Corporates’ malicious behavior: Intent or Accident?
Konark Modi @konarkmodi
Cliqz, Munich
DAHO.AM 2018
Need a debit card?
https://twitter.com/needadebitcard
Leaking passwords
Bank statements
How many of us think this is bad?
https://www.spotify.com/de/account/overview/?utm_source=spotify&utm_medium=menu&utm_campaign=your_account&oauth%255ftoken=NAph...(REDACTED)
Larger picture
Corporates malicious behaviour: Intent or Accident
• Legitimate use cases for 3rd parties
- Web analytics
- Content delivery network
- On- and offsite user journey and conversion tracking
- App performance
- Audience measurement
- Goal conversions
- Content recommendation
- Social sharing
“The de facto standard of data collection is bound to produce privacy side-effects”
Compromising user’s privacy (unintentionally*)
Case of unintentional tracking
• Google Analytics (GA) is massive, present on more than 44% of all page loads.
• GA does not offer any (public) service that requires building a session of all of a user’s activity.
• GA actually cares a lot about privacy:
- Ephemeral UIDs
- Sanitization of URLs
• Try this at home:
- https://github.com/cliqz-oss/local-sheriff
spiegel.de 18:49:10 [91.5.xx.xx, 1440x736]
https://www.foodora.de/en/restaurants/lat/4…/lng/1…/plz/8…/city/M…/address/..stra/hno 18:51:00 [91.5.xx.xx, 1440x736]
(labelled on the slide: Geo coordinates; Street name / PIN)
https://secure.booking.com/my-reservations/../../ 18:54:00 [91.5.xx.xx, 1440x736]
(labelled on the slide: Booking number; Price; Private window)
https://imgur.com/gallery/hc7otmu 18:54:00 [91.5.xx.xx, 1440x736]
analytics.twitter.com/user/konarkmodi/home 18:58:00 [91.5.xx.xx, 1440x736]
https://emirates.com/sessionHandler.aspx/….. 18:59:00 [91.5.xx.xx, 1440x736]
GA Backend:
URL | TS | UID
spiegel.de | 09:49:10 | [91.5.xx.xx, 1440x736]
www.foodora.de/en/restaurants/lat/4…/lng/1…/plz/8…/city/M…/address/..stra/hno | 18:51:00 | [91.5.xx.xx, 1440x736]
twitter.com/mrmcd2017 | 18:54:00 | [91.5.xx.xx, 1440x736]
secure.booking.com/my-reservations/../../ | 18:54:00 | [91.5.xx.xx, 1440x736]
imgur.com/gallery/hc7otmu | 18:54:00 | [91.5.xx.xx, 1440x736]
analytics.twitter.com/user/konarkmodi/home | 18:58:00 | [91.5.xx.xx, 1440x736]
emirates.com/sessionHandler.aspx/….. | 18:59:00 | [91.5.xx.xx, 1440x736]
IP: 91.5.XX.XX https://www.google-analytics.com/collect? … dl=https%3A%2F%2Fanalytics.twitter.com%2Fuser%2Fkonarkmodi%2Fhome& ... &vp=1440x736&...
IP: 91.5.XX.XX https://www.google-analytics.com/collect? … dr=https://emirates.com/sessionHandler.aspx/….. & ... &vp=1440x736&...
Points to note
• This data collection pattern relies on server-side aggregation per user.
• For that, the records need to be linked on the backend.
• For records to be linked, the client needs to attach an ID.
• This method is bound to produce privacy side-effects.
• The data can be used for purposes other than counting, like profiling, re-targeting.
Case of unintentional tracking
URL | TS | UID
spiegel.de | 09:49:10 | 3rd Party cookie
www.foodora.de/en/restaurants/lat/4…/lng/1…/plz/8…/city/M…/address/..stra/hno | 18:51:00 | 3rd Party cookie
twitter.com/mrmcd2017 | 18:54:00 | 3rd Party cookie
secure.booking.com/my-reservations/../../ | 18:54:00 | 3rd Party cookie
imgur.com/gallery/hc7otmu | 18:54:00 | 3rd Party cookie
analytics.twitter.com/user/konarkmodi/home | 18:58:00 | 3rd Party cookie
emirates.com/sessionHandler.aspx/….. | 18:59:00 | 3rd Party cookie
Who controls the data
Is there some evil plan ?
Example: Counting unique visitors
• 4 people visited spiegel.de/xyz?
• 1 person visited spiegel.de/xyz 4 times?
• How can it be resolved?
URL | TS | IP
Spiegel.de/xyz | 09:48:40 | 82.143.2.X
Spiegel.de/xyz | 09:48:42 | 137.9.10.X
Spiegel.de/xyz | 09:48:59 | 137.9.10.X
Spiegel.de/xyz | 09:49:12 | 137.9.10.X
• Identifying which records come from the same person to avoid over-counting.
• A UID is needed
• 4 visits, 3 unique visitors
URL | TS | IP
Spiegel.de/xyz | 09:48:40 | [82.143.2.X, 1320x910]
Spiegel.de/xyz | 09:48:42 | [137.9.10.X, 1266x809]
Spiegel.de/xyz | 09:48:59 | [137.9.10.X, 940x645]
Spiegel.de/xyz | 09:49:12 | [137.9.10.X, 940x645]
What can we as technologists, developers, hackers do?
Change in mindset
Since server-side aggregation per user is the root of the problem, we should move aggregation per user to the client’s side – the user’s browser.
Green tracker
• Modern browsers have the ability to keep state via HTML5 LocalStorage.
• Looks pretty familiar, but is slightly different:
- LocalStorage belongs to green-tracker.fbt.co (the collector backend)
- Respects CORS
- IFRAME is sandboxed (no access to Document)
- Explicit control from site-owner (postMessage)
- Explicit control from user (messages and state can be removed and inspected at will)
GREEN TRACKER: COUNTING UNIQUE VISITORS
Collecting data in a socially responsible manner
[Diagram, built up over several slides: a browser loading spiegel.de/xyz with a 3rd party tracking script, shown side by side for two collectors, each ending in "Count Uniques".]
Server-side Aggregation – Google Analytics (GA Backend)
- Message to backend: spiegel.de/xyz [137.9.10.X, 940x645]
Client-side Aggregation – CLIQZ Green Tracker (CGT Backend)
- Browser state: state = [], then state = [H(spiegel.de/xyz, unique-visit, timestamp)]
- Messages to backend: visit spiegel.de/xyz, unique-visit spiegel.de/xyz
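The counting-uniques comparison above, as an added JavaScript sketch (not code from the talk or from cliqz-oss/green-analytics): the same page loads go through a server-side collector keyed on the slides' [IP, viewport] UID and through a client-side one that keeps its state in the browser. `H` is an FNV-1a stand-in for the slides' unspecified hash, an in-memory `Set` stands in for LocalStorage, and the function names, `browser` labels, date and day-granularity timestamp are assumptions.

```javascript
// Added illustration, not the talk's or the Green Tracker project's own code.
// Constructed sample: URLs, times, IPs and viewports are the ones on the slides;
// the date and the `browser` labels are assumptions (the slides give only times).
const DAY = '2018-01-01';
const pageLoads = [
  // "Counting unique visitors" slide: 4 visits, 3 unique visitors
  { browser: 'A', url: 'spiegel.de/xyz', ts: `${DAY}T09:48:40`, ip: '82.143.2.X', vp: '1320x910' },
  { browser: 'B', url: 'spiegel.de/xyz', ts: `${DAY}T09:48:42`, ip: '137.9.10.X', vp: '1266x809' },
  { browser: 'C', url: 'spiegel.de/xyz', ts: `${DAY}T09:48:59`, ip: '137.9.10.X', vp: '940x645' },
  { browser: 'C', url: 'spiegel.de/xyz', ts: `${DAY}T09:49:12`, ip: '137.9.10.X', vp: '940x645' },
  // "Case of unintentional tracking" table: one browser, several sites
  { browser: 'D', url: 'secure.booking.com/my-reservations/../../', ts: `${DAY}T18:54:00`, ip: '91.5.xx.xx', vp: '1440x736' },
  { browser: 'D', url: 'imgur.com/gallery/hc7otmu', ts: `${DAY}T18:54:00`, ip: '91.5.xx.xx', vp: '1440x736' },
  { browser: 'D', url: 'analytics.twitter.com/user/konarkmodi/home', ts: `${DAY}T18:58:00`, ip: '91.5.xx.xx', vp: '1440x736' },
];

// Stand-in for the slides' H(...): 32-bit FNV-1a over the joined parts.
function H(...parts) {
  let h = 0x811c9dc5;
  for (const ch of parts.join('\u0000')) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// Server-side aggregation: every record carries a UID, so the backend can
// de-duplicate visitors, and as a side-effect holds each UID's list of URLs.
function serverSideAggregate(loads) {
  const urlsByUid = new Map();
  for (const { ip, vp, url } of loads) {
    const uid = `[${ip}, ${vp}]`;
    if (!urlsByUid.has(uid)) urlsByUid.set(uid, []);
    urlsByUid.get(uid).push(url);
  }
  const uniques = {};
  for (const urls of urlsByUid.values()) {
    for (const url of new Set(urls)) uniques[url] = (uniques[url] || 0) + 1;
  }
  return { uniques, urlsByUid };
}

// Client-side aggregation: the browser remembers what it already reported
// and decides locally whether this load is a unique visit.
class GreenTrackerClient {
  constructor() {
    this.state = new Set(); // stand-in for the tracker iframe's LocalStorage
  }
  onPageLoad(url, ts) {
    const messages = [{ type: 'visit', url }];
    // Assumption: "timestamp" is truncated to the counting period (one day).
    const key = H(url, 'unique-visit', ts.slice(0, 10));
    if (!this.state.has(key)) {
      this.state.add(key);
      messages.push({ type: 'unique-visit', url });
    }
    return messages;
  }
}

// The backend only tallies messages; no field links one message to another.
// (Network-level metadata such as the sender's IP is outside this sketch.)
function clientSideAggregate(loads) {
  const browsers = new Map(); // one tracker state per browser
  const received = [];        // everything the backend ever sees
  for (const { browser, url, ts } of loads) {
    if (!browsers.has(browser)) browsers.set(browser, new GreenTrackerClient());
    received.push(...browsers.get(browser).onPageLoad(url, ts));
  }
  const counts = {};
  for (const { type, url } of received) {
    if (!counts[url]) counts[url] = { visit: 0, 'unique-visit': 0 };
    counts[url][type] += 1;
  }
  return { counts, received };
}

const serverView = serverSideAggregate(pageLoads);
const greenView = clientSideAggregate(pageLoads);
console.log('server-side uniques:', serverView.uniques['spiegel.de/xyz']);
console.log('server-side per-UID history:', serverView.urlsByUid.get('[91.5.xx.xx, 1440x736]'));
console.log('client-side counts:', greenView.counts['spiegel.de/xyz']);
```

Both collectors arrive at 4 visits and 3 unique visitors for spiegel.de/xyz, but only the server-side one ends up holding a per-UID list of URLs.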
Beyond counting unique visitors
https://github.com/cliqz-oss/green-analytics
*Cliqz has no plans to become an analytics service; this approach is meant to demonstrate a responsible way of doing data collection, so feel free to fork and play with it, and it may become the next clean, green GA.
Human Web
Anti-phishing
Search
Anti-tracking
News
Anolysis
Safe Sync
Aristotle
WhoTracks.Me
Offrz
Market Analysis
https://github.com/cliqz-oss/
"I always knew what the right path was, but I never took it. You know why? Because it was too damn hard." – Colonel Slade
Thank you for listening.
Konark Modi, Tech lead
@konarkmodi
konark@cliqz.com

More Related Content

Similar to Corporates' malicious behaviour: Intent or accident?

Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
TigerGraph
 
Data Natives meets DataRobot | "Build and deploy an anti-money laundering mo...
Data Natives meets DataRobot |  "Build and deploy an anti-money laundering mo...Data Natives meets DataRobot |  "Build and deploy an anti-money laundering mo...
Data Natives meets DataRobot | "Build and deploy an anti-money laundering mo...
Dataconomy Media
 
Digital banking Account Take Over
Digital banking Account Take OverDigital banking Account Take Over
Digital banking Account Take Over
Laurent Pacalin
 
15 companies famous business models
15 companies famous business models15 companies famous business models
15 companies famous business models
Patrick Barrabé® 😊
 
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with FargateDEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
Amazon Web Services
 
I´m not a number, I´m a free man
I´m not a number, I´m a free manI´m not a number, I´m a free man
I´m not a number, I´m a free man
vicenteDiaz_KL
 
Search Engine Marketing: Tracking Pages Without JavaScript by Using Web Beacons
Search Engine Marketing: Tracking Pages Without JavaScript by Using Web BeaconsSearch Engine Marketing: Tracking Pages Without JavaScript by Using Web Beacons
Search Engine Marketing: Tracking Pages Without JavaScript by Using Web Beacons
NavigationArts
 
Intelligent Authentication (Identity Live Berlin 2018)
Intelligent Authentication  (Identity Live Berlin 2018)Intelligent Authentication  (Identity Live Berlin 2018)
Intelligent Authentication (Identity Live Berlin 2018)
ForgeRock
 
Designing the data driven_Patrick Tripp
Designing the data driven_Patrick TrippDesigning the data driven_Patrick Tripp
Designing the data driven_Patrick Tripp
National Retail Federation
 
Protect Your Revenue Streams: Big Data & Analytics in Tax
Protect Your Revenue Streams: Big Data & Analytics in TaxProtect Your Revenue Streams: Big Data & Analytics in Tax
Protect Your Revenue Streams: Big Data & Analytics in Tax
Capgemini
 
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j
 
Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...
Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...
Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...
DigiMarCon - Digital Marketing, Media and Advertising Conferences & Exhibitions
 
Technology Scouting: Silicon Valley Trends 2018
Technology Scouting: Silicon Valley Trends 2018Technology Scouting: Silicon Valley Trends 2018
Technology Scouting: Silicon Valley Trends 2018
Matteo Fabiano
 
Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...
Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...
Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...
TigerGraph
 
How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...
How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...
How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...
Kai Wähner
 
Marketo: hands on with Google Analytics
Marketo: hands on with Google AnalyticsMarketo: hands on with Google Analytics
Marketo: hands on with Google Analytics
Stijn Heijthuijsen
 
GDPR: 20 Million Reasons to Get Ready - Part 2: Living Compliance
GDPR: 20 Million Reasons to Get Ready - Part 2: Living ComplianceGDPR: 20 Million Reasons to Get Ready - Part 2: Living Compliance
GDPR: 20 Million Reasons to Get Ready - Part 2: Living Compliance
Cloudera, Inc.
 
Criteo Infrastructure (Platform) Meetup
Criteo Infrastructure (Platform) MeetupCriteo Infrastructure (Platform) Meetup
Criteo Infrastructure (Platform) Meetup
Ibrahim Abubakari
 
Ecommerce Website Security
Ecommerce Website SecurityEcommerce Website Security
Ecommerce Website Security
Sucuri
 
LES Keynote 2020
LES Keynote 2020LES Keynote 2020
LES Keynote 2020
Vinay Iyengar
 

Similar to Corporates' malicious behaviour: Intent or accident? (20)

Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
 
Data Natives meets DataRobot | "Build and deploy an anti-money laundering mo...
Data Natives meets DataRobot |  "Build and deploy an anti-money laundering mo...Data Natives meets DataRobot |  "Build and deploy an anti-money laundering mo...
Data Natives meets DataRobot | "Build and deploy an anti-money laundering mo...
 
Digital banking Account Take Over
Digital banking Account Take OverDigital banking Account Take Over
Digital banking Account Take Over
 
15 companies famous business models
15 companies famous business models15 companies famous business models
15 companies famous business models
 
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with FargateDEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
 
I´m not a number, I´m a free man
I´m not a number, I´m a free manI´m not a number, I´m a free man
I´m not a number, I´m a free man
 
Search Engine Marketing: Tracking Pages Without JavaScript by Using Web Beacons
Search Engine Marketing: Tracking Pages Without JavaScript by Using Web BeaconsSearch Engine Marketing: Tracking Pages Without JavaScript by Using Web Beacons
Search Engine Marketing: Tracking Pages Without JavaScript by Using Web Beacons
 
Intelligent Authentication (Identity Live Berlin 2018)
Intelligent Authentication  (Identity Live Berlin 2018)Intelligent Authentication  (Identity Live Berlin 2018)
Intelligent Authentication (Identity Live Berlin 2018)
 
Designing the data driven_Patrick Tripp
Designing the data driven_Patrick TrippDesigning the data driven_Patrick Tripp
Designing the data driven_Patrick Tripp
 
Protect Your Revenue Streams: Big Data & Analytics in Tax
Protect Your Revenue Streams: Big Data & Analytics in TaxProtect Your Revenue Streams: Big Data & Analytics in Tax
Protect Your Revenue Streams: Big Data & Analytics in Tax
 
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
 
Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...
Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...
Google Analytics 4 : The Next Generation of Digital Analytics - Benjamin Kepn...
 
Technology Scouting: Silicon Valley Trends 2018
Technology Scouting: Silicon Valley Trends 2018Technology Scouting: Silicon Valley Trends 2018
Technology Scouting: Silicon Valley Trends 2018
 
Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...
Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...
Detecting Fraud and AML Violations In Real-Time for Banking, Telecom and eCom...
 
How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...
How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...
How to Apply Machine Learning with R, H20, Apache Spark MLlib or PMML to Real...
 
Marketo: hands on with Google Analytics
Marketo: hands on with Google AnalyticsMarketo: hands on with Google Analytics
Marketo: hands on with Google Analytics
 
GDPR: 20 Million Reasons to Get Ready - Part 2: Living Compliance
GDPR: 20 Million Reasons to Get Ready - Part 2: Living ComplianceGDPR: 20 Million Reasons to Get Ready - Part 2: Living Compliance
GDPR: 20 Million Reasons to Get Ready - Part 2: Living Compliance
 
Criteo Infrastructure (Platform) Meetup
Criteo Infrastructure (Platform) MeetupCriteo Infrastructure (Platform) Meetup
Criteo Infrastructure (Platform) Meetup
 
Ecommerce Website Security
Ecommerce Website SecurityEcommerce Website Security
Ecommerce Website Security
 
LES Keynote 2020
LES Keynote 2020LES Keynote 2020
LES Keynote 2020
 

Recently uploaded

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 

Recently uploaded (12)

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 

Corporates' malicious behaviour: Intent or accident?

  • 1. Corporates’ malicious behavior: Intent or Accident ? Konark Modi @konarkmodi Cliqz, Munich DAHO.AM 2018
  • 2.
  • 3.
  • 4.
  • 5. Need a debit card ? DAHO.AM 2018 https://twitter.com/needadebitcard
  • 8. How many of us think this is bad ? DAHO.AM 2018
  • 12.
  • 13. Larger picture Corporates malicious behaviour: Intent or Accident • Legitimate use cases for 3rd parties • Web analytics • Content delivery network • On- and offsite user journey and conversion tracking • App performance • Audience measurement • Goal conversions • Content recommendation • Social sharing DAHO.AM 2018
  • 14. “ The de facto standard of data collection is bound to produce privacy side-effects” DAHO.AM 2018
  • 16. Case of unintentional tracking • Google Analytics (GA) is massive, present on more than 44% of all page loads. • GA does not offer any service (public) that requires to build a session with all user’s activity. • GA actually cares a lot about privacy: - Ephemeral UIDs - Sanitization of URLs • Try this at home: - https://github.com/cliqz-oss/local-sheriff Corporates malicious behaviour: Intent or Accident DAHO.AM 2018
  • 17. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident spiegel.de 18:49:10 [91.5.xx.xx, 1440x736] DAHO.AM 2018
  • 18. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident https://www.foodora.de/en/restauran ts/lat/4…/lng/1…/plz/8…/city/M…/add ress/..stra/hno 18:51:00 [91.5.xx.xx, 1440x736] Geo coordinates Street name / PIN Street name / PIN DAHO.AM 2018
  • 19. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident https://secure.booking.com/m y-reservations/../../ 18:54:00 [91.5.xx.xx, 1440x736] Booking number Price Private window DAHO.AM 2018
  • 20. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident https://imgur.com/gallery/hc7otmu 18:54:00 [91.5.xx.xx, 1440x736] DAHO.AM 2018
  • 21. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident analytics.twitter.com/user/konarkmodi/ home 18:58:00 [91.5.xx.xx, 1440x736] DAHO.AM 2018
  • 22. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident https://emirates.com/sessionH andler.aspx/….. 18:59:00 [91.5.xx.xx, 1440x736] DAHO.AM 2018
  • 23. Case of unintentional tracking Corporates malicious behaviour: Intent or Accident URL TS UID spiegel.de 09:49:10 [91.5.xx.xx, 1440x736] www.foodora.de/en/restaurants/lat/4…/lng/1…/plz/8 …/city/M…/address/..stra/hno 18:51:00 [91.5.xx.xx, 1440x736] twitter.com/mrmcd2017 18:54:00 [91.5.xx.xx, 1440x736] secure.booking.com/my-reservations/../../ 18:54:00 [91.5.xx.xx, 1440x736] imgur.com/gallery/hc7otmu 18:54:00 [91.5.xx.xx, 1440x736] analytics.twitter.com/user/konarkmodi/home 18:58:00 [91.5.xx.xx, 1440x736] emirates.com/sessionHandler.aspx/….. 18:59:00 [91.5.xx.xx, 1440x736] GA Backend DAHO.AM 2018
  • 25. Case of unintentional tracking
      IP: 91.5.XX.XX
      https://www.google-analytics.com/collect? … dl=https%3A%2F%2Fanalytics.twitter.com%2Fuser%konarkmodi%2Fhome& ... &vp=1440x736&...
  • 26. Case of unintentional tracking
      IP: 91.5.XX.XX
      https://www.google-analytics.com/collect? … dr=https://emirates.com/sessionHandler.aspx/….. & ... &vp=1440x736&...
  • 29. Points to note
      • This data collection pattern relies on server-side aggregation per user.
      • For that, the records need to be linked on the backend.
      • For records to be linked, the client needs to attach an ID.
      • This method is bound to produce privacy side-effects.
  • 33. Points to note
      • This data collection pattern relies on server-side aggregation per user.
      • For that, the records need to be linked on the backend.
      • For records to be linked, the client needs to attach an ID.
      • The data can be used for purposes other than counting, like profiling, re-targeting.
  • 34. Case of unintentional tracking
      URL | TS | UID
      spiegel.de | 09:49:10 | 3rd Party cookie
      www.foodora.de/en/restaurants/lat/4…/lng/1…/plz/8…/city/M…/address/..stra/hno | 18:51:00 | 3rd Party cookie
      twitter.com/mrmcd2017 | 18:54:00 | 3rd Party cookie
      secure.booking.com/my-reservations/../../ | 18:54:00 | 3rd Party cookie
      imgur.com/gallery/hc7otmu | 18:54:00 | 3rd Party cookie
      analytics.twitter.com/user/konarkmodi/home | 18:58:00 | 3rd Party cookie
      emirates.com/sessionHandler.aspx/….. | 18:59:00 | 3rd Party cookie
  • 36. Who controls the data
  • 37. Is there some evil plan?
  • 38. Example: Counting unique visitors
      • Did 4 people visit spiegel.de/xyz?
      • Or did 1 person visit spiegel.de/xyz 4 times?
      • How can it be resolved?
      URL | TS | IP
      Spiegel.de/xyz | 09:48:40 | 82.143.2.X
      Spiegel.de/xyz | 09:48:42 | 137.9.10.X
      Spiegel.de/xyz | 09:48:59 | 137.9.10.X
      Spiegel.de/xyz | 09:49:12 | 137.9.10.X
  • 39. Example: Counting unique visitors
      • Did 4 people visit spiegel.de/xyz?
      • Or did 1 person visit spiegel.de/xyz 4 times?
      • How can it be resolved?
      URL | TS | IP
      Spiegel.de/xyz | 09:48:40 | 82.143.2.X
      Spiegel.de/xyz | 09:48:42 | 137.9.10.X
      Spiegel.de/xyz | 09:48:59 | 137.9.10.X
      Spiegel.de/xyz | 09:49:12 | 137.9.10.X
      • Identify which records come from the same person to avoid over-counting.
      • A UID is needed.
      • 4 visits, 3 unique visitors
      URL | TS | IP
      Spiegel.de/xyz | 09:48:40 | [82.143.2.X, 1320x910]
      Spiegel.de/xyz | 09:48:42 | [137.9.10.X, 1266x809]
      Spiegel.de/xyz | 09:48:59 | [137.9.10.X, 940x645]
      Spiegel.de/xyz | 09:49:12 | [137.9.10.X, 940x645]
  • 41. What can we as technologists, developers, hackers do?
  • 43. Since server-side aggregation per user is the root of the problem, we should move aggregation per user to the client side: the user’s browser.
  • 44. Green tracker
      • Modern browsers have the ability to keep state via HTML5 LocalStorage.
      • Looks pretty familiar, but is slightly different:
          - LocalStorage belongs to green-tracker.fbt.co (the collector backend)
          - Respects CORS
          - IFRAME is sandboxed (no access to Document)
          - Explicit control from site-owner (postMessage)
          - Explicit control from user (messages and state can be removed and inspected at will)
  • 45–55. GREEN TRACKER: COUNTING UNIQUE VISITORS. Collecting data in a socially responsible manner [diagram built up over these slides, two panels]
      • Server-side Aggregation – Google Analytics. Labels: Browser, 3rd party tracking script, GA Backend, Count Uniques. Message shown for each load: spiegel.de/xyz [137.9.10.X, 940x645]
      • Client-side Aggregation – CLIQZ Green Tracker. Labels: Browser, 3rd party tracking script, CGT Backend, Count Uniques. Browser state shown as state = [] and then state = [ H(spiegel.de/xyz, unique-visit, timestamp)]. Messages shown: visit spiegel.de/xyz, unique-visit spiegel.de/xyz
  • 56. Beyond counting unique visitors
      https://github.com/cliqz-oss/green-analytics
      *Cliqz has no plans to become an analytics service. This approach is meant to demonstrate a responsible way of doing data collection, so feel free to fork and play; it may become the next clean, green GA.
  • 58. “I always knew what the right path was, but I never took it. You know why? Because it was too damn hard.” – Colonel Slade
  • 59. Thank you for listening. Konark Modi, Tech lead @konarkmodi konark@cliqz.com
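
The unique-visitor counting from the "Example: Counting unique visitors" and Green Tracker slides, as an added example that is not part of the original deck or of the cliqz-oss/green-analytics code. It runs the slide's four page loads through both designs; the fifth load, the `browser` field, the toy hash used for H and the day-level timestamp are assumptions made for the simulation.

```javascript
// Constructed sample: the slide's four spiegel.de/xyz loads plus one constructed load on
// another site. `browser` is ground truth for the simulation and is never sent anywhere.
const loads = [
  { url: 'spiegel.de/xyz', ip: '82.143.2.X', vp: '1320x910', browser: 'A' },
  { url: 'spiegel.de/xyz', ip: '137.9.10.X', vp: '1266x809', browser: 'B' },
  { url: 'spiegel.de/xyz', ip: '137.9.10.X', vp: '940x645', browser: 'C' },
  { url: 'spiegel.de/xyz', ip: '137.9.10.X', vp: '940x645', browser: 'C' },
  { url: 'shop.example/order/1234', ip: '137.9.10.X', vp: '940x645', browser: 'C' },
];

// Server-side aggregation: the backend links records by UID = [IP, viewport].
function serverSide(loads) {
  const byUid = new Map(); // UID -> every URL that UID was seen on
  for (const { url, ip, vp } of loads) {
    const uid = `${ip}|${vp}`;
    byUid.set(uid, [...(byUid.get(uid) || []), url]);
  }
  return byUid;
}
const serverUniques = (byUid, url) =>
  [...byUid.values()].filter((urls) => urls.includes(url)).length;

// Toy FNV-1a hash standing in for the slide's H(); the deck does not specify H.
function H(...parts) {
  let h = 0x811c9dc5;
  for (const ch of parts.join('|')) h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  return h.toString(16);
}

// Client-side aggregation: each browser keeps its own state (LocalStorage on the
// slide, a Set here) and decides locally whether a load counts as a unique visit.
function clientVisit(state, url, day) {
  const messages = [{ type: 'visit', url }];
  const key = H(url, 'unique-visit', day); // assumption: timestamp truncated to the day
  if (!state.has(key)) messages.push({ type: 'unique-visit', url });
  state.add(key);
  return messages; // the payload carries no IP, viewport or other ID
}
function clientSide(loads, day) {
  const states = new Map(); // one state per browser; it stays on the client
  const received = [];      // everything the collector backend ends up with
  for (const { url, browser } of loads) {
    if (!states.has(browser)) states.set(browser, new Set());
    received.push(...clientVisit(states.get(browser), url, day));
  }
  return received;
}
const clientCount = (received, type, url) =>
  received.filter((m) => m.type === type && m.url === url).length;
```

Both designs report 4 visits and 3 unique visitors for spiegel.de/xyz, but `serverSide(loads).get('137.9.10.X|940x645')` also holds the order URL from the other site, while the messages returned by `clientSide` contain nothing that links two loads to the same browser.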