Unmanaged Tags - Data Protection in the Age of Mindless Proliferation

Slides for my talk at the Digital Analytics Meetups in Berlin Nov 2017.

Video is here: https://www.youtube.com/watch?v=iFDiRbcmP34&feature=youtu.be&t=1h23m (unrehearsed, so please excuse the less than graceful delivery).

Published in: Data & Analytics

  1. Unmanaged Tags - Data Protection in the Age of Mindless Proliferation. 14/11/2016, Digital Analytics Meetup Berlin
  2. So what is he talking about
       • Legal Guidelines, of limited usefulness
       • Tag Management, or, I think it would be a great idea
       • Should we even care, or, of course, but why
       • What do we do next, to make the world a little better
  3. Legal Guidelines: EU Directives, Other Rules, National Laws. WTF?
  4. Legal Guidelines
     EU Directives
       • informed consent as guiding principle
       • not a „cookie law“
     National Laws
       • Bundesdatenschutzgesetz, Landesdatenschutzgesetz
       • Telekommunikationsgesetz („Datensparsamkeit“)
     Other Regulations
       • Vendors‘ terms of service
       • Communiqués by privacy officers
       • International agreements (e.g. Privacy Shield)
  5. Legal Guidelines
     Laws provide guidelines
       • They tell us in broad terms what we can or can‘t do
       • If they are the same for all, they put us all on an even footing
     But there is always a but
       • Figuring out specifics might take legal counsel
       • Most of these rules apply only to personally identifiable data
       • But definitions are unclear and prone to change (e.g. IP addresses might be PII or not, depending on whom you ask)
  6. Tag Management
     The Problem
       • Developers are missing from that description
       • Marketers and even „webmasters“ are not necessarily tech savvy
       • Ease of use invites abuse
  7. Tag Management, dangers of
     TMS are JavaScript Injectors
       • They have been described as „XSS as a Service“
       • This is not actually funny
     Injected Tags run in the Page Context
       • They have access to all page data (forms, cookies, user data)
       • They can send data anywhere
     Other Problems
       • Tags may break SSL encryption
       • They may overwrite variables
       • They may load heaps of other stuff
  8. Tag Management and 3rd party tags
       • Many marketing tags are container tags
       • They may load other tags ...
       • ... which may load other tags ...
       • ... which may load even more tags ...
       • (You see where this is going)
       • Proliferation of tags makes control of data impossible
  9. Tag Management – Stop-gap measures
     Set Permissions
       • Exclude marketing from publishing (no offense meant)
       • Let developers do vetting of tags
       • Listen to them when they decline a tag
     Use Whitelists
       • Some TMS (e.g. GTM) allow you to whitelist/blacklist tags
       • You should prefer whitelists
       • If possible limit yourself to image tags and iframes
       • But if you allow custom HTML tags and JS variables you might as well not bother
     Kick Publishers‘ Butts
       • Why do they load 3rd party stuff anyway
  10. Tag Management – Stop-gap measures
     Browser Testing
       • Step manually through your site to see which tags are loaded
       • Ghostery lists all tags that are loaded
       • WASP Inspector displays dependencies between tags
     Continuous Testing
       • Ghostery offers an (expensive) business solution
       • For a homegrown solution, capture requests with a headless browser
       • (Automating everything is a PITA, so mock your page with just empty HTML, a datalayer and the TMS code)
  11. Tag Management – Stop-gap measures
     Content Security Policies
       • CSPs were originally designed to combat XSS
       • But then we know TMS are XSS as a service
       • CSPs set „allowed origins“ for scripts and other resources
       • They prevent forms from being hacked, ensure SSL encryption etc.
     Problems with CSPs
       • No support by IE, limited support by Edge
       • Notoriously difficult to manage
  12. Tag Management – Stop-gap measures
     Implementation of CSPs
       • CSPs are supposed to be set as HTTP headers
       • So for full support they need to be set on the server
       • However some features can be set via <meta> tags
       • So you can do some basic prototyping within your TMS
  13. Tag Management – Stop-gap measures
  14. Tag Management – Stop-gap measures
  15. Why do we care?
       • Because we are fundamentally good people
       • „Do unto others as you would have them do unto you“ (Jesus, attr.)
       • „Act only according to that maxim whereby you can at the same time will that it should become a universal law without contradiction“ (Immanuel Kant)
       • However in real life ethics often takes the back seat
  16. Why do we care?
       • „Every action has an equal and opposite reaction“ (Isaac Newton)
       • Ex.: A single lawsuit took down Safe Harbor
       • EU tightens regulations
       • People are getting worried and angry
       • The reaction might very well be rather disproportionate
  17. What do we do now?
     Transparency
       • Brilliant example: http://www.bbc.com/usingthebbc/cookies/
       • Problem: people prefer complaining over educating themselves
     Advocacy
       • We do expert meetups. Why don‘t we do „layperson“ meetups?
       • Problem: This might be viewed as lobbyism
     Doing a better job
       • Do more with less data
       • More respect for user preferences
       • Hold up our end of the bargain
  18. Who am I
       • Eike Pierstorff
       • Senior Implementation Consultant with e-dynamics
       • Job: e.pierstorff@e-dynamics.de
       • Casual: eike@diebesteallerzeiten.de
       • Blogging about Analytics here: http://www.flesheatingarthropods.org/
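
The "Continuous Testing" and "Content Security Policies" slides describe capturing requests from a mocked page and restricting scripts to allowed origins. The following is an added example, not part of the original slides: it audits a captured request list against a whitelist of vetted origins and derives a CSP header value from the same whitelist. All hostnames, the request list and the `type` field names are constructed assumptions.

```javascript
// Constructed allowlist: origins the developers have vetted, per CSP directive.
const ALLOWED = {
  'script-src': ['https://tms.example', 'https://analytics.example'],
  'img-src': ['https://analytics.example'],
  'frame-src': [],
};

// Constructed capture, shaped like a headless browser's request log
// (the "type" values are an assumption about that log's format).
const CAPTURED = [
  { type: 'script', url: 'https://tms.example/container.js?id=SAMPLE' },
  { type: 'script', url: 'https://analytics.example/analytics.js' },
  { type: 'image', url: 'https://analytics.example/collect?v=1' },
  { type: 'script', url: 'https://cdn.adnetwork.example/container.js' },
  { type: 'script', url: 'http://tags.partner.example/pixel.js' },
  { type: 'image', url: 'https://sync.partner.example/match.gif' },
];

const DIRECTIVE = { script: 'script-src', image: 'img-src', iframe: 'frame-src' };

// Return every captured request that the allowlist does not cover.
function audit(captured, allowed) {
  const findings = [];
  for (const { type, url } of captured) {
    const u = new URL(url);
    const directive = DIRECTIVE[type] || 'default-src';
    const origins = allowed[directive] || [];
    if (u.protocol !== 'https:') {
      findings.push({ origin: u.origin, directive, reason: 'not-https' });
    } else if (!origins.includes(u.origin)) {
      findings.push({ origin: u.origin, directive, reason: 'origin-not-allowed' });
    }
  }
  return findings;
}

// Turn the same allowlist into a Content-Security-Policy header value.
function buildCsp(allowed) {
  const parts = ["default-src 'self'"];
  for (const [directive, origins] of Object.entries(allowed)) {
    parts.push([directive, "'self'", ...origins].join(' '));
  }
  return parts.join('; ');
}

console.log(audit(CAPTURED, ALLOWED));
console.log('Content-Security-Policy: ' + buildCsp(ALLOWED));
```

Run against each TMS container version, a non-empty findings list shows which tags a vetted policy would block before the header is enforced on the server.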