Page 1: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

BlackHat Analytics 3: Do Be evil: Force Awakens

Page 2: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

#SPWK @philpearce

Web Analytics Exchange mentor

750 GA questions answered

Tracking protection group

(DNT)

Welcome

Phil Pearce
Analytics Expert & Master of the Dark Arts
Freelancer

@philpearce
linkedin.com/in/philpearce

Page 3: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Fun fact... I'm an identical twin...

#SPWK @philpearce

...He recently got married

Page 4: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

I organised a stag party for my brother...

As you can see, I'm the evil one ;)

#SPWK @philpearce

Page 5: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Why was I Darth Maul...

Because my uncle was...

#SPWK @philpearce

Darth Vader!

Page 6: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Blackhat Analytics Summary

1. Definition
2. History and evolution
3. Example techniques
4. Light & Dark task
5. Questions

#SPWK @philpearce

Page 7: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

A long time ago... in a Google universe far, far away...

Page 8: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Define: Blackhat Analytics

Page 9: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Define: Blackhat Analytics


“0” results

Page 11: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

It turns out...

...I know more than Google ;)

[Screenshot: every search result is "Me"]

Page 12: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Definition

Intentional act of distorting, deleting, unethically using, or hijacking WA (web analytics) data using technical or legal loopholes, with the goal of making financial gains or obtaining a competitive advantage.

Phil Pearce 2009

Page 13: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

How did we get here…

1. Intentionally abusing the system

2. Accidentally abusing the system

3. Automatic monitoring & enforcement of the system

Page 14: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

1. Intentionally abusing the system

Page 15: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Early Malicious techniques/attacks

Referral backlink log spam (deprecated SEO technique)

These links are now no-followed and no longer pass PageRank

Page 16: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Early Malicious techniques/attacks

Referral backlink log spam (to get traffic from website owners)

The "Exclude bots" GA setting should prevent this

Page 17: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Early Malicious techniques/attacks

GA log spam (spider visits that load and execute the tracking JS)

Exclude robot hits via the IAB blacklist tickbox in GA

Page 18: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Early Malicious techniques/attacks

Visited links CSS hack (history sniffing)

Browser patches rolled out for :visited link colours (method made harmless)

Page 19: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Early Malicious techniques/attacks

Flash cookie respawn (zombie cookies)

Chrome privacy settings integrated with the Flash control panel

Page 20: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Early Malicious techniques/attacks

Evercookie (all of the previous techniques and more!)

Tor Browser (anonymous browsing)

Page 21: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Revenue Spam

Page 22: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Counter-measure for Revenue Spam

https://developers.google.com/analytics/devguides/collection/analyticsjs/enhanced-ecommerce#measuring-refunds

Tool to manually fix… bit.ly/bigintegerfix

Page 23: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

*Edge-case example: small startups like beencounter

Intentional blackhat is rare, and users don't care

Page 24: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens
Page 25: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

2. Accidentally abusing the system

Page 26: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

www.yoursite.com

[email protected]

https://support.google.com/adwords/answer/8206?contact=1&rd=1

site:competitor.com inurl:"utm_content * gmail.com"

https://www.google.com/search?q=inurl:de+inurl:utm_content+*+gmail+-blog+-google&pws=0&num=100&filter=0&as_qdr=all&cad=b&biw=1921&bih=869&dpr=1&cad=cbv&sei=qkK9VKiRHJLvat-ggbgF

e.g. www.centredeformationjuridique.com/E-learning/v3/soutien/interface/index.php?page=cs.call_menu&menu_use=[ID_MENU]&[email protected]&mdp=coutcout&utm_medium=SMS&utm_source=CS_2014&utm_campaign=ouverture_inscriptions_intensif2&utm_content=Paris

Accidental email PII (email addresses and passwords captured in tracked URLs)
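The slides show e-mail addresses and passwords leaking into analytics through URL query strings. The JavaScript below is an added example, not code from the talk: it scrubs e-mail addresses and credential-like parameters out of a URL before the page path is handed to an analytics tag, and offers a `findPiiHits` check that would back the "URL contains @" custom alert the talk recommends. The list of secret parameter names (`SECRET_KEYS`), the sample URLs and the page-path list are constructed assumptions for this example.

```javascript
// Added example (not from the slides): scrub accidental PII out of a page URL
// before it is handed to a web-analytics tag, and flag URLs that still carry an
// e-mail address so a "URL contains @" alert can fire. The secret parameter
// names, the sample URLs and the page-path list are constructed assumptions.

// Matches an e-mail address, raw or with a percent-encoded "@" (%40).
const EMAIL_RE = /[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}/i;

// Query keys that commonly carry credentials ("mdp" is French for mot de passe).
const SECRET_KEYS = new Set(["password", "pwd", "pass", "mdp", "pin", "token"]);

// Returns the URL with e-mails and secret parameters replaced by "[REDACTED]",
// plus a count of the values that were changed.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const emailAll = new RegExp(EMAIL_RE.source, "gi");
  let redacted = 0;

  // Query string: secret keys are blanked whole, other values only lose e-mails.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (SECRET_KEYS.has(key.toLowerCase())) {
      url.searchParams.set(key, "[REDACTED]");
      redacted++;
    } else if (EMAIL_RE.test(value)) {
      url.searchParams.set(key, value.replace(emailAll, "[REDACTED]"));
      redacted++;
    }
  }

  // Path segments can carry e-mails too (e.g. /users/<email>/profile).
  if (EMAIL_RE.test(url.pathname)) {
    url.pathname = url.pathname.replace(emailAll, "[REDACTED]");
    redacted++;
  }
  return { url: url.toString(), redacted };
}

// True when a URL (or an analytics page path) still contains an e-mail address.
function containsPii(pathOrUrl) {
  return EMAIL_RE.test(pathOrUrl);
}

// Given page paths as exported from a "Pages" report, return the ones that
// should trigger the custom alert.
function findPiiHits(pagePaths) {
  return pagePaths.filter(containsPii);
}

// Constructed sample of page paths, shaped like an analytics report export.
const SAMPLE_PAGE_PATHS = [
  "/index.php?page=home&utm_source=newsletter",
  "/signup/confirm?email=jane.doe%40example.org&utm_medium=SMS",
  "/account/bob@example.org",
  "/checkout/thankyou?order=1234",
];

// Usage: run the redaction once per pageview, and the hit finder over a report.
console.log(redactUrl("https://www.example.com/login?user=jane.doe%40example.org&mdp=s3cret"));
console.log(findPiiHits(SAMPLE_PAGE_PATHS));
```

Redacting on the client is the cheap fix; the report-side check is what catches the pages that were already leaking before the fix shipped, which is the situation the "custom email alert" item in the Light score is meant to surface.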

Page 27: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

GOOGLE ANALYTICS TERMS OF SERVICE

These Google Analytics Terms of Service (this "Agreement") are entered into by Google Inc. ("Google") and the entity executing this Agreement ("You"). This Agreement governs Your use of the standard Google Analytics (the "Service"). BY CLICKING THE "I ACCEPT" BUTTON, COMPLETING THE REGISTRATION PROCESS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT. In consideration of the foregoing, the parties agree as follows:

1. Definitions.

"Account" refers to the billing account for the Service. All Profiles linked to a single Property will have their Hits aggregated before determining the charge for the Service for that Property.

"Confidential Information" includes any proprietary data and any other information disclosed by one party to the other in writing and marked "confidential" or disclosed orally and, within five business

Google Analytics TOS

Skip..

Page 28: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Results in… GA account deleted (if violation).

You must not collect any data that personally identifies an individual, such as a:

1. full name
2. email address
3. billing information

Page 29: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Don't worry… PII capture is not enforced

1. It is not pro-actively (automatically) enforced
2. Only re-active (manual) enforcement

The same applies to… "You must post a link to a Privacy Policy which has an opt-out…"

Page 30: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Validation that a privacy link is present is not automatically checked

0.24% of domains using GA are compliant!

(17000 + 341 + 36000 + 11000) / 26416097 = 64341 / 26416097 ≈ 0.24%

Page 31: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

• https://ahrefs.com/site-explorer/overview/prefix/?target=www.google.com/policies/privacy/partners/
• https://ahrefs.com/site-explorer/overview/prefix/?target=tools.google.com/dlpage/gaoptout
• https://ahrefs.com/site-explorer/overview/prefix/?target=www.aboutads.info/choices/

Validation that a privacy link is present is not automatically checked

Est. 5% of these backlinks come from German websites

Link growth to this page should be increasing in line with GA usage; only tiny increases are seen.

Page 32: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

No one pro-actively monitors, because cookies are harmless

Page 33: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens
Page 34: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

3. Automatically monitoring & enforcement of the system.

aka Automatic “Health checks”

Page 35: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Example…

Page 36: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

2 years' reign!

Infighting & disunity between Advertisers & Privacy Advocates.

Definition of Tracking (DNT) still not defined!

http://www.theregister.co.uk/2013/11/05/do_not_track_w3c_ads_privacy/

W3C republic

Page 37: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Group disbanded

Peter Swire (Chief) resigns
Jonathan Mayer (Firefox) resigns
Digital Advertisers Association leaves the group!

Old W3C republic

Key member: Thomas Roessler

joins Google!

Page 38: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Imperial

Durnt, durnt, durnt… durnt, dan ner!

External Feedback mechanism

Page 39: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

New Imperial Advertising Principles: AdChoices proposed as replacement for W3C's DNT

Source: http://www.adweek.com/news/technology/daa-convene-new-do-not-track-group-updated-153023

Page 40: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

http://www.wordstream.com/blog/ws/2014/01/22/adchoices
http://www.youronlinechoices.com/hu/
http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/

Feedback example

Page 41: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

ICO cookie law investigations didn't happen

As they got more complaints about spam text messages, they focused on this instead.

Page 42: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

SilkTide example from UK

Page 43: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Are users' cookies for sale on SilkRoad?

Litmus test

Page 44: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

No one cares: users are not complaining, hence regulators are not enforcing.

Page 45: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens
Page 46: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

3. Google lost market share in search… now they care!

Page 47: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Google AdWords privacy CPC tax

SSL as a ranking signal: SERP organic ranking bonus.

Google “trusted stores” program

Note: See “Privacy as a ranking factor slides” and TrustFactor video.

Page 48: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens
Page 49: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Practical Example…

Page 50: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Light Score

1. Do you have a Privacy Policy? +1
2. Do you link to the Privacy Policy in the global footer (or header)? (try.powermapper.com) +1
3. HTML links on the Privacy Policy:
   • Do you mention that you use cookies OR link to "How Google uses cookie data" (www.google.com/policies/privacy/partners/) +0.25
   • Do you mention the words "Do Not Track" or DNT on the privacy policy? +0.25
   • Link to the GA opt-out plugin OR the GA opt-out page +0.25
   • Link to the DoubleClick remarketing opt-out OR an AdChoices link +0.25
4. Has your Privacy Policy been updated within the last 12 months? +1
5. If you are using session recording (e.g. ClickTale), have you set sensitive fields to either type=password OR a relevant masking class, e.g. <input id="CreditCardPin" class="tracking-sensitive ClickTaleSensitive -metrika-nokeys" type="text"> +1
6. Is AnonymizeIP enabled for German visitors? +1
7. Is GTM's 2-stage authentication login setting enabled, OR a similar TMS setting? +1
8. Do you have a GA custom email alert for URLs containing "@" or "@gmail"? +1
9. Is the GA "exclude traffic from robots" setting enabled? +1
10. Have you actioned at least one GA healthcheck alert? +1

Ref: www.google.com/analytics/terms/us.html

[n] / 10
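Item 5 of the Light score asks whether sensitive form fields are hidden from session-recording tools by `type=password` or by a vendor masking class. The JavaScript below is an added example, not code from the talk: it pulls the `<input>` tags out of a page's HTML and reports every field whose id or name looks sensitive but carries neither protection, using the three masking classes the slide names. The `SENSITIVE_NAME` pattern, the `parseInputs` helper and the sample form are constructed assumptions for this example.

```javascript
// Added example (not from the slides): audit <input> fields before enabling
// session recording. A field whose id/name looks sensitive must be
// type="password" or carry one of the vendor masking classes the slide lists.
// The SENSITIVE_NAME pattern and the sample form are constructed assumptions.

// Masking classes named on the slide (ClickTale, Yandex Metrika, generic).
const MASKING_CLASSES = ["tracking-sensitive", "ClickTaleSensitive", "-metrika-nokeys"];

// Heuristic for field names that should never reach a recording tool.
const SENSITIVE_NAME = /(card|pin|cvv|cvc|ssn|iban|passw|secret|dob|birth)/i;

// Minimal extraction of <input> tags and their double-quoted attributes.
// Attribute names are lower-cased; values are kept as written.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// A field is masked if it is a password box or has a known masking class.
function isMasked(attrs) {
  if ((attrs.type || "").toLowerCase() === "password") return true;
  const classes = (attrs.class || "").split(/\s+/);
  return MASKING_CLASSES.some((c) => classes.includes(c));
}

function looksSensitive(attrs) {
  return SENSITIVE_NAME.test(`${attrs.id || ""} ${attrs.name || ""}`);
}

// Returns the fields that look sensitive and are not masked, i.e. the ones
// that would cost the Light-score point until fixed.
function auditSensitiveFields(html) {
  return parseInputs(html)
    .filter((a) => looksSensitive(a) && !isMasked(a))
    .map((a) => ({ id: a.id || "", name: a.name || "", type: a.type || "text" }));
}

// Constructed sample form: one field masked by class, one by type, two exposed.
const SAMPLE_FORM = `
<form>
  <input id="Email" name="email" type="email">
  <input id="CreditCardPin" class="tracking-sensitive ClickTaleSensitive -metrika-nokeys" type="text">
  <input id="CardNumber" name="cc_number" type="text">
  <input id="Password" name="password" type="password">
  <input id="Cvv" name="cvv" type="text" class="form-control">
</form>`;

// Usage: run against the rendered HTML of each page that carries a form.
console.log(auditSensitiveFields(SAMPLE_FORM));
```

The name heuristic is deliberately broad; a false positive costs a minute of review, while a missed card field ends up in somebody else's replay archive.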

Page 51: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Force Rankings:

Make a note of your Light score

Page 52: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Darkness and the Light - scorings

Light side:
  10   Yoda
  6-8  Luke
  3-5  Leia
  0-2  Chewbacca
   0   Neutral Zone
Dark side:
  -0-2 Darth Maul
  -3-5 Count Dooku
  -6-8 Darth Vader
  -10  Darth Sidious

Light score: ___

Page 53: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Dark Score

1. 3rd-party cookies are being deployed on your website -1
2. Have not enabled frequency capping on the Display network -1
3. UserID tracking is enabled, but not declared to users on the privacy page
4. GA's data append via CSV upload (dimension widening) for userID as a custom dimension using sensitive data (e.g. financial grouping/status based on the user's postcode/address) -1
5. Using Device Signature (Android app only) -1
6. Email addresses stored in the GA URL report -1
7. Storing passwords in the GA URL report -1
8. Respawning the user's sessionID cookie after the user tries to clear cookies -1
9. Using any of the techniques mentioned on evercookie -1
10. Using GA to track the progress of trojan virus installations -100

[n] / 10

Page 54: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Force Rankings:

Make a note of your Dark score

Page 55: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Darkness and the Light - scorings

Light side:
  10   Yoda
  6-8  Luke
  3-5  Leia
  0-2  Chewbacca
   0   Neutral Zone
Dark side:
  -0-2 Darth Maul
  -3-5 Count Dooku
  -6-8 Darth Vader
  -10  Darth Sidious

Light score: ___   Dark score: ___

Page 56: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Now:

Light score - Dark score = Actual score

Page 57: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Darkness and the Light - scorings

Light side:
  10   Yoda
  6-8  Luke
  3-5  Leia
  0-2  Chewbacca
   0   Neutral Zone
Dark side:
  -0-2 Darth Maul
  -3-5 Count Dooku
  -6-8 Darth Vader
  -10  Darth Sidious

Light score: ___   Dark score: ___   Sum of both: ___

Page 58: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Overall Score?

[Scale: -10 (Bad: malintent) through accidental to +10 (Good)]

Page 59: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

If you got a dark score, join these…

The "MOA code of conduct" or "DAA code of ethics" will eventually introduce one

www.digitalanalyticsassociation.org/codeofethics

www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view

Page 60: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Thanks & Questions

#SPWK @philpearce

Page 61: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Appendix…

Page 62: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

DISCLAIMER – I'm not a lawyer

GA terms of service
http://www.google.com/analytics/terms/us.html
http://www.google.com/analytics/learn/privacy.html

Privacy troubleshooter
http://support.google.com/bin/static.py?hl=en&ts=1291807&page=ts.cs

Report a privacy concern
http://www.google.com/contact/

Contact Google Analytics
http://support.google.com/analytics/bin/request.py?hlrm=en&contact_type=contact_policy
https://support.google.com/adwords/answer/8206?contact=1&rd=1

Report a security [email protected]
www.google.com/security.html

Page 63: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Discussion Questions

How much is your data worth?

Can you afford to drive traffic in the dark with no insight?

Is PII or sensitive data or urls being accidentally tracked?

When was the last time you audited your WA installation?

Are you capturing data that easily allows an individual to be “linked” or “re-identified” by Google (e.g. detailed demographic data example, or Netflix.com + IMDB.com example1 or example2)

Page 64: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Related presentations & resources

CookieTAB virus screenshots: https://www.dropbox.com/s/w0gprycb23ajguw/2011_03_18%20CookieTAB%20virus%20screenshots%20.pptx

Effect of EU Cookie law on US businesses: https://www.dropbox.com/s/ces1m53mm7o4gmm/2012-10-04%20GAUGE%20Boston%20-%20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx

Recipe for a Cookie Law: https://www.dropbox.com/s/l9n3gchusdv57bm/2011_03_18%20Recipe%20for%20a%20Cookie%20Law%20by%20Phil%20Pearce%20.pptx

Cookie law implementation examples: https://www.dropbox.com/s/7q8qfxesk44tpkc/Implimentation%20Examples%20by%20Phil%20Pearce%202012_03_18.pptx

Cookie compliance audit - Example.docx: https://www.dropbox.com/s/idyrql6c1aniaw6/01%20UK%20Cookie%20compliance%20Audit%20-%20Example.docx

CookieLaw research in 90mb Dropbox: https://www.dropbox.com/s/uapu90d7rc2uxl1/2012_Cookie_Law_Resources_Folder_40mb_Download.zip

Page 65: Blackhat Analytics 3 @  superweek - Do be evil: Force awakens

Appendix

External privacy feedback mechanisms:
safeharbor.export.gov/companyinfo.aspx?id=16626
feedback-form.truste.com/watchdog/request?url=www.google.com
www.bbb.org/sanjose/business-reviews/internet-services/google-in-mountain-view-ca-214105/file-a-complaint
www.networkadvertising.org/contact-support/report-problem/i-would-report-violation-of-nai-code-nai-member-company-2
www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form]
addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism]
www.google.com/trends/explore?hl=en#cat=0-14-54-1281&geo=US&date=today%203-m&cmpt=q [user web searches in the category "privacy", per country]

Security & Privacy prize of up to £13K offered by Google for detecting holes:
www.google.com/about/appsecurity/reward-program/
blog.chromium.org/2012/08/announcing-pwnium-2.html
Example XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008-12/msg00200.html

Open source feedback techniques:
fourthparty.info/data
appanalysis.org/download.html

Free-to-check cookie databases:
www.cookielaw.org/cookie-search.aspx?domain=http://www.facebook.com
www.cookiecert.com/cookies-for-facebook.com
privacyscore.com/score_details/2a03b4fe8d9d4eb8b4fb0ccf356cbaaa/showcase