ClickTale Privacy review by Phil Pearce Aug-2013

Clicktale Vendor Privacy Audit (August 2013)



Foreword

This audit was conducted using publicly available data from Google News, the AdWords keyword tool, AHREF.com, MyWOT.com and other web content sources. It was designed to find any possible “holes in the armour” and thus strengthen them. You have my permission to use this template to help understand and strengthen other vendors' tools. Phil Pearce (Aug 2013)

Positive PR is important for ClickTale

Users increasingly aware and concerned about privacy (US data)

Evidence of “user confusion”

Clicktale = Spyware?

This thing is unauthorised and… Mouse tracking

Keystroke logging Monitoring

Spyware = “Dangerous”?

Were these 4 users on previous slide a non-representative sample?

Re: Clicktale = Spyware?

Yes (At the moment) but…

Concerned users ARE searching for reassurance

Clicktale “privacy monitor”

User privacy dashboard examples:

1. Do users know what ClickTale is/does? (Privacy video)
2. Example of what it stores about them? (e.g. cookie values)
3. Reasons to leave this turned ON? (Value exchange)

Lack of understanding or reassurance

= “Just disable/block it”

Result No.2 “Disable Clicktale”

Yikes! Meta description not suitable… Disable and get 100 FREE recordings?

Are ClickTale ToS being enforced?

Q: Do all clicktale customers have

• an opt-out link

• a link to the Clicktale privacy policy

What are Business owners views on privacy?

Business owners increasingly concerned about privacy fines:

Large Enterprise even more concerned and at risk:

clicktale security

clicktale privacy & security clicktale privacy compliance

clicktale privacy breaches clicktale privacy ethics

clicktale privacy officer

clicktale privacy director

This is good… New Director of Security

This is good… “IP tracking removed” and no 3rd party cookies

This is good: “Gain Customers Trust article”

This is good, very good, but ONLY on the Wiki, not the main site!

http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured

Privacy Assured

How will visitors’ privacy be affected?
Your visitors’ privacy is a top priority for us. That’s why we make every effort to protect your visitors’ personal information.
1. ClickTale does not collect any personally identifiable information unless a visitor voluntarily and knowingly submits this type of data.
2. Password fields are never recorded. During session playback asterisks are displayed instead of the input.
3. Any text that a visitor enters into a form but does not submit is hidden. You can still generate Form Analytics reports on these fields, but you are not able to view the text.

Can ClickTale be used to record sensitive personal or financial information?
• We require that you block recording of any sensitive personal or financial information about your visitors by using the ClickTale API (please see the Terms of use, section 7, for more information on this). Breaking these Terms of Use will instantly invalidate your ClickTale subscription and revoke your access to all past, present and future recordings.
• You can use the ClickTaleSensitive class to censor information entered into form fields or the ClickTaleExcludeBlock method to prevent the recording of any element on your page.

Do my visitors know they are being recorded?

• The recording process itself is completely transparent to the end user. However, all ClickTale subscribers should place a disclaimer in their Privacy Policy letting their visitors know that they may be recorded. For more information please see our Terms of use.

Question: Over all time (and per month), how many subscriptions have been revoked due to PII, AND who reported/detected these: was it the end user, the client, staff or a regulator?
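The three FAQ rules and the ToS requirement to block sensitive data can be written down as a capture-side policy. The block below is an added example, not ClickTale's code: it masks captured fields the way the FAQ describes (password inputs, fields carrying the ClickTaleSensitive class, unsubmitted text), adds a site-wide "everything is sensitive" switch, and then runs a Luhn check over whatever is left so a site owner can detect a card number in a field that nobody marked sensitive. The field records, the `all_sensitive` flag and the `find_unmasked_cards` helper are constructed for this example.

```python
"""Capture-side masking policy for recorded form fields (added example, not ClickTale's code).

Encodes the three FAQ rules: password inputs are never recorded, fields marked
with the sensitive class are censored, and text typed but never submitted is
hidden. `find_unmasked_cards` then scans what remains for Luhn-valid card
numbers, so a site owner can detect a field that should have been marked
sensitive. Field records and helper names are constructed here.
"""
import re

SENSITIVE_CLASS = "ClickTaleSensitive"  # class name quoted on the page

# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def mask_value(value):
    """Asterisks of the same length, so playback shows that something was typed."""
    return "*" * len(value)


def mask_field(field, all_sensitive=False):
    """Return a copy of `field` with its value handled per policy.

    field = {"name", "type", "classes", "value", "submitted"}
    """
    out = dict(field)
    if not field.get("submitted", False):
        out["value"] = None            # unsubmitted text is hidden entirely
        out["hidden"] = True
        return out
    sensitive = (field.get("type") == "password"
                 or SENSITIVE_CLASS in field.get("classes", ())
                 or all_sensitive)
    if sensitive:
        out["value"] = mask_value(field["value"])
        out["masked"] = True
    return out


def apply_policy(fields, all_sensitive=False):
    """Apply mask_field to every captured field."""
    return [mask_field(f, all_sensitive) for f in fields]


def luhn_ok(digits):
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked_cards(fields):
    """Names of fields whose recorded value still contains a Luhn-valid card number."""
    hits = []
    for f in fields:
        value = f.get("value") or ""
        for m in CARD_RE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(f["name"])
                break
    return hits


# Constructed capture: one field carries a test card number but was never marked sensitive.
CAPTURED = [
    {"name": "email", "type": "text", "classes": (), "value": "alice@example.com", "submitted": True},
    {"name": "pw", "type": "password", "classes": (), "value": "hunter2", "submitted": True},
    {"name": "card", "type": "text", "classes": (SENSITIVE_CLASS,), "value": "4111 1111 1111 1111", "submitted": True},
    {"name": "notes", "type": "textarea", "classes": (), "value": "draft, not sent", "submitted": False},
    {"name": "card2", "type": "text", "classes": (), "value": "4111-1111-1111-1111", "submitted": True},
]

if __name__ == "__main__":
    masked = apply_policy(CAPTURED)
    for f in masked:
        print("%-6s %r" % (f["name"], f["value"]))
    print("unmasked card numbers in:", find_unmasked_cards(masked))  # ['card2']
```

Running the Luhn scan over the already-masked records is the point: anything it still finds is a field the site owner forgot to mark, which is exactly the ToS breach the wiki says leads to revocation, and the scan is cheap enough to run on every capture before it leaves the page.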

Continued…

http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured

Privacy Assured …

Can ClickTale track visitors after they leave my site?
• No, ClickTale can only track visitors on the specific web pages that contain your ClickTale tracking code.

Can my visitors choose not to be recorded?
• Yes, we offer an opt out option for anyone who does not want to be recorded. This inserts a cookie within your visitor's browser that will prevent them from being recorded by any ClickTale customer.

How secure is my data?
• Very secure. ClickTale takes several steps to ensure your data’s security.
• We restrict employees’ access to your data. ClickTale employees cannot access your data unless you provide us with your password and specific permission to access your account.
• HTTPS page data is passed to the ClickTale servers via SSL and is fully encrypted.
• Our servers are hosted at SAS/70 Type II certified data centers.
• We use firewalls to limit access to the ClickTale servers.
• We regularly apply updates to servers, OS, firewalls and all software to prevent security vulnerabilities.

Technical errors

Yikes! Is this a deprecated feature?

http://clicks.skem1.com/preview/?c=537&g=987&p=e240e16b504c7714ea27a5618baa08cb&utm_medium=email&utm_source=contactology&utm_campaign=2010_10_21_110&ct=enable,t(2010_10_21_110),t(Customer Name=Eul lee) http://clicks.electionemail.com/preview/?c=2155&g=781&p=4209474eb0aff8e0b98b1bd1fc2e4b4b&utm_medium=email&utm_source=ElectionMall Technologies Inc.&utm_campaign=Hinojosa&ct=enable,t(Arpaio),t(Zip = 23888)

http://blog.clicktale.com/2009/01/22/announcing-clicktale-email-tracking-extreme-visibility-into-your-email-campaigns/

Broken Privacy policy link on affiliate signup page

http://aff.clicktale.com/scripts/signup.php

404 handler needs updating: www.clicktale.com/privacy >> /page-cannot-be-found

Note: www.clicktale.net/bla is not redirecting to www.clicktale.com/bla

Note: www.clicktale.com/disable.html is not redirecting to www.clicktale.net/disable.html

Is ClickTale bot a Backdoor/Firewall security risk?

• Bypass companies' firewalls by whitelisting our servers' IP ranges, which are 75.125.82.64/26 and 50.97.162.64/26, and opening a network connection (normally port 80/443) for the ClickTale bot from these IPs to the site's ports on your server (e.g. 8080)

http://wiki.clicktale.com/Article/Offline_recordings
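The wiki advice above is only as safe as the rule a customer actually writes: a rule keyed on the two published ranges and one TCP port is narrow, while "allow the bot" rendered as a catch-all source or an any-port rule is the backdoor the slide title worries about. The following is an added example, not ClickTale's code or documentation: a small lint that accepts a firewall allow rule only when its source sits inside the published ranges, a single TCP destination port is named, and nothing is a catch-all. The rule dictionaries and the `render_nft` output format (an nftables rule for table `inet filter`, chain `input`) are this example's own assumptions; the two CIDRs are the ones quoted on the page.

```python
"""Scope check for a firewall allow rule that admits the recording bot (added example).

Accepts a rule only when its source is a subnet of one of the published bot
ranges, a single TCP destination port is named, and the source is not a
catch-all. Rule dicts are constructed here; PUBLISHED_RANGES are the two
CIDRs quoted from the ClickTale wiki on the page.
"""
import ipaddress

PUBLISHED_RANGES = [ipaddress.ip_network(n) for n in ("75.125.82.64/26", "50.97.162.64/26")]


def _inside_published(src):
    """True when `src` is a subnet of one published range of the same IP family."""
    return any(r.version == src.version and src.subnet_of(r) for r in PUBLISHED_RANGES)


def check_allow_rule(rule):
    """Return findings for one allow rule; an empty list means tightly scoped.

    rule = {"src": "<CIDR>", "dst_port": <int> or None, "proto": "tcp" | "udp" | "any"}
    """
    findings = []
    try:
        src = ipaddress.ip_network(rule["src"], strict=False)
    except ValueError:
        return ["source %r is not a valid CIDR" % (rule["src"],)]
    if src.prefixlen == 0:
        findings.append("source is a catch-all (%s)" % src)
    elif not _inside_published(src):
        findings.append("source %s is outside the published bot ranges" % src)
    if rule.get("dst_port") is None:
        findings.append("no destination port: rule opens every port")
    proto = rule.get("proto", "any")
    if proto != "tcp":
        findings.append("protocol is %s; restrict to tcp" % proto)
    return findings


def audit_rules(rules):
    """Map each rule's index to its findings, keeping only rules that need work."""
    report = {}
    for i, rule in enumerate(rules):
        findings = check_allow_rule(rule)
        if findings:
            report[i] = findings
    return report


def render_nft(rule):
    """Render a rule that passed the check as an nftables rule (table inet filter, chain input; assumed layout)."""
    if check_allow_rule(rule):
        raise ValueError("refusing to render a rule that failed the scope check")
    return "add rule inet filter input ip saddr %s tcp dport %d accept" % (rule["src"], rule["dst_port"])


# Constructed rules: the first is the narrow rule the wiki implies, the others are common mistakes.
SAMPLE_RULES = [
    {"src": "75.125.82.64/26", "dst_port": 8080, "proto": "tcp"},
    {"src": "0.0.0.0/0", "dst_port": 8080, "proto": "tcp"},
    {"src": "75.125.82.0/24", "dst_port": None, "proto": "any"},
]

if __name__ == "__main__":
    for i, findings in audit_rules(SAMPLE_RULES).items():
        print("rule %d:" % i, "; ".join(findings))
    print(render_nft(SAMPLE_RULES[0]))
```

The third sample rule shows the subtle failure: a /24 that merely contains the published /26 looks right at a glance but admits 192 addresses the vendor never claimed, so the check demands a subnet of the published range rather than an overlap.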

Concerning: Auto-Refill Data captured by ClickBot & FetchFromWithCookies

• Auto form restoration when the ClickTale bot tries to cache a page with websiteSessionIdToken=1234 or FetchFromWithCookies
http://wiki.clicktale.com/Article/Sensitive_data#Preventing_Auto-Refill_Data_In_Playback
http://wiki.clicktale.com/Article/ClickTaleFetchFromWithCookies
Excluding/removing the website session ID would be advisable (if possible).
• Also, client-side HTTP content upload should be used with caution: http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleUploadPage

Question: When using FetchFromWithCookies, is data always sent over SSL back to the ClickTale server?
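The concern above has a concrete shape: a page re-fetched with a visitor's session token in the URL, or with the visitor's cookies forwarded, comes back with that visitor's auto-filled form data, and if the fetch is not over SSL it travels in the clear. The block below is an added example, not ClickTale's code: a scrubber that strips session identifiers from the URL, forwards only explicitly allowlisted cookies, and flags a plain-HTTP fetch. Only `websiteSessionIdToken` comes from the page; the other parameter names, the sample URL and the sample cookies are constructed.

```python
"""Scrub a server-side page fetch before it is made with a visitor's context (added example).

Strips session identifiers from the query string, forwards only allowlisted
cookies, and reports a plain-HTTP fetch. The parameter list beyond
websiteSessionIdToken and all sample inputs are constructed.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Lower-cased names treated as session identifiers; websiteSessionIdToken is the one quoted on the page.
SESSION_PARAMS = {"websitesessionidtoken", "phpsessid", "jsessionid", "sessionid", "sid", "token"}


def scrub_fetch_request(url, cookies, cookie_allowlist=frozenset()):
    """Return (clean_url, cookies_to_forward, findings).

    findings is a list of human-readable reasons, in the order they were detected.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("page would be fetched over plain HTTP, not SSL")

    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            findings.append("dropped query parameter %s" % name)
        else:
            kept.append((name, value))
    clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))

    forward = {}
    for name, value in cookies.items():
        if name in cookie_allowlist:
            forward[name] = value
        else:
            findings.append("cookie %s not forwarded" % name)
    return clean_url, forward, findings


# Constructed sample: a cart page fetched with a session token in the URL and two cookies.
SAMPLE_URL = "https://shop.example/cart?websiteSessionIdToken=1234&item=42"
SAMPLE_COOKIES = {"PHPSESSID": "abc123", "lang": "en"}

if __name__ == "__main__":
    url, ck, notes = scrub_fetch_request(SAMPLE_URL, SAMPLE_COOKIES, {"lang"})
    print(url, ck)
    for n in notes:
        print(" -", n)
```

The cookie allowlist is deliberately empty by default: a preference cookie such as a language choice can be forwarded without identifying anyone, whereas a session cookie turns the bot's fetch into a logged-in view of that visitor's account, which is exactly the auto-fill exposure the wiki page warns about.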

Database append risks

• Lots of integrations with other tools: http://www.clicktale.com/why-clicktale/partners

http://wiki.clicktale.com/Article/Help_talk:GA_Integration#I._Import_ClickTale_IDs_into_GA

Too much data = increased risk of identifying the user in the real world, or of capturing sensitive data.

Be especially careful in the Health and Finance sectors to avoid capturing sensitive personal data.

Vertical risks

http://cseweb.ucsd.edu/~d1jang/papers/ccs10.pdf

Behaviour Tracking: The dynamic nature of JavaScript allows a website to construct a high-fidelity timeline of how a particular user interacted with a web page including, for example, precise information about the user's mouse clicks and movements, scrolling behaviour, and what parts of the text were highlighted, simply by including JavaScript event handlers that track mouse and keyboard activity. This information can then be sent back to the server to compute statistics about how users interact with a given web page. Several web-analytics companies sell products that exploit these to track information about users. For example, ClickTale allows websites to precisely track their users' mouse movements and compute aggregate heat maps based on where users move their mouse, and tynt allows websites to track what text is being copied from them. These services allow websites to gather fine-grained information about the behaviours of their users without any indication to users that additional information gathering is taking place. We believe that users understand that page navigation (as a result of clicking on a link) causes information to be sent to the server, but do not believe they understand that other actions, like mousing over an image, can silently do the same. Verifying this belief will require a user study. We hope that the data we have collected will help inform the broader discussion about the privacy implications of such flows.

Privacy-violating information flows are not merely theoretical possibilities of academic interest. Indeed, the possibility of history sniffing has prompted a discussion spanning 8 years and over 261 comments in Bugzilla about preventing history sniffing in Firefox [3], which has culminated in a recent fix [2]. This lengthy process illustrates the importance of privacy-violating flows for Web 2.0 users and the difficulty of designing defences against them without breaking legitimate websites.

Despite the knowledge that privacy-violating flows are possible and even likely, little is actually known about their occurrence in the wild. For example, how many websites extract this kind of information from their users? Are there any popular sites that do this? Do websites use pre-packaged solutions like Tealium, Beencounter and ClickTale? Or do they construct their own implementations? Are these implementations obfuscated to evade detection, and, if so, how? The lack of empirical data about the prevalence of privacy-violating flows has hampered the development and deployment of effective defences against this increasingly important class of attacks. The main contribution of this paper is to provide concrete data to answer such questions through an exhaustive empirical evaluation of several privacy-violating flows in a large number of popular websites. We have carried out this study in three steps. First, we have designed an expressive, fine-grained information flow policy language that allows us to specify and detect different kinds of privacy-violating flows in JavaScript code (Section 2.1). In essence, our language allows us to describe different privacy-violating flows by specifying sites within the code where taints are injected and sites from which certain taints must be blocked. For example:
• To specify a cookie stealing flow, we inject a "secret" taint into the cookie, and block that taint from flowing into variables controlled by third-party code.
• To specify a location hijacking flow, we inject an "untrusted" taint onto any values originating from third-party code, and block that taint from flowing into the document's location field.
• To specify a history sniffing flow, we inject a "history" taint on the fields containing the style attributes of links, and block that taint from flowing into the parameters of methods that send messages over the network.
• To specify a behaviour tracking flow, we inject a "behaviour" taint to the inputs of the handlers registered for events triggered by user behaviour.
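The inject-at-source, block-at-sink policy the paper describes is easy to make concrete. What follows is an added toy model, not the paper's instrumented browser: values read from a privacy-relevant source carry a taint label, string concatenation unions the labels, and each sink names the labels it refuses. The four policies in the excerpt (cookie stealing, location hijacking, history sniffing, behaviour tracking) are encoded in `SINK_POLICY`; the source and sink names are this example's own, and the sample beacon URLs are constructed.

```python
"""Toy taint-tracking model of the paper's information-flow policies (added example, not the paper's tool).

Sources inject a taint label, concatenation propagates labels, and each sink
blocks a set of labels. Source and sink names are this example's own.
"""


class Tainted:
    """A string value plus the set of taint labels it has picked up."""

    def __init__(self, value, labels=()):
        self.value = str(value)
        self.labels = frozenset(labels)

    @staticmethod
    def _lift(other):
        return other if isinstance(other, Tainted) else Tainted(other)

    def __add__(self, other):           # tainted + anything: union of labels
        o = self._lift(other)
        return Tainted(self.value + o.value, self.labels | o.labels)

    def __radd__(self, other):          # plain str + tainted
        return self._lift(other) + self

    def __repr__(self):
        return "Tainted(%r, %s)" % (self.value, sorted(self.labels))


# Sources: where the paper's policies inject taints.
def read_cookie(document_cookie):
    return Tainted(document_cookie, {"secret"})


def third_party_value(value):
    return Tainted(value, {"untrusted"})


def link_style(visited):
    return Tainted("color: purple" if visited else "color: blue", {"history"})


def user_event(kind, x, y):
    return Tainted("%s@%d,%d" % (kind, x, y), {"behaviour"})


# Sinks: labels that must not reach each sink.
SINK_POLICY = {
    "third_party_var": {"secret"},                       # cookie stealing
    "set_location": {"untrusted"},                       # location hijacking
    "network_send": {"history", "behaviour", "secret"},  # history sniffing / behaviour tracking
}


def check_flow(sink, value):
    """Return the sorted labels the policy blocks at `sink`; an empty list means the flow is allowed."""
    labels = value.labels if isinstance(value, Tainted) else frozenset()
    return sorted(SINK_POLICY[sink] & labels)


def send(sink, value):
    """Enforce the policy: raise instead of letting a blocked flow through."""
    blocked = check_flow(sink, value)
    if blocked:
        raise PermissionError("flow into %s blocked by taint(s) %s" % (sink, blocked))
    return value.value if isinstance(value, Tainted) else value


if __name__ == "__main__":
    # A mouse-move handler building a beacon URL: the behaviour taint reaches the network sink.
    beacon = "https://analytics.example/b?e=" + user_event("mousemove", 120, 80)
    print(beacon, check_flow("network_send", beacon))  # ['behaviour']
    # A timestamp-only beacon carries no taint and is allowed.
    print(check_flow("network_send", Tainted("https://analytics.example/b?t=1")))  # []
```

Two things the toy makes visible that the prose does not: a taint survives any amount of string building (the beacon URL is blocked even though the coordinates were wrapped in other text), and the same sink can serve several policies, which is why the paper's network sink blocks both "history" and "behaviour".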

Monitor this follow-up user study

Be careful… Cited in privacy research paper

Questions?

Appendix: Ghostery page incorrect?

Digital Analytics Association

Is this “Data Sharing” entry correct?

No category for mouse tracking, or keystroke logging.

Links to privacy policies

Privacy FAQs

http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured

Privacy policy (site)

http://www.clicktale.com/privacy-policy

http://wiki.clicktale.com/Article/ClickTale_Wiki:Privacy_policy

Privacy policy (service)

http://www.clicktale.com/privacy-service

http://www.clicktale.com/enterprise-terms

ToS

http://www.clicktale.com/terms-use

http://www.clicktale.com/enterprise-terms2

Debug mode – shows if the user has opted out and the rate of recording (e.g. 1 in 334 on www.conrad.de/ce/?ct=debug)

http://www.cbsnews.com/?ct=debug

Hosted tracking scripts:

https://clicktalecdn.sslcs.cdngc.net/www/ptc/5d9396e0-fb55-443d-8209-b5eb60af50e2.js

http://cdn.clicktale.net/www/ptc/5d9396e0-fb55-443d-8209-b5eb60af50e2.js

http://s.clicktale.net/WRd.js

http://s.clicktale.net/XHRWrapper.js (AJAX)

Appendix – digitalData layer notes

Need for standardised field names or classes, e.g. class="digitalData_sensitive" or class="ClickTaleSensitive":
http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleSensitive_CSS_Class
http://wiki.clicktale.com/Article/Sensitive_data#ClickTaleSetAllSensitive

A dataLayer object can be used to disable all field tracking, but this greatly reduces the insight gained from the Customer Experience Analytics tools. Here is an example of disabling this technique: http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleEventsMask e.g. ClickTaleEventsMask-=4; or

{
  "visitor": {
    "isKeystrokeTrackingDisabled": true
  }
}

Monitor AdBlocker lists and report false positives for spyware

• http://easylist-msie.adblockplus.org/easyprivacy.tpl