Embed Size (px)
Citation preview
BlackHat Analytics 3:Do Be evil: Force Awakens
#SPWK @philpearce
Web Analytics Exchange mentor
750 GA questions answered
Tracking protection group
(DNT)
WelcomePhil PearceAnalytics Expert & Master of the Dark Arts Freelancer
@philpearcelinkedin.com/in/philpearce
Fun fact... I`m an identical Twin...
#SPWK @philpearce
...He recently got married
I organised a Stag party for my Brother...
As you can see - I`m the evil one ;)
#SPWK @philpearce
Why was I Darth Maul...
Because my uncle was...
#SPWK @philpearce
Darth Vader!
Blackhat AnalyticsSummary
1. Definition2. History and evolution3. Example Techniques4. Light & Dark task5. Questions
#SPWK @philpearce
A long time ago...… in a google universe far, far away...
Define: Blackhat Analytics
Define: Blackhat Analytics
Define: Blackhat Analytics
“0” results
If you do this searchnow...
Define: Blackhat Analytics
It turns out...
...I know more than Google ;)
Me
MeMe
Me
Definition
Intentional act of distorting, deleting, unethicallyusing, or hijacking WA data using technical or
legal loopholes; with the goal of making financial gains, or obtaining a competitive advantage.
Phil Pearce 2009
How did we get here…
1. Intentional abusing the system.
2. Accidentally abusing the system
3. Automatically monitoring & enforcement of the system
1. Intentional Abusing the system
Early Malicious techniques/attacks
Referral backlink log spam (depreciated SEO technique)
These links no-followed and no longer pass pagerank
Referral backlink log spam (to get traffic from website owners)
Early Malicious techniques/attacks
Exclude bots GA setting Should prevent this
Early Malicious techniques/attacks
GA log spam (Spider visit loading JS)
Exclude Robot hits via IAB blacklist tickbox in GA
Early Malicious techniques/attacks
Visited links CSS hack (History Sniffing)
Browser patch rollout for link colours (method made harmless)
Early Malicious techniques/attacks
Flash cookie respawn(Zombie Cookies)
Chrome privacy settings integrated
with Flash Winduwcontrol panel
Early Malicious techniques/attacks
EverCookie(all of the previous techniquesand more!)
Tor browser (anonymous browsing)
Revenue Spam
Counter-measure for Revenue Spam
https://developers.google.com/analytics/devguides/collection/analyticsjs/enhanced-ecommerce#measuring-refunds
Tool to manually fix… bit.ly/bigintegerfix
*edge case example: small startups like beencounter
Intentional blackhat is rareand users don’t cares
2. Accidentally abusing the system
www.yoursite.com
[email protected]://support.google.com/adwords/answer/8206?contact=1&rd=1
site:comptetitor.com inurl:"utm_content * gmail.com“
https://www.google.com/search?q=inurl:de+inurl:utm_content+*+gmail+-blog+-google&pws=0&num=100&filter=0&as_qdr=all&cad=b&biw=1921&bih=869&dpr=1&cad=cbv&sei=qkK9VKiRHJLvat-ggbgF
e.g. www.centredeformationjuridique.com/E-learning/v3/soutien/interface/index.php?page=cs.call_menu&menu_use=[ID_MENU]&[email protected]&mdp=coutcout&utm_medium=SMS&utm_source=CS_2014&utm_campaign=ouverture_inscriptions_intensif2&utm_content=Paris
Accidental email PII
Google AnalyticsSkip to contentGOOGLE ANALYTICS TERMS OF SERVICE
These Google Analytics Terms of Service (this "Agreement") are entered into by Google Inc. ("Google") and the entity executing this Agreement ("You"). This Agreement governs Your use of the standard Google Analytics (the "Service"). BY CLICKING THE "I ACCEPT" BUTTON, COMPLETING THE REGISTRATION PROCESS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT. In consideration of the foregoing, the parties agree as follows:
1. Definitions.
"Account" refers to the billing account for the Service. All Profiles linked to a single Property will have their Hits aggregated before determining the charge for the Service for that Property.
"Confidential Information" includes any proprietary data and any other information disclosed by one party to the other in writing and marked "confidential" or disclosed orally and, within five business
Google Analyses TOS
Skip..
