
Domain misclassification: transcend.io

Open eligrey opened this issue 2 years ago • 4 comments

Description

You recently classified all of transcend.io as a tracker. None of our first-party client-side tools (e.g. Transcend Consent Manager) or SaaS products (e.g. Transcend Privacy Requests) are used for tracking users, except to comply with privacy requests.

Transcend Consent Manager collects telemetry but we make sure to only send this data specifically to telemetry.transcend.io, and additionally the content of this data does not track PII. The telemetry tracks internal regulation metrics that pertain to the website and does not uniquely identify the user or include any other form of unique identifiers (feel free to go ahead and inspect observed network request payloads yourself to confirm).

Here's a breakdown of all of the data sent to our telemetry endpoint: https://docs.transcend.io/docs/consent-management/reference/telemetry

It's okay if you block our telemetry (we'd prefer if you didn't, given our reasons above), but if you block all of transcend.io indiscriminately you will end up increasing tracking for users browsing websites using our consent manager.

Our consent manager is used by website owners to regulate first- and third-party trackers at the network level. By blocking our consent manager, some manually-configured first-party tracker data flows that are not recognized by Ghostery are no longer regulated by our consent manager.

This issue is also causing our Privacy Center APIs to be blocked, preventing Ghostery users from interacting with our customers' Privacy Centers.

Expected Behavior

Transcend Consent Manager and Transcend Privacy Centers load fine. Transcend Consent Manager telemetry is potentially blocked by Ghostery.

Actual Behavior

All Transcend Consent Manager and Transcend Privacy Center resources are blocked by Ghostery.

Ghostery users visiting sites using Transcend Consent Manager may end up with increased tracking and decreased security (our consent manager also helps generate dynamic consent-derived Content Security Policies) due to this behavior.

eligrey avatar Apr 12 '22 06:04 eligrey

Thank you for reporting and sorry for the lag in the response.

The change in Ghostery behavior comes from the fact that we started to block so-called "annoyances" by default (#728). Transcend is affected as it is present in EasyList: https://github.com/easylist/easylist/blob/692250d4b1b4898fbdb9b04d31ebb5b99ceab221/easylist_cookie/easylist_cookie_thirdparty.txt#L98

In principle, Ghostery puts consent managers into the essentials category, which is not blocked by default. Any form of tracking we categorize into the site analytics category (blocked by default), and this is probably where telemetry.transcend.io belongs.

To improve the situation, we will create an entry for Transcend at whotracks.me and categorize it correctly in the Ghostery extension.

The update to the trackers database will likely happen after Easter.

@eligrey can you please provide examples of affected websites so we can test before full rollout?

chrmod avatar Apr 15 '22 10:04 chrmod

@chrmod Sure. Here are a couple of examples of affected websites:

  • https://www.indiegogo.com/
    • Issue: Consent manager doesn't load as cdn.transcend.io is blocked (non-visual, can check that it loaded by checking for the existence of window.airgap)
  • https://privacy.patreon.com/
    • Issue: Site cannot render as api.transcend.io GraphQL endpoint is blocked

eligrey avatar Apr 16 '22 20:04 eligrey
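
The following is an added example, not part of any comment in this thread and not Ghostery's code. It contrasts a blanket rule for transcend.io with per-host rules that use the category names from the thread, applied to the hosts the thread names. The rule tables, function names and request paths are assumptions constructed for illustration.

```javascript
// Added example: hypothetical rule tables, not Ghostery's tracker database.
// Category names follow the thread: "essential" is allowed by default,
// "site_analytics" is blocked by default.
const BLOCKED_BY_DEFAULT = new Set(["site_analytics"]);

// Blanket rule: every host under the domain is treated as one tracker.
const blanketRules = new Map([["transcend.io", "site_analytics"]]);

// Granular rules: the domain is essential, only the telemetry host is analytics.
const granularRules = new Map([
  ["transcend.io", "essential"],
  ["telemetry.transcend.io", "site_analytics"],
]);

// Return the category of the most specific rule matching the hostname.
// Matching walks whole DNS labels from most to least specific, so
// "nottranscend.io" never matches a rule written for "transcend.io".
function classify(hostname, rules) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (rules.has(suffix)) return rules.get(suffix);
  }
  return null; // no rule matches: unknown host
}

function isBlocked(url, rules) {
  const category = classify(new URL(url).hostname, rules);
  return category !== null && BLOCKED_BY_DEFAULT.has(category);
}

// Constructed sample requests; hosts come from the thread, paths are made up.
const sampleRequests = [
  "https://cdn.transcend.io/constructed/consent.js",
  "https://api.transcend.io/constructed/graphql",
  "https://telemetry.transcend.io/constructed/collect",
  "https://nottranscend.io/constructed/other.js",
];

function report(rules) {
  return sampleRequests.map((url) => ({ url, blocked: isBlocked(url, rules) }));
}

console.log("blanket:", report(blanketRules));
console.log("granular:", report(granularRules));
```

With the blanket table the CDN and API hosts are blocked along with telemetry; with the granular table only the telemetry host is.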

@chrmod The transcend.io script is also a privacy issue (useragent, fingerprinting/cookie, analytics checks). See cleaned up JS on https://www.pastiebin.com/626284218f23b

ryanbr avatar Apr 22 '22 23:04 ryanbr

My response to @ryanbr's claim that the transcend.io scripts are a privacy issue: https://github.com/easylist/easylist/issues/11762#issuecomment-1107103657

eligrey avatar Apr 23 '22 04:04 eligrey