by Phil Pearce
This audit was conducted using publicly available data
from GoogleNews, the Adword KW tool, AHREF.com,
MyWOT.com & other web content sources.
It was designed to find any possible "holes in the
armour" and thus strengthen them.
You have my permission to use this template to help
understand & strengthen other vendors' tools.
Phil Pearce (Aug 2013)
Were these 4 users on the previous slide
a non-representative sample?
Re: Clicktale = Spyware?
Yes (at the moment), but…
Concerned users ARE searching for
• Privacy principles for Customers of ClickTale:
• Funny Cookie video for users tracked by ClickTale
1. Do users know what ClickTale is/does? (Privacy video)
2. Example of what it stores about them? (e.g. cookie values)
3. Reasons to leave this turned ON? (Value exchange)
Lack of understanding or reassurance
= “Just disable/block it”
Meta description not
suitable… Disable and get
100 FREE recordings?
Business owners increasingly
concerned about privacy fines:
Large Enterprise even more concerned
and at risk:
clicktale privacy & security
clicktale privacy compliance
clicktale privacy breaches
clicktale privacy ethics
clicktale privacy officer
clicktale privacy director
This is good
• "security fixes patched" in PHP module
Release 0.23 (to allow the ClickTale bot to cache
• And responding to customer concerns on the
This is good, very good,
but ONLY on the Wiki, not the Main site!
How will visitors’ privacy be affected?
Your visitors’ privacy is a top priority for us. That’s why we make every effort to protect your visitors’ personal information.
1. ClickTale does not collect any personally identifiable information unless a visitor voluntarily and knowingly submits this type of
2. Password fields are never recorded. During session playback asterisks are displayed instead of the input.
3. Any text that a visitor enters into a form but does not submit is hidden. You can still generate Form Analytics reports on these
fields, but you are not able to view the text.
Can ClickTale be used to record sensitive personal or financial information?
• We require that you block recording of any sensitive personal or financial information about your visitors by using the ClickTale
• ClickTale subscription and revoke your access to all past, present and future recordings. You can use the ClickTaleSensitive
class to censor information entered into form fields or the ClickTaleExcludeBlock method to prevent the recording of any
element on your page.
Do my visitors know they are being recorded?
• The recording process itself is completely transparent to the end user. However, all ClickTale subscribers should place a
Question: Over all time (and per month), how many subscriptions have been revoked due to
PII, AND who reported/detected these: was it the end user, the client, staff, or a regulator?
Can ClickTale track visitors after they leave my site?
• No, ClickTale can only track visitors on the specific web pages that contain your ClickTale tracking code.
Can my visitors choose not to be recorded?
• Yes, we offer an opt out option for anyone who does not want to be recorded. This inserts a cookie within your visitor's browser
that will prevent them from being recorded by any ClickTale customer.
How secure is my data?
• Very secure. ClickTale takes several steps to ensure your data’s security.
• We restrict employees’ access to your data. ClickTale employees cannot access your data unless you provide us with your
password and specific permission to access your account.
• HTTPS page data is passed to the ClickTale servers via SSL and is fully encrypted.
• Our servers are hosted at SAS 70 Type II certified data centers.
• We use firewalls to limit access to the ClickTale servers.
• We regularly apply updates to servers, OS, firewalls and all software to prevent security vulnerabilities.
Doh! Not a good idea to use this screenshot in
the wiki: firstname.lastname@example.org
is being tracked
Link to page:
Yikes! Is this a deprecated feature??
n=2010_10_21_110&ct=enable,t(2010_10_21_110),t(Customer Name=Eul lee)
404 handler needs updating
is not redirecting to
is not redirecting to
Wiki - Changing the form action from
POST to GET could have privacy
Is ClickTale bot a
Backdoor/Firewall security risk?
• Bypass companies' firewalls by whitelisting our
servers' IP ranges, which are 22.214.171.124/26
and 126.96.36.199/26, and opening a network
connection (normally port 80/443) for the
ClickTale bot from these IPs to the site's ports
on your server (e.g. 8080)
Concerning Auto-Refill Data captured by the
ClickTale bot & FetchFromWithCookies
• Auto form restoration occurred when the ClickTale bot tried to cache a page with
websiteSessionIdToken=1234 or FetchFromWithCookies.
Excluding/removing the website session ID would be advisable (if possible).
• Also, client-side HTTP content upload should be used with caution:
Question: When using
FetchFromWithCookies, is data always
sent over SSL back to the ClickTale server?
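The following is an added example (not ClickTale's code and not from the deck) of the "exclude the session ID" advice above: a small sanitiser that a site or a proxy in front of it could apply to a request before a caching bot is allowed to fetch a page with cookies, so that server-side auto form restoration has no session to restore a visitor's data from. The parameter name websiteSessionIdToken comes from the slide; the other cookie names, the regex heuristic and the sample URL/cookie header are constructed assumptions.

```javascript
// Added example: strip session identifiers from a URL and a Cookie header
// before handing the request to a page-caching bot.
// Assumption: the names below (apart from websiteSessionIdToken, which the
// slide names) are illustrative; extend the set for your own framework.
const SESSION_NAMES = new Set([
  'websiteSessionIdToken',
  'PHPSESSID', 'JSESSIONID', 'ASP.NET_SessionId', 'sessionid', 'sid',
]);

// A name is treated as session-bearing if it is listed or merely looks like one.
function isSessionName(name) {
  return SESSION_NAMES.has(name) || /sess(ion)?/i.test(name);
}

// Remove session-bearing query parameters; returns the clean URL and what was dropped.
function stripSessionFromUrl(urlString) {
  const url = new URL(urlString);
  const removed = [];
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const key of Array.from(url.searchParams.keys())) {
    if (isSessionName(key)) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  return { url: url.toString(), removed };
}

// Remove session cookies from a raw "Cookie:" request header value.
function stripSessionFromCookieHeader(cookieHeader) {
  const kept = [];
  const removed = [];
  for (const part of cookieHeader.split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const name = pair.split('=')[0].trim();
    if (isSessionName(name)) removed.push(name);
    else kept.push(pair);
  }
  return { cookie: kept.join('; '), removed };
}

// Sanitise both at once; this is what a proxy would call per bot request.
function sanitizeForCachingBot(urlString, cookieHeader) {
  const u = stripSessionFromUrl(urlString);
  const c = stripSessionFromCookieHeader(cookieHeader || '');
  return { url: u.url, cookie: c.cookie, removed: [...u.removed, ...c.removed] };
}

// Constructed sample input (not captured traffic).
const SAMPLE_URL = 'https://shop.example/checkout?websiteSessionIdToken=1234&page=2';
const SAMPLE_COOKIE = 'PHPSESSID=abc; theme=dark; websiteSessionIdToken=1234';

function demo() {
  return sanitizeForCachingBot(SAMPLE_URL, SAMPLE_COOKIE);
}

console.log(demo());
```

Applied to the sample, only the non-session cookie (theme=dark) and the non-session query parameter (page=2) survive, so a page fetched with the sanitised request renders as an anonymous visitor would see it. The same gate is the natural place to log which identifiers were stripped, which answers the "who detected it" question raised earlier.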
Database append risks
• Lots of integrations with other tools:
Too much data = increased risk
of identifying the user in the
real world, or capturing sensitive
Be especially careful in the Health and
Finance sectors to avoid capturing
sensitive personal data
Monitor this follow-up user study
Be careful… Cited in privacy research paper
Appendix: Ghostery page incorrect?
Digital Analytics Association
Is this Data Sharing entry correct?
No category for
Links to privacy policies
Debug mode – shows if user has opt-out and rate of recording (e.g. 1 in 334 on www.conrad.de/ce/?ct=debug)
Hosted tracking scripts:
Appendix – digitalData layer notes
Need for standardised field names or classes, e.g.
class="digitalData_sensitive" or class="ClickTaleSensitive"
The dataLayer object can be used to disable all field tracking, but this greatly reduces the
insight gained from the Customer Experience Analytics tools.
Here is an example of disabling via this technique:
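The slide's own snippet did not survive extraction. What follows is an added example in JavaScript, not from the deck and not ClickTale's code: rather than switching field tracking off wholesale, it tags only fields that look sensitive with the ClickTaleSensitive class that ClickTale's FAQ (quoted earlier on this page) names for censoring field input, and falls back to censoring every field when a data-layer flag is set. The name/autocomplete heuristics, the digitalData.page.sensitive flag and the sample fields are assumptions, not a standard.

```javascript
// Added example: tag sensitive form fields for censoring instead of
// disabling all field tracking. Works on real DOM inputs or on plain objects
// carrying name/id/type/autocomplete/className (used here so it runs in Node).
// Assumption: heuristics below are illustrative; tune them for your forms.
const SENSITIVE_NAME = /pass|pwd|card|ccnum|cvv|cvc|ssn|iban|account|dob|birth|health|diagnos/i;
// WHATWG autocomplete tokens that mark payment or credential fields.
const SENSITIVE_AUTOCOMPLETE = /^(cc-|new-password|current-password|one-time-code)/;

function isSensitiveField(field) {
  if (field.type === 'password') return true;
  if (SENSITIVE_AUTOCOMPLETE.test(field.autocomplete || '')) return true;
  return SENSITIVE_NAME.test((field.name || '') + ' ' + (field.id || ''));
}

// Add a class without clobbering existing ones and without duplicates.
function addClass(field, cls) {
  const classes = (field.className || '').split(/\s+/).filter(Boolean);
  if (!classes.includes(cls)) classes.push(cls);
  field.className = classes.join(' ');
}

// digitalData.page.sensitive (hypothetical flag) is the blunt site-wide switch;
// when it is false only fields judged sensitive are censored.
function tagSensitiveFields(fields, digitalData) {
  const censorAll = Boolean(digitalData && digitalData.page && digitalData.page.sensitive);
  const tagged = [];
  for (const f of fields) {
    if (censorAll || isSensitiveField(f)) {
      addClass(f, 'ClickTaleSensitive');
      tagged.push(f.name || f.id);
    }
  }
  return tagged;
}

// Constructed sample fields standing in for a checkout form.
function sampleFields() {
  return [
    { name: 'email', type: 'text', className: 'form-control' },
    { name: 'pw', type: 'password', className: '' },
    { name: 'cardnumber', type: 'text', autocomplete: 'cc-number', className: '' },
    { name: 'qty', type: 'number', className: '' },
  ];
}

function demo() {
  const fields = sampleFields();
  const tagged = tagSensitiveFields(fields, { page: { sensitive: false } });
  return { tagged, classes: fields.map((f) => f.className) };
}

console.log(demo());
// In a browser, run once the form is in the DOM, before the tracking script fires:
// tagSensitiveFields(Array.from(document.querySelectorAll('input, textarea, select')), window.digitalData);
```

The ordering matters in practice: the class must be present before the recorder samples the field, so run the tagging on DOM-ready ahead of the vendor snippet, and treat the heuristic as a safety net under an explicit allow-list maintained with the form owners rather than a substitute for one.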
Monitor AdBlocker lists
and report false positives for spyware