Results in… GA account deleted (if violation).
You must not collect any data that personally identifies an individual such as a:
1. full name2. email address3. billing information
GA account deleted (if violation)
Don’t worry…. PII capture is not enforced
1. Its not pro-actively (automatic) enforced 2. only re-active (manual) enforcement.
The same for… You must post a link to a Privacy Policy which has an opt-out…
Validation that a privacy link is present is not automatically checked
0.24% of domains using GA are compliant!
=(17000+341+36000+11000)/26416097= 0.24%
• https://ahrefs.com/site-explorer/overview/prefix/?target=www.google.com/policies/privacy/partners/• https://ahrefs.com/site-explorer/overview/prefix/?target=tools.google.com/dlpage/gaoptout• https://ahrefs.com/site-explorer/overview/prefix/?target=www.aboutads.info/choices/
Validation that a privacy link is present is not automatically checked
Est 5% German websites backlinks
Link growth to this page should be increasing based on GA usage, only tiny increases.
No one pro-actively monitorsbecause cookies are harmless
3. Automatically monitoring & enforcement of the system.
aka Automatic “Health checks”
Example…
2 years reign!
Infighting & disunity between Advertisers & Privacy Advocates.
Definition of Tracking (DNT) still not defined!
http://www.theregister.co.uk/2013/11/05/do_not_track_w3c_ads_privacy/
W3C republic
Group disbanded
Peter Swire - Chief resignJonathan Mayer – Firefox resignsDigital Advertisers Association –leaves group!
Old W3C republic
Key member: Thomas Roessler
joins Google!
Imperial
Durnt, durnt, durnt… durnt, dan ner!
External Feedback mechanism
New Imperial Advertising Principles AdChoices proposed as
replacement for W3C`s DNT
Source: http://www.adweek.com/news/technology/daa-convene-new-do-not-track-group-updated-153023
http://www.wordstream.com/blog/ws/2014/01/22/adchoiceshttp://www.youronlinechoices.com/hu/http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/
Feedback example
ICO cookie law investigations –did`nt happen
As they got more complaints about spam text messages, so focused on
this instead.
SilkTide example from UK
Are users Cookies for sale on SilkRoad
Litmus test
No one caresusers are not complaininghence, regulators are not
enforcing.
3. Google lostmarket share in search
now they care!
Google Adwords privacy cpc tax
SSL as ranking signal SERP ranking organic bonus.
Google “trusted stores” program
Note: See “Privacy as a ranking factor slides” and TrustFactor video.
Practical Example…
Light Score1. Do you have a Privacy Policy? +12. Do you link to Privacy Policy on global footer(or header) try.powermapper.com +13. HTML links on Privacy Policy:
• Do you mention you use cookies OR link to “How Google uses cookie data“ www.google.com/policies/privacy/partners/ +0.25
• Do you mention the word “Do Not Track” or DNT on privacy policy +0.25• Link to GA opt-out plugin OR GA opt-out page +0.25• Link to DoubleClick remarketing opt-out OR Adchoices link +0.25
4. Has your Privacy Policy has been updated within the last 12months +15. If your using session recording (e.g. ClickTale) have you set sensitive fields to either
type=password OR have relevant class: <input id="CreditCardPin" class="tracking-sensitive ClickTaleSensitive -metrika-nokeys“type="text"> +1
6. Is AnonymiseIP enabled for German Visitors +17. Is GTM`s 2 stage authentication login setting enabled OR similar TMS setting +18. Do you have a GA custom email alert for URLs containing “@” or “@gmail” +19. GA exclude traffic from robot setting is enabled +110.You have actioned atleast one GA heathcheck alert +1
Ref: www.google.com/analytics/terms/us.html
[n] / 10
Force Rankings:
Make a note of your Light score
Darkness and the Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
-
Dark Score1. 3rd party cookies are being deployed on your website -12. Have not enable frequency capping on Display network -13. UserID tracking is enabled, but not declared to users on privacy page.4. GA`s data append via CSV upload (dimension widening) for userID as a
customDimension using sensitive data (e.g. Financial grouping/status based on users postcode/address) -1
5. Using Device Signature (Android App only) -16. Email address stored in GA url report -17. Storing passwords in GA URL report -18. Respawn of users sessionID cookie, after the user tries to clear cookie -19. Using any of the techniques mentioned on evercookie -110.Using GA to track progress of trojan virus installations -100
[n] / 10
Force Rankings:
Make a note of your Dark score
Darkness and the Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
Dark
Score
- -
Now:
Light Score - Dark score =
Actual score
Darkness and the Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
Dark
Score
Sum
of both
- - -
Malintent Accidental
Bad
Good
Overall Score?
-10
+10
If you got a dark score join these…
“MOA code of conduct” or “DAA code of ethics” will eventually introduce
one
www.digitalanalyticsassociation.org/codeofethics
www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view
Thanks & Questions
#SPWK @philpearce
Appendix…
DISCLAIMER – I`m not a lawyer
GA terms of servicehttp://www.google.com/analytics/terms/us.htmlhttp://www.google.com/analytics/learn/privacy.html
Privacy Trouble shooterhttp://support.google.com/bin/static.py?hl=en&ts=1291807&page=ts.cs
Report a privacy concernhttp://www.google.com/contact/
Contact Google Analyticshttp://support.google.com/analytics/bin/request.py?hlrm=en&contact_type=contact_policyhttps://support.google.com/adwords/answer/8206?contact=1&rd=1
Report a security [email protected]://www.google.com/security.html
Discussion Questions
How much is your data worth?
Can you afford to drive traffic in the dark with no insight?
Is PII or sensitive data or urls being accidentally tracked?
When was the last time you audited your WA installation?
Are you capturing data that easily allows an individual to be “linked” or “re-identified” by Google (e.g. detailed demographic data example, or Netflix.com + IMDB.com example1 or example2)
Related presentations & resources
.
CookieTAB virus screenshotshttps://www.dropbox.com/s/w0gprycb23ajguw/2011_03_18%20CookieTAB%20virus%20screenshots%20.pptx
Effect of EU Cookie law on US businesses: https://www.dropbox.com/s/ces1m53mm7o4gmm/2012-10-04%20GAUGE%20Boston%20-%20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx
Recipe for a Cookie Lawhttps://www.dropbox.com/s/l9n3gchusdv57bm/2011_03_18%20Recipe%20for%20a%20Cookie%20Law%20by%20Phil%20Pearce%20.pptx
Cookie law Implementation Exampleshttps://www.dropbox.com/s/7q8qfxesk44tpkc/Implimentation%20Examples%20by%20Phil%20Pearce%202012_03_18.pptx
Cookie compliance Audit - Example.docxhttps://www.dropbox.com/s/idyrql6c1aniaw6/01%20UK%20Cookie%20compliance%20Audit%20-%20Example.docx
CookieLaw research in 90mb Dropbox: https://www.dropbox.com/s/uapu90d7rc2uxl1/2012_Cookie_Law_Resources_Folder_40mb_Download.zip
AppendixExternal privacy feedback mechanisms:safeharbor.export.gov/companyinfo.aspx?id=16626feedback-form.truste.com/watchdog/request?url=www.google.comwww.bbb.org/sanjose/business-reviews/internet-services/google-in-mountain-view-ca-214105/file-a-complaintwww.networkadvertising.org/contact-support/report-problem/i-would-report-violation-of-nai-code-nai-member-company-2www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form]addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism]www.google.com/trends/explore?hl=en#cat=0-14-54-1281&geo=US&date=today%203-m&cmpt=q [user web searches in category of “privacy” per country]
Security & Privacy prize of upto £13K offered by Google for detecting holes:www.google.com/about/appsecurity/reward-program/blog.chromium.org/2012/08/announcing-pwnium-2.htmlExample XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008-12/msg00200.html
Open Source feedback techniques fourthparty.info/dataappanalysis.org/download.html
Free to check cookie databases:www.cookielaw.org/cookie-search.aspx?domain=http://www.facebook.comwww.cookiecert.com/cookies-for-facebook.comprivacyscore.com/score_details/2a03b4fe8d9d4eb8b4fb0ccf356cbaaa/showcase
