What's killing off "gameified" communities (yes I made a post of my tweets, suck it)




  • Discourse touched me in a no-no place

    @blakeyrat said:

    It's not that the analytics industry is asking them to do all this labor to implement something; we're just asking them to not go out of their way to block it for no reason.

    You did just provide a possibly-reasonable justification: "but you can't answer, "what was it about the Address page that caused people to drop out of the funnel?""

    However: if I were engaged in a PR effort, I would ban words like "Funnel". Also, people are going to see that and say "ah, you're trying to con me into buying something" because they've had a lifetime of people doing just that. Now you're coming along like Michael Jackson in Thriller saying "baby, I'm not like the other guys".


  • Discourse touched me in a no-no place

    @Captain said:

    Yes, because knowing that unique identifiers are built into our browsers is ignorant.

    I'm surprised people aren't putting more effort into defeating things like this, or abuse of local storage and the like. Defeating panopticlick seems "easy" conceptually: don't let the browser see what it's using to fingerprint you, like a complete list of fonts: "I have Times New Roman, Arial, and Consolas."


  • FoxDev

    @delfinom said:

    @zoidberg

    this will, fortunately, not work as the OP of this topic has been added, at their request, to the global ignore list for all SockBot instances.



  • @blakeyrat said:

    I'm waiting for the explanation of how.

    Simply repeating a claim isn't the same thing as proving a claim. Even if you use all-caps.

    RTFP. (I'm surprised you didn't notice the link to it already...)


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Etags are subject to XSS rules, AFAIK. If you know otherwise, then by all means educate me.

    You know more about this than me. But if you control both the analytics web server and the advertising web server, you can do a lot more. If both servers maintain a list of pages they've served and the associated IP addresses to the same database table, it seems like you could link the two things together entirely outside the context of either server. You wouldn't even need the two things to have the same ID.

    Again, I have no knowledge anyone's doing this, because I just invented the idea a few minutes ago. If I worked for Google I could certainly test whether it could work or not.



  • Oh yeah, they definitely can. The troll's "point" is that there would be no way to "tie" (i.e., there's no primary key to join on) the data together. But the troll is demonstrably wrong since browsers leak what are effectively GUIDs.

    Sure, the data is anonymous to the EFF, since they only collect it on their own page. But is it anonymous to Google, who knows your name and address and phone number? Who keeps track of every page you visit and knows what you're interested in?

    Also, never mind that the NSA is known to be piggybacking on Google's tracking technology.



  • @FrostCat said:

    However: if I were engaged in a PR effort, I would ban words like "Funnel".

    Why?

    @FrostCat said:

    Also, people are going to see that and say "ah, you're trying to con me into buying something" because they've had a lifetime of people doing just that.

    Or maybe they'll say, "good! I'm so sick of sites that have those awful CC# fields where you have to pull your credit card type from a SELECT then type in digits in groups of four! This data will prove that those suck-ass and they'll go away."


  • Grade A Premium Asshole

    I just don't get how he thinks it is such a stretch? Holy shit, web requests don't just get fired off into the ether in hopes that they get to the proper person. They have routing, they have sessions, they have cookies, they have all kinds of personally identifiable information. There is absolutely no way anyone could tell me that it is impossible to link those two sessions. It is not only possible, but likely.



  • @Captain said:

    Sure, the data is anonymous to the EFF, since they only collect it on their own page.

    It's anonymous because it's anonymous data. Not just to the EFF, but to everybody who collects it. There's no way to use that data to uniquely identify a user. Their OWN WEB PAGE SAYS SO WHEN YOU RUN IT.



  • Except that Google collected your name when you signed up for Gmail.

    The data is a GUID. And if you've given them your name, they can tie the GUID to your name.


  • ♿ (Parody)

    @blakeyrat said:

    Why [ban words like funnel]?

    @blakeyrat said:

    Or maybe they'll say, "good! I'm so sick of sites that...

    Talking about that stuff as a funnel dehumanizes the people the business wants to have as customers. You don't talk about the funnel, you talk about how you've learned to make your checkout process more user friendly or whatever.

    Now the old robot theory of blakeyrat is gaining some ground.


  • ♿ (Parody)

    @Captain said:

    The data is a GUID. And if you've given them your name, they can tie the GUID to your name.

    Server Sudoku!



  • @blakeyrat said:

    The classic example is usability and funnel optimization. People enter the checkout funnel, but leave before converting-- why is that? What step do they leave-off at? Does that mean the form is too complicated?

    Back in the day when I had my personal site hosted on my ISP's server, they had a tool (I don't remember what it was called; it was a long time ago) that provided that kind of information from the server logs — no need to get 3rd-party tracking images and stuff involved.

    What does the third party add except the ability to mine that sort of information for a uniquely-identified visitor to any and all of the 3rd-party's clients' web sites?


  • FoxDev

    @HardwareGeek said:

    What does the third party add except the ability to mine that sort of information for a uniquely-identified visitor to any and all of the 3rd-party's clients' web sites?

    ..... can i answer your question with your question?



  • @Captain said:

    The data is a GUID. And if you've given them your name, they can tie the GUID to your name.

    How can they do that? #BrokenRecord

    @boomzilla said:

    Talking about that stuff as a funnel dehumanizes the people the business wants to have as customers.

    Only if your customers ever hear it...

    @boomzilla said:

    You don't talk about the funnel, you talk about how you've learned to make your checkout process more user friendly or whatever.

    Yeah, exactly.

    But I don't see any point to banning the term in the industry.



  • By collecting the GUID when you sign in to Gmail.


  • Discourse touched me in a no-no place

    @accalia said:

    MiB

    :wtf:

    (Hanzo'd... yeah, I know)



  • @blakeyrat said:

    How can they do that? #BrokenRecord

    :headdesk:

    I put a direct link to the paper describing their research method and results in this thread, and then you still ask how they're doing it?


  • Discourse touched me in a no-no place

    @blakeyrat said:

    But how could you do that? The enforcement is on the browser, not on the server-side.

    Analytics server says "I just sent a page to 1.2.3.4". Ad server says the same thing a fraction of a second later. In some circumstances, (e.g., in the absence of NAT, for one thing) you can probably assume they're talking to the same person. So both of them create an ID, and both of them write their own IDs to a database table. There's literally nothing stopping that and you or I could probably write code that did it. You could enhance it, probably, by careful embedding of snippets of identifying information elsewhere (like I said, changing up the order of form fields in a submission provides a small amount of uniqueness, and is the first thing I came up with, someone with a lot of experience could probably come up with more). Again, you probably couldn't make this totally unique, but if you're serving up the number of ads Google is, you probably don't need it to be totally unique.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Verizon certainly was doing some weaselly shit. Note they got caught almost immediately. And the web analytics community were the first to gripe against it.

    Literally all I know about that header thing was the discussion here, and the fact that Ars Technica mentioned something about it a few weeks ago, but I've forgotten what the followup was. I think it was VZ saying "oh, we're totally not tracking you with that cookie even though we put it back if you delete it".


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Until recently (CORS) it was literally technically impossible

    I totally get that. I'm saying that I think you could work around it, as I describe in other posts. I doubt it's actively being done, and I don't have the resources to see if it's feasible, but Google, MS, Apple, etc., certainly do.


  • Grade A Premium Asshole

    All I know is that when I go into my Spam mail folder in Gmail, there is always an ad for Spam recipes. That alone is proof that they are doing it.

    <Yes, I know it is a joke. So is this. Also, it is blakeybait.>



  • Even in the US, IP addresses are PII. (personally identifiable information.) There are a lot of restrictions on what you can do with them.



  • Access to customer-level account data may be granted on a strict need-only basis to employees who require the specific access to perform their jobs. Employees requesting access must explain why they need the access, demonstrate familiarity with the access policy and agree to its terms and conditions, and receive approval before they can access the data.

    Read: we routinely use PII internally.



  • I've never worked for Google. Generally that clause is meant to refer to fixing technical issues.

    If you have evidence Google is using PII for anything else, take it to the New York Times. You'll be famous.



  • Generally? Nonsense. Everybody who has to work with PII for the performance of their jobs is covered by a clause like that.

    CSRs at call centers are covered by the same clause.

    But note that it doesn't say what the "job" is. Any job is covered by the clause.



  • @blakeyrat said:

    The webpage that specifically says it collects only anonymous data is somehow claiming that... magically... someone can use the same mechanism to collect non-anonymous data? Huh? TDEMSYR.

    Even though it is anonymous (it does not identify you as a person), it is unique (it identifies you as a unique — distinct from any other — visitor to any web site you visit). If some big analytics provider collected that information from enough web sites, they could build a pretty detailed picture of your browsing habits. Even if* they cannot connect that to you as John Smith, 123 Main St., it's still pretty intrusive.

    * The ability to make that connection is not all that far-fetched. Connect these dots:

    • This unique web browser was used to visit purpledildos.com.
    • This unique web browser accessed what.thedailywtf.com/users/$name/preferences, which can only be accessed by someone logged in as $name.
    • $name.com exists.
    • Whois says $name.com is registered to John Smith, 123 Main St.
    • John Smith, 123 Main St. is interested in purple dildos.

  • Java Dev

    @FrostCat said:

    Analytics server says "I just sent a page to 1.2.3.4". Ad server says the same thing a fraction of a second later. In some circumstances, (e.g., in the absence of NAT, for one thing) you can probably assume they're talking to the same person.

    Don't forget the user agent, I believe that's up to 21 bits of entropy nowadays?



  • Mine came in at 13, but with all of the other stuff the browser leaks, I leaked 22.24.


  • Java Dev

    I believe the hardest to identify are those behind corporate firewalls with locked-down computers, because they'll all be using the same IE at the same patch level with the same (probably no) plugins. Or Firefox, but same thing apart from that.



  • @HardwareGeek said:

    Even though it is anonymous (it does not identify you as a person), it is unique (it identifies you as a unique — distinct from any other — visitor to any web site you visit).

    Not true.

    Maybe in concert with an IP address, but IP addresses are PII and joining those two data sets would lead to heavy fines.

    @HardwareGeek said:

    $name.com exists.

    What percentage of people do you think own domains of their own name? I can't even imagine a situation where this would be a worthwhile thing to implement.


  • Grade A Premium Asshole

    @blakeyrat said:

    What percentage of people do you think own domains of their own name? I can't even imagine a situation where this would be a worthwhile thing to implement.

    Only the most hardcore narcissists. Of those, there might be a subset of people that have domain names related to their screen name. They are usually the worst. Just real narcissistic assholes. So yeah, probably not worthwhile to implement.


  • I survived the hour long Uno hand

    @blakeyrat said:

    I can't even imagine a situation where this would be a worthwhile thing to implement.

    Resume hosting. I own [my last name].com and I put my husband's resume at [hisname].[mylastname].com and mine at [myname].[mylastname].com. I also put a small tech blog there to showcase my ability to write about technical concepts. It makes for a nice easy business card to hand out.

    Everything else I do on the web is branded separately, mind, including www.janebaileybooks.com


  • Discourse touched me in a no-no place

    @blakeyrat said:

    2) If Google tried to do it by implementing CORS, they'd be caught instantly. Since it shows right there in the web traffic.

    You're only replying to point 1. But both points 1 & 2 contribute to my "it can't be done" statement.

    Naw. Like I said: analytics server writes identifying information including IP to a database. Ad server does the same. A third process links the two identifiers in the database. The two web servers never talked to each other, but now they have access on the back end to each others' data.



  • Ok? That doesn't answer my post (which I suspect you misread).


  • I survived the hour long Uno hand

    I probably did. You weren't asking for a situation in which it'd be worthwhile to implement owning your name.com? Oh, you were asking for a situation in which it'd be worthwhile to implement that level of cross-referencing. Never mind then, I got nothing.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    The webpage that specifically says it collects only anonymous data is somehow claiming that... magically... someone can use the same mechanism to collect non-anonymous data? Huh? TDEMSYR.

    No, they're saying that in theory "anonymous data" like "the specific set of fonts you have on your system and the other shit I'm too lazy to type" can be used to create a unique identifier. Read the claim on the front page: "Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies."



  • Google doesn't need "that level" because it just unified its user authentication system. And browsers leak what are effectively GUIDs. So, all they have to do is join up a GUID (made up of components which are not, individually, PII) to your name and they are ready to build a profile of you.

    That's the whole point of Google.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Uniquely identifying users across two different domains is the hard part.

    I'm not disagreeing with you as such, I'm saying I don't think it's as hard as you think, or as hard as I thought it was an hour ago.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    I'm waiting for the explanation of how.

    It's in close to plain English and I've made it plainer, twice. "Is the list of information I can get about your system from your browser different enough for me to distinguish you from everyone else?" That's as far as they took it.



  • @FrostCat said:

    "Is the list of information I can get about your system from your browser different enough for me to distinguish you from everyone else?"

    Right; but it's not. The answer to your question is no.



  • Yes. It is. As the EFF web page demonstrated.

    My browser leaked 22 bits of entropy. That means that one in 4 million people have the same browser config as me.

    So I'd expect about 125 people in the country to have the same one. How many of them are going to be in the same city? How many of them are going to be indistinguishable with respect to all of the other data Google collects?


  • BINNED

    @blakeyrat said:

    Even in the US, IP addresses are PII. (personally identifiable information.) There are a lot of restrictions on what you can do with them.

    Not quite. Wikipedia has them in the list as:

    • IP address (in some cases)

    I'm actually surprised IP addresses are on the list at all because there aren't enough to go around until IPv6 is really a thing, so a lot of ISPs just pass them around as needed. And that's just for home use. If you're browsing from Starbucks, that's a different IP that you're also sharing with whoever else is browsing there.


  • Discourse touched me in a no-no place

    @Captain said:

    The troll's "point" is that there would be no way to "tie" (i.e., there's no primary key to join on) the data together. But the troll is demonstrably wrong since browsers leak what are effectively GUIDs.

    Nah, his point is that you have two different systems that he claims you can't connect: even if you could uniquely identify a person vis a vis the ad network and independently uniquely identify them vis a vis the analytics network, you couldn't connect those two independent ids.

    I don't think I agree, but that's not the same as saying I think someone's doing it, or that I think it's easy. There, Blakeyrat makes the mistake of assuming too much into what I say.

    Generally, unless I'm trying to be a wiseass, I try to act a little like the Witnesses from Stranger In a Strange Land in that you should assume nothing beyond what I say. (If you're not familiar, they are paid to only report on what they have personally observed. The example was "see that white house on the hill over there? If you asked most people if the house was white, they'd say yes. If you asked [a Witness], they'd say 'it's white on the side I can see.'")



  • @blakeyrat said:

    What percentage of people do you think own domains of their own name? I can't even imagine a situation where this would be a worthwhile thing to implement.

    You're probably right that it's a small minority, and possibly not worth the analytics company's effort. My point, though, was that it's possible. For example, I know of at least one user here who has a domain name that matches its user name. I don't remember most of the PII from a whois lookup on that domain, because I don't care, but it is trivially easy to make that connection.

    However, domain names are not the only vector for making that connection. Accessing private pages on a social networking site ties your unique browser to the owner of those pages. Accessing email through the web ties your individual browser to a specific email account. If the analytics company also happens to be the email provider, they have the information to connect that to the owner of the account.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Why?

    Because (among other uses of the word) you can funnel prey into a trap, and someone might misunderstand it to mean "ah, they think I'm a sucker they can manipulate into ordering their product."

    Don't spend a lot of time thinking about it. I was just using it as a minor subpoint on the topic of "if you are in an industry that has a bad odor in the general populace and you want to change that, you should at least consider choosing your words carefully so as not to say something people could easily misconstrue."

    @blakeyrat said:

    Or maybe they'll say, "good! I'm so sick of sites that have those awful CC# fields where you have to pull your credit card type from a SELECT then type in digits in groups of four! This data will prove that those suck-ass and they'll go away."

    Snort. Can you actually tell that? I HATE websites that have dropdowns for the month/year where I can't type into them (or are Flash or something and I can't even tab into them!)


  • Discourse touched me in a no-no place

    @Polygeekery said:

    There is absolutely no way anyone could tell me that it is impossible to link those two sessions. It is not only possible, but likely.

    From the client side it may well be impossible: as blakey said, the browsers won't blindly pass information from one web site to a different one.

    I was talking about collusion on the back end, though, where you can do a lot more, because you're not stuck with the browser's limitations. Databases don't know what XSS or CORS is and don't honor it, they just give out data when asked.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    There's no way to use that data to uniquely identify a user.

    I don't think you read the same site I did:

    "Your browser fingerprint appears to be unique among the 4,963,282 tested so far.

    Currently, we estimate that your browser has a fingerprint that conveys at least 22.24 bits of identifying information."
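The arithmetic behind the "bits of identifying information" figures quoted in this thread, as an added example that is not part of any post or of the EFF's code: a value shared by `count` out of `total` browsers conveys log2(total/count) bits, so being unique among 4,963,282 samples gives the 22.24 bits quoted above. The sample population, field names and function names are constructed for illustration; it shows attributes that are each shared by several browsers combining into a unique fingerprint, and identical locked-down machines hiding among each other.

```python
import math
from collections import Counter

FIELDS = ("user_agent", "fonts", "timezone", "screen")

# Constructed sample population (not real measurements): eight identical
# locked-down corporate machines plus eight individually configured browsers.
CORP = ("IE11", "default-fonts", "UTC-5", "1280x1024")
TARGET = ("Firefox", "design-fonts", "UTC+1", "1920x1080")
POPULATION = [CORP] * 8 + [
    ("Firefox", "default-fonts", "UTC-5", "1920x1080"),
    TARGET,
    ("Chrome", "default-fonts", "UTC+1", "1920x1080"),
    ("Chrome", "design-fonts", "UTC-5", "1280x1024"),
    ("Chrome", "default-fonts", "UTC-5", "1920x1080"),
    ("Firefox", "design-fonts", "UTC-5", "1280x1024"),
    ("Chrome", "design-fonts", "UTC+1", "1920x1080"),
    ("Firefox", "default-fonts", "UTC+1", "1280x1024"),
]


def surprisal_bits(count, total):
    """Bits of identifying information in a value seen `count` times out of `total`."""
    return math.log2(total / count)


def attribute_bits(population, browser):
    """Bits conveyed by each attribute of `browser` when looked at on its own."""
    total = len(population)
    bits = {}
    for i, name in enumerate(FIELDS):
        counts = Counter(row[i] for row in population)
        bits[name] = surprisal_bits(counts[browser[i]], total)
    return bits


def anonymity_set(population, browser):
    """Number of browsers in the sample sharing the complete fingerprint."""
    return sum(1 for row in population if row == browser)


def joint_bits(population, browser):
    """Bits conveyed by the complete fingerprint (all attributes together)."""
    return surprisal_bits(anonymity_set(population, browser), len(population))


def expected_matches(bits, population_size):
    """Expected number of browsers in a population sharing a `bits`-bit fingerprint."""
    return population_size / 2 ** bits


if __name__ == "__main__":
    per_attr = attribute_bits(POPULATION, TARGET)
    print("per attribute:", {k: round(v, 2) for k, v in per_attr.items()})
    # Summing per-attribute bits assumes independent attributes and overshoots
    # here; the joint figure is capped at log2(sample size).
    print("naive sum:", round(sum(per_attr.values()), 2))
    print("joint:", joint_bits(POPULATION, TARGET),
          "set size:", anonymity_set(POPULATION, TARGET))
    print("corporate:", joint_bits(POPULATION, CORP),
          "set size:", anonymity_set(POPULATION, CORP))
    # Figure quoted on the page: unique among 4,963,282 tested browsers.
    print("unique in 4,963,282:", round(surprisal_bits(1, 4963282), 2), "bits")
    # 320 million is an assumed population size, used only for illustration.
    print("expected matches:", round(expected_matches(22.24, 320_000_000), 1))
```

The joint figure is the one that matters for tracking; a sample can never report more than log2 of its own size, which is why the EFF page words its estimate as "at least".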


  • Discourse touched me in a no-no place

    @boomzilla said:

    Talking about that stuff as a funnel dehumanizes the people the business wants to have as customers. You don't talk about the funnel, you talk about how you've learned to make your checkout process more user friendly or whatever.

    Heh, that's a better explanation than I gave. But I'll be honest (and maybe it's from watching too much The Walking Dead and Man Vs Wild-type shows), but the first thing I thought of when I saw the word funnel was "funneling the prey into the trap, i.e., buying something." It didn't actually bother me in the context of this discussion, but I could see how someone else in a different context might hear that and decide that not only would they never buy from a place that thinks of them as prey, but they would also tell all their friends to stay away, because that's what people do.

