Blackhat Analytics 2 @ Superweek
29th May 2015
Blackhat Analytics – dark score test to printout
29th May 2015



1. BlackHat Analytics 3: Do Be evil: Force Awakens

2. #SPWK @philpearce Web Analytics Exchange mentor 750 GA questions answered Tracking protection group (DNT) Welcome Phil Pearce Analytics Expert & Master of the Dark Arts Freelancer @philpearce

3. Fun fact… I`m an identical Twin… #SPWK @philpearce …He recently got married

4. I organised a Stag party for my Brother… As you can see – I`m the evil one 😉 #SPWK @philpearce

5. Why was I Darth Maul… Because my uncle was… #SPWK @philpearce Darth Vader!

6. Blackhat Analytics Summary 1. Definition 2. History and evolution 3. Example Techniques 4. Light & Dark task 5. Questions #SPWK @philpearce

7. A long time ago… … in a google universe far, far away…

8. Define: Blackhat Analytics

9. Define: Blackhat Analytics Define: Blackhat Analytics “0” results

10. If you do this search now… Define: Blackhat Analytics

11. It turns out… …I know more than Google 😉 Me Me Me Me

12. Definition Intentional act of distorting, deleting, unethically using, or hijacking WA data using technical or legal loopholes; with the goal of making financial gains, or obtaining a competitive advantage. Phil Pearce 2009

13. How did we get here… 1. Intentional abusing the system. 2. Accidentally abusing the system 3. Automatically monitoring & enforcement of the system

14. 1. Intentional Abusing the system

15. Early Malicious techniques/attacks Referral backlink log spam (depreciated SEO technique) These links no-followed and no longer pass pagerank

16. Referral backlink log spam (to get traffic from website owners) Early Malicious techniques/attacks Exclude bots GA setting Should prevent this

17. Early Malicious techniques/attacks GA log spam (Spider visit loading JS) Exclude Robot hits via IAB blacklist tickbox in GA

18. Early Malicious techniques/attacks Visited links CSS hack (History Sniffing) Browser patch rollout for link colours (method made harmless)

19. Early Malicious techniques/attacks Flash cookie respawn (Zombie Cookies) Chrome privacy settings integrated with Flash Winduw control panel

20. Early Malicious techniques/attacks EverCookie (all of the previous techniques and more!) Tor browser (anonymous browsing)

21. Revenue Spam

22. Counter-measure for Revenue Spam Tool to manually fix…

23. *edge case example: small startups like beencounter Intentional blackhat is rare and users don’t cares

24. 2. Accidentally abusing the system

25. [email protected] inurl:”utm_content *“*+gmail+-blog+- google&pws=0&num=100&filter=0&as_qdr=all&cad=b&biw=1921&bih=869&dpr=1&cad=cb v&sei=qkK9VKiRHJLvat-ggbgF e.g. learning/v3/soutien/interface/index.php?page=cs.call_menu&menu_use=[ID_MENU]&email [email protected]&mdp=coutcout&utm_medium=SMS&utm_source=CS_2 014&utm_campaign=ouverture_inscriptions_intensif2&utm_content=Paris Accidental email PII

26. Google Analytics Skip to content GOOGLE ANALYTICS TERMS OF SERVICE These Google Analytics Terms of Service (this “Agreement”) are entered into by Google Inc. (“Google”) and the entity executing this Agreement (“You”). This Agreement governs Your use of the standard Google Analytics (the “Service”). BY CLICKING THE “I ACCEPT” BUTTON, COMPLETING THE REGISTRATION PROCESS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT. In consideration of the foregoing, the parties agree as follows: 1. Definitions. “Account” refers to the billing account for the Service. All Profiles linked to a single Property will have their Hits aggregated before determining the charge for the Service for that Property. “Confidential Information” includes any proprietary data and any other information disclosed by one party to the other in writing and Google Analyses TOS Skip..

27. Results in… GA account deleted (if violation). You must not collect any data that personally identifies an individual such as a: 1. full name 2. email address 3. billing information GA account deleted (if violation)

28. Don’t worry…. PII capture is not enforced 1. Its not pro-actively (automatic) enforced 2. only re-active (manual) enforcement. The same for… You must post a link to a Privacy Policy which has an opt-out…

29. Validation that a privacy link is present is not automatically checked 0.24% of domains using GA are compliant! =(17000+341+36000+11000)/26416097= 0.24%

30. • • • Validation that a privacy link is present is not automatically checked Est 5% German websites backlinks Link growth to this page should be increasing based on GA usage, only tiny increases.

31. No one pro-actively monitors because cookies are harmless

32. 3. Automatically monitoring & enforcement of the system. aka Automatic “Health checks”

33. Example…

34. 2 years reign! Infighting & disunity between Advertisers & Privacy Advocates. Definition of Tracking (DNT) still not defined! W3C republic

35. Group disbanded Peter Swire – Chief resign Jonathan Mayer – Firefox resigns Digital Advertisers Association – leaves group! Old W3C republic Key member: Thomas Roessler joins Google!

