1. [photo of General Zorg]
BlackHat Analytics 2:
Detect & avoid Dark Tracking
2. #BlackhatAnalytics @philpearce
PPC, Privacy and Analytics Expert
6. Group/Class action wars
8. Look at the future
#BlackhatAnalytics #emetrics @philpearce
4. A long time ago...
… in a Google universe far, far away...
7. If you do this search
Define: Blackhat Analytics
It turns out...
...I know more than Google ;)
At some point in the future "BlackHat Analytics" or “Faking
Conversions” might become more widespread. Because...
1. WA is becoming more important for
business decision making.
2. Automatic performance-based PPC bid
management systems are becoming more
3. Increase in online competitiveness &
more revenue at stake.
Intentional act of distorting, deleting, unethically
using, or hijacking WA data using technical or
legal loopholes; with the goal of making financial
gains, or obtaining a competitive advantage.
Phil Pearce 2009
11. Evil tracking from pre-2010
Referral backlink log spam
(deprecated SEO technique)
Ad behavioural targeting
(Interest Based Stalking)
Remarketing Ads (Return
Visitor Stalking) - Starwars
Safari 3rd party POST
Flash cookie respawn
Visited links CSS hack
GA log spam
(Spider visit loading JS)
(all of the above+)
12. Super evil: EverCookie
13. The EverCookie was
so difficult to delete:
even NSA considered using it!
But they decided
they did not need it ;)
14. Examples from USA
Intent                     Accidental         Malicious
Target                     Own website        Competitor's website
Data collection purpose    Same               Different purpose
Scale                      Niche              Mass effect
Impact                     Data unaffected    GA Account deletion
Examples plotted on the same axes (Intent: Accidental vs Malicious; Target: Own website; Scale: Niche vs Mass effect):
Google Wifi incident
Google (not provided)
Phone call logs
App error logs
Referral log spam
18. If nasty tracking code is installed -
Who is liable?
19. Liability for Privacy & Security
Is the agency liable?
BUT the agency is responsible for
• Upholding professional standards (e.g. GACP status)
• A pro-active client relationship
Local laws say... Website Owner is responsible
(not Agency or Vendor)
20. Why do people still do this bad stuff?
21. The Lure of the Dark side is too strong!
22. It's all about the money! €€€
Affiliate networks looking to increase
CPA and attract new Affiliates.
Online News website looking to retain
users & sell stories (e.g. NYT)
Banner networks looking to improve
CPM & reduce cookie deletion rates
and overcome keywords “not provided”.
Sustained CPC bidding wars
23. But there is a disturbance in the task
24. Meet the new Matt Cutts ...
Google Privacy “Red” team soon to be hired in 2013
following FTC settlement.
Mission: discovering and prioritizing subtle, unusual,
and emergent privacy & security flaws
Hired WebSpam fighter to force quality
improvements in 2000.
“Red team” leader: Matt Cutts
25. “Internal” Imperial Bureau Security
New Google Product Manager of
Privacy & information security
26. F@#K - GA account deleted!
You will not collect any data that
personally identifies an individual such
or other data which can be
reasonably linked to such
information by Google
You must not circumvent any privacy features
(e.g., an opt-out) that are part of GA.
27. Why can't GA just remove the
bad PII data?
Free WA packages unable to remove PII without
deleting whole GA accounts!
Raw logs are only stored for ~30 days
Right to be forgotten was introduced after GA was
(although this might be possible with Universal
which is user-centric, not visitor-centric)
28. “Sensitive” data also is an issue
29. Don’t use userID that contain PII…
used for userID)
31. Solution/Counter-measure for Accidental PII
Or use temporary robots.txt fix:
Add exclude parameters to
32. Legal Disclaimer: The purpose of this example is to demonstrate a hole in all Analytics
platforms, and how to patch this hole. It is used for TESTING purposes ONLY.
By reading this example you agree NOT to use this on a live website, and agree that I (Phil
Pearce) am NOT liable for any damage that a website owner may suffer arising out of
this example & tool.
If you are in any doubt, please seek the advice of the Google legal team
www.google.com/contact/ or your local legal counsel BEFORE testing.
Note: This issue was raised on the GACP private discussion forum 6 months ago, prior
to this event.
Do you recognise this number?
It is a Quintillion or “Big Integer”
34. Intentional Data damage
WARNING: Don’t Try this at Home!
http://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=44&utmn=393079074&utmhn=domain.com&utmt=tran&utmtid=8148350&utmtst=affiliation&utmtto=-9223372036854775807&utmttx=-9223372036854775807&utmtsp=0.00&utmtci=-&utmtrg=-&utmtco=-&utmcs=UTF-8&utmsr=1366x768&utmvp=1366x550&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=11.9 r900&utmdt=TITLE&utmhid=509485053&utmr=-&utmp=/&utmht=1385061484294&utmac=UA-XXXXX-1&utmcc=__utma=251194116.2116214072.1385060410.1385060410.1385060410.1; __utmz=251194116.1385060410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qjAL~
35. Solution/Counter-measure for intentional Data Damage
Tool to manually fix…
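As an added illustration of the counter-measure (example code written for this page, not Phil Pearce's tool), this Python check parses legacy __utm.gif hits before they are accepted and flags transaction totals outside a plausible range, such as the quintillion above, or hostnames outside an allow-list. The sample hits, the allow-list and the revenue ceiling are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Hostnames we own; anything else is a hit injected from elsewhere
# (the same idea as the hostname include filter later in the deck). Assumed values.
ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}
# Plausible single-order revenue ceiling; assumed value for this example.
MAX_ORDER_REVENUE = Decimal("100000")

BASE = "http://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utmac=UA-XXXXX-1"
SAMPLE_HITS = [  # constructed hits, not captured traffic; UA-XXXXX-1 is a placeholder property id
    BASE + "&utmt=tran&utmhn=yourdomain.com&utmtid=1001&utmtto=49.99",                  # normal order
    BASE + "&utmt=tran&utmhn=yourdomain.com&utmtid=8148350&utmtto=-9223372036854775807",  # the "Big Integer"
    BASE + "&utmt=tran&utmhn=evil.example&utmtid=1&utmtto=1e18",                       # foreign host, absurd total
    BASE + "&utmhn=yourdomain.com&utmp=/",                                             # ordinary pageview
]


def check_hit(url):
    """Return the reasons this __utm.gif hit looks like data damage (empty list if clean)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    reasons = []
    host = params.get("utmhn", "")
    if host.lower() not in ALLOWED_HOSTS:
        reasons.append(f"hostname {host!r} not in allow-list")
    if params.get("utmt") == "tran":  # transaction hit: utmtto carries the order total
        raw = params.get("utmtto", "")
        try:
            total = Decimal(raw)
        except InvalidOperation:
            reasons.append(f"unparseable transaction total {raw!r}")
        else:
            # is_finite() first: comparing a NaN Decimal would itself raise
            if not total.is_finite() or total < 0 or total > MAX_ORDER_REVENUE:
                reasons.append(f"implausible transaction total {total}")
    return reasons


def triage(urls):
    """Map each suspicious hit to its reasons; clean hits are dropped."""
    results = {u: check_hit(u) for u in urls}
    return {u: r for u, r in results.items() if r}


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_HITS).items():
        print(hit, "->", "; ".join(why))
```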
36. Fine calculator
Fine = (No. users affected × Scale of badness × Size of brand)
       ÷ (Website risk assessment + Vendor privacy self-certification)
37. Sony €320K fine by ICO for email &
Adobe password Breach expected to be
Here is a Fine example
38. Breach notification
notify DPA within
of time, but not
to notify public!
39. Consumers VS Advertiser
But there is still an Imbalance in the force
• Maturity in Advertising sector
• User data allows better Ad targeting = €
• MORE data better targeting = €€
41. Data is power
42. Rise of the
Big Data Empire
43. Data Greed
Fear of losing existing user data
45. Group/Class Action Wars
Note: “Class” is a collective of users
(e.g. “South Bohemian Mothers group” vs Temelin nuclear Power plant)
46. Define: Class Action Prosecutor
they represent the users.
Like Affiliates (i.e. revenue motivated)
but with larger resources & cleverer
47. US Class Action Prosecutor:
Like bounty hunters, but more
48. BIG class-action fines in US
49. Do class action lawsuits exist in Europe
or are they only in US?
50. Class Action Prosecutors:
also now active in UK!
e.g. Google UK vs Olswang Class Action
(Safari 3rd party cookie bypassing on iOS)
51. First ever UK “group action” vs Google UK in
Feb 2013 claiming 10m Safari users affected
www.googlelawsuit.co.uk and www.facebook.com/SafariUsersAgainstGooglesSecretTracking
UK test case, could set
EU class-action cases!
52. Successful class action raids in
Settlement funds split 50:50 between users and Class Action lawyers
Previous settlements 70:30, thus a smaller % cut for Class
Action Lawyers, but a huge number of users in the claim.
53. W3C republic – A new hope for Truce
Must be UNSET by default
DNT user signal
54. Browsers ignore the W3C consensus on DNT
Firefox: Talks about a blockade of
3rd party cookies
MS: Windows 8 IE10 rolls out DNT=1
which is UNSET by default!
55. Firefox Lost battle: Too many False positives
Firefox says its Han's
are tied for a few months
on 3rd party cookies
Dark Side too
56. MS IE10 DNT=1 browser
ON by default…
…Both Apache &
Yahoo threaten to
57. Allow “Good”
Alternative Cookie Clearinghouse
proposed (like stopbad malware list)
58. 2 years reign!
Infighting & disunity between
Advertisers & Privacy Advocates.
Definition of Tracking (DNT) still
59. Group “almost”
Peter Swire - Chief resign
Jonathan Mayer – Firefox resigns
Digital Advertisers Association –
Old W3C republic
Durnt, durnt, durnt… durnt, dan ner!
61. New Imperial Advertising Principles
AdChoices proposed as
replacement for W3C's DNT
62. Privacy in the Universe restored!
Users have choice & freedom within
the Global Imperial Empire
63. But… The secret arms race
64. The Dark Star
Also affiliate networks start
building Device Signature
conversion tracking tools:
We (tradedoubler.com) are looking at options such as device recognition,
using non-personally identifiable information that is freely available from a
user’s device. Using advanced matching algorithms a single device can
be recognized at the point of impression/click and conversion without the
cookies/ [Jun 2013]
BIG Data Centre with ability to
1. Device Signature tracking
2. UserID respawn
3. Custom Remarketing
study (by KU Leuven University)
66. War for Anonymity
(aka War of Shadows)
67. Browser (excluding Chrome) secretly
move to anonymise device signatures
So that all
extensions look the
68. Facebook(Borg) & Google (Empire)
Use Force-browser power, to set
DNT=0 (Do Target Me)
when user signs into service (messenger/gmail)
69. Prism Tracker
Unexpected “Snowden monster”
Enforcers/regulators get a boost of user support
70. Headless Browser robotic crawler
causing havoc in GA data!
Impossible to differentiate from a real user!
headless browser is a
WITHOUT a user
might be only way to
exclude Headless Browser
Dark get darker
(e.g. IE fav icon 3rd party
cookies bypassing browser
White get whiter
& ixquick.com, mezzobit.com
increase in usage)
73. Return of the Jedi Strike
2015 invasion of Privacy officers
Forced 5% global revenue power
(max €100 million)
University Research divisions
expand use of Taint Droids
Note: Anti-train droid link:
74. $ Fines/Lawsuits
Low Chance of
High Chance of
Balance of Power
Ad Revenue $
(in the middle)
Google Data Empire
75. …HAS CAUSED
& A MUDDLE
76. Data Dealer video
77. THIS HAS CAUSED
& A MUDDLE
78. So… Are we the bad guys?
79. In the eyes of the user… YES!!
80. …How do WE prevent
(and niche bad players)
misusing user data/power?
81. With Great Data
comes Great responsibility
82. Industry needs to govern
& enforce itself!
Look to the future…
83. That means YOU need to agree
not to break the analytics code of honour
AND make sure no one else abuses the system!
looks a bit
84. Standards & Self regulation
• Vendor built-in privacy & misuse protection
• Adwords & Adsense ToS levels
• Affiliate network guidelines
• WAA Code of Conduct
• GA qualified individual
• GAP certified partner
• WAA Certified Ethical Analyst
• Risk assessment / Compliance audit
• Third party reviews & compliance automated monitoring
85. Please look out for U.i.O
User Intent Override
86. Is this a User Intent Override?
87. ONE exception…
(false U.i.O sighting)
Reads tracking message &
they still say… YES, track me!
Then it's not UiO
self – tracking
88. Need for Industry standards and honeypot
/ seed tests.
Forced Training & Accreditation (e.g.
Certified Analyst or MOWA member)
Google Adwords privacy cpc tax and
Google organic SERP ranking bonus
(SSL as ranking signal is a start)
89. Fixes (GA profile filters)
GA profile filters:
Hostname include filter: (^|\.)yourdomain\.com$ (dots escaped, so a lookalike hostname cannot match)
ISP location exclude Ask.com bot: ^(inktomi corporation|iac search and media europe ltd|iac search media inc|yahoo! inc.|facebook inc.|stumbleupon inc.|dub6 ec2|site confidence test agent servers|site ?confidence|apache ltd.|nielsen netratings|affinity internet inc|microsoft corp)$
Top content report - Contains box: (email|add|postcode|zipcode|tel) or [?&](.+)=(.*)gmail.com
Weekly scheduled report to check for the above
Check data stored in utm_content, User-defined, CustomFields & Event fields
Check all GA profiles including the Raw Data profile for
PII, and add exclude parameters where necessary.
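As an added example (written for this page, not the deck's own tooling), the following Python pass applies the Top Content regexes above to constructed page paths and produces the comma-separated list for the view's exclude-parameters setting that the accidental-PII counter-measure slide points to. The sample paths are constructed, and the e-mail pattern generalises the deck's "...=(.*)gmail.com" to any domain.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names from the deck's Top Content "Contains" regex. Note the deliberate breadth:
# "add" also hits "address" and "tel" hits "hotel", so review matches rather than auto-delete.
PII_KEY_RE = re.compile(r"(email|add|postcode|zipcode|tel)", re.IGNORECASE)
# A value that itself looks like an e-mail address (assumed generalisation of "=(.*)gmail.com").
EMAIL_VALUE_RE = re.compile(r"[^@\s/&=]+@[^@\s/&=]+\.[a-z]{2,}", re.IGNORECASE)

SAMPLE_PATHS = [  # constructed page paths as they would appear in the Top Content report
    "/thankyou.html?orderid=8148350&email=jane.doe%40gmail.com",
    "/contact?subject=hello&tel=%2B44%207700%20900123",
    "/search?q=red+shoes&page=2",
    "/newsletter?u=someone@example.org&ref=footer",
]


def find_pii_params(page_path):
    """Return {param: reason} for query parameters of one GA page path that look like PII."""
    found = {}
    # parse_qsl decodes %40 -> @ and %20 -> space, matching what GA would store
    for key, value in parse_qsl(urlsplit(page_path).query, keep_blank_values=True):
        if PII_KEY_RE.search(key):
            found[key] = "suspicious parameter name"
        elif EMAIL_VALUE_RE.search(value):
            found[key] = "value looks like an e-mail address"
    return found


def exclude_parameter_list(page_paths):
    """Comma-separated parameter names ready for the view's exclude-URL-query-parameters box."""
    names = set()
    for path in page_paths:
        names.update(find_pii_params(path))
    return ",".join(sorted(names))


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", find_pii_params(path))
    print("Exclude URL Query Parameters:", exclude_parameter_list(SAMPLE_PATHS))
```

Run the same function over the utm_content, user-defined and event fields the deck lists; the parameter-name rule still applies, the e-mail rule catches values stored outside the URL.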
90. Fixes (process changes)
Training for developers and marketers
Check Scheduled reports not sending to
Limit the number of Admin users
Enable 2-stage authentication if possible.
Look for unusual variances or data spikes in
GA (especially new visits to homepage)
CPA audits (GA vs Affiliate report)
91. Back to the present day…
92. Expected soon
Yikes… are they Disabling Tracking??
…California DNT track law Sept 2013
93. I'll be track-ed (still)
No! California just asks for DNT visibility
(i.e. Does your server read the DNT signal?)
Use a tag management system, that is configured with
digitalData layer privacy features enabled (see appendix)
Try to use POST request rather than GET request where
possible, or a form action=/thankyoupage.html
Keep pdf reader, flash & java updated
Lock down FTP to a fixed set of static IPs, use long passwords,
and ideally use 2-stage Authentication for GTM write-access.
95. Recent development… Privacy Vigilantism
• Egypt Gov “disconnected the
Internet” to control dissidents
• Anonymous coordinated with
dissidents to re-setup internet
communications in Egypt
• They ignore the law!
• Young & inexperienced
• “Splitter groups” & “out of control”
- hacking random websites!
Small Group of Users are revolting: Anonymous
96. This is how things should be…
Google acts even
Facebook introduces a more
human(friendly) privacy interface
Users should not need to rely
on despicable class action lawyers
Enforcers become just watchers
not needing to intervene
97. May the Data be on your side!
20:10 MyCool King +
21:00 Charlie Straight
22:15 midi lidi
98. May 4th be with you!
But.. be careful of the 5th November!
May the force
And 25th December - I feel your presents
99. Please Sign up to be a force for good…
Google for “DAA code of ethics” or “MOA code of conduct” Please Sign!
102. DISCLAIMER – I'm not a lawyer
GA terms of service
Privacy Trouble shooter
Report a privacy concern
Contact Google Analytics
Report a security concern
103. Discussion Questions
How much is your data worth?
Can you afford to drive traffic in the dark with no
Is PII or sensitive data or urls being accidentally
Can competitors detect that PII data is being sent
Are you in a very competitive industry?
When was the last time you audited your WA
Are you capturing data that easily allows an
individual to be “linked” or “re-identified” by Google
(e.g. detailed demographic data example, or
Netflix.com + IMDB.com example1 or example2)
104. Related presentations & resources
CookieTAB virus screenshots
Effect of EU Cookie law on US
Recipe for a Cookie Law
Cookie law Implementation Examples
Cookie compliance Audit - Example.docx
CookieLaw research in 90mb Dropbox:
External privacy feedback mechanisms:
www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form]
addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism]
m&cmpt=q [user web searches in category of “privacy” per country]
Security & Privacy prize of up to £13K offered by Google for detecting holes:
Example XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008-
Open Source feedback techniques
Free to check cookie databases: