UPDATE: Sunday, May 14th, 2017 - I heard from Edmodo last night, and they have removed the tracking that is observed and discussed in this post from their web application. Their response was fast, and they deserve a lot of credit for making this decision, and implementing it quickly. Details available here. END UPDATE
This has been a rough week for Edmodo. Unlike many other people, I will not be writing about the data breach that leaked information about 77 million Edmodo users. Instead, in this post, I will look at ad tracking within Edmodo that affects both teachers and students.
Looking at Edmodo was not on my list of things to do this week. I did this research on my personal time, completely disconnected from my work. The reason I was looking at all was that I received a message from a person advising me about what to look for, and this message contained details that made the report credible. While I can't promise I will be able to research everything sent my way, I am always interested in working with students, parents, and teachers. If you see something that looks or feels odd, please be in touch.
For this post, I set up a test Edmodo teacher account and two sample student accounts. I observed traffic with OWASP ZAP, an intercepting proxy, while logged in. The test student account used in this test was enrolled in a fourth grade class, so the student would be under 13. All cookies, the browser cache, and browsing history were cleared prior to testing, and the browser was cleared again between all test sessions.
2. What We Aren't Looking At
This spring, Edmodo announced that they are allowing ads (Edmodo calls them "sponsored" or "promoted" content) to be displayed in their site. This post is not about Edmodo displaying ads in their site.
3. Displaying Ads versus Tracking
There is a big difference between displaying an ad and tracking users. When an ad is displayed, the actual ad can be understood as a visual indication of potential tracking.
However, users can be tracked without ads being immediately displayed. This type of tracking is largely invisible to end users, but this tracking sends a regular stream of data back to the data broker/ad network. This data includes, at minimum, the page a user is on, the precise time they are on it, the operating system and version, the IP address of the user, and the browser and version. All of this information is tied together via a common identifier. In many cases, the combination of technical factors about a user - device information and/or IP address - is adequate to identify, or come close to identifying, an individual. Because this information is all tied together with a common identifier, the probability of identifying an individual increases.
Because of this, we treat the display of ads as a separate issue from tracking users. Both can be problematic, and ads can be displayed with or without user tracking. In this post, I focus only on mechanisms used to track users.
4. Tracking Teachers
Teachers are targeted by a range of ad trackers, as shown below. The teacher login occurs in line 175; we can observe multiple trackers getting called after login.
This is pretty standard ad tracking behavior, and we are not going to spend additional time on this, as the student tracking is more complicated. However, for educators using Edmodo, this is how your usage information is passed to data brokers when you are logged into the site working with students.
5. Tracking Students
In Edmodo, students are exposed to targeted ad tracking as follows. I will open with a brief description, and then follow that with a more detailed description that includes screenshots from the proxy logs used to capture traffic.
5.1 Brief description
- A. When a student logs in to Edmodo, Edmodo allows Google's Doubleclick to set a tracking cookie.
- B. While a student is logged in, there are additional calls to Doubleclick. These calls include information about the student's computer, and the page that they are currently on.
- C. When the student logs out of Edmodo, this triggers a call to Doubleclick.
- D. In turn, this spawns two additional calls to ad networks. The ID value that is sent to Doubleclick is the same value that is set when the student logged in, and the referrer from Edmodo clearly identifies the user as a student.
5.2.A. When a student logs in to Edmodo, Edmodo allows Google's Doubleclick to set a tracking cookie.
The login occurs in line 141. The call to Doubleclick occurs after login in line 160.
In the above screenshot, Doubleclick sets a cookie in the student's browser with a unique ID. The test account in this writeup is a student in a fourth grade class, so the student would be well under 13. Edmodo allows teachers to specify the grade level of their courses, so arguably Edmodo would, in some cases, have actual knowledge that a student is under 13.
5.2.B. While a student is logged in, there are additional calls to Doubleclick. These calls include information about the student's computer, and the page that they are currently on.
Each of these individual calls contains information about the student's path through the platform, which is shared with Doubleclick and tied to the tracking ID created in Step A.
5.2.C. When the student logs out of Edmodo, this triggers a call to Doubleclick.
The logout occurs in Line 554. The calls to Doubleclick occur in Lines 561, 564, 571, and 573. These calls are discussed in more detail below.
5.2.D. In turn, this spawns two additional calls to ad networks.
The ID value that is sent to Doubleclick is the same value that is set when the student logged in, and the referrer from Edmodo clearly identifies the user as a student (note the user_type=student at the end of the URL).
On the left hand side of the screenshot, you will notice a reference to "pubmatic" and "rubicon." These are two commonly used ad brokers: https://pubmatic.com and http://rubiconproject.com
Calls are made to these two ad brokers based on the redirect observed above.
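To make the chain in steps A through D checkable rather than something read off screenshots, here is an added example (my own, not code from the original post or from Edmodo) that scans a proxy capture for tracker calls made after login, checks whether one tracker ID persists across the session, whether a referrer exposes user_type=student, and which ad networks are reached via another tracker. The log format, paths and ID value are constructed for the example; only the tracker domains come from the post.

```python
# Added example, not from the original post: audit a constructed proxy capture.
from urllib.parse import urlparse, parse_qs

# Ad/tracking hosts named in the post, matched by domain suffix.
TRACKER_DOMAINS = ("doubleclick.net", "pubmatic.com", "rubiconproject.com")

# Constructed sample capture, one request per line: "METHOD URL | Referer | cookie".
# Paths and the ID value are illustrative, not real Edmodo or ad-network endpoints.
SAMPLE_LOG = """\
POST https://www.edmodo.com/login | - | -
GET https://ad.doubleclick.net/track?cid=CONSTRUCTED-ID-1 | https://www.edmodo.com/home | Set-Cookie: id=CONSTRUCTED-ID-1
GET https://www.edmodo.com/assignments | https://www.edmodo.com/home | -
GET https://ad.doubleclick.net/track?cid=CONSTRUCTED-ID-1 | https://www.edmodo.com/assignments | Cookie: id=CONSTRUCTED-ID-1
GET https://www.edmodo.com/logout | https://www.edmodo.com/assignments | -
GET https://ad.doubleclick.net/track?cid=CONSTRUCTED-ID-1 | https://www.edmodo.com/logout?user_type=student | Cookie: id=CONSTRUCTED-ID-1
GET https://ads.pubmatic.com/sync | https://ad.doubleclick.net/track | -
GET https://ads.rubiconproject.com/sync | https://ad.doubleclick.net/track | -
"""

def host_of(url):
    return urlparse(url).hostname or ""

def is_tracker(host):
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)

def audit_session(log_text):
    """Tracker calls after login: hosts hit, tracker IDs seen (a single persistent
    value means the session is linkable), student-role leak, and tracker-to-tracker chaining."""
    # Each entry becomes [request, referer, cookie]; the request is "METHOD URL".
    entries = [[p.strip() for p in l.split("|")] for l in log_text.splitlines() if l.strip()]
    result = {"tracker_calls": [], "ids": set(), "student_flagged": False, "chained": []}
    logged_in = False
    for n, (req, referer, _cookie) in enumerate(entries, 1):
        url = req.split(" ", 1)[1]
        h = host_of(url)
        if h.endswith("edmodo.com") and urlparse(url).path == "/login":
            logged_in = True      # everything after this line is a logged-in session
            continue
        if not logged_in or not is_tracker(h):
            continue
        result["tracker_calls"].append((n, h))
        cid = parse_qs(urlparse(url).query).get("cid", [None])[0]
        if cid:
            result["ids"].add(cid)
        if parse_qs(urlparse(referer).query).get("user_type") == ["student"]:
            result["student_flagged"] = True
        ref_host = host_of(referer)
        if is_tracker(ref_host) and ref_host != h:   # reached via another tracker
            result["chained"].append(h)
    return result
```

Running it on a real ZAP export only needs the entry parser swapped for that export's columns; the checks themselves stay the same.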
6. This Couldn't Happen Without Edmodo's Active Involvement
To see a little bit behind the mechanics here, we need to take a look at the source code on Edmodo's site. The screenshot below is taken from the page source, while logged in as a student user in a test fourth grade class.
Note the conversion ID that Edmodo has hardcoded into their web page. Then, we will take a look at the call that is made to Doubleclick after our test 4th grade student has logged in:
The referrer here is the student's home page within Edmodo, and the call to Doubleclick includes the hardcoded value set by Edmodo.
As documented in this post, the presence of ad trackers for both teachers and students can be observed when we inspect traffic via an intercepting proxy. Some obvious questions that come to mind are:
- How aware are teachers in the Edmodo community that they are being tracked by ad brokers permitted on the site by Edmodo?
- How aware are students, teachers, and parents that ad brokers can collect data on students while using Edmodo?
- How does the presence of ad trackers that push information about student use to data brokers improve student learning?
- Are Edmodo Ambassadors briefed on the student-level tracking that occurs within Edmodo? If not, why not?
An additional (and likely) possibility here is that not everyone within Edmodo is aware that this tracking is occurring. Companies are not monoliths, and few decisions within companies have the support and/or awareness of everyone in the company.
It is also possible that the student level tracking is the result of a technical error that did not get caught by a QA/testing process.
There are additional questions that can and should be asked, but in the interest of keeping a narrow focus, I will leave things here.