This document discusses blackhat analytics techniques such as dark tracking and intentionally distorting web analytics data. It begins with defining blackhat analytics and providing examples of early blackhat techniques from pre-2010. It then discusses classifications of good and bad analytics data and potential penalties for violations. It notes an increase in online competitiveness and revenue at stake could lead to more malicious analytics practices. The document warns of increased scrutiny from organizations like Google's planned privacy "Red Team" and potential class action lawsuits in response to privacy issues.
Don't miss the next year of Marketing Festival Brno - http://www.marketingfestival.cz
You can also buy a video of this presentation at marketingfestival.cz
9. Hypothesis
At some point in the future "BlackHat Analytics" or “Faking Conversions” might become more widespread, because:
1. Web analytics (WA) is becoming more important for business decision making.
2. Automatic performance-based PPC bid management systems are becoming more widely used.
3. Increase in online competitiveness & more revenue at stake.
10. Definition
Intentional act of distorting, deleting, unethically using, or hijacking WA data using technical or legal loopholes, with the goal of making financial gains or obtaining a competitive advantage.
Phil Pearce 2009
11. Evil tracking from pre-2010
• Referral backlink log spam (deprecated SEO technique)
• Ad behavioural targeting (Interest Based Stalking)
• Remarketing Ads (Return Visitor Stalking) - Starwars stalker
• Safari 3rd party POST cookie (Preference bypassing)
• NEW: “Headless Browser” spam
• Flash cookie respawn (Zombie Cookies)
• Visited links CSS hack (History Sniffing)
• GA log spam (Spider visit loading JS)
• EverCookie (all of the above+)
13. The EverCookie was so difficult to delete: even NSA considered using it!
But they decided they did not need it ;)
Source: http://www.slideshare.net/jonbonachon/tor-stinks
15. Classification
Intent: Accidental vs. Malicious
Target: Own website vs. Competitor's website
Purpose of data collection: Same purpose vs. Different purpose
Scale: Niche vs. Mass effect
Impact: Data unaffected vs. GA Account deletion
16. Classifications
[Diagram: tracking techniques plotted on two axes, from "Malintent" to "Unintentional or Accidental" and from "Bad/Unreliable Measure Data" to "Good/Accurate Measure Data". Items shown:]
• Cashback cookies (e.g. Quidco)
• Flash Cookie
• Flash Cookie Respawn
• EverCookie
• CSS history sniffing
• Speed checking robots
• Google Wifi incident
• Hostname spam
• Google (not provided)
• Phone call logs
• App error logs
• Fake conversions
• Referral log spam
19. Liability for Privacy & Security
Is the agency liable? No.
Local laws say... Website Owner is responsible (not Agency or Vendor).
BUT the agency is responsible for:
• Upholding professional standards (e.g. GACP status)
• Pro-active client relationship
22. It's all about the money! €€€
• Affiliate networks looking to increase CPA and attract new Affiliates.
• Online News websites looking to retain users & sell stories (e.g. NYT)
• Banner networks looking to improve CPM & reduce cookie deletion rates and overcome keywords “not provided”.
• Sustained CPC bidding wars
• Big data
24. Meet the new Matt Cutts ...
Matt Cutts: Hired WebSpam fighter to force quality improvements in 2000.
http://www.mattcutts.com/blog/about-me/
“Red team” leader: Google Privacy “Red” team soon to be hired in 2013 following FTC settlement. Mission to discover and prioritize subtle, unusual, and emergent privacy & security flaws.
https://www.google.com/about/jobs/locations/mountain-view/engineering/systems/data-privacy-engineer-privacy-red-team-mountain-view.html
26. F@#K - GA account deleted!
• You will not collect any data that personally identifies an individual such as a:
  - full name
  - email address
  - billing information
  - or other data which can be reasonably linked to such information by Google
• You must post a Privacy Policy which provides notice that your use of cookies is to collect traffic data.
• You must not circumvent any privacy features (e.g. an opt-out) that are part of GA.
www.google.com/analytics/terms/us.html
27. Why can't GA just remove the bad PII data?
• Free WA packages are unable to remove PII without deleting whole GA accounts!
• Raw logs are only stored for ~30 days.
• Right to be forgotten was introduced after GA was designed (although this might be possible with Universal, which is user-centric, not visitor-centric).
28. “Sensitive” data is also an issue
http://en.wikipedia.org/wiki/Personal_identifier#Examples_of_PID
29. Don’t use userIDs that contain PII…
• R2D2 (random userID)
• KennyBaker (Full Name used for userID)
31. Solution/Counter-measure for Accidental PII
Or use temporary robots.txt fix:
User-agent: *
Disallow: /*utm_medium=email
Disallow: /*gmail.com
Noarchive: /*utm_medium=email
Noarchive: /*gmail.com
Add exclude parameters to
GWT:
email, mail
utm_source, utm_medium,
utm_campaign, utm_content,
utm_keyword, _ga
32. Legal Disclaimer: The purpose of this example is to demonstrate a hole in all Analytics
platforms, and how to patch this hole. It is used for TESTING purposes ONLY.
By reading this example you agree to NOT use this on a live website, and agree that I (Phil
Pearce) am NOT liable for any damage that a website owner may suffer arising out of
this example & tool.
If you are in any doubt, please seek the advice of the Google legal team
www.google.com/contact/ or your local legal counsel BEFORE testing.
Note: This issue was raised on the GACP private discussion forum 6 months ago, prior
to this event.
Disclaimer
34. Intentional Data damage
WARNING: Don’t Try this at Home!
javascript:_gaq.push(['_setAccount','UA-xxxxxx-1'],['_addTrans','8148350','affiliation','-9223372036854775807','-9223372036854775807','0.00','-','-','-'],['_addItem','SKU 00001','8148350','BIG refund','-','-9223372036854775807','1'],['_trackTrans']);
http://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=44&utmn=393079074&utmhn=domain.com&utmt=tran&utmtid=8148350&utmtst=affiliation&utmtto=-9223372036854775807&utmttx=-9223372036854775807&utmtsp=0.00&utmtci=-&utmtrg=-&utmtco=-&utmcs=UTF-8&utmsr=1366x768&utmvp=1366x550&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=11.9 r900&utmdt=TITLE&utmhid=509485053&utmr=-&utmp=/&utmht=1385061484294&utmac=UA-XXXXX-1&utmcc=__utma=251194116.2116214072.1385060410.1385060410.1385060410.1; __utmz=251194116.1385060410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qjAL~
35. Solution/Counter-measure for intentional Data Damage
Tool to manually fix…
bit.ly/bigintegerfix
36. Fine calculator
Fine = (No. users affected * Scale badness * Size of Brand)
less
(Website Risk assessment
+ Vendor privacy self certification)
37. Sony €320K fine by ICO for email &
password breach.
Adobe password Breach expected to be
£ALOT more!
http://www.ico.gov.uk/news/latest_news/2013/ico-news-release-2013.aspx
http://www.youtube.com/watch?v=2vZHg2F4u5Q
Here is a Fine example
49. Do class action lawsuits exist in Europe
or are they only in US?
Question…
50. Class Action Prosecutors:
also now active in UK!
e.g. Google UK vs Olswang Class Action
(Safari 3rd party cookie bypassing on iOS)
51. First ever UK “group action” vs Google UK in
Feb 2013 claiming 10m Safari users affected
www.googlelawsuit.co.uk and www.facebook.com/SafariUsersAgainstGooglesSecretTracking
UK test case, could set
precedent for
EU class-action cases!
52. Successful class action raids in
US…
Settlement funds 50:50 between users and Class Action
Lawyers.
Previous settlements 70:30, thus smaller % cut for Class
Action Lawyers, but huge number users in claim.
€13
million hit
€13
per user
€7.5
million
53. W3C republic – A new hope for Truce
Must be UNSET by default
DNT user signal
54. Browsers ignore the W3C consensus on DNT
Firefox: Talks about a blockade of
3rd party cookies
MS: Windows8 IE10 rolls out DNT=1
which is UNSET by default!
55. Firefox Lost battle: Too many False positives
Firefox says its Han's
are tied for a few months
on 3rd party cookies
Dark Side too
powerful ;)
56. MS IE10 DNT=1 browser
signal
ON by default…
http://www.ypolicyblog.com/policyblog/2012/10/26/dnt/
http://www.admonsters.com/article/apache-ignores-ie10-dnt-signal
…IE10
DNT signal
grounded
…Both Apache &
Yahoo threaten to
ignore DNT=1
from IE10…
58. 2 years reign!
Infighting & disunity between
Advertisers & Privacy Advocates.
Definition of Tracking (DNT) still
not defined!
http://www.theregister.co.uk/2013/11/05/do_not_track_w3c_ads_privacy/
W3C republic
59. Group “almost”
disbanded
Peter Swire - Chief resigns
Jonathan Mayer – Firefox resigns
Digital Advertisers Association –
leaves group!
Old W3C republic
Key member:
Thomas Roessler
joins Google!
61. New Imperial Advertising Principles
AdChoices proposed as
replacement for W3C's DNT
Source:
http://www.adweek.com/news/technology/daa-convene-new-do-not-track-group-updated-153023
62. Privacy in the Universe restored!
Users have choice & freedom within
the Global Imperial Empire
64. The Dark Star
Also affiliate networks start
building Device Signature
conversion tracking tools:
We (tradedoubler.com) are looking at options such as device recognition,
using non-personally identifiable information that is freely available from a
user’s device. Using advanced matching algorithms a single device can
be recognized at the point of impression/click and conversion without the
use of cookies. http://www.tradedoubler.com/uk-en/blog/firefox-22-cookies/ [Jun 2013]
BIG Data Centre with ability to
process:
1. Device Signature tracking
2. UserID respawn
3. Custom Remarketing
67. Browsers (excluding Chrome) secretly
move to anonymise device signatures
So that all
customised devices
extensions look the
same!
Thus…
destroying any
shadow tracking
68. Facebook(Borg) & Google (Empire)
counter attack…
Use Force-browser power, to set
DNT=0 (Do Target Me)
when user signs into service (messenger/gmail)
70. Headless Browser robotic crawlers
causing havoc in GA data!
Impossible to differentiate from a real user!
www.webmasterworld.com/search_engine_spiders/4619880.htm
http://nodejsmodules.org/new/tags/spider
Examples of
Headless
Browsers:
• Zombie.js
• Phantom.js
• HtmlUnit
Definition: A
headless browser is a
web browser
WITHOUT a user
interface.
72. Polarisation
Dark get darker
(e.g. IE fav icon 3rd party
cookies bypassing browser
hole/exploit)
White get whiter
(e.g. duckduckgo.com
& ixquick.com, mezzobit.com
increase in usage)
73. Return of the Jedi Strike
2015 invasion of Privacy officers
Forced 5% global revenue power
(max €100 million)
University Research divisions
expand use of Taint Droids
Note: Anti-TaintDroid link:
http://gsbabil.github.io/AntiTaintDroid/
source: bringyourownit.com/2014/04/09/eu-data-protection-reform-the-100-million-euro-fine/
& www.bbc.co.uk/news/technology-25825690
74. $ Fines/Lawsuits
Low Chance of
Blackhat
Detection
High Chance of
Blackhat
Detection
Balance of Power
Ad Revenue $
Browsers Neutral
(in the middle)
Google Data Empire
Facebook Borg
Class Action
Prosecutors
Jedi Enforcers
83. That means YOU need to agree
not to break the analytics code of honour
AND make sure no one else abuses the system!
Good Bad
Report any
thing that
looks a bit
“Grey”
84. Standards & Self regulation
• Vendor built-in privacy & misuse protection
• Adwords & Adsense ToS levels
• Affiliate network guidelines
• WAA Code of Conduct
• GA qualified individual
• GAP certified partner
• WAA Certified Ethical Analyst
• Risk assessment / Compliance audit
• Third party reviews & compliance automated monitoring
87. ONE exception…
(false U.i.O sighting)
Track
me!
If user..
Reads tracking message &
they still say… YES, track me!
Then it's not UiO
Just Quantitative
self – tracking
agreement
88. Need for Industry standards and Honey
pots / seeds tests.
Forced Training & Accreditation (e.g.
Certified Analyst or MOWA member)
Google Adwords privacy cpc tax and
Google organic SERP ranking bonus
(SSL as ranking signal is a start)
89. Fixes (GA profile filters)
GA profile filters:
Hostname include filter: (^|\.)yourdomain\.com$
ISP location exclude Ask.com bot:
^(inktomi corporation|iac search and media europe ltd|iac search media inc|yahoo! inc.|facebook inc.|stumbleupon inc.|dub6 ec2|site confidence test agent servers|site ?confidence|apache ltd.|nielsen netratings|affinity internet inc|microsoft corp)$
Top content report - Contains box:
(email|add|postcode|zipcode|tel) or [?&](.+)=(.*)gmail\.com
Weekly scheduled report to check for the above
Check data stored in
utm_content, User-defined, CustomFields & Event fields
Check all GA profiles including Raw Data profile for
PII, and add exclude parameters where necessary.
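The "Top content" check above can be run as a script over exported page paths. The following is an added example, not code from the slides: it reuses the slide's parameter-name keywords, generalises the gmail.com pattern to any e-mail-shaped value (an assumption), and all function names, the placeholder origin and the sample rows are constructed.

```javascript
// Added example, not from the slides. Sample report rows are constructed.
// Keywords from the slide's "Contains" filter, matched against parameter names.
// Note: "add" and "tel" are broad and will also match names such as "addon".
const PII_NAME = /(email|add|postcode|zipcode|tel)/i;
// Assumption: flag any e-mail-shaped value, not only gmail.com addresses.
const EMAIL_VALUE = /[^\s@\/?&=]+@[^\s@\/?&=]+\.[a-z]{2,}/i;
const BASE = 'http://report.invalid'; // placeholder origin, used only for parsing

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Return one finding per query parameter (or path) that looks like PII.
function auditPath(pagePath) {
  const url = new URL(pagePath, BASE);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (EMAIL_VALUE.test(value)) findings.push({ name, reason: 'email-value' });
    else if (value !== '' && PII_NAME.test(name)) findings.push({ name, reason: 'pii-name' });
  }
  if (EMAIL_VALUE.test(safeDecode(url.pathname))) {
    findings.push({ name: '(path)', reason: 'email-value' });
  }
  return findings;
}

// Produce the path as it should have been recorded, with flagged values masked.
function redactPath(pagePath) {
  const url = new URL(pagePath, BASE);
  for (const { name } of auditPath(pagePath)) {
    if (name !== '(path)') url.searchParams.set(name, 'REDACTED');
  }
  const anyEmail = new RegExp(EMAIL_VALUE.source, 'gi');
  url.pathname = safeDecode(url.pathname).replace(anyEmail, 'REDACTED');
  return url.pathname + url.search;
}

// Constructed "Top content" rows: page path and pageviews.
const SAMPLE_ROWS = [
  ['/landing?utm_medium=email&utm_source=newsletter', 950],
  ['/thanks?email=kenny%40example.com&step=2', 12],
  ['/unsubscribe/kenny@example.com', 3],
  ['/checkout?postcode=SW1A+1AA', 7],
];

function auditReport(rows) {
  return rows
    .map(([path, views]) => ({ path, views, findings: auditPath(path), clean: redactPath(path) }))
    .filter(row => row.findings.length > 0);
}
console.log(auditReport(SAMPLE_ROWS));
```

A random userID such as R2D2 passes this check, and so does a full name used as a userID: names cannot be spotted by pattern, so that case still needs a manual review of what the site puts into its URLs.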
90. Fixes (process changes)
Account protection
Training for developers and marketers
Check scheduled reports are not being sent to
unknown users.
Limit the number of Admin users
Enable 2 stage authentication if possible.
Look for unusual variances or data spikes in
GA (especially new visits to homepage)
CPA audits (GA vs Affiliate report)
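The spike check and the CPA audit above come down to reconciling what the analytics tool recorded against the shop's own order records. The following is an added example, not code from the slides or from the bit.ly tool: the plausibility cap, the field names and every row are constructed assumptions, except the transaction id and total taken from the _addTrans call on the "Intentional Data damage" slide.

```javascript
// Added example, not from the slides. Rows are constructed, except the
// transaction id and total taken from the slide's _addTrans call.
const MAX_PLAUSIBLE = 100000; // assumption: no genuine order or refund exceeds this

// Compare analytics transactions against the shop's own order records.
function auditTransactions(analyticsRows, backendOrders) {
  const orders = new Map(backendOrders.map(o => [o.id, o.total]));
  const findings = [];
  for (const row of analyticsRows) {
    const revenue = Number(row.revenue);
    if (!Number.isFinite(revenue) || Math.abs(revenue) > MAX_PLAUSIBLE) {
      findings.push({ id: row.id, issue: 'implausible-value' });
    } else if (!orders.has(row.id)) {
      findings.push({ id: row.id, issue: 'no-matching-order' });
    } else if (Math.round(revenue * 100) !== Math.round(orders.get(row.id) * 100)) {
      findings.push({ id: row.id, issue: 'amount-mismatch' });
    }
  }
  return findings;
}

// Revenue in cents, counting only rows that passed every check.
function trustedRevenueCents(analyticsRows, backendOrders) {
  const flagged = new Set(auditTransactions(analyticsRows, backendOrders).map(f => f.id));
  return analyticsRows
    .filter(row => !flagged.has(row.id))
    .reduce((sum, row) => sum + Math.round(Number(row.revenue) * 100), 0);
}

// Export of the analytics transaction report (revenue arrives as text).
const ANALYTICS_ROWS = [
  { id: '1001', revenue: '59.90' },
  { id: '1002', revenue: '120.00' },
  { id: '8148350', revenue: '-9223372036854775807' }, // value from the slide
  { id: '1003', revenue: '15.00' },
  { id: '9999', revenue: '40.00' },
];
// The order system is the source of truth.
const BACKEND_ORDERS = [
  { id: '1001', total: 59.9 },
  { id: '1002', total: 120 },
  { id: '1003', total: 150 },
];

console.log(auditTransactions(ANALYTICS_ROWS, BACKEND_ORDERS));
console.log(trustedRevenueCents(ANALYTICS_ROWS, BACKEND_ORDERS));
```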
93. I'll be track-ed (still)
No! California just asks for DNT visibility
(i.e. Does your server read the DNT signal?)
94. Prevention
Use a tag management system, that is configured with
digitalData layer privacy features enabled (see appendix)
Try to use POST request rather than GET request where
possible, or a form action=/thankyoupage.html
Keep pdf reader, flash & java updated
Lock down FTP to a fixed set of static IPs, use long passwords,
and ideally use 2-stage Authentication for GTM write-access.
95. Recent development… Privacy Vigilantism
Good:
• Egypt Gov “disconnected the
Internet” to control dissidents
• Anonymous coordinated with
dissidents to re-setup internet
communications in Egypt
Bad:
• They ignore the law!
• Young & inexperienced
• “Splinter groups” & “out of control”
- hacking random websites!
Small Group of Users are revolting: Anonymous
96. This is how things should be…
(Closing Remarks)
Google acts even
more responsibly
Facebook introduces a more
human(friendly) privacy interface
Users should not need to rely
on despicable class action lawyers
Enforcers become just watchers
not needing to intervene
97. May the Data be on your side!
Party Tonight:
19:30 NVMERI
20:10 MyCool King +
DJ Trush
21:00 Charlie Straight
22:15 midi lidi
98. May 4th be with you!
But.. be careful of the 5th November!
Sith
May the force
And 25th December - I feel your presents
99. Please Sign up to be a force for good…
Google for “DAA code of ethics” or “MOA code of conduct” Please Sign!
www.digitalanalyticsassociation.org/codeofethics
www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view
102. DISCLAIMER – I'm not a lawyer
GA terms of service
http://www.google.com/analytics/terms/us.html
http://www.google.com/analytics/learn/privacy.html
Privacy Troubleshooter
http://support.google.com/bin/static.py?hl=en&ts=1291807&page=ts.cs
Report a privacy concern
http://www.google.com/contact/
Contact Google Analytics
http://support.google.com/analytics/bin/request.py?hlrm=en&contact_type=contact_policy
https://support.google.com/adwords/answer/8206?contact=1&rd=1
Report a security concern
security@google.com
http://www.google.com/security.html
103. Discussion Questions
How much is your data worth?
Can you afford to drive traffic in the dark with no
insight?
Is PII or sensitive data or URLs being accidentally
tracked?
Can competitors detect that PII data is being sent
into GA?
Are you in a very competitive industry?
When was the last time you audited your WA
installation?
Are you capturing data that easily allows an
individual to be “linked” or “re-identified” by Google
(e.g. detailed demographic data example, or
Netflix.com + IMDB.com example1 or example2)
104. Related presentations & resources
CookieTAB virus screenshots
https://www.dropbox.com/s/w0gprycb23ajguw/2011_03_18%20CookieTAB%20virus%20screenshots%20.pptx
Effect of EU Cookie law on US businesses:
https://www.dropbox.com/s/ces1m53mm7o4gmm/2012-10-04%20GAUGE%20Boston%20-%20Effect%20of%20EU%20Cookie%20law%20on%20US%20organisations.pptx
Recipe for a Cookie Law
https://www.dropbox.com/s/l9n3gchusdv57bm/2011_03_18%20Recipe%20for%20a%20Cookie%20Law%20by%20Phil%20Pearce%20.pptx
Cookie law Implementation Examples
https://www.dropbox.com/s/7q8qfxesk44tpkc/Implimentation%20Examples%20by%20Phil%20Pearce%202012_03_18.pptx
Cookie compliance Audit - Example.docx
https://www.dropbox.com/s/idyrql6c1aniaw6/01%20UK%20Cookie%20compliance%20Audit%20-%20Example.docx
CookieLaw research in 90mb Dropbox:
https://www.dropbox.com/s/uapu90d7rc2uxl1/2012_Cookie_Law_Resources_Folder_40mb_Download.zip
105. Appendix
External privacy feedback mechanisms:
safeharbor.export.gov/companyinfo.aspx?id=16626
feedback-form.truste.com/watchdog/request?url=www.google.com
www.bbb.org/sanjose/business-reviews/internet-services/google-in-mountain-view-ca-214105/file-a-complaint
www.networkadvertising.org/contact-support/report-problem/i-would-report-violation-of-nai-code-nai-member-company-2
www.snapsurveys.com/swh/surveylogin.asp?k=133707671186 [ICO.gov.uk form]
addons.mozilla.org/en-US/firefox/addon/privacy-dashboard/ [W3C feedback mechanism]
www.google.com/trends/explore?hl=en#cat=0-14-54-1281&geo=US&date=today%203-m&cmpt=q [user web searches in category of “privacy” per country]
Security & Privacy prize of up to £13K offered by Google for detecting holes:
www.google.com/about/appsecurity/reward-program/
blog.chromium.org/2012/08/announcing-pwnium-2.html
Example XSS hole in GA found in 2008: derkeiler.com/Mailing-Lists/Full-Disclosure/2008-12/msg00200.html
Open Source feedback techniques
fourthparty.info/data
appanalysis.org/download.html
Free to check cookie databases:
www.cookielaw.org/cookie-search.aspx?domain=http://www.facebook.com
www.cookiecert.com/cookies-for-facebook.com
privacyscore.com/score_details/2a03b4fe8d9d4eb8b4fb0ccf356cbaaa/showcase
Editor's Notes
Welcome :)
Fun fact
Definition: A headless browser is a web browser WITHOUT a user interface. They are frequently used for quality control or to extract data from pages, but have the power to be used for other purposes. Headless browsers are able to parse JavaScript. They can click on links and even cope with downloads.