Blackhat Analytics 3: Do be evil – Force awakens (@Superweek 2015)
1. BlackHat Analytics 3: Do Be evil: Force Awakens
2. #SPWK @philpearce Web Analytics Exchange mentor 750 GA questions answered Tracking protection group (DNT) Welcome Phil Pearce Analytics Expert & Master of the Dark Arts Freelancer @philpearce linkedin.com/in/philpearce
3. Fun fact… I`m an identical Twin… #SPWK @philpearce …He recently got married
4. I organised a Stag party for my Brother… As you can see – I`m the evil one 😉 #SPWK @philpearce
5. Why was I Darth Maul… Because my uncle was… #SPWK @philpearce Darth Vader!
6. Blackhat Analytics Summary 1. Definition 2. History and evolution 3. Example Techniques 4. Light & Dark task 5. Questions #SPWK @philpearce
7. A long time ago… … in a google universe far, far away…
8. Define: Blackhat Analytics
9. Define: Blackhat Analytics Define: Blackhat Analytics “0” results
10. If you do this search now… Define: Blackhat Analytics
11. It turns out… …I know more than Google 😉 Me Me Me Me
12. Definition Intentional act of distorting, deleting, unethically using, or hijacking WA data using technical or legal loopholes; with the goal of making financial gains, or obtaining a competitive advantage. Phil Pearce 2009
13. How did we get here… 1. Intentional abusing the system. 2. Accidentally abusing the system 3. Automatically monitoring & enforcement of the system
14. 1. Intentional Abusing the system
15. Early Malicious techniques/attacks Referral backlink log spam (depreciated SEO technique) These links no-followed and no longer pass pagerank
16. Referral backlink log spam (to get traffic from website owners) Early Malicious techniques/attacks Exclude bots GA setting Should prevent this
17. Early Malicious techniques/attacks GA log spam (Spider visit loading JS) Exclude Robot hits via IAB blacklist tickbox in GA
18. Early Malicious techniques/attacks Visited links CSS hack (History Sniffing) Browser patch rollout for link colours (method made harmless)
19. Early Malicious techniques/attacks Flash cookie respawn (Zombie Cookies) Chrome privacy settings integrated with Flash Winduw control panel
20. Early Malicious techniques/attacks EverCookie (all of the previous techniques and more!) Tor browser (anonymous browsing)
21. Revenue Spam
22. Counter-measure for Revenue Spam https://developers.google.com/analytics/devguides/collection/analyticsjs/enhanced-ecommerce#measuring-refunds Tool to manually fix… bit.ly/bigintegerfix
23. *edge case example: small startups like beencounter Intentional blackhat is rare and users don’t cares
24. 2. Accidentally abusing the system
25. www.yoursite.com firstname.lastname@example.org https://support.google.com/adwords/answer/7217785?visit_id=0-636583115098854429-2307243043&rd=2 site:comptetitor.com inurl:”utm_content * gmail.com“ https://ipv6.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dinurl:de%2Binurl:utm_content%2B&q=EhAqA7DAAAEA0AAAAAAA4JABGIGWi9YFIhkA8aeDS-HvLw_kNqUqrQ1HWLQNVffS9MuPMgFy*+gmail+-blog+- google&pws=0&num=100&filter=0&as_qdr=all&cad=b&biw=1921&bih=869&dpr=1&cad=cb v&sei=qkK9VKiRHJLvat-ggbgF e.g. www.centredeformationjuridique.com/E- learning/v3/soutien/interface/index.php?page=cs.call_menu&menu_use=[ID_MENU]&email =NAME.REMOVED@gmail.com&mdp=coutcout&utm_medium=SMS&utm_source=CS_2 014&utm_campaign=ouverture_inscriptions_intensif2&utm_content=Paris Accidental email PII
26. Google Analytics Skip to content GOOGLE ANALYTICS TERMS OF SERVICE These Google Analytics Terms of Service (this “Agreement”) are entered into by Google Inc. (“Google”) and the entity executing this Agreement (“You”). This Agreement governs Your use of the standard Google Analytics (the “Service”). BY CLICKING THE “I ACCEPT” BUTTON, COMPLETING THE REGISTRATION PROCESS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT. In consideration of the foregoing, the parties agree as follows: 1. Definitions. “Account” refers to the billing account for the Service. All Profiles linked to a single Property will have their Hits aggregated before determining the charge for the Service for that Property. “Confidential Information” includes any proprietary data and any other information disclosed by one party to the other in writing and Google Analyses TOS Skip..
