This document provides an overview of blackhat analytics techniques from the perspective of an analytics expert named Phil Pearce. It begins with Phil introducing himself and his background. The document then defines blackhat analytics and discusses its history, including early malicious techniques, intentional abuse of analytics systems, and accidental abuse of those systems. It provides examples of light and dark tasks involving analytics and concludes with discussion questions.
2. #SPWK @philpearce
Web Analytics Exchange mentor
750 GA questions answered
Tracking protection group (DNT)
Welcome
Phil Pearce
Analytics Expert & Master of the Dark Arts
Freelancer
@philpearce
linkedin.com/in/philpearce
3. Fun fact... I'm an identical twin...
...He recently got married
4. I organised a Stag party for my Brother...
As you can see - I'm the evil one ;)
5. Why was I Darth Maul...
Because my uncle was...
Darth Vader!
12. Definition
Intentional act of distorting, deleting, unethically using, or hijacking WA data using technical or legal loopholes, with the goal of making financial gains or obtaining a competitive advantage.
Phil Pearce 2009
13. How did we get here…
1. Intentionally abusing the system.
2. Accidentally abusing the system.
3. Automatic monitoring & enforcement of the system.
27. Google Analytics
GOOGLE ANALYTICS TERMS OF SERVICE
These Google Analytics Terms of Service (this "Agreement") are entered into by Google Inc. ("Google") and the entity executing this Agreement ("You"). This Agreement governs Your use of the standard Google Analytics (the "Service"). BY CLICKING THE "I ACCEPT" BUTTON, COMPLETING THE REGISTRATION PROCESS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT. In consideration of the foregoing, the parties agree as follows:
1. Definitions.
"Account" refers to the billing account for the Service. All Profiles linked to a single Property will have their Hits aggregated before determining the charge for the Service for that Property.
"Confidential Information" includes any proprietary data and any other information disclosed by one party to the other in writing and
Google Analytics TOS
Skip..
28. Results in… GA account deleted (if violation).
You must not collect any data that personally identifies an individual such as a:
1. full name
2. email address
3. billing information
29. Don't worry…. PII capture is not enforced
1. It's not proactively (automatically) enforced
2. Only reactive (manual) enforcement.
The same for… You must post a link to a Privacy Policy which has an opt-out…
30. Validation that a privacy link is present is not automatically checked
0.24% of domains using GA are compliant!
= (17000 + 341 + 36000 + 11000) / 26416097 = 0.24%
36. 2 years' reign!
Infighting & disunity between Advertisers & Privacy Advocates.
Definition of Tracking (DNT) still not defined!
http://www.theregister.co.uk/2013/11/05/do_not_track_w3c_ads_privacy/
W3C republic
37. Group disbanded
Peter Swire – chair, resigns
Jonathan Mayer – Firefox, resigns
Digital Advertisers Association – leaves group!
Old W3C republic
Key member: Thomas Roessler joins Google!
39. New Imperial Advertising Principles
AdChoices proposed as replacement for W3C's DNT
Source: http://www.adweek.com/news/technology/daa-convene-new-do-not-track-group-updated-153023
47. Google AdWords privacy CPC tax
SSL as a ranking signal: SERP ranking organic bonus.
Google "trusted stores" program
Note: See the "Privacy as a ranking factor" slides and the TrustFactor video.
50. Light Score
1. Do you have a Privacy Policy? +1
2. Do you link to the Privacy Policy in the global footer (or header)? try.powermapper.com +1
3. HTML links on the Privacy Policy:
• Do you mention that you use cookies OR link to "How Google uses cookie data" (www.google.com/policies/privacy/partners/)? +0.25
• Do you mention the words "Do Not Track" or DNT on the privacy policy? +0.25
• Link to the GA opt-out plugin OR the GA opt-out page +0.25
• Link to the DoubleClick remarketing opt-out OR an AdChoices link +0.25
4. Has your Privacy Policy been updated within the last 12 months? +1
5. If you're using session recording (e.g. ClickTale), have you set sensitive fields to either type=password OR a relevant class, e.g. <input id="CreditCardPin" class="tracking-sensitive ClickTaleSensitive -metrika-nokeys" type="text">? +1
6. Is AnonymiseIP enabled for German visitors? +1
7. Is GTM's 2-stage authentication login setting enabled, OR a similar TMS setting? +1
8. Do you have a GA custom email alert for URLs containing "@" or "@gmail"? +1
9. Is the GA "exclude traffic from robots" setting enabled? +1
10. You have actioned at least one GA health-check alert +1
Ref: www.google.com/analytics/terms/us.html
[n] / 10
52. Darkness and the Light – scorings
Light score: 10 Yoda | 6-8 Luke | 3-5 Leia | 0-2 Chewbacca
0 Neutral Zone
Dark score: 0 to -2 Darth Maul | -3 to -5 Count Dooku | -6 to -8 Darth Vader | -10 Darth Sidious
53. Dark Score
1. 3rd-party cookies are being deployed on your website -1
2. Have not enabled frequency capping on the Display network -1
3. UserID tracking is enabled, but not declared to users on the privacy page.
4. GA's data append via CSV upload (dimension widening) for userID as a customDimension using sensitive data (e.g. financial grouping/status based on the user's postcode/address) -1
5. Using Device Signature (Android app only) -1
6. Email addresses stored in the GA URL report -1
7. Storing passwords in the GA URL report -1
8. Respawning the user's sessionID cookie after the user tries to clear it -1
9. Using any of the techniques mentioned on evercookie -1
10. Using GA to track progress of trojan virus installations -100
[n] / 10
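Light Score item 8 and Dark Score items 6 and 7 are the same problem seen from two sides: PII ending up in the GA page-path (URL) report. As an added example (not code from these slides or from Google), the following scrubs email addresses and sensitive query parameters out of a path before it is sent, and audits an already-collected batch of paths the way a GA alert on "@" in URLs would; the SENSITIVE_PARAMS list and the sample paths are assumptions.

```javascript
// Added example (not from the slides or from Google): scrub PII out of a page path before it is
// sent to Google Analytics, and audit already-collected paths as a GA alert on "@" in URLs would.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Assumed list of query parameters whose values must never reach GA (not a GA setting).
const SENSITIVE_PARAMS = new Set(['email', 'e-mail', 'password', 'pwd', 'pin', 'cardnumber', 'token']);
// decodeURIComponent throws on malformed %xx sequences; keep the raw text in that case.
const safeDecode = (s) => { try { return decodeURIComponent(s); } catch (e) { return s; } };

// Rewrite one "key=value" pair; returns [cleanedPair, findings]. search() is used rather than
// test() because test() on a /g regex carries lastIndex between calls.
function scrubPair(pair) {
  const eq = pair.indexOf('=');
  if (eq === -1) return [pair, []];                          // bare key: nothing to leak
  const key = pair.slice(0, eq);
  const value = safeDecode(pair.slice(eq + 1));
  if (SENSITIVE_PARAMS.has(safeDecode(key).toLowerCase())) {
    return [`${key}=REDACTED`, [`sensitive parameter "${key}"`]];
  }
  if (value.search(EMAIL_RE) === -1) return [pair, []];
  const clean = encodeURIComponent(value.replace(EMAIL_RE, 'REDACTED_EMAIL')); // catches %40 too
  return [`${key}=${clean}`, [`email address in parameter "${key}"`]];
}

// Scrub one page path (path plus optional query); returns { path, findings }.
function scrubPath(path) {
  const q = path.indexOf('?');
  const base = q === -1 ? path : path.slice(0, q);
  const findings = [];
  const cleanBase = base.replace(EMAIL_RE, 'REDACTED_EMAIL'); // e.g. /account/bob@example.com/
  if (cleanBase !== base) findings.push('email address in path');
  if (q === -1) return { path: cleanBase, findings };
  const pairs = path.slice(q + 1).split('&').map((pair) => {
    const [clean, found] = scrubPair(pair);
    findings.push(...found);
    return clean;
  });
  return { path: `${cleanBase}?${pairs.join('&')}`, findings };
}
// Audit a batch of paths (e.g. an export of the GA Pages report); returns only the dirty ones.
function auditPaths(paths) {
  return paths.map((p) => ({ original: p, ...scrubPath(p) })).filter((r) => r.findings.length);
}
// Constructed sample export, not real data.
const SAMPLE_PATHS = [
  '/checkout/confirm?order=1234',
  '/reset?email=bob%40example.com&token=abc123',
  '/account/alice@example.org/settings',
  '/login?user=carol&password=hunter2',
];
```

On the client with analytics.js the scrubbed value replaces the raw location, e.g. `ga('set', 'page', scrubPath(location.pathname + location.search).path)` before the pageview is sent.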
57. Darkness and the Light – scorings
Light score: 10 Yoda | 6-8 Luke | 3-5 Leia | 0-2 Chewbacca
0 Neutral Zone
Dark score: 0 to -2 Darth Maul | -3 to -5 Count Dooku | -6 to -8 Darth Vader | -10 Darth Sidious
Light score + Dark score = Sum of both
59. If you got a dark score, join these…
The "MOA code of conduct" or "DAA code of ethics" will eventually introduce one
www.digitalanalyticsassociation.org/codeofethics
www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view
62. DISCLAIMER – I'm not a lawyer
GA terms of service
http://www.google.com/analytics/terms/us.html
http://www.google.com/analytics/learn/privacy.html
Privacy troubleshooter
http://support.google.com/bin/static.py?hl=en&ts=1291807&page=ts.cs
Report a privacy concern
http://www.google.com/contact/
Contact Google Analytics
http://support.google.com/analytics/bin/request.py?hlrm=en&contact_type=contact_policy
https://support.google.com/adwords/answer/8206?contact=1&rd=1
Report a security concern
security@google.com
http://www.google.com/security.html
63. Discussion Questions
How much is your data worth?
Can you afford to drive traffic in the dark with no insight?
Is PII or sensitive data or URLs being accidentally tracked?
When was the last time you audited your WA installation?
Are you capturing data that easily allows an individual to be "linked" or "re-identified" by Google (e.g. detailed demographic data example, or Netflix.com + IMDB.com example1 or example2)?
64. Related presentations & resources
CookieTAB virus screenshots
https://www.dropbox.com/s/w0gprycb23ajguw/2011_03_18%20CookieTAB%20virus%20screenshots%20.pptx
Effect of EU Cookie law on US businesses:
https://www.dropbox.com/s/ces1m53mm7o4gmm/2012-10-04%20GAUGE%20Boston%20-%20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx
Recipe for a Cookie Law
https://www.dropbox.com/s/l9n3gchusdv57bm/2011_03_18%20Recipe%20for%20a%20Cookie%20Law%20by%20Phil%20Pearce%20.pptx
Cookie law Implementation Examples
https://www.dropbox.com/s/7q8qfxesk44tpkc/Implimentation%20Examples%20by%20Phil%20Pearce%202012_03_18.pptx
Cookie compliance Audit - Example.docx
https://www.dropbox.com/s/idyrql6c1aniaw6/01%20UK%20Cookie%20compliance%20Audit%20-%20Example.docx
CookieLaw research in 90mb Dropbox:
https://www.dropbox.com/s/uapu90d7rc2uxl1/2012_Cookie_Law_Resources_Folder_40mb_Download.zip
65. Appendix
External privacy feedback mechanisms:
safeharbor.export.gov/companyinfo.aspx?id=16626
feedback-form.truste.com/watchdog/request?url=www.google.com
www.bbb.org/sanjose/business-reviews/internet-services/google-in-mountain-view-ca-214105/file-a-complaint
www.networkadvertising.org/contact-support/report-problem/i-would-report-violation-of-nai-code-nai-member-company-2
www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form]
addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism]
www.google.com/trends/explore?hl=en#cat=0-14-54-1281&geo=US&date=today%203-m&cmpt=q [user web searches in the "privacy" category per country]
Security & Privacy prize of up to £13K offered by Google for detecting holes:
www.google.com/about/appsecurity/reward-program/
blog.chromium.org/2012/08/announcing-pwnium-2.html
Example XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008-12/msg00200.html
Open Source feedback techniques
fourthparty.info/data
appanalysis.org/download.html
Free-to-check cookie databases:
www.cookielaw.org/cookie-search.aspx?domain=http://www.facebook.com
www.cookiecert.com/cookies-for-facebook.com
privacyscore.com/score_details/2a03b4fe8d9d4eb8b4fb0ccf356cbaaa/showcase