ComScore Cross-Site Tracker Found in PBSKIDS.org 

Written by Internet Safety Labs
January 22, 2024

Updated 1/22/24 

We’re happy to report that the ScorecardResearch tracker has been removed from the PBSKids.org website. We appreciate PBS removing this cross-site tracker.  

Updated 11/29/23 

As a non-profit, independent product safety testing organization, Internet Safety Labs (ISL) is dedicated to catalyzing software changes to keep people safer while using technology. To this end, we sometimes discover serious safety risks as we conduct our ongoing research; we aren’t looking for these, but we happen upon them (such was the case with the dangling domain that Apple ultimately purchased, keeping countless people safe). 

When we find these risks, we typically contact the developer and request that they make a specific change. We call this a responsible disclosure of a safety risk in the software, similar to the responsible disclosure of a security vulnerability. The best outcome is that the developer quietly makes the change, and we commend their responsiveness.  

No organization is exempt from our safety scrutiny—whether it’s a commercial entity, a non-profit organization, or government organization. We feel a duty to expose these safety risks, even when they appear in the software of well-intended and highly beneficial non-profit organizations. As a non-profit organization ourselves, we keenly understand the challenges non-profit organizations face to survive and thrive in the world. Our responsible disclosures of safety risks are offered in a constructive and supportive spirit, working from an assumption that the organization may not be aware of the risk.  

1.0 Executive Summary 

Several months ago, Internet Safety Labs (ISL) noticed that the PBSKIDS.org website included a cross-site tracker from Comscore’s ScorecardResearch. Since that time, ISL contacted ten PBS executives through LinkedIn email in an effort at responsible disclosure and requested the removal of the tracker. Additionally, we called repeatedly and left messages raising the concern, receiving no response. We hope that by elevating the awareness of this problem, PBS is compelled to immediately remove the tracker from their website. (Note: ISL unhesitatingly supports the mission of PBS, and the value that they provide to people, young and old, around the world. We know that they will do the right thing for their youngest viewers.) 

2.0 Description of Problem(s) 

Site:  PBSKIDS.org 

Number of Monthly Users:  1.953M unique monthly visitors.  87% from the USA, 3% from Canada, and about 1% each from the UK and Spain. (Source: Similarweb.com) 

Description of Problem:  While recently evaluating the safety of the PBSKIDS.org website, we observed a ScorecardResearch.com cross-site tracker uniquely identifying users (i.e. children).  

According to MalwareTips: 

“ScorecardResearch.com is a domain owned by Full Circle Studies, a market research company that is part of Comscore, Inc.” 

It’s difficult to find current information about ScorecardResearch.com on the present Comscore website. According to ScorecardResearch’s obsolete website, their technology does two things: 

“ScorecardResearch collects data through [sic] from two main sources: surveys and web tagging. For our surveys, we invite people on the Internet to provide us with anonymous demographic and Internet usage information that we can use to refine our reporting. These surveys are always voluntary, and are never used to collect personal information. For web tagging, participating websites agree to deploy a special code throughout their sites. Again, no personally identifiable information is ever transmitted by, or linked to, the web tags.” 

It’s clear (see section 3.0 below) that the tracker we observed is for the web tagging function described. Specifically, the ScorecardResearch beacon creates a cookie with what appears to be a unique identifier, i.e. uniquely identifying the user, falsifying the last sentence of the excerpted description above. 

According to this article by The Guardian the ScorecardResearch beacon on the PBSKIDS.org website has the ability to amass behavioral information about the user of the browser—in the case of PBSKIDS.org, a majority of these users would be children. 

“According to comScore, websites elect to take part in the company’s market research. The website owners place ScorecardResearch web beacons into the pages of their website. 
When a browser loads a page that contains a ScorecardResearch web beacon, a cookie will be set. This, says comScore, allows it to observe “browser-level” behaviour, i.e. how often you return to a website or if, having visited one website, you go to another one that is related. 
The data that is collected is used to build up reports on internet behaviour and trends.” 

There are also several disturbing behaviors noted in the ScorecardResearch privacy policy (https://www.scorecardresearch.com/privacy.aspx). First, it indicates that the “tags” collect online identifiers, location, and internet or “other electronic network activity including information about your browsing history and other info.” The privacy policy, however, fails to indicate that the “online identifier” is a globally unique, cross-site identifier, as it appears to be.  

The privacy policy further asserts that they collect additional user information from 3rd parties, in particular citing Google and 58 other entities, including Facebook, Acxiom, Oracle, Xander, Adobe and Roku. A reminder that the users we’re talking about here are children. 

Also, ScorecardResearch acknowledges that it sells and shares data, including identifiers, and behavioral information:

Finally, ScorecardResearch notes the following regarding children’s privacy policy which is applicable in this situation, and which, from the description in the next section, does not accurately describe the behavior of their cookies: 

3.0 Details 

The cross-site tracker described above is generated by this tracking script: https://sb.scorecardresearch.com/beacon.js which creates (or accesses an already created) user-identifying cookie named “UID” (presumably for “Universal Identifier”). We know it’s likely to be universally identifying due to its name, its duration (two years) and the [long] string length of 33 digits. These types of cookies can track all user activity within the browser, all tabs, until the cookie is cleared or expires. Any site that includes the beacon javascript is creating or accessing the UID cookie. 

Figure 3.1


ISL observed the UID cookie get created when the beacon javascript runs for the first time on PBSKids.org (see Figure 3.1).

Once the UID cookie is created, subsequent browsing generates HTTP GET requests which are sent to ScorecardResearch servers for the lifetime of the cookie. Along with the UID cookie, these requests also contain information about the user’s browsing history, such as the current webpage, time accessed, and previous page visited. Figure 3.2 is an example of a subsequent HTTP GET from the PBSKIDS.org website to a ScorecardResearch server. The information in the request query is URL encoded, but still readable.  The text in red shows what information the browser is sending in the request. 

Figure 3.2


Our testing confirmed that as the user navigates the internet via the browser, ScorecardResearch continues to receive data about browsing habits. For instance, Spotify also includes the beacon javascript that accesses the UID cookie (see Figure 3.3). 
 

Figure 3.3


Figure 3.4 below illustrates the communication to Spotify servers including the UID cookie.
Similar to the behavior observed on PBSKIDS.org, information relating to our browsing can be seen being sent back to ScorecardResearch servers.
 

Figure 3.4


Likewise, any website that allows placement of the ScorecardResearch cookie (i.e. includes the beacon javascript) collects and sends user-identified information back to ScorecardResearch. According to WhoTracksMe, the cookie exists in 1,179 of the top 10,000 websites, including news sites, social media platforms, and online retailers in multiple countries around the world. Figure 3.5 is the word cloud from WhoTracksMe. 

Figure 3.5
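
The behaviour walked through in this section (a long-lived third-party cookie, replayed from more than one site, alongside URL-encoded page addresses in the query string) can be checked mechanically from a browser network capture. The following is an added example, not ISL's tooling or code from the original report; it generalizes to any third-party cookie, and the hosts, the cookie value and the query parameter names `u` and `r` are constructed for illustration.

```javascript
const YEAR = 365 * 24 * 3600;
// Site = last two host labels (assumption; real audits use the Public Suffix List).
const site = (u) => new URL(u).hostname.split('.').slice(-2).join('.');
const pairs = (h) => (h || '').split(';').map((s) => s.trim()).filter(Boolean);

// Cookie lifetime in seconds; Max-Age takes precedence over Expires (RFC 6265).
function lifetime(attrs, now) {
  const find = (re) => attrs.map((a) => re.exec(a)).find(Boolean);
  const maxAge = find(/^max-age=(\d+)$/i);
  if (maxAge) return Number(maxAge[1]);
  const exp = find(/^expires=(.+)$/i);
  return exp ? (Date.parse(exp[1]) - now) / 1000 : 0; // 0 = session cookie
}

function findCrossSiteIds(entries, now = Date.now(), minAge = YEAR, minLen = 16) {
  const persistent = new Map(); // "trackerSite|name=value" -> lifetime (s)
  const seen = new Map();       // same key -> { sites, leaked }
  for (const e of entries) {
    const tracker = site(e.url);
    if (tracker === site(e.page)) continue; // first-party request, ignore
    for (const sc of e.setCookie || []) {
      const [pair, ...attrs] = pairs(sc);
      const age = lifetime(attrs, now);
      const longValue = pair.slice(pair.indexOf('=') + 1).length >= minLen;
      if (age >= minAge && longValue) persistent.set(`${tracker}|${pair}`, age);
    }
    for (const pair of pairs(e.cookie)) {
      const key = `${tracker}|${pair}`;
      const rec = seen.get(key) || { sites: new Set(), leaked: [] };
      rec.sites.add(site(e.page));
      // searchParams decodes the URL-encoded query; keep values that are URLs.
      for (const v of new URL(e.url).searchParams.values()) if (/^https?:\/\//.test(v)) rec.leaked.push(v);
      seen.set(key, rec);
    }
  }
  return [...seen].filter(([k, r]) => persistent.has(k) && r.sites.size > 1)
    .map(([k, r]) => ({ cookie: k, lifetime: persistent.get(k), sites: [...r.sites].sort(), leaked: r.leaked }));
}

// Constructed capture: tracker.example stands in for a beacon host; the UID value is made up.
const ID = 'UID=1A2b3C4d5E6f7A8b9C0d1E2f3A4b5C6d7';
const T = 'https://sb.tracker.example';
const SAMPLE = [
  { page: 'https://kids.site-a.example/games', url: `${T}/beacon.js`, setCookie: [`${ID}; Max-Age=63072000; Secure`] },
  { page: 'https://kids.site-a.example/videos', cookie: ID,
    url: `${T}/b?u=https%3A%2F%2Fkids.site-a.example%2Fvideos&r=https%3A%2F%2Fkids.site-a.example%2Fgames` },
  { page: 'https://www.site-b.example/playlist', cookie: ID, url: `${T}/b?u=https%3A%2F%2Fwww.site-b.example%2Fplaylist` },
  { page: 'https://www.site-b.example/playlist', cookie: 'sess=abc', url: 'https://cdn.other.example/app.js' },
];
console.log(JSON.stringify(findCrossSiteIds(SAMPLE), null, 2));
```

Each entry mirrors one request from a HAR export: the page that triggered it, the request URL, and the `Cookie` or `Set-Cookie` header values. Pass the capture time as `now` when cookies use `Expires` rather than `Max-Age`.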


Finally, of interest, it appears that PBS Kids removed the ScorecardResearch SDKs from their mobile apps around three years ago (source: AppFigures), which is a positive step. ISL wonders why they didn’t also remove it from their website at the same time.  

4.0 Concerns 

The investigation results in several safety and privacy concerns for child users of PBSkids.org.  

      • PBS is facilitating the collection and sharing of child data by having the ScorecardResearch tracker code on the PBSKIDS.org website.  
      • Children’s behavior is being tracked and shared (likely monetized) across websites [and companies] which may be a COPPA violation [we are not lawyers].  
      • ComScore is also on notice here, because their tracker is included in at least one site clearly meant for children, which means they are tracking children around the internet.  

5.0 ISL’s Responsible Disclosures 

ISL undertook the following efforts to make PBS aware of the concerns stated in this report: 

    1. On August 10, 2023, ISL sent responsible disclosure notices to two PBS executives via LinkedIn. No response was received. 
    2. On August 17, 2023 ISL sent a responsible disclosure notice to another PBS executive via LinkedIn. No response was received.  
    3. On August 31, 2023 ISL sent responsible disclosure notices to two PBS executives via LinkedIn. One response was received indicating that we should contact a different executive. ISL replied that we had indeed contacted the referred executive and asked if this person could escalate. No further response was received. 
    4. On September 7, 2023 ISL sent responsible disclosure notices to two PBS executives via LinkedIn. No response was received. 
    5. On 9/22/23, ISL called the PBS phone number identified on the PBS Kids Privacy Policy (https://pbskids.org/privacy/), (703) 739-5127, and left a message. No response was received. 
    6. ISL left messages every day from 10/2/23 through 10/6/23 on the PBSKIDS.org answering service. No response was received. 
    7. ISL sent another email on November 6, 2023 with no response. 

6.0 Call to Action for PBSKids 

ISL is disappointed that our efforts in responsible disclosure have not resulted in the removal of this tracker. We hope with the publishing of this history, PBS does the right thing and immediately removes the ScorecardResearch tracker from PBSKIDS.org.  

7.0 References 

Old ScorecardResearch website:
https://web.archive.org/web/20231008185858/https://www.scorecardresearch.com/home.aspx 

Current ScorecardResearch privacy policy:
https://web.archive.org/web/20231008190309/https://www.scorecardresearch.com/privacy.aspx  

ScorecardResearch privacy policy link to 3rd party data providers:
http://web.archive.org/web/20231016185954/https://www.comscore.com/About/Privacy/Partners  

ScorecardResearch privacy policy 3rd party data providers more info:
http://web.archive.org/web/20231016185954/https://www.comscore.com/About/Privacy/Partners  

ScorecardResearch (ComScore): What is it and what does it do? | Cookies and web tracking | The Guardian 

MalwareTips “ScorecardResearch – What Is It And What Does It Do?”:
https://malwaretips.com/blogs/scorecardresearch/#more-170961