Courses communicating back to metrics.articulate.com

Wow. We discovered this today and I have to say I am shocked and I don't think you guys understand the problems you have likely caused for yourselves and countless customers. To say you do not collect personal information is not true. I just did some packet inspection and sure enough your calls to https://metrics.articulate.com/v1/import do indeed include a great deal of private, personal, and sometimes confidential information. For example, the Referer request header includes the full module URL (server hostname for sure and often descriptive of the course and module and perhaps department or other information reflected in the URL path) and xAPI parameters including actor (email address of the user), LRS endpoint URL, and activity ID. And of course you have the IP address of the requester and the time of the request. Add this to the fact that you are not just collecting the technology profile of each user as described above, but rather you are collecting information on every slide navigation, effectively creating a history of each users activity. Regardless of how pure your intent might have been, and whether your working databases are only saving the technology profile information listed above, you are indeed collecting all this information in server and network access logs.

I don't think most of your customers have any idea you started doing this. Now that we know about it we can turn it off, but even that is problematic because under quite a few privacy laws it is illegal to pre-check opt-in selections that collect personal information, and your implementation is not up to the user to opt-in but rather it follows the setting on the computer of the employee or contractor of the curriculum developer who publishes from Storyline module, not the end user who is being tracked nor even a person with authority of the company serving that content to end users. 

The number of times per day that you and your customers are now violating FERPA, HIPPA, GDPR, and a host of other laws is stunning. 

Hi, Steve.

Really sorry for the trouble and confusion on this.  I think you may be seeing traffic to your LRS, since much of the data you mention is not sent to Articulate.  We want to dig deep and be 100% certain though, so I've created a Support Case on your behalf and escalated it to the highest level of our Support Team.  We'll be in touch shortly.

No confusion here. All that data is in the HTTP request your software is initiating from the client PC to your servers. It might be your intent to only persist some of it, but I assure you the rest is being sent and is almost certain to be recorded in your Apache logs and potentially by your CDN (x-cache header shows that cloudfront tried and failed to handle the request) or other edge caching servers or firewalls. 

Good Morning, Steve.

For the benefit of the greater community, I wanted to revisit this forum thread and share what we found and discussed with you privately:

1. You helped us to confirm that the referring URL is present within the header of the analytic event that is sent to Articulate when learners launch a course. This URL can be verbose, especially when the course has been published for xAPI, and it creates the false appearance that Articulate is collecting more information than we need. Here’s what we’re doing about it:
   • The referring URL is not saved anywhere on Articulate’s servers. We are not logging, seeing, or storing this data in any way, and it is impossible for us to intercept it. We drop this information entirely as soon as it hits our CDN. This is not a change, and this has always been our practice.
   • In a future update to Articulate 360, we will force the referring URL to be less detailed. We won’t be able to prevent the event from including the domain that referred it, but we think we can cut it down to only the domain (not the full URL). Despite the fact that we’re not receiving this data, we hope we can increase confidence by making sure it isn’t sent at all.
2. You also helped us to confirm that we are currently sending per-slide performance data each time a learner changes slides. We added this information in an effort to improve the learner experience, and although the event does not include any PII, this was a mistake and we’ll be disabling it in a future update to Articulate 360.
3. As has been the case, we are only storing learner data that has been anonymized and cannot be used to re-identify the learner. And, when you disable the analytics option in the Articulate 360 application, Articulate 360 immediately sends an analytic event indicating that you opted out. After that, no more events are sent from the Articulate desktop software or from Articulate courses published from that point forward.

Please let us know if you have any other questions or concerns, and thanks for working with us on this!

+ 1 on Storyline 3 "Privacy" section - this should be a "no-brainer" !

Hi Bill,

We're still on target for the next update of Storyline 3 to be released this quarter, and that'll include the opt-out option at that point. We'll keep you posted here! 

I am working with the latest version of Storyline 360. I have turned on the Privacy setting but my courses are still blocked from opening when our learners are going to our LMS through an extranet site. Not a VPN, just an extranet site. 

Any and all suggestions would be help. I'm told we'll be going back to L-tora if we can't resolve this. 

Hi Bill,

The latest update of Storyline 3 is now available and includes the option to opt out of sending usage data to Articulate. Take a look at the details here, and you'll be able to update to Storyline 3, build 3.6.18134.0 by accessing the download option here.

Hi Steve,

I see you're still working through this with our Support engineers too, so I've escalated that within the team. You'll hear from one of our Senior support engineers shortly.