Getty Images—among the world's largest providers of stock and editorial photos—has announced a major change to the way it is offering its pictures for sites to use. Beginning this week, in addition to the traditional licensing options, people can embed images in their sites at no cost and with no watermarks, so long as they use the provided embed code and iframe.

There's at least one reason this move is exciting and positive: it's encouraging to see companies experimenting with different business models and using the proverbial carrot instead of the stick. In other words, Getty is making it easier to engage in desirable behavior—giving proper attribution and a link—rather than simply raising the costs of being non-compliant with legal threats and suits. That's better for users, and it may ultimately be more effective for the company.

Getty's got a point of reference, too. It has pursued the latter strategy of threatening letters and even filing lawsuits against unauthorized users over the years. That isn't unprecedented either. Though the scale is dramatically different, the Recording Industry Association of America used the same general technique in its long-running and ill-fated campaign against its fans. There's no firm evidence that Getty has given up this strategy—according to Businessweek, the company filed five new copyright lawsuits in a single week in January—but if it has, that's a good development.

But in other ways, this move rings alarm bells—especially from a privacy perspective. Some of the complaints are common to all sites serving third-party scripts or resources: when a site embeds that content, whether it's Google Analytics, a YouTube video, a Facebook Like button, or now a Getty Images iframe, it is creating a connection between its readers and the third-party host. The third-party host can possibly get and log your IP address and the exact time of the request; information about the web browser you're using, your browser's version, your operating system, processor information, language settings, and other data; the URL of the website you're coming from; and sometimes tracking cookies.

This problem is, unfortunately, a fundamental property of the web as we know it. But a few facts about Getty make this situation especially troubling. For one thing, given its scale and popularity, Getty Images embeds may appear on a significant number of different sites that a single user visits. That would allow Getty to correlate more information about a user's browsing history than any single site could. That information, in turn, is subject to government requests, sales to data brokers, or even breaches or leaks.

These concerns might be mitigated by a strong privacy policy or some indication of what Getty intends to log and how it's going to use it. Unfortunately, we've gotten the opposite. A business development executive at Getty Images told The Verge that the company has "certainly thought about" monetizing usage data, but has no specific plans. We spoke to a representative of Getty Images who said that at this time it does not collect information beyond what's necessary to store aggregate viewing numbers for individual images. That's commendable, but since that practice is significantly more privacy-protective than what the company claims in its general privacy policy—last updated in May 2012—it could change at any time. Best practices are to minimize the amount of data collected and held to meet a site's needs, but that's at odds with an incentive to collect-it-all and sort out what's needed later.

Beyond what Getty Images does with user data, its current implementation also serves images over an unencrypted HTTP connection. As a result, others on the same network, or the user's ISP, can eavesdrop on those requests. In the case of a news site protecting its readers' privacy by serving over an HTTPS connection, this side channel could reveal what articles they are reading.
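An added example, not part of the original post: a check a site operator could run over their own pages to see which embeds connect readers to a third-party host, which of those requests go over plain HTTP, and which hosts recur across sites. The sample pages and hostnames are constructed placeholders, and treating any differing hostname as third-party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src makes the reader's browser contact a host on page load.
FETCHING_TAGS = {"iframe", "img", "script", "embed"}


class EmbedAudit(HTMLParser):
    # Collects embeds served by a host other than the page's own.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in FETCHING_TAGS or not src:
            return
        # Resolve relative and scheme-relative ("//host/x") URLs.
        target = urlsplit(urljoin(self.page_url, src))
        if target.scheme not in ("http", "https"):
            return  # data:, about: and similar contact no remote host
        # Simplification: any differing hostname counts as third party.
        if target.hostname == urlsplit(self.page_url).hostname:
            return
        # Plain HTTP is readable by others on the network and the ISP.
        self.findings.append({"tag": tag, "host": target.hostname,
                              "plaintext": target.scheme == "http"})


def audit(page_url, html):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def sites_per_host(pages):
    """Map each third-party host to the first-party sites that embed it."""
    seen = {}
    for page_url, html in pages.items():
        site = urlsplit(page_url).hostname
        for finding in audit(page_url, html):
            seen.setdefault(finding["host"], set()).add(site)
    return seen


# Constructed sample pages; every hostname is a placeholder.
NEWS = '<img src="/logo.png"><iframe src="http://embed.photos.example/embed/1"></iframe>'
BLOG = '<script src="/app.js"></script><iframe src="//embed.photos.example/embed/2"></iframe>'
SAMPLE_PAGES = {"https://news.example/story": NEWS, "https://blog.example/post": BLOG}
```

A host that maps to many first-party sites is one positioned to correlate a reader's visits across them, and a `plaintext` finding on an HTTPS page is the side channel described above.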

These privacy threats aren't likely to affect everybody, but they are real for some people. So too are the implications for archives and even web pages that are concerned about preserving their own history: letting another site host images may seem like an attractive bargain, but those images may not always be available, and could interfere with efforts like the Internet Archive's ability to preserve a page as it once appeared.

If Getty Images is going to continue offering images as iframe embeds, there are a few ways it can improve the deal for end users. It should offer images over an encrypted HTTPS connection by default. It should explain clearly and publicly what its practices are for minimizing the amount of data it collects and stores on users. And even if the company adheres to its current minimal data collection standards, it should commit to setting a high bar on following the Do Not Track spec: if users are sending a signal that they do not wish to be tracked, Getty Images should honor it fully.

Finally, websites should consider whether embedding a third-party resource is best for their readers. There are, after all, options. Some publications have described Getty Images as the largest provider of stock photos, but that overlooks a major category: Flickr alone has hundreds of millions of images released under Creative Commons licenses, and the Wikimedia Commons has tens of millions more. Unlike the Getty embedding terms of use, Creative Commons licenses allow images to be served directly by the host, aren't subject to change in the future, and sometimes even allow for the images to be remixed and mashed up.

It's good to see Getty exploring new avenues, and we'll be even more encouraged if this strategy replaces its earlier litigious stance entirely. But it's important that users know that, in some cases, embedding "free" photos might come at a real cost to readers.

Image: Camera Lens by Elliot Bennett, released under Creative Commons Attribution 2.0