36. Imperial Durnt, durnt, durnt… durnt, dan ner! External Feedback mechanism

37. New Imperial Advertising Principles AdChoices proposed as replacement for W3C`s DNT Source:

38. Feedback example

39. ICO cookie law investigations – did`nt happen As they got more complaints about spam text messages, so focused on this instead.

40. SilkTide example from UK

41. Are users Cookies for sale on SilkRoad Litmus test

42. No one cares users are not complaining hence, regulators are not enforcing.

43. 3. Google lost market share in search now they care!

44. Google Adwords privacy cpc tax SSL as ranking signal SERP ranking organic bonus. Google “trusted stores” program Note: See “Privacy as a ranking factor slides” and TrustFactor video.

45. Practical Example…

46. Light Score 1. Do you have a Privacy Policy? +1 2. Do you link to Privacy Policy on global footer(or header) +1 3. HTML links on Privacy Policy: • Do you mention you use cookies OR link to “How Google uses cookie data“ +0.25 • Do you mention the word “Do Not Track” or DNT on privacy policy +0.25 • Link to GA opt-out plugin OR GA opt-out page +0.25 • Link to DoubleClick remarketing opt-out OR Adchoices link +0.25 4. Has your Privacy Policy has been updated within the last 12months +1 5. If your using session recording (e.g. ClickTale) have you set sensitive fields to either type=password OR have relevant class: <input id=”CreditCardPin” class=”tracking- sensitive ClickTaleSensitive -metrika-nokeys“type=”text”> +1 6. Is AnonymiseIP enabled for German Visitors +1 7. Is GTM`s 2 stage authentication login setting enabled OR similar TMS setting +1 8. Do you have a GA custom email alert for URLs containing “@” or “@gmail” +1 9. GA exclude traffic from robot setting is enabled +1 10.You have actioned atleast one GA heathcheck alert +1 Ref: [n] / 10

47. Force Rankings: Make a note of your Light score

48. Darkness and the Light – scorings 10 Yoda 6-8 Luke 3-5 Leia 0-2 Chewbacca 0 Neutral Zone – 0-2 Darth Maul – 3-5 Count Dooku – 6-8 Darth Vader – 10 Darth Sideous Light score –

49. Dark Score 1. 3rd party cookies are being deployed on your website -1 2. Have not enable frequency capping on Display network -1 3. UserID tracking is enabled, but not declared to users on privacy page. 4. GA`s data append via CSV upload (dimension widening) for userID as a customDimension using sensitive data (e.g. Financial grouping/status based on users postcode/address) -1 5. Using Device Signature (Android App only) -1 6. Email address stored in GA url report -1 7. Storing passwords in GA URL report -1 8. Respawn of users sessionID cookie, after the user tries to clear cookie -1 9. Using any of the techniques mentioned on evercookie -1 10.Using GA to track progress of trojan virus installations -100 [n] / 10

50. Force Rankings: Make a note of your Dark score

51. Darkness and the Light – scorings 10 Yoda 6-8 Luke 3-5 Leia 0-2 Chewbacca 0 Neutral Zone – 0-2 Darth Maul – 3-5 Count Dooku – 6-8 Darth Vader – 10 Darth Sideous Light score Dark Score – –

52. Now: Light Score – Dark score = Actual score

53. Darkness and the Light – scorings 10 Yoda 6-8 Luke 3-5 Leia 0-2 Chewbacca 0 Neutral Zone – 0-2 Darth Maul – 3-5 Count Dooku – 6-8 Darth Vader – 10 Darth Sideous Light score Dark Score Sum of both – – –

54. Malintent Accidental Bad Good Overall Score? -10 +10

55. If you got a dark score join these… ? “MOA code of conduct” or “DAA code of ethics” will eventually introduce one

56. Thanks & Questions #SPWK @philpearce

57. Appendix…

58. DISCLAIMER – I`m not a lawyer GA terms of service Privacy Trouble shooter Report a privacy concern Contact Google Analytics Report a security concern [email protected]

59. Discussion Questions ? How much is your data worth? ? Can you afford to drive traffic in the dark with no insight? ? Is PII or sensitive data or urls being accidentally tracked? ? When was the last time you audited your WA installation? ? Are you capturing data that easily allows an individual to be “linked” or “re-identified” by Google (e.g. detailed demographic data example, or + example1 or example2)

60. Related presentations & resources . CookieTAB virus screenshots eenshots%20.pptx Effect of EU Cookie law on US businesses: 04%20GAUGE%20Boston%20- %20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx Recipe for a Cookie Law okie%20Law%20by%20Phil%20Pearce%20.pptx Cookie law Implementation Examples %20Pearce%202012_03_18.pptx Cookie compliance Audit – Example.docx t%20-%20Example.docx CookieLaw research in 90mb Dropbox:

61. Appendix External privacy feedback mechanisms: 214105/file-a-complaint code-nai-member-company-2 [ form] [W3C feedback mechanism] m&cmpt=q [user web searches in category of “privacy” per country] Security & Privacy prize of upto £13K offered by Google for detecting holes: Example XSS hole in GA found in 2008: 12/msg00200.html Open Source feedback techniques Free to check cookie databases:

0117 3361103


For the PDF Copy, please enter email address
Click Me