Matt Stannard, CTO, 4Ps Marketing
In the last month, Tesco came under criticism from security experts for not using the Secure Socket Layer (SSL). This idea that passwords may be being stored insecurely by such a prominent household name raises the question as to how much emphasis firms put on data security and sanity as a whole.
In the Tesco example, security experts argue that if a system can email a user’s password to them, it is stored with reversible encryption (if, indeed, it is encrypted) making user data somewhat vulnerable, and that one-way cryptographic hashes should be used instead. Google have tried for some time to encourage users to use multi stage authentication.
SSL is something Google has been pushing and its search engine now defaults to the secure version for signed-in users, preventing keyword data being passed to websites.
So where else may sites be compromising on data security?
As strategic digital marketers we regularly look at data collected by web analytics packages such as Google Analytics, Omniture, DC Storm or CoreMetrics, as do millions of other users. Just how reliable is this data and how secure is it?
Looking at it from a security perspective is interesting. In terms of the actual Analytics account itself, it is probably pretty secure unless an unsuitable password is used. The data collected, on the other hand, is perhaps less secure. The reason for this is the way in which tracking beacons work.
The code below is a typical Google Analytics signature, one for the 4Ps Marketing website in fact. On the face of it, this doesn’t look insecure. I can, however, paste this code and execute it on any website, and if the analytics profile wasn’t set up correctly, the 4Ps Marketing website would start recording information that was not relevant, thus making reports inaccurate.
var _gaq = _gaq || ;
ga.src = (‘https:’ == document.location.protocol ? ‘https://ssl’ : ‘http://www’) + ‘.google-analytics.com/ga.js’;
var s = document.getElementsByTagName(‘script’); s.parentNode.insertBefore(ga, s);
On the 4Ps Marketing website, we can pause the Google Analytics code using the built-in Script Debugger:
Add our own additional analytics code:
Which, after executing, feeds through to Google Analytics:
So, if this is the case with page tracking, does this hold true for e-Commerce tracking? Using the same technique as above, we can add some eCommerce tracking code:
Which, after executing, is recorded in Google Analytics:
On face value, it is quite unlikely that most individuals would take the time to pause code execution and edit the data passed back to Google Analytics, but it does show that it is possible. Should a hacker wish to do so, they could distribute a plugin to maliciously “skew” data by injecting erroneous page views or orders.
Many organisations regularly report on the information within their Analytics package, which is why the web analytics team at 4Ps Marketing works with clients to review and sanity-check their data.
When reviewing your data, ask yourself; does it make sense? In the ecommerce example, does dividing the item revenue by quantity give us the price of the item? This sounds like a simple sanity check but there have been examples of reports showing items retailing for £10.00 and being reported in a dashboard as worth £100.00.
As we rely more and more on data to facilitate and aid our decision-making processes, it is important that we understand shortcomings in collection mechanisms and are able to understand and check the picture it is painting. Technology will provide us with the raw data, but there will always be a need for the human question; does it make sense?