How Customer Support Messengers Violate Your Privacy

An analysis of the data collected and shared by Drift, Intercom, and Crisp

Richard Chu
June 30, 2020

There’s a privacy problem with customer support tools.

You know: those chat widgets on the bottom right corner of websites. You may have heard of Intercom, Drift, Crisp, or other companies who offer these types of embeddable widgets.

They’re getting more and more popular across the Internet because they let website owners talk with their visitors with minimum friction.

Unfortunately, that’s not the only thing they do. These widgets collect absurd amounts of data on website visitors and are often built in a way that is fundamentally opposed to user privacy.

Let’s take a look at three popular chat widgets—Drift, Intercom, and Crisp—and analyze how they invade your privacy.

Drift

1. They connect your identity information with information from third parties

While I was browsing Drift’s website, I noticed a message pop up:

Drift uses third parties to glean your employment information

It seems like they’re using my IP address to create personalized messages—in this case, targeting the company I work at. This means they’re likely transferring my IP address and other information to third parties.

Looking at their GDPR page confirms it—they use a whopping three “Data Enrichment” subprocessors (one is apparently not enough for them):

Drift uses three data subprocessors to target messages to you

These subprocessors are companies that collect and sell reams of public and private information about people. I’m wary of trusting any company that uses them!

The cherry on top is that despite using so many sources, Drift’s “Data Enrichment” doesn’t even work all that well. I have never even heard of PubMatic, much less work there!

2. They track your location and many other types of information

Drift’s privacy policy has a disconcerting “Location Information” section:

We use and store information about your general location. We use this information to provide features of our Services and to improve and customize our Services.

Why does a chat widget need to know my location? It doesn’t seem like this is crucial to helping website owners provide better customer support.

But that’s not the only thing they collect. If you look at their “CCPA Privacy Statement” section, they provide some more detailed information:

The many types of data that Drift collects

This is a staggering amount of information—for just a simple chat widget!

Notably, Drift collects “Information on a consumer’s interaction with a website, application, or advertisement.” This means that Drift and website owners can essentially spy on your website activity, including what pages you visit and how long you spend on each page.

Don’t analytics services also collect this kind of data? Yes, but at least they aggregate and anonymize it.

In contrast, the website activity that Drift collects is tied directly to your identity. They know exactly what you specifically have done. That’s the only way they can show targeted material (like messages) to you based on your website activity.

3. They track your website activity very closely

Drift tracks all of the clicks that you make on their website—even when you’re not clicking on a link or a button. In the video below, Drift sends a network request for every click I make on their website—even if I am simply clicking on text.

That’s not to mention the 16 trackers (according to uBlock Origin) that they have on their home page! Why does a website need so many trackers? I literally feel unsafe browsing their website without an ad blocker.

Even if the click tracking or trackers are only present on Drift’s landing page (and not on websites that install Drift), it doesn’t exactly inspire confidence in how much Drift cares about your privacy.

Intercom

1. They collect many types of information

Drift is not the only customer support tool that collects copious amounts of data. Intercom does as well:

Intercom collects lots of data

This data includes sensitive data like your geolocation, employment information, “pages you view, items you click, advertisements you interact with, and social media content you engage with.”

They use all of this data to draw “inferences” and “create a profile reflecting your preferences, characteristics, and behavior.”

Sounds suspiciously like what advertising companies do! I thought this was a customer support company?

2. They connect your identity information with information from third parties

According to Intercom’s Privacy Policy, Intercom uses a third-party data provider called FullContact. Here’s what it does:

FullContact […] enable[s] you [the website owner] to retrieve publicly-available information about People including without limitation social media information, profile information, gender, company, job titles, photos, physical addresses, and website URLs based on People’s email addresses input into the Services.

Why does Intercom think this is okay? If I’m providing them with a piece of information like my name, why do they think I consent to them using my name to find out even more information about me—like my physical address, gender, and what company I work for?

If you scroll further down, you can see Intercom’s justification for working with these types of companies:

Even if the third party is affiliated with us through a business partnership or otherwise, we are not responsible for the privacy practices of such third party.

Yes, because you totally have no control over what third parties you work with.

3. They share data with advertising companies

According to their Cookie Policy, Intercom advertises extensively with many different advertising networks, including:

  • AppNexus
  • Bing Ads
  • DoubleClick
  • Facebook Custom Audience
  • Google AdWords Conversion
  • Google Dynamic Remarketing
  • LinkedIn Ads

They share your data (including your activity data and customer lists) with these advertising companies:

We may allow third party companies to collect information about your activity on the Offerings and other online services to facilitate delivery of interest-based ads, and/or use hashed customer lists that we shared with them to deliver ads to our customers and similar users on their platforms.

No privacy-respecting company should be giving money and data to the advertisement industry.

4. Your conversation data is shared with third parties

It’s fairly common to send sensitive information like credit card information or your physical address in a support request.

Thus, you would think your conversations in Intercom would be private. Think again:

We may share your personal information with third-party service providers to permit such parties to provide services that help us with our business activities […]. The data shared can include name, job title, email address, message history, company information.

That’s right: they can share your conversation data with basically any third parties they work with—including companies like FullContact, so they can collect even more data about you, or advertising companies, so they can serve even more “relevant” ads to you.

Crisp

Crisp does not have a very detailed privacy policy (just a “Privacy Statement”), so it’s hard to know what exactly they’re doing. Here are a few things that I found out from poking around their website and product.

1. Website owners who use Crisp can see exactly what you’re seeing on the website

Crisp provides their customers with a feature called MagicBrowse, which “lets you [website owners] co-browse with your customers without any other plugin.” This feature lets website owners take control of their users’ screens—presumably with their consent.

What they don’t advertise about MagicBrowse is that website owners can use it to see a live view of exactly what you’re seeing on their website—even without your explicit consent!

This is the equivalent of someone watching over your shoulder as you browse the Internet—without you even knowing they’re there.

2. They use third-party cookies

Crisp uses third-party cookies, which allows them to personally track you across all websites that have the Crisp chat widget on them!

They could theoretically build up a cross-domain profile of all of your information and messages across all websites with the Crisp widget. This is an incredible violation of privacy!

There’s no reason any privacy-respecting company would be using third-party cookies. In fact, I would highly suggest blocking all third-party cookies by default in your browser. Here’s what it looks like in Chrome:

Chrome block third party cookies setting
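Blocking third-party cookies in the browser protects you as a visitor, but a website owner can also check what an embedded widget is setting. The script below is an added audit helper, not code from the article or from any of the vendors discussed: it takes Set-Cookie headers captured from a widget’s responses (for example from the browser’s network tab) and reports which cookies a browser would actually send in a cross-site context, which is what makes tracking across unrelated sites possible. The rule it applies is the browser one: a cookie is only sent from inside another site’s page when it carries both SameSite=None and Secure; cookies with SameSite=Lax or Strict, or with no SameSite attribute (which current browsers treat as Lax), stay confined to the widget vendor’s own site. The sample headers and the domain name chatwidget.example are constructed placeholders, not real vendor cookies, and the example goes beyond the article by also distinguishing persistent cookies (Max-Age or Expires) from session cookies.

```javascript
// Added audit helper (not from the article or any vendor's code): classify Set-Cookie
// headers captured from a chat widget and flag the ones usable for cross-site tracking.
//
// Rule: a cookie is only attached to requests made from inside another site's page
// when it has SameSite=None AND Secure. A missing SameSite attribute defaults to Lax
// in current browsers, and SameSite=None without Secure is rejected outright.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header into { name, value, attributes }. Attribute keys are
// lower-cased; valueless attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Lifetime in days, or null for a session cookie. Max-Age takes precedence over
// Expires, as in browsers; `now` is injected so results are deterministic.
function lifetimeDays(attributes, now) {
  if (attributes['max-age'] !== undefined) {
    return Math.round(Number(attributes['max-age']) / 86400);
  }
  if (typeof attributes.expires === 'string') {
    const expiry = Date.parse(attributes.expires);
    return Number.isNaN(expiry) ? null : Math.round((expiry - now) / DAY_MS);
  }
  return null;
}

function classifyCookie(header, now = Date.now()) {
  const { name, attributes } = parseSetCookie(header);
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase()
    : 'lax'; // no SameSite attribute: current browsers treat it as Lax
  const secure = attributes.secure === true;
  const crossSite = sameSite === 'none' && secure;
  const days = lifetimeDays(attributes, now);
  const persistent = days !== null;

  let risk;
  if (sameSite === 'none' && !secure) {
    risk = 'rejected'; // SameSite=None without Secure is dropped by modern browsers
  } else if (crossSite && persistent) {
    risk = 'cross-site-tracking'; // survives across visits and across embedding sites
  } else if (crossSite) {
    risk = 'cross-site-session'; // usable cross-site, but gone when the browser closes
  } else {
    risk = 'first-party-only'; // only sent on direct visits to the vendor's own site
  }
  return {
    name,
    domain: attributes.domain || null,
    sameSite,
    secure,
    persistent,
    lifetimeDays: days,
    risk,
  };
}

function auditWidgetCookies(headers, now = Date.now()) {
  return headers.map((h) => classifyCookie(h, now));
}

// Constructed sample headers modelled on what a widget's API responses might set.
// chatwidget.example is a placeholder domain, not a real vendor.
const SAMPLE_NOW = Date.UTC(2025, 0, 1);
const SAMPLE_HEADERS = [
  'widget_visitor=v-9f2c1; Domain=.chatwidget.example; Path=/; Secure; SameSite=None; Max-Age=31536000',
  'widget_session=s-4b7e; Domain=.chatwidget.example; Path=/; Secure; SameSite=None',
  'csrf=t-11aa; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT',
  'legacy=x; Path=/; SameSite=None',
];

const report = auditWidgetCookies(SAMPLE_HEADERS, SAMPLE_NOW);
for (const c of report) {
  const life = c.lifetimeDays === null ? 'session' : `${c.lifetimeDays}d`;
  console.log(`${c.name.padEnd(15)} ${c.risk.padEnd(20)} lifetime=${life}`);
}
```

Run it with `node` and the constructed visitor cookie is reported as cross-site-tracking with a one-year lifetime, which is the combination that lets a vendor recognise the same browser on every site that embeds its widget; the CSRF and theme cookies come out as first-party-only even though one of them is persistent. When auditing a real widget, paste the headers from its responses into `SAMPLE_HEADERS` and look for any entry flagged cross-site-tracking.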

3. They connect your identity information with information from third parties

Read this excerpt from Crisp’s GDPR page:

Crisp resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source this data from public information that the end-user consented to share on a third-party service (eg. on social networks such as LinkedIn or Twitter). This end-user identity information is stored on Crisp services, for as long as the Crisp customer wishes them to be stored in their Crisp CRM database.

Basically, Crisp is Internet stalking you. If you provide any small piece of information about yourself, they’ll scour the Internet with that information to see if they can scrounge up more information about you from other websites. This is creepy if a person does it, and even more creepy when a company is doing it.

If you’re providing your name, then that should be the extent of what the website owner or Crisp knows about you. You shouldn’t have to worry about having your social network information stored in the website owner’s CRM for eternity. And for what purpose? Does it really help them give you better customer support?

It astonishes me that Drift, Intercom, and Crisp all use these kinds of “Data Enrichment” third parties.

How you can help

Chat widgets are some of the most egregious offenders of Internet privacy today. I’ve taken a look at how Drift, Intercom, and Crisp violate your privacy, but they are by no means the only chat widgets that do this kind of data collection, tracking, and sharing. This is an industry-wide problem shared by many other customer support products.

If you use a website that has a chat widget that’s not privacy-friendly, I encourage you to write to the owner of the website. Direct them to this article and ask them to use a more privacy-friendly chat widget.

If you own a website and are using a chat widget, I encourage you to take a look at Letterbase. It’s a privacy-friendly customer support messenger that doesn’t track your website activity, sell your data to third parties, or store third-party cookies. I started it because I’m appalled at how privacy-invasive customer support tools are today, and I believe we can do things in a better way.

Privacy is a fundamental right. We shouldn’t tolerate having our website activity tracked and our data sold to third parties. If we demand privacy in all the products we use, then we can start taking back control of our data and start building a more privacy-friendly Internet.