27. Results in… GA account deleted (if violation). You must not collect any data that personally identifies an individual such as a: 1. full name 2. email address 3. billing information GA account deleted (if violation)
29. Validation that a privacy link is present is not automatically checked 0.24% of domains using GA are compliant! =(17000+341+36000+11000)/26416097= 0.24%
30. • • • Validation that a privacy link is present is not automatically checked Est 5% German websites backlinks Link growth to this page should be increasing based on GA usage, only tiny increases.
32. 3. Automatically monitoring & enforcement of the system. aka Automatic “Health checks”
34. 2 years reign! Infighting & disunity between Advertisers & Privacy Advocates. Definition of Tracking (DNT) still not defined! http://www.theregister.co.uk/2013/11/05/do_not_track_w3c_ads_privacy/ W3C republic
35. Group disbanded Peter Swire – Chief resign Jonathan Mayer – Firefox resigns Digital Advertisers Association – leaves group! Old W3C republic Key member: Thomas Roessler joins Google!
36. Imperial Durnt, durnt, durnt… durnt, dan ner! External Feedback mechanism
37. New Imperial Advertising Principles AdChoices proposed as replacement for W3C`s DNT Source: http://www.adweek.com/digital/daa-convene-new-do-not-track-group-updated-153023/
38. https://www.wordstream.com/blog/ws/2014/01/22/adchoices http://www.youronlinechoices.com/hu/ https://silktide.com/blog/ Feedback example
39. ICO cookie law investigations – did`nt happen As they got more complaints about spam text messages, so focused on this instead.
40. SilkTide example from UK
41. Are users Cookies for sale on SilkRoad Litmus test
42. No one cares users are not complaining hence, regulators are not enforcing.
43. 3. Google lost market share in search now they care!
44. Google Adwords privacy cpc tax SSL as ranking signal SERP ranking organic bonus. Google “trusted stores” program Note: See “Privacy as a ranking factor slides” and TrustFactor video.
45. Practical Example…
47. Force Rankings: Make a note of your Light score
48. Darkness and the Light – scorings 10 Yoda 6-8 Luke 3-5 Leia 0-2 Chewbacca 0 Neutral Zone – 0-2 Darth Maul – 3-5 Count Dooku – 6-8 Darth Vader – 10 Darth Sideous Light score –
49. Dark Score 1. 3rd party cookies are being deployed on your website -1 2. Have not enable frequency capping on Display network -1 3. UserID tracking is enabled, but not declared to users on privacy page. 4. GA`s data append via CSV upload (dimension widening) for userID as a customDimension using sensitive data (e.g. Financial grouping/status based on users postcode/address) -1 5. Using Device Signature (Android App only) -1 6. Email address stored in GA url report -1 7. Storing passwords in GA URL report -1 8. Respawn of users sessionID cookie, after the user tries to clear cookie -1 9. Using any of the techniques mentioned on evercookie -1 10.Using GA to track progress of trojan virus installations -100 [n] / 10
50. Force Rankings: Make a note of your Dark score
51. Darkness and the Light – scorings 10 Yoda 6-8 Luke 3-5 Leia 0-2 Chewbacca 0 Neutral Zone – 0-2 Darth Maul – 3-5 Count Dooku – 6-8 Darth Vader – 10 Darth Sideous Light score Dark Score – –
52. Now: Light Score – Dark score = Actual score
53. Darkness and the Light – scorings 10 Yoda 6-8 Luke 3-5 Leia 0-2 Chewbacca 0 Neutral Zone – 0-2 Darth Maul – 3-5 Count Dooku – 6-8 Darth Vader – 10 Darth Sideous Light score Dark Score Sum of both – – –
