So, it’s probably hard to believe this, given my user name, but sometimes I want to be sober instead of wasted or possibly overdosing… I do not consider myself to be in recovery or have a drug problem, but today is a bad day, and I feel like sobriety may be a better option than the alternative.

There are generally two options when it comes to recovery from drugs. One is Narcotics Anonymous and one is Smart Recovery. The difference is Narcotics Anonymous involves “high powers” as a step, which I view as religious baloney. Since I hate religion, but also want to be sober, Smart Recovery is the main alternative.

Both of these websites have canvas fingerprint tracking in them.

This is incredibly irresponsible and selfish and dangerous and either is a result of extreme technological ignorance or just willful disregard of people visiting those sites.

Smart Recovery seems to be much worse than NA in terms of data privacy because Smart Recovery is loading up things from content delivery networks and lots of external scripts, none of which likely care about the privacy of someone not wanting to be tracked.

Yes, it’s “great” that NA and Smart Recovery can take a browser fingerprint of users and sell that to Meta who will then market this information to Rehab Facilities. (I’m not sure if that is what they do, but it wouldn’t surprise me.)

But this information also is likely getting sold somehow to data brokers and that information could end up being looked at by a variety of people, including potential employers. If a large employer is looking at a potential employee, they can and often do get detailed information from data brokers. People are incredibly naive as to how much data brokers store about people. It’s irresponsible and certainly not anonymous for these sites to track people like this, claim to be anonymous, and not even warn users prior to fingerprinting their hardware and identity.

Additionally, because na.org and smartrecovery.org are not hospitals or medical providers, this information is likely not HIPAA protected and certainly even if it were we have no way of knowing what data brokers do with these canvas profiles, which almost certainly link to real KYC canvas fingerprint profiles of naive users. And most users are naive users.

It’s also so frustrating because many of these meetings are being done on Zoom, so accessing the meeting is done by going to the website and visitors or former addicts or people attending meetings are getting canvas fingerprinted every time. It’s disgusting, appalling, and another example of why it’s just better to keep an addiction secret, try to detox on your own, and try to sober up on your own and stay sober if you can.

It’s just infuriating. Thanks for reading my rant. And you can go to these sites yourself to check out the scripts in them. If I am misstating the privacy risks involved, I’d be happy to be told so.

Well I’m definitely not going to a meeting. Perhaps I can stick with coffee, although it’s pretty late for coffee?
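
For readers who take up the invitation in the post above to look at the scripts themselves, here is an added example (not part of the original post, and not code from any of the sites named) of a static check that flags scripts which both draw to a canvas and read the pixels back, and marks whether each one is third-party. The script URLs and bodies are constructed samples, the `auditScripts` helper and its field names are hypothetical, and the same-site test is a naive assumption.

```javascript
// Canvas calls that draw content, and calls that read the rendered pixels back out.
const DRAW_CALLS = ['fillText', 'strokeText', 'fillRect', 'arc'];
const READ_CALLS = ['toDataURL', 'getImageData', 'toBlob'];

// Return which of the given method names are invoked in the source text.
function callsFound(source, names) {
  return names.filter((n) => new RegExp('\\.' + n + '\\s*\\(').test(source));
}

// Naive "same site" test: compare the last two host labels.
// Assumption: fine for example.org-style names, wrong for suffixes like co.uk.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// scripts: [{ src: URL string, or null for inline; body: script source text }]
function auditScripts(pageUrl, scripts) {
  const page = new URL(pageUrl);
  return scripts.map(({ src, body }) => {
    const host = src ? new URL(src, page).hostname : page.hostname;
    const draws = callsFound(body, DRAW_CALLS);
    const reads = callsFound(body, READ_CALLS);
    return {
      script: src || '(inline)',
      thirdParty: siteOf(host) !== siteOf(page.hostname),
      draws,
      reads,
      // Drawing and then reading back in one script is the pattern worth a manual look.
      suspicious: draws.length > 0 && reads.length > 0,
    };
  });
}

// Constructed sample input (not taken from any real site).
const SAMPLE_SCRIPTS = [
  { src: 'https://cdn.analytics.example.net/t.js',
    body: "var c=document.createElement('canvas'),x=c.getContext('2d');" +
          "x.fillText('Cwm fjordbank glyphs',2,15);send(hash(c.toDataURL()));" },
  { src: '/js/chart.js',
    body: 'ctx.fillRect(0,0,w,h);ctx.arc(50,50,20,0,6.28);ctx.stroke();' },
  { src: null,
    body: "img.onload=function(){thumb.src=canvas.toDataURL('image/png');};" },
];

const report = auditScripts('https://www.example.org/meetings', SAMPLE_SCRIPTS);
for (const r of report) console.log(r);
```

A hit is a reason to read the script, not proof of tracking, and minified or dynamically loaded code can evade a text match like this one.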

  • elucubra@piefed.social
    1 day ago

    I’m a country coordinator for a SMART Recovery country other than the US.

    This is highly unlikely, but I will check this out.

    I find the idea that SMART would sell your data highly unlikely. SMART is privacy focused. Nicknames are encouraged, and you can enter Zoom meetings with camera and mic silenced. SMART definitely does not collect personal data, only attendance numbers for internal statistics. SMART accepts donations from recovery organizations, but does not have any obligations towards them.

    As I said, I will follow up.

    Much of IT is subcontracted, so there may be the origin, and it will be looked into.

    BTW, SMART’s financials are public. You are free to check if there is income from selling your data.

    • tradingcronjobsforsmack@lemmy.world (OP)
      14 hours ago

      Why would it be unlikely?

      I have no reason to lie about this. Here’s more proof:

      Smartrecovery.org may be getting lower cost or free services by allowing these companies to collect user information and then sell it, which likely would not show up in a public financial statement.

      As I said previously: “This is incredibly irresponsible and selfish and dangerous and either is a result of extreme technological ignorance or just willful disregard of people visiting those sites.” I am not claiming smartrecovery.org is an advertising company.

      I appreciate the effort to look into this but am skeptical that 6 months from now the third-party javascript will look any different, and for now I will continue to not use your site.

      Also, for comparison:

      This is from na.org which also has much less third-party tracking and no third-party Google scripts, but still takes canvas fingerprints which can usually uniquely identify users, unless the site is being accessed at a library or using a specialized browser:

      aa.org, in comparison, does not use canvas fingerprint tracking in the site, but does have a Google Maps API JavaScript request and although I have no proof, I can’t fathom Google doesn’t collect information from that API including the origination IP and the website it’s embedded into, which is possibly tracking aa users as well for Google. Why does aa need to call up an ad tracking and surveillance company API instead of something like openmaps which does not have a business model of tracking users?

      My prediction is none of these organizations will have changed any of these things within the next year, if ever, despite the fact it could have real-world consequences for people visiting these sites.

    • FauxLiving@lemmy.world
      1 day ago

      It’s almost certainly some traffic analytics package for the website.

      They sound good in their marketing; they provide a bunch of useful statistics about visitors so the site can be tweaked for ease of access or to lower bounce rate.

      The downside is that they often have rights to that data under their TOS because aggregation of data from multiple sites is how they provide a service.

      The concern is that this data can be used to locate individual people and to learn of their associated identities. This is true even if they claim the data is “anonymized”; it’s a trivially simple process to use a second data set to correlate details and deanonymize the data.

      • tradingcronjobsforsmack@lemmy.world (OP)
        15 hours ago

        Thank you for adding this.

        Also, even if the TOS of their many “trusted partners” didn’t specify selling it, and there’s a huge amount of third-party JavaScript on their site, taking a canvas fingerprint of a browser is highly sensitive and often is close to getting identification, since most people use Chrome for everything including online shopping sites. Why is a canvas fingerprint needed at all? What’s next, adding Persona? Even if the canvas fingerprint is coming from Cloudflare, US companies are allowed to lie to users in their terms and share data with the war-tech-bro-complex and lie to everyone. This is not a conspiracy theory; this was recently an admission made by Microsoft in regards to handling EU data with Azure; US companies can always be forced to lie. There’s no way to verify that information isn’t stored in a dataset, no matter who is obtaining the fingerprint, including for users of the site from other countries like those in the EU.