid schemes o' mice an' men gang aft a-gley" (often go wrong):
"Due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the “To” field.
"We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again."
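The failure Ghostery describes, a whole batch landing in one “To” header instead of one email per recipient, is the kind of thing a check just before sending can catch. The Python below is an added example, not Ghostery's code or that of the email tool it chose; the function names and addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "privacy@example.com"  # constructed placeholder address


def build_batch_message(recipients, subject, body):
    """The failure mode: one message, every recipient listed in 'To'."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(recipients, subject, body):
    """The intended behaviour: a separate message per recipient."""
    return [build_batch_message([r], subject, body) for r in recipients]


def visible_recipients(msg):
    """Addresses every recipient of this message can read in its headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_before_send(msg, max_visible=1):
    """Pre-send guard: refuse any message that exposes more than one address."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise ValueError(f"refusing to send: {len(seen)} addresses visible in To/Cc")
    return msg


if __name__ == "__main__":
    users = [f"user{i}@example.org" for i in range(1, 4)]  # constructed sample list
    for m in build_individual_messages(users, "Policy update", "Hello"):
        check_before_send(m)  # passes: one visible address each
    try:
        check_before_send(build_batch_message(users, "Policy update", "Hello"))
    except ValueError as err:
        print(err)  # the batch form is stopped before it leaves
```

Running the guard on every outgoing message, rather than trusting the sending tool's batching behaviour, turns a misconfiguration like this into a failed send instead of a disclosure.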
Overly forgiving users?
Fortunately for Ghostery, it would appear that most users have decided to accept that apology. According to Gizmodo, most Ghostery users that it contacted have said that they will continue to use the anti-tracking extension. However, for some people, the unfortunate email has been taken as a sign that the firm is not properly equipped to protect their data.
Twitter user @init3 said that he had only been testing Ghostery for a short time, and would definitely be giving the tool a wide berth from now on.
Here at ProPrivacy.com, we acknowledge that this was just a calamitous slip-up. So, if you want to keep using Ghostery, it does admittedly do the job of stopping trackers pretty well. However, it is also true that Ghostery has been criticized in the past for selling anonymized data to third parties (a practice that it has stopped in favor of selling analytics data about ads).
All things considered, it is hard not to be critical of Ghostery. Considering that there are better anti-tracking tools on the market - such as Electronic Frontier Foundation’s Privacy Badger - we can’t help thinking that maybe it's time to ditch Ghostery once and for all.
Ghostery will now need to report the data leak to the European Commission - in order to comply with GDPR.