Report: Quibi has been leaking users' email addresses to ad firms

Quibi, along with the likes of The Washington Post, Wish, and JetBlue, shared user emails with third parties during verification processes.

Short-form video streaming app Quibi reportedly used an account verification process that sent user information to third-party advertisers and analytics companies, a new report reveals. Big tech companies like Twitter, Google, Snapchat, and Facebook were included in those transmissions.

According to the report, the Quibi account-creation process included a verification link that, when clicked, added the user's email address to the URL and sent it — unencrypted — to multiple third parties. Quibi's model of high-budget short-form video series is already a gamble, and the coronavirus has thrown it a curveball, since it had hoped commuters would be one of its key target markets. So finding itself in the middle of a data-leaking scandal within its first month of business doesn't do anything to bolster its fledgling image, even if the company says it has since fixed the problem.

Not just Quibi — The report, which was compiled by researcher Zach Edwards, says other companies have been engaging in similar practices. Some of the largest companies named in the report are Wish, JetBlue, and The Washington Post. Collectively, that amounts to millions of email addresses being sent to third parties without any sort of consent from users.

But Quibi is the worst of it — Edwards calls Quibi’s part in this the “most egregious” because it’s only been live since April 6, well after new privacy regulations went into effect in California and Europe.

“In 2020, no new technology organizations should be launching that leak all new user-confirmed emails to advertising and analytics companies,” the report states. “Yet that’s what Quibi apparently decided to do.”

Quibi was made aware of the situation by Edwards on April 17. When Edwards tested the verification process again on April 26, he found that the problem persisted.

It’s fixed now, but… — In a statement to Variety published on April 29, Quibi said it addressed the problem “immediately” after being made aware of it. That's a lie, according to Edwards.

“Data protection is essential to Quibi and the security of user information is of the highest priority,” the company said.

But Edwards says in his report that it’s very unlikely Quibi was ever unaware of the issue. He calls it a “sloppy and dangerous growth hack” that’s sometimes used by companies to improve attribution tracking for analytics tools.
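
The report describes a verification URL that carries the user's email address and reaches third parties. As an added example (not Quibi's code and not from Edwards's report), this JavaScript finds email-shaped values in a landing URL and strips them before any analytics or ad tag loads; the URLs, parameter names and the `thirdPartyTagsAllowed` flag are constructed for illustration.

```javascript
// Added example, not Quibi's code. URLs and parameter names are constructed.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

function decode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %-escapes
}

// Report every place in the URL that holds an email-shaped value.
function emailLocations(rawUrl) {
  const url = new URL(rawUrl);
  const found = [];
  if (EMAIL_RE.test(decode(url.pathname))) found.push("path");
  for (const [key, value] of url.searchParams) { // values arrive percent-decoded
    if (EMAIL_RE.test(value)) found.push("query:" + key);
  }
  if (EMAIL_RE.test(decode(url.hash))) found.push("fragment");
  return found;
}

// Return a URL that is safe to expose to third-party tags, or null when the
// address sits in the path and cannot be removed without changing the route.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const loc of emailLocations(rawUrl)) {
    if (loc === "path") return null;
    if (loc === "fragment") url.hash = "";
    else url.searchParams.delete(loc.slice("query:".length));
  }
  return url.toString();
}

// Browser use: run before any analytics or ad script is added to the page.
if (typeof window !== "undefined") {
  const clean = scrubUrl(window.location.href);
  if (clean !== null) window.history.replaceState(null, "", clean);
  // Hypothetical flag that the page's tag loader checks before injecting scripts.
  window.thirdPartyTagsAllowed = clean !== null;
}
```

A verification link that carries only an opaque token, with the email looked up server-side, leaves nothing for this check to find.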

Quibi has been downloaded over 2.7 million times since its launch earlier this month. But leaking your users’ account information to multiple third-party companies seems like a bad way to build trust. If the company wants to be successful in the future, it will need to learn from this mistake and be more transparent about how it handles data moving forward. It'll also need to convince people its offering is worth paying for when their 90-day trials start to expire in July.