Monitor Your Suppliers' Terms of Services
The inclusion of other people's code in your own web pages increases the potential number of vulnerabilities and it can have an effect on compliance.
Seemingly harmless code from third party sites is often included to provide:
- advertisements (e.g. Google AdSense, DoubleClick, Amazon Associates)
- widgets (e.g. bookmarking and social networking tools)
- web analytics (e.g. Google Analytics, Omniture, Hitbox).
But these normally come with their own terms of service. Like any other component of your site, you need to ensure your own privacy policy and, if there is personally identifiable information, your data protection act registration include the purposes (collection, use, retention, transfer) that the third party code requires.
Then the terms of service need to be actively monitored, since they can change unannounced. A recent example of this was the purchase of AddThis, a popular bookmarking widget provider, by Clearspring Technologies Inc at the end of September 2008.
The AddThis terms of service were updated and their widget code changed to include tracking cookies. This meant the widget created cookies on the host web site's domain, as if the host had set them itself. This is because the widget's code runs in the context of the hosting page. See John Haller's write-up for further information. Here's one snippet from the new terms of service:
Data Rights
In order to provide certain Services, You must allow us to use raw data related to the use and distribution of Your Content ("Data") that will be collected as part of the Services. You hereby grant AddThis a non-exclusive, perpetual, worldwide and irrevocable right and license to utilize the Data to track, extract, compile, synthesize, aggregate, and analyze such Data, including, but not limited to, the creation of anonymous and promotional tracking data ("Tracking Data"). We reserve the right to use, reproduce, distribute and display Tracking Data, in our sole discretion.
If you have AddThis on your web site, are your users aware of these terms? A more common issue for web site owners than widgets is the use of web analytics services that have client-side code - typically JavaScript - embedded on each page.
Try to keep third party hosted code off your site, and certainly never have it in more sensitive areas such as registration, log in, password recovery, payments and restricted-access pages. If possible use server-side web analytics rather than adding client-side code.
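To see why a widget can set cookies on your own domain, and to keep an eye on what included code actually does, here is an added example (not from this post, AddThis or John Haller's write-up) that hooks the document.cookie setter before any third-party script runs and records each write with a stack trace, so cookies created by embedded code can be attributed. It assumes a stand-in for the browser's document object, constructed so the snippet runs offline under Node; in a page you would pass the real `document`.

```javascript
// Constructed stand-in for a browser document: `cookie` is an accessor on
// the prototype, just as it is on Document.prototype in real browsers.
function makeFakeDocument() {
  const jar = new Map();
  const proto = {};
  Object.defineProperty(proto, 'cookie', {
    configurable: true,
    get() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set(str) {
      const pair = String(str).split(';')[0];       // ignore attributes
      const eq = pair.indexOf('=');
      if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    },
  });
  return Object.create(proto);
}

// Locate the `cookie` accessor wherever it sits in the prototype chain.
function findDescriptor(obj, name) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d) return d;
  }
  return undefined;
}

// Shadow document.cookie on the instance: every write is logged with the
// cookie name and the call stack of whoever wrote it, then passed through.
function instrumentCookieWrites(doc, log) {
  const original = findDescriptor(doc, 'cookie');
  if (!original || typeof original.set !== 'function') {
    throw new Error('document.cookie accessor not found');
  }
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return original.get.call(this); },
    set(value) {
      const name = String(value).split(';')[0].split('=')[0].trim();
      log.push({ name, value: String(value), stack: new Error().stack });
      original.set.call(this, value);
    },
  });
}

function demo() {
  const doc = makeFakeDocument();
  const log = [];
  instrumentCookieWrites(doc, log);           // must run before any widget
  doc.cookie = 'session=abc123; path=/';       // host page's own cookie (constructed)
  doc.cookie = 'widget_uid=xyz; path=/';       // write from included widget code (constructed)
  return { log, cookies: doc.cookie };        // both land on the host domain
}
```

Each log entry's stack shows which script performed the write, which is what a reviewer needs when checking an included widget against its current terms of service.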
Posted on: 02 December 2008 at 15:11 hrs