Quibi, the baffling mobile-first video streaming service that launched earlier this month, has already been found doing some shady stuff with your data. A new report has found the company leaked user email addresses to several third-party advertising and analytics firms via its email verification process.
The report was published on Medium by Zach Edwards, founder of analytics firm Victory Medium and an alum of the 2008 Obama campaign’s digital team. In it, Edwards says that new Quibi users were prompted to submit their emails to create an account and then asked to confirm that account via a link. However, that link also contained that user’s email address in the URL, which was then sent in plain text to third parties including Google, Twitter, Snapchat, Facebook, and a UK-based firm called CivicComputing.com.
Edwards notes that Quibi was notified of the leak on April 17, but that emails were still being leaked as of April 26. That, and since the original test, Quibi was found sending user data to several newer companies such as LiveRamp.com, SkimAds, and Tapad.
At this point, hardened internet veterans probably assume everything we do online is being sold left and right. To that point, Edwards’s report also calls out plenty of other companies like the Washington Post, JetBlue, Mailchimp, and Wish.com for sharing user emails with third-party marketers. That said, there are a few reasons why Quibi doing it is so alarming.
First off, Quibi is brand-spanking new. It launched April 6—roughly three weeks ago—and already has more than 2.7 million app downloads. While you can assume some of those are the same users redownloading the app onto multiple devices, that’s a lot of folks who have had their emails leaked. Quibi’s newness also doesn’t shield it from the fact that it launched long after privacy legislation like Europe’s GDPR and the California Consumer Privacy Act were in place. Any new company launching should’ve had these privacy protection regulations in mind when building out their product. Put those two things together and it’s hard to believe Quibi had no idea what it was doing. Even if you did believe it was an “accident,” that’s alarming for a whole other reason.
In his report, Edwards acknowledges this, writing that “it’s an extremely disrespectful decision to purposefully leak all new user emails to your advertising partners, and there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped architect this user breach.”
In fairness, Quibi’s privacy policy does state that it may share personal information to third parties for things like website hosting, data storage, data analysis, personalized advertising, ad measurement and verification, conversion tracking, social sharing, and a whole lot of other marketing gobbledygook. But as pointed out by Variety, nowhere in the privacy policy does Quibi explicitly include online activity tracking—which is what leaking these emails will help these companies do as they combine data from various sources.
We asked Quibi for more information as to how and why any of this happened in the first place, but a Quibi spokesperson declined to comment on the record. The company did tell Variety that it had immediately addressed the issue the “moment” it was revealed to Quibi’s security and engineering team—but none of that clears up why this sort of practice was even