Blackhat Analytics 3 @ superweek - Do be evil: Force awakens
3,607 views. Published in: Software

1. BlackHat Analytics 3: Do Be Evil: Force Awakens
2. Welcome. Phil Pearce: Analytics Expert & Master of the Dark Arts, Freelancer (@philpearce, linkedin.com/in/philpearce). Web Analytics Exchange mentor; 750 GA questions answered; Tracking Protection Group (DNT). #SPWK @philpearce
3. Fun fact... I'm an identical twin... He recently got married.
4. I organised a stag party for my brother... As you can see, I'm the evil one ;)
5. Why was I Darth Maul... Because my uncle was... Darth Vader!
6. Blackhat Analytics summary: 1. Definition 2. History and evolution 3. Example techniques 4. Light & Dark task 5. Questions
7. A long time ago... in a Google universe far, far away...
8. Define: Blackhat Analytics
9. Define: Blackhat Analytics: "0" results.
10. If you do this search now...
11. It turns out... I know more than Google ;) (the results: me, me, me, me)
12. Definition: the intentional act of distorting, deleting, unethically using, or hijacking web analytics (WA) data using technical or legal loopholes, with the goal of making financial gains or obtaining a competitive advantage. (Phil Pearce, 2009)
13. How did we get here... 1. Intentionally abusing the system. 2. Accidentally abusing the system. 3. Automatic monitoring & enforcement of the system.
14. 1. Intentionally abusing the system
15. Early malicious techniques/attacks: referral backlink log spam (deprecated SEO technique). These links are now no-followed and no longer pass PageRank.
16. Early malicious techniques/attacks: referral backlink log spam (to get traffic from website owners who follow the referrer back). The "Exclude bots" GA setting should prevent this. Caveat: referrer spam sent straight to GA's collection endpoint never loads the page, so bot filtering alone does not catch it; a hostname filter on the view is needed as well.
17. Early malicious techniques/attacks: GA log spam (spider visits that execute the tracking JS). Exclude robot hits via the IAB blacklist tickbox in GA.
18. Early malicious techniques/attacks: visited-links CSS hack (history sniffing). Browser patches for :visited link colours made the method harmless.
19. Early malicious techniques/attacks: Flash cookie respawn (zombie cookies). Chrome privacy settings were integrated with the Flash control panel.
20. Early malicious techniques/attacks: EverCookie (all of the previous techniques and more!). Tor Browser (anonymous browsing).
21. Revenue spam
22. Counter-measure for revenue spam: https://developers.google.com/analytics/devguides/collection/analyticsjs/enhanced-ecommerce#measuring-refunds. Tool to manually fix... bit.ly/bigintegerfix
23. *Edge-case example: small startups like beencounter. Intentional blackhat is rare, and users don't care.
24. 2. Accidentally abusing the system
25. Accidental email PII
    www.yoursite.com; privacy@google.com; https://support.google.com/adwords/answer/8206?contact=1&rd=1
    Search: site:competitor.com inurl:"utm_content * gmail.com"
    e.g. https://www.google.com/search?q=inurl:de+inurl:utm_content+*+gmail+-blog+-google&pws=0&num=100&filter=0&as_qdr=all&cad=b&biw=1921&bih=869&dpr=1&cad=cbv&sei=qkK9VKiRHJLvat-ggbgF
    Example hit: www.centredeformationjuridique.com/E-learning/v3/soutien/interface/index.php?page=cs.call_menu&menu_use=[ID_MENU]&email=NAME.REMOVED@gmail.com&mdp=coutcout&utm_medium=SMS&utm_source=CS_2014&utm_campaign=ouverture_inscriptions_intensif2&utm_content=Paris
    (the email= parameter is the accidental PII; the mdp= parameter next to it, French for password, is worse: both end up in the GA page report of whoever tracks that page)
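The search on slide 25 finds PII that campaign parameters have already leaked; the Light Score (item 8) and the Dark Score (items 6 and 7) later treat emails and passwords in the GA URL report as the thing to alert on and remove. What follows is an added example, not code from the deck or from Google: a browser-side helper that flags such rows in an exported Pages report and redacts the path before a pageview is sent. The secret-parameter list, the sample rows (modelled on the deck's own URL) and the `redacted` placeholder are assumptions for the demo; `ga('set', 'page', ...)` and the `anonymizeIp` field are standard analytics.js.

```javascript
// Added example (not from the deck): find PII leaking into Google Analytics
// page paths through query parameters such as utm_content=<email>, and
// redact it before the pageview is sent. The Light Score's "custom alert on
// URLs containing @" only sees the literal character, so %40-encoded
// addresses and password-style parameters slip past it; this catches both.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Parameter names that usually carry secrets (assumed list). "mdp" (mot de
// passe) is the French password field in the deck's own example URL.
const SECRET_PARAMS = new Set(['password', 'passwd', 'pwd', 'pass', 'mdp', 'pin', 'token']);

// Constructed rows shaped like a GA "Pages" report export; not real data.
const SAMPLE_PAGES = [
  { page: '/index.php?page=cs.call_menu&email=NAME.REMOVED@gmail.com&mdp=coutcout&utm_medium=SMS&utm_content=Paris', pageviews: 3 },
  { page: '/confirm?utm_content=NAME.REMOVED%40gmail.com&utm_source=newsletter', pageviews: 12 },
  { page: '/products?category=shoes&utm_source=cpc', pageviews: 900 },
  { page: '/account?user=jane&pwd=hunter2', pageviews: 1 },
];

// Percent-decode without throwing on malformed input (GA paths are not
// guaranteed to be well-formed).
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split a GA page path into pathname and decoded query pairs; no DOM needed.
function parseQuery(page) {
  const q = page.indexOf('?');
  const path = q === -1 ? page : page.slice(0, q);
  const query = q === -1 ? '' : page.slice(q + 1);
  const params = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : safeDecode(pair.slice(eq + 1));
    params.push({ key, value });
  }
  return { path, params };
}

// One finding per leaking parameter: which key and what kind of PII.
function findPii(page) {
  const { path, params } = parseQuery(page);
  const findings = [];
  if (EMAIL_RE.test(safeDecode(path))) findings.push({ key: '<path>', kind: 'email' });
  for (const { key, value } of params) {
    if (SECRET_PARAMS.has(key.toLowerCase())) findings.push({ key, kind: 'secret' });
    else if (EMAIL_RE.test(value)) findings.push({ key, kind: 'email' });
  }
  return findings;
}

// Rewrite the path so the hit can still be sent without the PII: secret
// parameters are dropped, email-shaped values are replaced. Campaign
// parameters survive, so attribution is not lost.
function redactPage(page) {
  const { path, params } = parseQuery(page);
  const kept = [];
  for (const { key, value } of params) {
    if (SECRET_PARAMS.has(key.toLowerCase())) continue;
    const clean = value.replace(new RegExp(EMAIL_RE.source, 'g'), 'redacted');
    kept.push(encodeURIComponent(key) + '=' + encodeURIComponent(clean));
  }
  return kept.length ? path + '?' + kept.join('&') : path;
}

// Audit an exported report: only rows that leak, worst (most pageviews) first.
function auditReport(rows) {
  return rows
    .map(r => ({ page: r.page, pageviews: r.pageviews, findings: findPii(r.page) }))
    .filter(r => r.findings.length > 0)
    .sort((a, b) => b.pageviews - a.pageviews);
}

// At collection time (analytics.js) call this instead of a bare
// ga('send', 'pageview'): the redacted path is what reaches Google.
// `ga` only exists in a browser that loaded analytics.js; guarded so the
// file also runs under Node.
function sendRedactedPageview(pathAndQuery) {
  const page = redactPage(pathAndQuery);
  if (typeof ga === 'function') {
    ga('set', 'anonymizeIp', true); // Light Score item 6
    ga('set', 'page', page);
    ga('send', 'pageview');
  }
  return page;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of auditReport(SAMPLE_PAGES)) {
    console.log(row.pageviews, row.page, JSON.stringify(row.findings));
  }
}
```

Run it against a real Pages export (page path and pageviews columns) to see which URLs would already have tripped Google's "no PII" clause; in the browser, pass `location.pathname + location.search` to `sendRedactedPageview` in place of the stock pageview call.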
26. Google Analytics Terms of Service (screenshot): "These Google Analytics Terms of Service (this "Agreement") are entered into by Google Inc. ("Google") and the entity executing this Agreement ("You"). This Agreement governs Your use of the standard Google Analytics (the "Service"). BY CLICKING THE "I ACCEPT" BUTTON, COMPLETING THE REGISTRATION PROCESS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT. In consideration of the foregoing, the parties agree as follows: 1. Definitions. "Account" refers to the billing account for the Service. All Profiles linked to a single Property will have their Hits aggregated before determining the charge for the Service for that Property. "Confidential Information" includes any proprietary data and any other information disclosed by one party to the other in writing and..."
27. Results in... GA account deleted (if in violation). "You must not collect any data that personally identifies an individual", such as: 1. full name 2. email address 3. billing information.
28. Don't worry... PII capture is not enforced: 1. It is not proactively (automatically) enforced. 2. Only reactive (manual) enforcement. The same goes for... "You must post a link to a Privacy Policy which has an opt-out..."
29. Validation that a privacy link is present is not automatically checked. 0.24% of domains using GA are compliant! = (17000 + 341 + 36000 + 11000) / 26416097 = 0.24%
30. Validation that a privacy link is present is not automatically checked:
    https://ahrefs.com/site-explorer/overview/prefix/?target=www.google.com/policies/privacy/partners/
    https://ahrefs.com/site-explorer/overview/prefix/?target=tools.google.com/dlpage/gaoptout
    https://ahrefs.com/site-explorer/overview/prefix/?target=www.aboutads.info/choices/
    Est. 5% of the backlinks are from German websites. Link growth to these pages should be increasing in line with GA usage; only tiny increases are seen.
31. No one proactively monitors, because cookies are "harmless".
32. 3. Automatic monitoring & enforcement of the system, aka automatic "health checks"
33. Example...
34. 2 years' reign! Infighting & disunity between advertisers & privacy advocates. Definition of tracking (DNT) still not defined! http://www.theregister.co.uk/2013/11/05/do_not_track_w3c_ads_privacy/ (the W3C republic)
35. Group disbanded: Peter Swire (chair) resigns; Jonathan Mayer (Firefox) resigns; Digital Advertising Alliance leaves the group! (Old W3C republic.) Key member Thomas Roessler joins Google!
36. Imperial: "Durnt, durnt, durnt... durnt, dan ner!" External feedback mechanism.
37. New imperial advertising principles: AdChoices proposed as replacement for the W3C's DNT. Source: http://www.adweek.com/news/technology/daa-convene-new-do-not-track-group-updated-153023
38. Feedback example: http://www.wordstream.com/blog/ws/2014/01/22/adchoices, http://www.youronlinechoices.com/hu/, http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/
39. ICO cookie law investigations didn't happen. They got more complaints about spam text messages, so focused on those instead.
40. SilkTide example from the UK.
41. Litmus test: are users' cookies for sale on Silk Road?
42. No one cares: users are not complaining, hence regulators are not enforcing.
43. 3. Google lost market share in search; now they care!
44. Google AdWords privacy CPC tax. SSL as a ranking signal: SERP organic ranking bonus. Google "Trusted Stores" program. Note: see the "Privacy as a ranking factor" slides and the TrustFactor video.
45. Practical example...
46. Light Score (ref: www.google.com/analytics/terms/us.html), [n] / 10
    1. Do you have a Privacy Policy? +1
    2. Do you link to the Privacy Policy in the global footer (or header)? try.powermapper.com +1
    3. HTML links on the Privacy Policy:
       - Do you mention that you use cookies, OR link to "How Google uses cookie data" www.google.com/policies/privacy/partners/ +0.25
       - Do you mention the words "Do Not Track" or DNT on the privacy policy? +0.25
       - Link to the GA opt-out plugin OR the GA opt-out page +0.25
       - Link to the DoubleClick remarketing opt-out OR an AdChoices link +0.25
    4. Has your Privacy Policy been updated within the last 12 months? +1
    5. If you are using session recording (e.g. ClickTale), have you set sensitive fields to either type="password" OR the relevant class, e.g. <input id="CreditCardPin" class="tracking-sensitive ClickTaleSensitive -metrika-nokeys" type="text">? +1
    6. Is anonymizeIp enabled for German visitors? +1
    7. Is GTM's 2-step authentication login setting enabled, OR the equivalent TMS setting? +1
    8. Do you have a GA custom email alert for URLs containing "@" or "@gmail"? +1
    9. Is the GA "exclude traffic from known robots" setting enabled? +1
    10. Have you actioned at least one GA health-check alert? +1
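Slides 29-30 and Light Score items 1-4 make the same point: no one, Google included, checks automatically whether a privacy policy exists, is linked from the global footer, and carries the cookie, DNT and opt-out references. Below is an added example, not from the deck, that runs that part of the audit offline against a site's home page and policy page HTML. The two sample pages and the `Last updated: YYYY-MM-DD` line it parses are constructed assumptions; the link targets it looks for are the ones the deck itself lists (google.com/policies/privacy/partners, tools.google.com/dlpage/gaoptout, aboutads.info/choices, youronlinechoices.com).

```javascript
// Added example (not from the deck): score the privacy-policy part of the
// Light Score (items 1-4) from static HTML, because the deck's point is that
// nobody checks these links automatically. Sample pages and the
// "Last updated: YYYY-MM-DD" format are assumptions for the demo.

// Constructed sample pages; not a real site.
const SAMPLE_HOME_HTML = `<html><body>
<header><a href="/">Home</a></header>
<main>Welcome to the constructed sample shop.</main>
<footer><a href="/about">About</a> <a href="/privacy">Privacy Policy</a></footer>
</body></html>`;

const SAMPLE_POLICY_HTML = `<html><body>
<h1>Privacy Policy</h1>
<p>Last updated: 2015-10-01</p>
<p>We use cookies and Google Analytics. See
<a href="https://www.google.com/policies/privacy/partners/">how Google uses data</a>.
You can install the <a href="https://tools.google.com/dlpage/gaoptout">GA opt-out add-on</a>.
We honour the Do Not Track header.</p>
</body></html>`;

// All href values on a page (a regex is enough for an audit; no DOM needed).
function extractHrefs(html) {
  const hrefs = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1]);
  return hrefs;
}

// Text a visitor would actually read, tags stripped.
function visibleText(html) {
  return html.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ');
}

// Item 2: a link whose href mentions "privacy" inside the global header or footer.
function hasGlobalPrivacyLink(homeHtml) {
  const blocks = homeHtml.match(/<(footer|header)\b[\s\S]*?<\/\1>/gi) || [];
  return blocks.some(b => extractHrefs(b).some(h => /privacy/i.test(h)));
}

// Item 4: policy updated within the last `months`, read from an assumed
// "Last updated: YYYY-MM-DD" line. `now` is a parameter so results are reproducible.
function updatedWithinMonths(policyHtml, now, months) {
  const m = visibleText(policyHtml).match(/last updated:?\s*(\d{4}-\d{2}-\d{2})/i);
  if (!m) return false;
  const cutoff = new Date(now.getTime());
  cutoff.setUTCMonth(cutoff.getUTCMonth() - months);
  return new Date(m[1] + 'T00:00:00Z') >= cutoff;
}

// Item 3: the four 0.25-point checks, using the link targets the deck lists.
const POLICY_LINK_CHECKS = [
  ['cookies mentioned or "How Google uses data" linked', (text, hrefs) =>
    /\bcookies?\b/i.test(text) || hrefs.some(h => h.includes('google.com/policies/privacy/partners'))],
  ['Do Not Track / DNT mentioned', (text) => /do not track|\bDNT\b/i.test(text)],
  ['GA opt-out linked', (_text, hrefs) => hrefs.some(h => h.includes('tools.google.com/dlpage/gaoptout'))],
  ['AdChoices / ad opt-out linked', (_text, hrefs) =>
    hrefs.some(h => /aboutads\.info\/choices|youronlinechoices\.com/i.test(h))],
];

// Partial Light Score for items 1-4 (max 4) plus the names of the checks passed.
function scoreLight(homeHtml, policyHtml, now) {
  const text = visibleText(policyHtml);
  const hrefs = extractHrefs(policyHtml);
  const passed = [];
  let score = 0;
  if (policyHtml.trim().length > 0) { score += 1; passed.push('policy exists'); }
  if (hasGlobalPrivacyLink(homeHtml)) { score += 1; passed.push('privacy link in header/footer'); }
  for (const [name, check] of POLICY_LINK_CHECKS) {
    if (check(text, hrefs)) { score += 0.25; passed.push(name); }
  }
  if (updatedWithinMonths(policyHtml, now, 12)) { score += 1; passed.push('updated within 12 months'); }
  return { score, passed };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = scoreLight(SAMPLE_HOME_HTML, SAMPLE_POLICY_HTML, new Date('2016-01-25T00:00:00Z'));
  console.log(result.score + ' / 4', result.passed);
}
```

Feed it the fetched HTML of a site's home page and policy page and add the result to the manual items 5-10; the missing AdChoices link in the sample is exactly the kind of gap the ahrefs backlink counts on slide 30 show is the norm.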
47. Force rankings: make a note of your Light score.
48. Darkness and the Light scorings (Light score column):
    10        Yoda
    6 to 8    Luke
    3 to 5    Leia
    0 to 2    Chewbacca
    0         Neutral zone
    -0 to -2  Darth Maul
    -3 to -5  Count Dooku
    -6 to -8  Darth Vader
    -10       Darth Sidious
49. Dark Score, [n] / 10
    1. 3rd-party cookies are being deployed on your website -1
    2. Have not enabled frequency capping on the Display network -1
    3. User-ID tracking is enabled but not declared to users on the privacy page
    4. GA data append via CSV upload (dimension widening) for User-ID as a custom dimension using sensitive data (e.g. financial grouping/status based on the user's postcode/address) -1
    5. Using device signature (Android app only) -1
    6. Email addresses stored in the GA URL report -1
    7. Passwords stored in the GA URL report -1
    8. Respawning the user's session-ID cookie after the user tries to clear cookies -1
    9. Using any of the techniques listed on evercookie -1
    10. Using GA to track the progress of trojan virus installations -100
50. Force rankings: make a note of your Dark score.
51. Darkness and the Light scorings: the same table as slide 48, now with both a Light score and a Dark score column.
52. Now: Light score - Dark score = actual score.
53. Darkness and the Light scorings: the same table, with a third column for the sum of both.
54. Overall score? A scale from -10 (malintent, bad) through accidental to +10 (good).
55. If you got a dark score, join these... the "MOA code of conduct" or "DAA code of ethics" will eventually introduce one: www.digitalanalyticsassociation.org/codeofethics, www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view
56. Thanks & questions. #SPWK @philpearce
57. Appendix...
58. DISCLAIMER: I'm not a lawyer.
    GA terms of service: http://www.google.com/analytics/terms/us.html, http://www.google.com/analytics/learn/privacy.html
    Privacy troubleshooter: http://support.google.com/bin/static.py?hl=en&ts=1291807&page=ts.cs
    Report a privacy concern: http://www.google.com/contact/
    Contact Google Analytics: http://support.google.com/analytics/bin/request.py?hlrm=en&contact_type=contact_policy, https://support.google.com/adwords/answer/8206?contact=1&rd=1
    Report a security concern: security@google.com, http://www.google.com/security.html
59. Discussion questions:
    - How much is your data worth?
    - Can you afford to drive traffic in the dark with no insight?
    - Is PII, sensitive data or sensitive URLs being accidentally tracked?
    - When was the last time you audited your WA installation?
    - Are you capturing data that easily allows an individual to be "linked" or "re-identified" by Google (e.g. the detailed demographic data example, or the Netflix.com + IMDB.com example1 or example2)?
60. Related presentations & resources:
    CookieTAB virus screenshots: https://www.dropbox.com/s/w0gprycb23ajguw/2011_03_18%20CookieTAB%20virus%20screenshots%20.pptx
    Effect of EU Cookie law on US businesses: https://www.dropbox.com/s/ces1m53mm7o4gmm/2012-10-04%20GAUGE%20Boston%20-%20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx
    Recipe for a Cookie Law: https://www.dropbox.com/s/l9n3gchusdv57bm/2011_03_18%20Recipe%20for%20a%20Cookie%20Law%20by%20Phil%20Pearce%20.pptx
    Cookie law implementation examples: https://www.dropbox.com/s/7q8qfxesk44tpkc/Implimentation%20Examples%20by%20Phil%20Pearce%202012_03_18.pptx
    Cookie compliance audit, example .docx: https://www.dropbox.com/s/idyrql6c1aniaw6/01%20UK%20Cookie%20compliance%20Audit%20-%20Example.docx
    CookieLaw research in a 90 MB Dropbox: https://www.dropbox.com/s/uapu90d7rc2uxl1/2012_Cookie_Law_Resources_Folder_40mb_Download.zip
61. Appendix. External privacy feedback mechanisms:
    safeharbor.export.gov/companyinfo.aspx?id=16626
    feedback-form.truste.com/watchdog/request?url=www.google.com
    www.bbb.org/sanjose/business-reviews/internet-services/google-in-mountain-view-ca-214105/file-a-complaint
    www.networkadvertising.org/contact-support/report-problem/i-would-report-violation-of-nai-code-nai-member-company-2
    www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form]
    addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism]
    www.google.com/trends/explore?hl=en#cat=0-14-54-1281&geo=US&date=today%203-m&cmpt=q [user web searches in the "privacy" category, per country]
    Security & privacy prize of up to £13K offered by Google for finding holes: www.google.com/about/appsecurity/reward-program/, blog.chromium.org/2012/08/announcing-pwnium-2.html
    Example XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008-12/msg00200.html
    Open-source feedback techniques: fourthparty.info/data, appanalysis.org/download.html
    Free-to-check cookie databases: www.cookielaw.org/cookie-search.aspx?domain=http://www.facebook.com, www.cookiecert.com/cookies-for-facebook.com, privacyscore.com/score_details/2a03b4fe8d9d4eb8b4fb0ccf356cbaaa/showcase