54. Malintent Accidental Bad Good Overall Score? -10 +10
55. If you got a dark score join these… ? “MOA code of conduct” or “DAA code of ethics” will eventually introduce one www.digitalanalyticsassociation.org/codeofethics www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view
56. Thanks & Questions #SPWK @philpearce
58. DISCLAIMER – I`m not a lawyer GA terms of service http://www.google.com/analytics/terms/us.html https://support.google.com/analytics/answer/6004245 Privacy Trouble shooter https://support.google.com/policies/troubleshooter/7575787?hl=en&visit_id=0-636583119757826757-986331167&rd=2 Report a privacy concern http://www.google.com/contact/ Contact Google Analytics https://support.google.com/adwords/answer/7217785?visit_id=0-636583115098854429-2307243043&rd=2 Report a security concern email@example.com https://www.google.com/about/appsecurity/
59. Discussion Questions ? How much is your data worth? ? Can you afford to drive traffic in the dark with no insight? ? Is PII or sensitive data or urls being accidentally tracked? ? When was the last time you audited your WA installation? ? Are you capturing data that easily allows an individual to be “linked” or “re-identified” by Google (e.g. detailed demographic data example, or Netflix.com + IMDB.com example1 or example2)
60. Related presentations & resources . CookieTAB virus screenshots https://www.dropbox.com/s/w0gprycb23ajguw/2011_03_18%20CookieTAB%20virus%20scr eenshots%20.pptx Effect of EU Cookie law on US businesses: https://www.dropbox.com/s/ces1m53mm7o4gmm/2012-10- 04%20GAUGE%20Boston%20- %20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx Recipe for a Cookie Law https://www.dropbox.com/s/l9n3gchusdv57bm/2011_03_18%20Recipe%20for%20a%20Co okie%20Law%20by%20Phil%20Pearce%20.pptx Cookie law Implementation Examples https://www.dropbox.com/s/7q8qfxesk44tpkc/Implimentation%20Examples%20by%20Phil %20Pearce%202012_03_18.pptx Cookie compliance Audit – Example.docx https://www.dropbox.com/s/idyrql6c1aniaw6/01%20UK%20Cookie%20compliance%20Audi t%20-%20Example.docx CookieLaw research in 90mb Dropbox: https://www.dropbox.com/s/uapu90d7rc2uxl1/2012_Cookie_Law_Resources_Folder_40mb _Download.zip
61. Appendix External privacy feedback mechanisms: safeharbor.export.gov/companyinfo.aspx?id=16626 feedback-form.truste.com/watchdog/request?url=www.google.com www.bbb.org/sanjose/business-reviews/internet-services/google-in-mountain-view-ca- 214105/file-a-complaint www.networkadvertising.org/contact-support/report-problem/i-would-report-violation-of-nai- code-nai-member-company-2 www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form] addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism] www.google.com/trends/explore?hl=en#cat=0-14-54-1281&geo=US&date=today%203- m&cmpt=q [user web searches in category of “privacy” per country] Security & Privacy prize of upto £13K offered by Google for detecting holes: www.google.com/about/appsecurity/reward-program/ blog.chromium.org/2012/08/announcing-pwnium-2.html Example XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008- 12/msg00200.html Open Source feedback techniques fourthparty.info/data appanalysis.org/download.html Free to check cookie databases: www.cookielaw.org/cookie-search.aspx?domain=http://www.facebook.com www.cookiecert.com/cookies-for-facebook.com privacyscore.com/score_details/2a03b4fe8d9d4eb8b4fb0ccf356cbaaa/showcase