In Reply to Honey’s Response

Last month, @megalag and I caught the Honey shopping extension not just violating affiliate network rules (failing to “stand down” in circumstances where networks so require), but intentionally tricking testers.  By checking users’ cookies (to see who had logged into a network’s admin console) and checking user account details (such as whether the account was new or had few points), Honey could assess the likelihood that the user is a tester — and avoid breaking the rules when a tester was watching.

Honey today gave a statement to Hello Partner. In relevant part: “The code causing this behavior has been identified and no longer has an impact. The code was implemented prior to PayPal’s acquisition, and appears to affect less than 0.1% of Honey’s traffic.”

As to “implemented prior to PayPal’s acquisition”: The code is old, yes.  But Honey has changed the settings.  The acquisition was announced on November 20, 2019 and completed on January 6, 2020. Since then, Honey continued changing the selective stand down (ssd) settings. My article points out the ssd configuration as of June 2022, preserved by VPT, which instructed the Honey plug-in not to stand down in quite general conditions (requiring just 501 points for a Rakuten merchant, and requiring no specific number of points for any other network).  Yet by 2025, Honey’s config had totally changed these settings, requiring 65,000 points at most merchants.  Changing this setting, 4+ years after the acquisition — that shows PayPal staff knew what Honey had been doing.

As to “affect less than 0.1% of Honey’s traffic”: No doubt few users are affiliate marketing professionals with cookies showing recent login to an affiliate network console.  The number of such users is really beside the point.  The problem is that Honey affirmatively sought to trick industry pros and potential testers.  No matter how many or how few such people there were, these are the people whose diligent testing would have revealed Honey’s violations.  It was wrong to target them for different behavior, to try to trick them.  It was equally wrong whether they are 10%, 1%, 0.1%, or 0.01% of users.

After Dieselgate, investigation sought to determine which Volkswagen leaders knew what, when.  So too for Uber’s serious misconduct in 2017, prompting an investigation by former US Attorney General Eric Holder.  Rather than conduct a proper and independent investigation of what went wrong here, Honey seems to think it can self-certify its supposed clean-up.  I doubt the affiliate marketing industry will accept that.  If I ran a network that was contemplating letting Honey join, rejoin, or remain, I’d want to know the identities of the specific staff who requested, wrote, updated, and approved ssd, and I’d want assurance that they have been reassigned.  I’d want Honey to pay the network’s costs for the time and hassle of both historic investigation and future testing.  I’d want a genuine apology that admits responsibility without PR spin.  Honey’s statement to Hello Partner offers none of this.