Date posted: 12-Apr-2017
Category: Data & Analytics
Uploaded by: eike-pierstorff
Unmanaged Tags: Data Protection in the Age of Mindless Proliferation
14/11/2016
Digital Analytics Meetup Berlin
So what is he talking about
§ Legal Guidelines, of limited usefulness
§ Tag Management, or, I think it would be a great idea
§ Should we even care, or, of course, but why
§ What do we do next, to make the world a little better
Legal Guidelines
EU Directives
Other Rules
National Laws
WTF?
Legal Guidelines
EU Directives
§ Informed consent as guiding principle
§ Not a „cookie law“
National Laws
§ Bundesdatenschutzgesetz, Landesdatenschutzgesetz
§ Telekommunikationsgesetz („Datensparsamkeit“)
Other Regulations
§ Vendors' terms of service
§ Communiqués by privacy officers
§ International agreements (e.g. Privacy Shield)
Legal Guidelines
Laws provide guidelines
§ They tell us in broad terms what we can or can't do
§ If it's the same for all, it puts us all on an even footing
But there is always a but
§ Figuring out specifics might take legal counsel
§ Most of these rules apply only to personally identifiable data
§ But definitions are unclear and prone to change (e.g. IP addresses might be PII or not, depending on whom you ask)
The Problem
§ Developers are missing from that description
§ Marketers and even „webmasters“ are not necessarily tech-savvy
§ Ease of use invites abuse
Tag Management
Tag Management, dangers of
TMS are JavaScript Injectors
§ They have been described as „XSS as a Service“
§ This is not actually funny
Injected Tags run in the Page Context
§ They have access to all page data (forms, cookies, user data)
§ They can send data anywhere
Other Problems
§ Tags may break SSL encryption
§ They may overwrite variables
§ They may load heaps of other stuff
Tag Management and 3rd party tags
§ Many marketing tags are container tags
§ They may load other tags ...
§ ... which may load other tags ...
§ ... which may load even more tags ...
§ (You see where this is going)
§ Proliferation of tags makes control of data impossible
Tag Management – Stop-gap measures
Set Permissions
§ Exclude marketing from publishing (no offense meant)
§ Let developers do the vetting of tags
§ Listen to them when they decline a tag
Use Whitelists
§ Some TMS (e.g. GTM) allow you to whitelist/blacklist tags
§ You should prefer whitelists
§ If possible, limit yourself to image tags and iframes
§ But if you allow custom HTML tags and JS variables you might as well not bother
Kick Publishers' Butts
§ Why do they load 3rd party stuff anyway?
Tag Management – Stop-gap measures
Browser Testing
§ Step manually through your site to see which tags are loaded
§ Ghostery lists all tags that are loaded
§ WASP Inspector displays dependencies between tags
Continuous Testing
§ Ghostery offers an (expensive) business solution
§ For a homegrown solution, capture requests with a headless browser
§ (Automating everything is a PITA, so mock your page with just empty HTML, a data layer and the TMS code)
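A sketch of the check such a homegrown test could run once the requests are captured (added example, not from the original slides). The record shape (`url`, `initiator`), the host names and the approved list are assumptions, and the sample records are constructed.

```javascript
// Constructed sample: request records as a headless browser run of the mock
// page might yield them (initiator = script that triggered the request,
// null for requests made by the page itself). All hosts are placeholders.
const captured = [
  { url: 'https://tms.example/container.js', initiator: null },
  { url: 'https://tags.vendor-a.example/loader.js', initiator: 'https://tms.example/container.js' },
  { url: 'https://sync.vendor-b.example/pixel.gif?id=1', initiator: 'https://tags.vendor-a.example/loader.js' },
  { url: 'http://cdn.vendor-c.example/lib.js', initiator: 'https://tags.vendor-a.example/loader.js' },
  { url: 'https://stats.vendor-d.example/collect', initiator: 'https://tms.example/container.js' },
];

// Hosts that developers have vetted and approved (assumed list).
const approvedHosts = new Set(['tms.example', 'tags.vendor-a.example', 'stats.vendor-d.example']);

// Number of hops between the page and this request, following initiators.
// A depth above 1 means a tag was loaded by another tag, not by the TMS.
function chainDepth(url, byUrl, seen = new Set()) {
  const rec = byUrl.get(url);
  if (!rec || rec.initiator === null || seen.has(url)) return 0;
  seen.add(url);
  return 1 + chainDepth(rec.initiator, byUrl, seen);
}

// Flag requests to unapproved hosts and requests that are not encrypted.
function auditRequests(records, approved) {
  const byUrl = new Map(records.map((r) => [r.url, r]));
  const findings = [];
  for (const r of records) {
    const u = new URL(r.url);
    const problems = [];
    if (!approved.has(u.hostname)) problems.push('unapproved host');
    if (u.protocol !== 'https:') problems.push('not HTTPS');
    if (problems.length > 0) {
      findings.push({ host: u.hostname, depth: chainDepth(r.url, byUrl), loadedBy: r.initiator, problems });
    }
  }
  return findings;
}

const findings = auditRequests(captured, approvedHosts);
for (const f of findings) {
  console.log(`${f.host} (depth ${f.depth}, loaded by ${f.loadedBy}): ${f.problems.join(', ')}`);
}
```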
Tag Management – Stop-gap measures
Content Security policies
§ CSPs were originally designed to combat XSS
§ But then we know TMS are XSS as a service
§ CSPs set „allowed origins“ for scripts and other resources
§ They prevent forms from being hacked, ensure SSL encryption etc.
Problems with CSPs
§ No support by IE, limited support by Edge
§ Notoriously difficult to manage
Tag Management – Stop-gap measures
Implementation of CSPs
§ CSPs are supposed to be set as HTTP headers
§ So for full support they need to be set on the server
§ However, some features can be set via <meta> tags
§ So you can do some basic prototyping within your TMS
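The header/<meta> difference as an added example (not from the original slides): one policy rendered both ways, with the directives that browsers ignore in a <meta> tag (frame-ancestors, report-uri, sandbox) stripped and reported. All origins are placeholders and the function names are hypothetical.

```javascript
// Directives that are ignored when the policy is delivered via <meta>;
// they only take effect in the HTTP response header.
const HEADER_ONLY = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Build a policy from vetted origins (all origins here are placeholders).
function buildPolicy({ scripts, images, frames, reportUri }) {
  const directives = [
    ['default-src', ["'self'"]],
    ['script-src', ["'self'", ...scripts]],
    ['img-src', ["'self'", ...images]],
    ['frame-src', frames.length ? frames : ["'none'"]],
    ['form-action', ["'self'"]], // forms may only post back to our own origin
    ['frame-ancestors', ["'none'"]],
    ['upgrade-insecure-requests', []], // rewrite http:// subresources to https://
  ];
  if (reportUri) directives.push(['report-uri', [reportUri]]);
  return directives;
}

const serialize = (directives) =>
  directives.map(([name, values]) => [name, ...values].join(' ')).join('; ');

// Full policy, as the server would send it.
function asHeader(directives) {
  return `Content-Security-Policy: ${serialize(directives)}`;
}

// Reduced policy for prototyping, plus the list of what was lost.
function asMetaTag(directives) {
  const usable = directives.filter(([name]) => !HEADER_ONLY.has(name));
  const dropped = directives.filter(([name]) => HEADER_ONLY.has(name)).map(([name]) => name);
  const tag = `<meta http-equiv="Content-Security-Policy" content="${serialize(usable)}">`;
  return { tag, dropped };
}

const policy = buildPolicy({
  scripts: ['https://tms.example'],
  images: ['https://stats.vendor-d.example'],
  frames: [],
  reportUri: 'https://csp-reports.example/collect',
});
const meta = asMetaTag(policy);
console.log(asHeader(policy));
console.log(meta.tag);
console.log('header-only, lost in <meta>:', meta.dropped.join(', '));
```

A <meta> policy does not apply to content that precedes it in the document, so a tag placed late in the page constrains less than the same policy sent as a header.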
Why do we care?
§ Because we are fundamentally good people
§ „Do unto others as you would have them do unto you“ (Jesus, attr.)
§ „Act only according to that maxim whereby you can at the same time will that it should become a universal law without contradiction“ (Immanuel Kant)
§ However, in real life ethics often takes the back seat
Why do we care?
§ „Every action has an equal and opposite reaction“ (Isaac Newton)
§ Ex.: A single lawsuit took down Safe Harbor
§ EU tightens regulations
§ People are getting worried and angry
§ The reaction might very well be rather disproportionate
What do we do now?
Transparency
§ Brilliant example: http://www.bbc.com/usingthebbc/cookies/
§ Problem: people prefer complaining over educating themselves
Advocacy
§ We do expert meetups. Why don't we do „layperson“ meetups?
§ Problem: This might be viewed as lobbying
Doing a better job
§ Do more with less data
§ More respect for user preferences
§ Hold up our end of the bargain
Who am I
§ Eike Pierstorff
§ Senior Implementation Consultant with e-dynamics
§ Job: [email protected]
§ Casual: [email protected]
§ Blogging about Analytics here: http://www.flesheatingarthropods.org/