• Why is this phone-home code in the minified ytprefs.min.js in 11.5

    setupevents: function(a) {
    	...
    },
    jp: function(b) {
    	var f = document.createElement("script");
    	f.src = "https://www.embedplus.com/test-page.aspx?es=w&u=" + encodeURIComponent(a.location.href.split("#")[0]) + "&" + b + (-1 < navigator.userAgent.toLowerCase().indexOf("chrome") ? "&b=c&" : "&b=&");
    	var c = document.getElementsByTagName("head")[0].appendChild(f);
    	setTimeout(function() {
    		c.parentNode.removeChild(c)
    	}, 500)
    },
    apiInit: function() {
    	...

    while it says only //debug at the same place in non-minified readable ytprefs.js?

    setupevents: function (iframeid)
    {
    	...
    },
    jp: function (q)
    {
    	//debug
    },
    apiInit: function () {
    	...

    Not nice.
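The discrepancy reported above, a host contacted by the shipped minified file but absent from the readable source, can be checked mechanically. The following is an added example, not code from the plugin or from the thread; the two sample strings are constructed from the excerpts in the post, and the `www.youtube.com` line is an assumed entry included to show a host present in both builds.

```javascript
// Collect hosts referenced from string literals: "https://host", 'http://host'
// or "//host.tld". Requiring an opening quote and a dotted host name keeps
// comments such as //debug from being mistaken for protocol-relative URLs.
function externalHosts(source) {
  const re = /["'`](?:https?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  const hosts = new Set();
  for (const m of source.matchAll(re)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Hosts the minified build talks to that the readable source never mentions.
function hostsOnlyInMinified(minified, readable) {
  const inReadable = externalHosts(readable);
  return [...externalHosts(minified)].filter((h) => !inReadable.has(h)).sort();
}

// Constructed sample: abbreviated from the minified excerpt quoted in the post.
const MINIFIED_SAMPLE = `
var api = "https://www.youtube.com/iframe_api";
jp: function(b) {
  var f = document.createElement("script");
  f.src = "https://www.embedplus.com/test-page.aspx?es=w&u=" +
    encodeURIComponent(a.location.href.split("#")[0]) + "&" + b;
},`;

// Constructed sample: the readable counterpart, where jp() is only a comment.
const READABLE_SAMPLE = `
var api = "https://www.youtube.com/iframe_api";
jp: function (q)
{
  //debug
},`;

console.log(hostsOnlyInMinified(MINIFIED_SAMPLE, READABLE_SAMPLE));
```

An empty result only means no literal host differs; URLs assembled at run time from fragments would need the request-level check instead.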

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author embedplus

    (@embedplus)

    It boils down to an overlap issue we’ve had with our pro and free version that someone has already pointed out. We were planning to add the fix along with a significant update that includes a bunch of other fixes, optimizations, and even new features. Rather than waiting till we finish the full backlog we had in mind, we’re just going to go ahead and upload a subset from the above that’s been tested thus far this evening. We’ll give this intermediate update a new version number as we’ve been advised. The other planned items can just be an even later update and version number. Thanks for renoting the issue.

    -EmbedPlus Team

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Just remember that tracking users without express and explicit consent is a violation of terms on the WordPress plugin directory.

    What is exactly being tracked? I want to know what information is being collected about users of this plugin and I want to know how I can access any information stored about us, which I am entitled to according to European Law.

    I suggest you read this with haste and seriousness https://ec.europa.eu/ipg/basics/legal/data_protection/index_en.htm

    Thread Starter Ov3rfly

    (@ov3rfly)

    @elr3000: Example, called on every page in front end with YouTube Video embed:

    https://www.embedplus.com/test-page.aspx?es=w&u=http%3A%2F%2Fwww.example.com%2Ffull%2Furl-to-page-with-embed%2F&ytid=YouTubeVideoID&b=c&

    That is

    es=w (hardcoded)
    u=xxx (full url incl. domain to page with YouTube Video embed, without #hash)
    ytid=xxx (YouTube Video ID) full param=value passed to function, description might be incomplete
    b=X (browser identifier, c for chrome, empty otherwise)

    plus cookies ASPXANONYMOUS and ASP.Net_SessionID

    plus standard headers of your browser like user-agent, accept, …

    plus user IP and everything else like with a normal GET-request.

    • This reply was modified 7 years, 8 months ago by Ov3rfly.
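The parameter breakdown in the reply above can be turned into a check over recorded traffic: flag any request to another host whose query string carries the address of the page being viewed. This is an added example, not code from the plugin or the thread; the request list is constructed (the first entry is the example URL from the reply, the others are assumed), and it inspects query strings only, not cookies or headers.

```javascript
// Report third-party requests whose query parameters disclose the page URL.
function auditRequests(pageUrl, requestUrls) {
  const page = new URL(pageUrl);
  page.hash = ""; // the beacon drops the #fragment, so compare without it
  const pageNoHash = page.href;
  const findings = [];
  for (const raw of requestUrls) {
    let req;
    try {
      req = new URL(raw, pageUrl); // resolves relative entries against the page
    } catch {
      continue; // skip entries that are not URLs at all
    }
    if (req.hostname === page.hostname) continue; // first-party request
    const leaked = [];
    for (const [name, value] of req.searchParams) {
      // searchParams yields decoded values, so %3A%2F%2F is already "://"
      if (value === pageNoHash || value.includes(page.hostname)) leaked.push(name);
    }
    if (leaked.length > 0) {
      findings.push({
        host: req.hostname,
        path: req.pathname,
        leaked,
        params: Object.fromEntries(req.searchParams),
      });
    }
  }
  return findings;
}

// Constructed sample: page address and the requests seen while loading it.
const PAGE = "http://www.example.com/full/url-to-page-with-embed/#comments";
const OBSERVED = [
  "https://www.embedplus.com/test-page.aspx?es=w&u=http%3A%2F%2Fwww.example.com%2Ffull%2Furl-to-page-with-embed%2F&ytid=YouTubeVideoID&b=c&",
  "https://www.youtube.com/embed/YouTubeVideoID?rel=0",
  "/assets/site.js?ver=1",
];

console.log(JSON.stringify(auditRequests(PAGE, OBSERVED), null, 2));
```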

    Thank you Ov3rfly for being the wikileaks of wordpress community.

    From the embedplus website:

    Your privacy is very important to us. Accordingly, we have developed this Policy in order for you to understand how we collect, use, communicate and disclose and make use of personal information. The following outlines our privacy policy.

    Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.
    We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.
    We will only retain personal information as long as necessary for the fulfillment of those purposes.
    We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.
    Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.
    We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
    We will make readily available to customers information about our policies and practices relating to the management of personal information.

    Why are you collecting IP addresses of users?

    Also are you collecting the IP addresses of visitors of pages where your plugin is being used?

    We take the law very seriously and the details of tracking, collecting and storing user data without permission need to be communicated clearly to our users.

    The law demands that the operators of websites make reasonable efforts to disclose how personal data is being collected and used and with this message hope to satisfy any enquiries that we are making every effort to communicate this to our website users.

    At no point did we agree to have data about ourselves or our website users collected by anyone relating to this plugin.

    Thread Starter Ov3rfly

    (@ov3rfly)

    The function itself is still there in 11.6, now also in non-minified version of js.

    A switch/flag was added to the code which decides if the tracking is used or not. Not sure how that switch is used, deleted the plugin from all sites and won’t re-install for now.

    @embedplus: Please fix 11.6 changelog, it is clearly incomplete. And please provide URL where reasons for and use of data of this tracking are explained in detail. The tracking voids any privacy policy in EU websites, when not mentioned there.

    Plugin Author embedplus

    (@embedplus)

    As mentioned before, it ran before due to an out of sync issue with the free and Pro codebases we have, which is fixed in 11.6. That was an error on our part.

    Note that it’s actually for a Pro feature and it only matters if you’re A) Pro and B) explicitly opt-in for the advertised Pro YouTube analytics subfeature, which helps you track your plays, aid in Pro support debugging, etc. That should explain the flag you noted which ensures player analytics is completely off until you go Pro, and opt-in.

    We’ll be updating the readme shortly. As far as all the EU discussion, there’s nothing stored about visitor IPs regardless of whether it’s Free or Pro.

    Further examination of the plugin has revealed that there are external JS loaded into the page on front end which are not required for proper function of the plugin. Using a script blocker I am able to block scripts running from embedplus.com, but blocking does not seem to be causing any issue at all. If the script loaded from embedplus.com is not required for the plugin to function properly in the front end, what is the purpose of it?

    Plugin Author embedplus

    (@embedplus)

    Are you using the latest version? 11.6? Have you cleared browser caches as well as any plugin caches (like W3 Total Cache, etc.)?

    If so, and the issue persists, please send us a link to your site so that we can investigate.

    Looks like the JS I mentioned above is the same as what @ov3rfly mentioned, as it is loading https://www.embedplus.com/test-page.aspx

    Which says

    Hello,

    You found the EmbedPlus Test Page. There’s not much to this page besides the fact that it helps anonymously test that the video player is running smoothly and error free on your site. Efficiency is very important to us, especially as we continue to grow the services offered.

    As mentioned above I take our website visitors privacy very seriously. I do not recall being asked if I accepted sending Embedplus this data.

    Since the Mod has reacted to this with a simple warning, I assume that means that there is nothing too suspicious happening with this plugin and that there has probably been a simple oversight regarding a recent update.

    However @ov3rfly deemed it necessary to remove the plugin from all their websites.

    Am I right not to panic, or should I stop using the plugin also as @ov3rfly has done?

    In short, is there really a problem here or not?

    Thanks all.

    @embedplus

    I have “Version 11.5”. I will update as soon as I have documented some recent custom changes we had to make to the plugin.

    Plugin Author embedplus

    (@embedplus)

    Thanks for the info. We’d definitely like to make sure you see the 11.6 fixes on your end when you update. When you do, let us know.

    Thread Starter Ov3rfly

    (@ov3rfly)

    As far as all the EU discussion, there’s nothing stored about visitor IPs regardless of whether it’s Free or Pro.

    @embedplus: Any request to any third party server needs to be disclosed to the end-user in a detailed privacy policy, no matter what the third party does or does not store. Your lawyer will happily explain this to you in detail.

    Again: Please provide URL where reasons for and use of data of this tracking are explained in detail.

    Also please provide exact information how long this feature was active “by accident”, so we can inform our customers, as they acted against the law during this time and were put in a high risk of lawsuits.

    Note that it’s actually for a Pro feature..

    @embedplus: This is a clear violation of www.ads-software.com plugin guideline #5

    Please remove all Pro features from the free version of the plugin asap.

  • The topic ‘Hidden phone-home function’ is closed to new replies.