As a non-profit, independent product safety testing organization, Internet Safety Labs (ISL) is dedicated to catalyzing software changes to keep people safer while using technology. To this end, we sometimes discover serious safety risks as we conduct our ongoing research; we aren’t looking for these, but we happen upon them (such was the case with the dangling domain that Apple ultimately purchased, keeping countless people safe).
When we find these risks, we typically contact the developer and request that they make a specific change. We call this a responsible disclosure of a safety risk in the software, similar to the responsible disclosure of a security vulnerability. The best outcome is that the developer quietly makes the change, and we commend their responsiveness.
No organization is exempt from our safety scrutiny—whether it’s a commercial entity, a non-profit organization, or government organization. We feel a duty to expose these safety risks, even when they appear in the software of well-intended and highly beneficial non-profit organizations. As a non-profit organization ourselves, we keenly understand the challenges non-profit organizations face to survive and thrive in the world. Our responsible disclosures of safety risks are offered in a constructive and supportive spirit, working from an assumption that the organization may not be aware of the risk.
1.0 Executive Summary
Several months ago, Internet Safety Labs (ISL) noticed that the PBSKIDS.org website included a cross-site tracker from Comscore’s ScorecardResearch. Since that time, ISL contacted ten PBS executives through LinkedIn email in an effort at responsible disclosure and requested the removal of the tracker. Additionally, we called repeatedly and left messages raising the concern, receiving no response. We hope that by elevating the awareness of this problem, PBS is compelled to immediately remove the tracker from their website. (Note: ISL unhesitatingly supports the mission of PBS, and the value that they provide to people, young and old, around the world. We know that they will do the right thing for their youngest viewers.)
2.0 Description of Problem(s)
Number of Monthly Users: 1.953M unique monthly visitors. 87% from the USA, 3% from Canada, and about 1% each from the UK and Spain. (Source: Similarweb.com)
Description of Problem: While recently evaluating the safety of the PBSKIDS.org website, we observed a ScorecardResearch.com cross-site tracker uniquely identifying users (i.e. children).
According to MalwareTips:
“ScorecardResearch.com is a domain owned by Full Circle Studies, a market research company that is part of Comscore, Inc.”
It’s difficult to find current information about ScorecardResearch.com on the present Comscore website. ScorecardResearch’s obsolete website says its technology does two things:
“ScorecardResearch collects data through [sic] from two main sources: surveys and web tagging. For our surveys, we invite people on the Internet to provide us with anonymous demographic and Internet usage information that we can use to refine our reporting. These surveys are always voluntary, and are never used to collect personal information. For web tagging, participating websites agree to deploy a special code throughout their sites. Again, no personally identifiable information is ever transmitted by, or linked to, the web tags.”
It’s clear (see section 3.0 below) that the tracker we observed is for the web tagging function described. Specifically, the ScorecardResearch beacon creates a cookie with what appears to be a unique identifier, i.e. uniquely identifying the user, falsifying the last sentence of the excerpted description above.
According to this article by The Guardian, the ScorecardResearch beacon on the PBSKIDS.org website has the ability to amass behavioral information about the user of the browser—in the case of PBSKIDS.org, a majority of these users would be children.
According to comScore, websites elect to take part in the company’s market research. The website owners place ScorecardResearch web beacons into the pages of their website.
When a browser loads a page that contains a ScorecardResearch web beacon, a cookie will be set. This, says comScore, allows it to observe “browser-level” behaviour, i.e. how often you return to a website or if, having visited one website, you go to another one that is related.
The data that is collected is used to build up reports on internet behaviour and trends.
Also, ScorecardResearch acknowledges that it sells and shares data, including identifiers, and behavioral information:
Once the UID cookie is created, subsequent browsing generates HTTP GET requests which are sent to ScorecardResearch servers for the lifetime of the cookie. Along with the UID cookie, these requests also contain information about the user’s browsing history, such as the current webpage, time accessed, and previous page visited. Figure 3.2 is an example of a subsequent HTTP GET from the PBSKIDS.org website to a ScorecardResearch server. The information in the request query is URL encoded, but still readable. The text in red shows what information the browser is sending in the request.
Figure 3.4 below illustrates the communication to Spotify servers including the UID cookie. Similar to the behavior observed on PBSKIDS.org, information relating to our browsing can be seen being sent back to ScorecardResearch servers.
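The following added example (not part of ISL's report or its figures) shows how an auditor could decode captured beacon requests like those described above and confirm that one UID cookie value links visits on different sites. The captures are constructed: the request path, the query parameter names (page, ref, ts) and the UID value are placeholders, and the site key is a simple last-two-labels assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed captures, not the report's figures. The request path, the query
# parameter names (page, ref, ts) and the UID value are placeholders.
CAPTURES = [
    {"url": "https://scorecardresearch.com/beacon?page=https%3A%2F%2Fpbskids.org%2Fgames"
            "&ref=https%3A%2F%2Fpbskids.org%2F&ts=1696250000000",
     "cookie": "UID=PLACEHOLDER-ID-0001"},
    {"url": "https://scorecardresearch.com/beacon?page=https%3A%2F%2Fopen.spotify.com%2Fsearch"
            "&ref=&ts=1696250900000",
     "cookie": "UID=PLACEHOLDER-ID-0001; session=abc"},
]

def site_of(host):
    """Crude site key: last two DNS labels (assumption: no Public Suffix List lookup)."""
    return ".".join((host or "").lower().split(".")[-2:])

def decode_beacon(capture):
    """Return the tracker site, the UID cookie value and what the query discloses."""
    parts = urlsplit(capture["url"])
    cookies = dict(p.strip().partition("=")[::2] for p in capture["cookie"].split(";"))
    disclosed = {}
    for key, value in parse_qsl(parts.query):  # parse_qsl undoes the URL encoding
        if value.startswith(("http://", "https://")):
            disclosed[key] = ("url", value)
        elif value.isdigit() and len(value) in (10, 13):
            disclosed[key] = ("epoch-timestamp", value)
    return {"tracker": site_of(parts.hostname), "uid": cookies.get("UID"),
            "disclosed": disclosed}

def sites_per_identifier(captures):
    """Group the sites named in beacon URLs by (tracker, UID). More than one site
    under a key means the same identifier follows the browser across sites."""
    seen = defaultdict(set)
    for cap in captures:
        rec = decode_beacon(cap)
        if rec["uid"] is None:
            continue
        for kind, value in rec["disclosed"].values():
            if kind == "url":
                seen[(rec["tracker"], rec["uid"])].add(site_of(urlsplit(value).hostname))
    return {key: sorted(sites) for key, sites in seen.items()}
```

Feeding it requests exported from a browser's network panel or a proxy log gives a per-identifier list of sites, which is the evidence needed to call a cookie a cross-site tracker rather than a first-party one.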
Finally, of interest, it appears that PBS Kids removed the ScorecardResearch SDKs from their mobile apps around three years ago (source: AppFigures), which is a positive step. ISL wonders why they didn’t also remove it from their website at the same time.
The investigation results in several safety and privacy concerns for child users of PBSkids.org.
- PBS is facilitating the collection and sharing of child data by having the ScorecardResearch tracker code on the PBSKIDS.org website.
- Children’s behavior is being tracked and shared (likely monetized) across websites [and companies] which may be a COPPA violation [we are not lawyers].
- ComScore is also on notice here, because their tracker is included in at least one site clearly meant for children, which means they are tracking children around the internet.
5.0 ISL’s Responsible Disclosures
ISL undertook the following efforts to make PBS aware of the concerns stated in this report:
- On August 10, 2023, ISL sent responsible disclosure notices to two PBS executives via LinkedIn. No response was received.
- On August 17, 2023 ISL sent a responsible disclosure notice to another PBS executive via LinkedIn. No response was received.
- On August 31, 2023 ISL sent responsible disclosure notices to two PBS executives via LinkedIn. One response was received indicating that we should contact a different executive. ISL replied that we had indeed contacted the referred executive and asked if this person could escalate. No further response was received.
- On September 7, 2023 ISL sent responsible disclosure notices to two PBS executives via LinkedIn. No response was received.
(703) 739-5127) and left a message. No response was received.
- ISL left messages every day from 10/2/23 through 10/6/23 on the PBSKIDS.org answering service. No response was received.
- ISL sent another email on November 6, 2023 with no response.
6.0 Call to Action for PBSKids
ISL is disappointed that our efforts in responsible disclosure have not resulted in the removal of this tracker. We hope with the publishing of this history, PBS does the right thing and immediately removes the ScorecardResearch tracker from PBSKIDS.org.
Old ScorecardResearch website:
MalwareTips “ScorecardResearch – What Is It And What Does It Do?”: