Wednesday, March 22, 2017

Reader Privacy for Research Journals is Getting Worse

Ever hear of Grapeshot, Eloqua, Moat, Hubspot, Krux, or Sizmek? Probably not. Maybe you've heard of Doubleclick, AppNexus, Adsense or Addthis? Certainly you've heard of Google, which owns Doubleclick and Adsense. If you read scientific journal articles on publisher websites, these companies that you've never heard of will track and log your reading habits and try to figure out how to get you to click on ads, not just at the publisher websites but also at websites like and the Huffington Post.

Two years ago I surveyed the websites of 20 of the top research journals and found that 16 of the top 20 journals placed trackers from ad networks on their web sites. Only the journals from the American Physical Society (2 of the 20) supported secure (HTTPS) connections, and even now APS does not default to being secure.

I'm working on an article about advertising in online library content, so I decided to revisit the 20 journals to see if there had been any improvement. Over half the traffic on the internet now uses secure connections, so I expected to see some movement. One of the 20 journals, Quarterly Journal of Economics, now defaults to a secure connection, significantly improving privacy for its readers. Let's have a big round of applause for Oxford University Press! Yay.

So that's the good news. The bad news is that reader privacy at most of the journals I looked at got worse. Science, which could be loaded securely 2 years ago, has reverted to insecure connections. The two Annual Reviews journals I looked at, which were among the few that did not expose users to advertising network tracking, now have trackers for AddThis and Doubleclick. The New England Journal of Medicine, which deployed the most intense reader tracking of the 20, is now even more intense, with 19 trackers on a web page that had "only" 14 trackers two years ago. A page from Elsevier's Cell went from 9 to 16 trackers.

Despite the backwardness of most journal websites, there are a few signs of hope. Some of the big journal platforms have begun to implement HTTPS. Springer Link defaults to HTTPS, and Elsevier's Science Direct is delivering some of its content with secure connections. Both of them place trackers for advertising networks, so if you want to read a journal article securely and privately, your best bet is still to use Tor.


  1. One reasons publishers have been so slow implementing https is because libraries (the customers) can't handle it. Our proxy servers for giving access to users not on campus haven't always been able to cope with https (and it's still a bit of a fudge). I know at least one publisher, I think it was OUP, moved to https and had to go back again because of the outcry from customers. So blame the library management systems companies...

    1. The most popular proxy server fro remote access, EZProxy, fully supports proxying HTTPS. I would love to hear why you think it's "still a bit of a fudge".

    2. My uni doesn't use EZProxy, so I can't comment - our proxy is WAM, and support for https involves rewriting urls to replace the dots with hyphens - I call that a fudge!

    3. Maybe I need to have a chat with the folks at Innovative. But replacing dots with hyphens isn't a problem. Rewriting proxy servers have been a fudge all along (Ask Chris Zagar!) but they aren't a good excuse to reject privacy and security for journal users.

    4. I've confirmed that WAM fully supports HTTPS.

  2. So worthy of note. thank you for sharing this. I use https everywhere on my browser which does close off certain functions of pages - in addition to privacy badger. But as the default for journal publishing goes to some form of web-publishing, the chances for tracking increase. Tor is a great tool to access material that might otherwise be logged, using a VPN is another. But to keep it simple: STOP USING GOOGLE SCHOLAR because for all intents and purposes, we should expect that to be tracked. Again, thank you for sharing.

  3. Partly as a result of an inquiry from Eric last year, but mostly for other unrelated reasons, we at the American Physical Society have made our journal platform forcibly redirect to https for all connections as of yesterday. We are in the process of updating our Crossref registered URLs in the DOI handle system to use https (those URLs have been using https since last week). We will also be updating any absolute URLs within our CMS system. During the past week when we started redirecting all incoming to https, we have had no end user questions, complaints, or comments. So it looks like the barrier to moving to https for scholarly journals is lower than expected. Kudos to Eric for drawing attention to this issue.

    Mark Doyle
    Chief Information Officer
    American Physical Society