
Clicktale Vendor Privacy Audit (August 2013)

This audit was conducted using publicly available data from GoogleNews, Adword KW tool, AHREF.com, MyWOT.com & other web content sources.

It was designed to find any possible “holes in the armour” and thus strengthen them.

You have my permission to use this template to help understand & strengthen other vendors' tools.

Thanks

Phil

Published in: Data & Analytics


  1. ClickTale Privacy review by Phil Pearce, Aug-2013
  2. Foreword: This audit was conducted using publicly available data from GoogleNews, Adword KW tool, AHREF.com, MyWOT.com & other web content sources. It was designed to find any possible “holes in the armour” and thus strengthen them. You have my permission to use this template to help understand & strengthen other vendors' tools. Phil Pearce (Aug 2013)
  3. Positive PR is important for ClickTale
  4. Users increasingly aware and concerned about privacy (US data)
  5. Evidence of “user confusion”: Clicktale = Spyware? “This thing is unauthorised and…” Mouse tracking, keystroke logging, monitoring
  6. Spyware = “Dangerous”?
  7. Were these 4 users on the previous slide a non-representative sample? Re: Clicktale = Spyware? Yes (at the moment), but…
  8. Concerned users ARE searching for reassurance: Clicktale “privacy monitor”
  9. Video privacy policy examples
     • Privacy principles for Customers of ClickTale: http://www.youtube.com/watch?v=_g6BSy0yJIc&list=PL45AABD8BB96D3785&index=15
     • Example of how a Government website uses cookies: http://www.youtube.com/watch?v=gqDZuS0xZjE&list=PL45AABD8BB96D3785
     • Funny Cookie video for users tracked by ClickTale: http://www.youtube.com/watch?v=A6fV2v7LLPo&list=PL45AABD8BB96D3785
  10. User privacy dashboard examples:
  11. Three things users need:
     1. Do users know what ClickTale is/does? (Privacy video)
     2. Example of what it stores about them? (e.g. cookie values)
     3. Reasons to leave this turned ON? (Value exchange)
     Lack of understanding or reassurance = “Just disable/block it”
  12. Result No. 2 for “Disable Clicktale”: Yikes! Meta description not suitable… Disable and get 100 FREE recordings?
  13. SEO backlinks to Privacy page increasing…
  14. Are ClickTale ToS being enforced? Q: Do all Clicktale customers have • an opt-out link • a link to the Clicktale privacy policy?
  15. Customers are deleting the opt-out backlink…
  16. What are business owners' views on privacy?
  17. Business owners increasingly concerned about privacy fines:
  18. Large Enterprise even more concerned and at risk: clicktale security, clicktale privacy & security, clicktale privacy compliance, clicktale privacy breaches, clicktale privacy ethics, clicktale privacy officer, clicktale privacy director
  19. This is good… New Director of Security
  20. This is good… “IP tracking removed” and no 3rd party cookies
  21. This is good: “Gain Customers' Trust” article
  22. This is good:
     • “security fixes patched” in PHP module Release 0.23 (to allow the ClickTale bot to cache pages)
     • And responding to customer concerns on the forum: http://forums.clicktale.com/viewtopic.php?p=6525&sid=a15af364c3e99f84fdfdf40ab22aeb9e#p6525
  23. This is good, very good, but ONLY on the Wiki, not the main site! http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured
     Privacy Assured: How will visitors’ privacy be affected? Your visitors’ privacy is a top priority for us. That’s why we make every effort to protect your visitors’ personal information.
     1. ClickTale does not collect any personally identifiable information unless a visitor voluntarily and knowingly submits this type of data.
     2. Password fields are never recorded. During session playback asterisks are displayed instead of the input.
     3. Any text that a visitor enters into a form but does not submit is hidden. You can still generate Form Analytics reports on these fields, but you are not able to view the text.
     Can ClickTale be used to record sensitive personal or financial information?
     • We require that you block recording of any sensitive personal or financial information about your visitors by using the ClickTale API (please see the Terms of use, section 7, for more information on this). Breaking these Terms of Use will instantly invalidate your ClickTale subscription and revoke your access to all past, present and future recordings.
     • You can use the ClickTaleSensitive class to censor information entered into form fields or the ClickTaleExcludeBlock method to prevent the recording of any element on your page.
     Do my visitors know they are being recorded?
     • The recording process itself is completely transparent to the end user. However, all ClickTale subscribers should place a disclaimer in their Privacy Policy letting their visitors know that they may be recorded. For more information please see our Terms of use.
     Question: Over all time (and per month), how many subscriptions have been revoked due to PII, AND who reported/detected these: the end user, the client, staff, or a regulator?
  24. Continued… http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured
     Privacy Assured (continued)
     Can ClickTale track visitors after they leave my site?
     • No, ClickTale can only track visitors on the specific web pages that contain your ClickTale tracking code.
     Can my visitors choose not to be recorded?
     • Yes, we offer an opt out option for anyone who does not want to be recorded. This inserts a cookie within your visitor's browser that will prevent them from being recorded by any ClickTale customer.
     How secure is my data?
     • Very secure. ClickTale takes several steps to ensure your data’s security.
     • We restrict employees’ access to your data. ClickTale employees cannot access your data unless you provide us with your password and specific permission to access your account.
     • HTTPS page data is passed to the ClickTale servers via SSL and is fully encrypted.
     • Our servers are hosted at SAS/70 Type II certified data centers.
     • We use firewalls to limit access to the ClickTale servers.
     • We regularly apply updates to servers, OS, firewalls and all software to prevent security vulnerabilities.
  25. Technical errors
  26. Doh! Not a good idea to use this screenshot in the wiki: “/page.aspx?email=sono@client.com is being tracked”. Link to page: http://wiki.clicktale.com/Article/ActivePlayback_API#Debugging_your_ActivePlayback_code
  27. Yikes! Is this a deprecated feature??
     • http://clicks.skem1.com/preview/?c=537&g=987&p=e240e16b504c7714ea27a5618baa08cb&utm_medium=email&utm_source=contactology&utm_campaign=2010_10_21_110&ct=enable,t(2010_10_21_110),t(Customer Name=Eul lee)
     • http://clicks.electionemail.com/preview/?c=2155&g=781&p=4209474eb0aff8e0b98b1bd1fc2e4b4b&utm_medium=email&utm_source=ElectionMall Technologies Inc.&utm_campaign=Hinojosa&ct=enable,t(Arpaio),t(Zip= 23888)
     • http://blog.clicktale.com/2009/01/22/announcing-clicktale-email-tracking-extreme-visibility-into-your-email-campaigns/
  28. Broken Privacy policy link on affiliate signup page: http://aff.clicktale.com/scripts/signup.php
  29. Broken link on Privacy policy: http://www.clicktale.com/privacy-policy
  30. 404 handler needs updating: www.clicktale.com/privacy >> /page-cannot-be-found. Note: www.clicktale.net/bla is not redirecting to www.clicktale.com/bla. Note: www.clicktale.com/disable.html is not redirecting to www.clicktale.net/disable.html
  31. Wiki: changing the form action from POST to GET could have privacy implications. http://wiki.clicktale.com/Article/POST_pages#How_ClickTale_handles_POST_pages http://redant.com.au/blog/clicktale-review-technology/
  32. Is the ClickTale bot a Backdoor/Firewall security risk?
     • “Bypass companies' firewalls by whitelisting our servers' IP ranges, which are 75.125.82.64/26 and 50.97.162.64/26, and opening a network connection (normally port 80/443) for the ClickTale bot from these IPs to the site's ports on your server (e.g. 8080)” http://wiki.clicktale.com/Article/Offline_recordings
  33. Concerning: Auto-Refill_Data captured by ClickBot & FetchFromWithCookies
     • Auto form restoration when the ClickTale bot tried to cache a page with websiteSessionIdToken=1234 or FetchFromWithCookies: http://wiki.clicktale.com/Article/Sensitive_data#Preventing_Auto-Refill_Data_In_Playback http://wiki.clicktale.com/Article/ClickTaleFetchFromWithCookies Excluding/removing the website sessionID would be advisable (if possible).
     • Also, client-side HTTP content upload should be used with caution: http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleUploadPage
     Question: When using FetchFromWithCookies, is data always sent over SSL back to the Clicktale server?
  34. Database append risks
     • Lots of integrations with other tools: http://www.clicktale.com/why-clicktale/partners http://wiki.clicktale.com/Article/Help_talk:GA_Integration#I._Import_ClickTale_IDs_into_GA
     Too much data = increased risk of identifying the user in the real world, or of capturing sensitive data.
  35. Vertical risks: Be especially careful in the Health and Finance sectors to avoid capturing sensitive personal data
  36. Be careful… Cited in a privacy research paper: http://cseweb.ucsd.edu/~d1jang/papers/ccs10.pdf Monitor this follow-up user study
  37. Be careful… The vultures are circling
  38. Questions?
  39. Appendix: Is the Ghostery page incorrect? (Digital Analytics Association; “Data Sharing”: is this correct?) There is no category for mouse tracking or keystroke logging.
  40. Links to privacy policies
     • Privacy FAQs: http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured
     • Privacy policy (site): http://www.clicktale.com/privacy-policy http://wiki.clicktale.com/Article/ClickTale_Wiki:Privacy_policy
     • Privacy policy (service): http://www.clicktale.com/privacy-service http://www.clicktale.com/enterprise-terms
     • ToS: http://www.clicktale.com/terms-use http://www.clicktale.com/enterprise-terms2
     • Debug mode: shows if the user has opted out and the rate of recording (e.g. 1 in 334 on www.conrad.de/ce/?ct=debug) http://www.cbsnews.com/?ct=debug
     • Hosted tracking scripts: https://clicktalecdn.sslcs.cdngc.net/www/ptc/5d9396e0-fb55-443d-8209-b5eb60af50e2.js http://cdn.clicktale.net/www/ptc/5d9396e0-fb55-443d-8209-b5eb60af50e2.js http://s.clicktale.net/WRd.js http://s.clicktale.net/XHRWrapper.js (AJAX)
  41. Appendix: digitalData layer notes
     • Need for standardised field names or classes, e.g. class="digitalData_sensitive" or class="ClickTaleSensitive": http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleSensitive_CSS_Class http://wiki.clicktale.com/Article/Sensitive_data#ClickTaleSetAllSensitive
     • The dataLayer object can be used to disable all field tracking, but this greatly reduces the insight gained from the Customer Experience Analytics tools. Here is an example of disabling via this technique: http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleEventsMask e.g. ClickTaleEventsMask-=4; or { "visitor": { "isKeystokeTrackingDisabled": true } }
  42. Monitor AdBlocker lists and report false positives for spyware: http://easylist-msie.adblockplus.org/easyprivacy.tpl
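As an added example (not ClickTale's code nor the author's), a small audit helper in the spirit of slides 23 and 41: it scans an HTML form for fields whose type or name suggests personal data and reports those lacking a ClickTaleSensitive or digitalData_sensitive class, i.e. fields that would still appear in session playback. The keyword heuristics and the sample form are constructed for illustration.

```python
# Added audit helper (example code, not ClickTale's or the author's): list form
# fields that look like PII but carry no masking class, so would appear in
# playback. Class names are from the slides; keyword heuristics and the sample
# form are constructed for illustration.
from html.parser import HTMLParser

MASK_CLASSES = {"ClickTaleSensitive", "digitalData_sensitive"}
SENSITIVE_TYPES = {"email", "tel"}  # password fields are never recorded (slide 23)
SENSITIVE_KEYWORDS = ("card", "cvv", "ssn", "dob", "account", "iban", "email", "phone")
SKIPPED_TYPES = {"hidden", "submit", "button", "reset", "image"}


class FieldCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = []  # attribute dicts of user-editable controls

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea", "select"):
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attrs -> ""
        if a.get("type", "").lower() not in SKIPPED_TYPES:
            self.fields.append(a)

def is_sensitive(attrs):
    """Heuristic: input type or a keyword in name/id suggests personal data."""
    input_type = (attrs.get("type") or "text").lower()
    label = (attrs.get("name", "") + " " + attrs.get("id", "")).lower()
    return input_type in SENSITIVE_TYPES or any(k in label for k in SENSITIVE_KEYWORDS)

def is_masked(attrs):
    """True when the element carries one of the recognised masking classes."""
    return bool(set(attrs.get("class", "").split()) & MASK_CLASSES)

def unmasked_sensitive_fields(html):
    """Return the name (or id) of every sensitive-looking field left unmasked."""
    collector = FieldCollector()
    collector.feed(html)
    return [a.get("name") or a.get("id") or "<unnamed>"
            for a in collector.fields if is_sensitive(a) and not is_masked(a)]

# Constructed sample: two PII fields are masked, two are not.
SAMPLE_HTML = """<form action="/checkout" method="post">
  <input type="email" name="email" class="ClickTaleSensitive">
  <input type="tel" name="phone" class="form-control digitalData_sensitive">
  <input type="text" name="card_number">
  <input type="text" name="cvv" class="form-control">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="submit" value="Pay">
</form>"""
```

Running `unmasked_sensitive_fields(SAMPLE_HTML)` on the sample reports `card_number` and `cvv`; the same check can be run against a site's rendered templates before the tracking script is deployed.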
