unmanaged tags - data protection in the age of mindless proliferation


Upload: eike-pierstorff

Post on 12-Apr-2017


Unmanaged Tags Data Protection in the Age of Mindless Proliferation

14/11/2016

Digital Analytics Meetup Berlin

So what is he talking about

§  Legal Guidelines, of limited usefulness

§  Tag Management, or, I think it would be a great idea

§  Should we even care, or, of course, but why

§  What do we do next, to make the world a little better

Legal Guidelines

EU Directives

Other Rules

National Laws

WTF?

Legal Guidelines

EU Directives

§  informed consent as guiding principle

§  not a „cookie law“

National Laws

§  Bundesdatenschutzgesetz, Landesdatenschutzgesetz

§  Telekommunikationsgesetz („Datensparsamkeit“)

Other Regulations

§  Vendors' terms of service

§  Communiqués by privacy officers

§  International agreements (e.g. Privacy Shield)

Legal Guidelines

Laws provide guidelines

§  They tell us in broad terms what we can or can't do

§  If they are the same for all, they put us all on even footing

But there is always a but

§  Figuring out specifics might take legal counsel

§  Most of these rules apply only to personally identifiable data

§  But definitions are unclear and prone to change (e.g. IP addresses might be PII or not, depending on whom you ask)

The Problem

§  Developers are missing from that description

§  Marketers and even „webmasters“ are not necessarily tech-savvy

§  Ease of use invites abuse

Tag Management

Tag Management, dangers of

TMS are JavaScript Injectors

§  They have been described as „XSS as a Service“

§  This is not actually funny

Injected Tags run in the Page Context

§  They have access to all page data (forms, cookies, user data)

§  They can send data anywhere

Other Problems

§  Tags may break SSL encryption

§  They may overwrite variables

§  They may load heaps of other stuff

Tag Management and 3rd party tags

§  Many marketing tags are container tags

§  They may load other tags ...

§  ... which may load other tags ...

§  ... which may load even more tags ...

§  (You see where this is going)

§  Proliferation of tags makes control of data impossible

Tag Management – Stop-gap measures

Set Permissions

§  Exclude marketing from publishing (no offense meant)

§  Let developers do vetting of tags

§  Listen to them when they decline a tag

Use Whitelists

§  Some TMS (e.g. GTM) allow you to whitelist/blacklist tags

§  You should prefer whitelists

§  If possible limit yourself to image tags and iframes

§  But if you allow custom HTML tags and JS variables you might as well not bother

Kick Publishers' Butts

§  Why do they load 3rd party stuff anyway?

Tag Management – Stop-gap measures

Browser Testing

§  Step manually through your site to see which tags are loaded

§  Ghostery lists all tags that are loaded

§  WASP Inspector displays dependencies between tags

Continuous Testing

§  Ghostery offers an (expensive) business solution

§  For a homegrown solution, capture requests with a headless browser

§  (Automating everything is a PITA, so mock your page with just empty HTML, a datalayer and the TMS code)
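
A homegrown check along these lines, as an added example that is not from the original slides: it takes the requests a headless browser recorded on the mock page and reports every host that is not vetted or not served over HTTPS, together with the chain of tags that loaded it. The capture format (a url plus a single initiator URL), the host names and the allowlist are assumptions constructed for illustration.

```javascript
// Constructed sample: requests captured by a headless browser on a mock page
// (empty HTML, a data layer and the TMS snippet). All hosts are invented.
// Assumption: each record carries the URL of the resource that triggered it.
const CAPTURED = [
  { url: 'https://mock.example/', initiator: null },
  { url: 'https://tms.example/container.js', initiator: 'https://mock.example/' },
  { url: 'https://ads.example/container-tag.js', initiator: 'https://tms.example/container.js' },
  { url: 'https://pixel.tracker-one.example/p.gif?uid=1', initiator: 'https://ads.example/container-tag.js' },
  { url: 'http://sync.tracker-two.example/s.js', initiator: 'https://ads.example/container-tag.js' },
  { url: 'https://cdn.tracker-three.example/x.js', initiator: 'http://sync.tracker-two.example/s.js' },
];

// Hosts the developers have vetted (assumption for this example).
const ALLOWED_HOSTS = new Set(['mock.example', 'tms.example', 'ads.example']);

// Walk the initiators back to the page to show which tag pulled a request in.
function loadChain(url, byUrl) {
  const chain = [];
  const seen = new Set(); // guards against circular initiator records
  for (let cur = url; cur && !seen.has(cur); cur = byUrl.get(cur)?.initiator) {
    seen.add(cur);
    chain.unshift(new URL(cur).host);
  }
  return chain;
}

// Report every request whose host is not vetted or that bypasses HTTPS.
function auditRequests(captured, allowedHosts) {
  const byUrl = new Map(captured.map((r) => [r.url, r]));
  const findings = [];
  for (const { url } of captured) {
    const u = new URL(url);
    const reasons = [];
    if (!allowedHosts.has(u.host)) reasons.push('host not vetted');
    if (u.protocol !== 'https:') reasons.push('not HTTPS');
    if (reasons.length) {
      findings.push({ host: u.host, reasons, chain: loadChain(url, byUrl) });
    }
  }
  return findings;
}

for (const f of auditRequests(CAPTURED, ALLOWED_HOSTS)) {
  console.log(`${f.host}: ${f.reasons.join(', ')} (loaded via ${f.chain.join(' -> ')})`);
}
```

Run in a scheduled job, a non-empty result is the signal that a container tag has started loading something nobody vetted.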

Tag Management – Stop-gap measures

Content Security Policies

§  CSPs were originally designed to combat XSS

§  But then we know TMS are XSS as a service

§  CSPs set „allowed origins“ for scripts and other resources

§  They prevent forms from being hacked, ensure SSL encryption etc.

Problems with CSPs

§  No support by IE, limited support by Edge

§  Notoriously difficult to manage

Tag Management – Stop-gap measures

Implementation of CSPs

§  CSPs are supposed to be set as HTTP headers

§  So for full support they need to be set on the server

§  However some features can be set via <meta> tags

§  So you can do some basic prototyping within your TMS
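
To show what prototyping via <meta> leaves out (added example, not from the original slides): the CSP specification ignores frame-ancestors, report-uri and sandbox in a <meta> policy, so this code splits a policy into the <meta> tag a TMS could inject and the directives that still need the HTTP header. The policy and all host names are constructed placeholders.

```javascript
// Directives the CSP specification ignores when the policy arrives via <meta>.
const HEADER_ONLY = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Parse "name value value; name value" into [name, [values...]] pairs.
function parsePolicy(policy) {
  return policy
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .filter((tokens) => tokens[0] !== '')
    .map(([name, ...values]) => [name.toLowerCase(), values]);
}

// Split a policy into the part a <meta> tag can carry and the part that
// only takes effect as an HTTP response header.
function splitForMeta(policy) {
  const meta = [];
  const headerOnly = [];
  for (const [name, values] of parsePolicy(policy)) {
    const text = [name, ...values].join(' ');
    (HEADER_ONLY.has(name) ? headerOnly : meta).push(text);
  }
  const content = meta.join('; ');
  return {
    metaTag: `<meta http-equiv="Content-Security-Policy" content="${content}">`,
    headerOnly,
  };
}

// Constructed policy; every host is a placeholder.
const POLICY = [
  "default-src 'self'",
  "script-src 'self' https://tms.example https://analytics.example",
  'img-src https:',
  "form-action 'self'",
  "frame-ancestors 'none'",
  'report-uri https://csp-reports.example/collect',
].join('; ');

const result = splitForMeta(POLICY);
console.log(result.metaTag);
console.log('needs the HTTP header:', result.headerOnly);
```

Losing report-uri matters most for prototyping: a <meta> policy blocks silently, so violations only show up in the browser console.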

Why do we care?

§  Because we are fundamentally good people

§  Do unto others as you would have them do unto you Jesus (attr.)

§  Act only according to that maxim whereby you can at the same time will that it should become a universal law without contradiction Immanuel Kant

§  However in real life ethics often takes the back seat

Why do we care?

§  „Every action has an equal and opposite reaction“ Isaac Newton

§  Ex.: A single lawsuit took down Safe Harbor

§  EU tightens regulations

§  People are getting worried and angry

§  Reaction might very well be rather disproportionate

What do we do now?

Transparency

§  Brilliant example: http://www.bbc.com/usingthebbc/cookies/

§  Problem: people prefer complaining over educating themselves

Advocacy

§  We do expert meetups. Why don't we do „layperson“ meetups?

§  Problem: This might be viewed as lobbyism

Doing a better job

§  Do more with less data

§  More respect for user preferences

§  Hold up our end of the bargain

Who am I

§  Eike Pierstorff

§  Senior Implementation Consultant with e-dynamics

§  Job: [email protected]

§  Casual: [email protected]

§  Blogging about Analytics here: http://www.flesheatingarthropods.org/