2. Foreword
This audit was conducted using publicly available data from Google News, the AdWords KW tool, AHREF.com, MyWOT.com and other web content sources.
It was designed to find any possible "holes in the armour" and thus strengthen them.
You have my permission to use this template to help understand and strengthen other vendors' tools.
Thanks,
Phil Pearce (Aug 2013)
9. Video privacy policy examples
• Privacy principles for customers of ClickTale:
http://www.youtube.com/watch?v=_g6BSy0yJIc&list=PL45AABD8BB96D3785&index=15
• Example of how a government website uses cookies:
http://www.youtube.com/watch?v=gqDZuS0xZjE&list=PL45AABD8BB96D3785
• Funny cookie video for users tracked by ClickTale:
http://www.youtube.com/watch?v=A6fV2v7LLPo&list=PL45AABD8BB96D3785
11. 1. Do users know what ClickTale is/does? (Privacy video)
2. Example of what it stores about them? (e.g. cookie values)
3. Reasons to leave this turned ON? (Value exchange)
Lack of understanding or reassurance = "Just disable/block it"
18. Large enterprises are even more concerned and at risk (search keywords):
clicktale security
clicktale privacy & security
clicktale privacy compliance
clicktale privacy breaches
clicktale privacy ethics
clicktale privacy officer
clicktale privacy director
22. This is good:
• "security fixes patched" in PHP module release 0.23 (to allow the ClickTale bot to cache pages)
• And responding to customer concerns on the forum:
http://forums.clicktale.com/viewtopic.php?p=6525&sid=a15af364c3e99f84fdfdf40ab22aeb9e#p6525
23. This is good, very good, but ONLY on the Wiki, not the main site!
http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured
Privacy Assured
How will visitors' privacy be affected?
Your visitors' privacy is a top priority for us. That's why we make every effort to protect your visitors' personal information.
1. ClickTale does not collect any personally identifiable information unless a visitor voluntarily and knowingly submits this type of data.
2. Password fields are never recorded. During session playback asterisks are displayed instead of the input.
3. Any text that a visitor enters into a form but does not submit is hidden. You can still generate Form Analytics reports on these fields, but you are not able to view the text.
Can ClickTale be used to record sensitive personal or financial information?
• We require that you block recording of any sensitive personal or financial information about your visitors by using the ClickTale API (please see the Terms of use, section 7, for more information on this). Breaking these Terms of Use will instantly invalidate your ClickTale subscription and revoke your access to all past, present and future recordings. You can use the ClickTaleSensitive class to censor information entered into form fields or the ClickTaleExcludeBlock method to prevent the recording of any element on your page.
Do my visitors know they are being recorded?
• The recording process itself is completely transparent to the end user. However, all ClickTale subscribers should place a disclaimer in their Privacy Policy letting their visitors know that they may be recorded. For more information please see our Terms of use.
Question: Over all time (and per month), how many subscriptions have been revoked due to PII, AND who reported/detected these: the end user, the client, staff, or a regulator?
24. Continued…
http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured
Privacy Assured
…
Can ClickTale track visitors after they leave my site?
• No, ClickTale can only track visitors on the specific web pages that contain your ClickTale tracking code.
Can my visitors choose not to be recorded?
• Yes, we offer an opt out option for anyone who does not want to be recorded. This inserts a cookie within your visitor's browser that will prevent them from being recorded by any ClickTale customer.
How secure is my data?
• Very secure. ClickTale takes several steps to ensure your data's security.
• We restrict employees' access to your data. ClickTale employees cannot access your data unless you provide us with your password and specific permission to access your account.
• HTTPS page data is passed to the ClickTale servers via SSL and is fully encrypted.
• Our servers are hosted at SAS 70 Type II certified data centers.
• We use firewalls to limit access to the ClickTale servers.
• We regularly apply updates to servers, OS, firewalls and all software to prevent security vulnerabilities.
26. Doh! Not a good idea to use this screenshot in the wiki: /page.aspx?email=sono@client.com is being tracked (an email address in the page URL is recorded along with the page)
Link to page:
http://wiki.clicktale.com/Article/ActivePlayback_API#Debugging_your_ActivePlayback_code
27. Yikes! Is this a deprecated feature?? (The email-tracking links below carry recipient details such as a customer name and a zip code in the query string.)
http://clicks.skem1.com/preview/?c=537&g=987&p=e240e16b504c7714ea27a5618baa08cb&utm_medium=email&utm_source=contactology&utm_campaign=2010_10_21_110&ct=enable,t(2010_10_21_110),t(Customer Name=Eul lee)
http://clicks.electionemail.com/preview/?c=2155&g=781&p=4209474eb0aff8e0b98b1bd1fc2e4b4b&utm_medium=email&utm_source=ElectionMall Technologies Inc.&utm_campaign=Hinojosa&ct=enable,t(Arpaio),t(Zip=23888)
http://blog.clicktale.com/2009/01/22/announcing-clicktale-email-tracking-extreme-visibility-into-your-email-campaigns/
30. 404 handler needs updating
www.clicktale.com/privacy >> /page-cannot-be-found
Note: www.clicktale.net/bla is not redirecting to www.clicktale.com/bla
Note: www.clicktale.com/disable.html is not redirecting to www.clicktale.net/disable.html
31. Wiki - changing the form action from POST to GET could have privacy implications (submitted field values move into the URL query string, where they end up in server logs, browser history, Referer headers and the recorded page URL)
http://wiki.clicktale.com/Article/POST_pages#How_ClickTale_handles_POST_pages
http://redant.com.au/blog/clicktale-review-technology/
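The tracked page URL on slide 26, the email-tracking links on slide 27 and the POST-to-GET change above all come down to the same thing: personal data sitting in a query string that a session recorder will store with the page. The following is an added example (not ClickTale's code and not from the deck): a Node.js scanner that flags such parameters, including key=value fragments nested inside another parameter's value as in t(Zip=23888), and a redactor that rewrites them before the URL is recorded. The PII key list, the regexes and the sample URLs are constructed for this example, modelled on the URLs quoted on the slides.

```javascript
// Added example, not ClickTale's code. Flags personal data in a URL's query
// string (email=, Customer Name=, Zip= as seen on the slides) and produces a
// redacted copy safe to hand to a session recorder.
// Key list, regexes and sample URLs are constructed for this example.

const PII_KEY_RE = /(^|[^a-z])(e-?mail|name|zip|postcode|phone|tel|ssn|dob|address|account|card)([^a-z]|$)/i;
const EMAIL_VALUE_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const ZIP_VALUE_RE = /^\d{5}(-\d{4})?$/;
// "key=value" fragments nested inside another parameter's value, e.g. t(Zip=23888)
const NESTED_PAIR_RE = /([A-Za-z][A-Za-z ]*)=([^,()&]+)/g;

// Why one key/value pair looks like PII; an empty array means it looks clean.
function piiReasons(key, value) {
  const reasons = [];
  if (PII_KEY_RE.test(key)) reasons.push('pii-key');
  if (EMAIL_VALUE_RE.test(value)) reasons.push('email-value');
  if (ZIP_VALUE_RE.test(value.trim())) reasons.push('zip-value');
  return reasons;
}

// Returns [{param, value, reasons}] for every suspicious pair, nested ones included.
function scanUrlForPii(raw) {
  const url = new URL(raw);
  const findings = [];
  for (const [key, value] of url.searchParams) {
    const top = piiReasons(key, value);
    if (top.length) {
      findings.push({ param: key, value, reasons: top });
      continue;
    }
    // The whole parameter looked clean; now look inside it for "k=v" fragments.
    for (const [, k, v] of value.matchAll(NESTED_PAIR_RE)) {
      const nested = piiReasons(k.trim(), v);
      if (nested.length) findings.push({ param: `${key} -> ${k.trim()}`, value: v, reasons: nested });
    }
  }
  return findings;
}

// Same rules, but rewrites the offending values so the URL can be recorded.
function redactUrl(raw) {
  const url = new URL(raw);
  for (const [key, value] of [...url.searchParams]) { // copy: we mutate while iterating
    if (piiReasons(key, value).length) {
      url.searchParams.set(key, '[redacted]');
      continue;
    }
    const cleaned = value.replace(NESTED_PAIR_RE, (whole, k, v) =>
      piiReasons(k.trim(), v).length ? `${k}=[redacted]` : whole);
    if (cleaned !== value) url.searchParams.set(key, cleaned);
  }
  return url.toString();
}

// Constructed samples modelled on the URLs quoted on slides 26 and 27.
const SAMPLE_URLS = [
  'https://www.example.com/page.aspx?email=sono@client.com',
  'http://clicks.example.net/preview/?c=537&utm_medium=email&ct=enable,t(2010_10_21_110),t(Customer Name=Eul lee)',
  'http://clicks.example.net/preview/?c=2155&utm_campaign=Hinojosa&ct=enable,t(Arpaio),t(Zip=23888)',
];

for (const u of SAMPLE_URLS) {
  console.log(u);
  console.log('  findings:', JSON.stringify(scanUrlForPii(u)));
  console.log('  redacted:', redactUrl(u));
}
```

Run the scanner over the URLs a tracker would see (the page URL, the referrer, any link the tracker logs) and feed only the redacted form onward; note that utm_medium=email is left alone because the value is a channel name, not an address.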
32. Is the ClickTale bot a backdoor/firewall security risk?
• Bypass companies' firewalls by whitelisting our servers' IP ranges, which are 75.125.82.64/26 and 50.97.162.64/26, and opening a network connection (normally port 80/443) for the ClickTale bot from these IPs to the site's ports on your server (e.g. 8080)
http://wiki.clicktale.com/Article/Offline_recordings
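As an added example (not ClickTale's or the wiki's code), here is the firewall exception the wiki asks for enforced as narrowly as the slide's concern warrants: a connection is allowed only if its source falls inside one of the two listed /26 ranges and its destination is the single origin port that was opened, and a rule audit flags any allow rule whose source is wider than those documented ranges. The port 8080 and the rule samples are assumptions taken from the slide's "e.g. 8080"; the CIDR arithmetic is plain IPv4 and does not depend on ClickTale.

```javascript
// Added example, not ClickTale's code. Narrow allow-list for the bot exception:
// source must be inside a documented /26 AND destination must be the one opened
// port. Port 8080 and the sample rules/connections below are constructed.

const CLICKTALE_BOT_RANGES = ['75.125.82.64/26', '50.97.162.64/26']; // from the slide
const ORIGIN_PORT = 8080; // assumed, from the slide's "e.g. 8080"

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// True when ip lies inside cidr (e.g. 75.125.82.64/26 covers .64 to .127).
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Policy: allow only (source in a documented bot range) AND (destination is the opened port).
function botRequestAllowed(srcIp, dstPort, ranges = CLICKTALE_BOT_RANGES, allowedPort = ORIGIN_PORT) {
  return dstPort === allowedPort && ranges.some((r) => inCidr(srcIp, r));
}

// Audit configured allow rules: anything whose source is not exactly one of the
// documented ranges (a /24 typed instead of /26, a neighbouring block) is flagged.
function auditAllowRules(rules, documented = CLICKTALE_BOT_RANGES) {
  return rules.filter((r) => !documented.includes(r.source) || r.port !== ORIGIN_PORT);
}

// Constructed connection attempts, as a firewall log would show them.
const SAMPLE_CONNECTIONS = [
  { src: '75.125.82.70', port: 8080 },   // inside range, right port: allowed
  { src: '75.125.82.128', port: 8080 },  // first address after the /26: denied
  { src: '50.97.162.100', port: 22 },    // inside range, wrong port: denied
  { src: '203.0.113.9', port: 8080 },    // outside range: denied
];

// Constructed rule set with one mistyped mask.
const SAMPLE_RULES = [
  { source: '75.125.82.64/26', port: 8080 },
  { source: '50.97.162.0/24', port: 8080 },
];

for (const c of SAMPLE_CONNECTIONS) {
  console.log(`${c.src}:${c.port} -> ${botRequestAllowed(c.src, c.port) ? 'ALLOW' : 'DENY'}`);
}
console.log('rules wider than documented:', JSON.stringify(auditAllowRules(SAMPLE_RULES)));
```

The point of the port check is that the wiki describes the bot as needing one path to the origin; an exception keyed on source range alone turns those two /26 blocks into hosts that can reach every port the origin exposes.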
33. Concerning: auto-refill data captured by ClickBot & FetchFromWithCookies
• Auto form restoration when the ClickTale bot tries to cache a page with websiteSessionIdToken=1234 or FetchFromWithCookies
http://wiki.clicktale.com/Article/Sensitive_data#Preventing_Auto-Refill_Data_In_Playback
http://wiki.clicktale.com/Article/ClickTaleFetchFromWithCookies
Excluding/removing the website session ID would be advisable (if possible).
• Also, client-side HTTP content upload should be used with caution:
http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleUploadPage
Question: When using FetchFromWithCookies, is data always sent over SSL back to the ClickTale server?
34. Database append risks
• Lots of integrations with other tools:
http://www.clicktale.com/why-clicktale/partners
http://wiki.clicktale.com/Article/Help_talk:GA_Integration#I._Import_ClickTale_IDs_into_GA
Too much data = increased risk of identifying the user in the real world, or of capturing sensitive data.
35. Vertical risks: be especially careful in the Health and Finance sectors to avoid capturing sensitive personal data
40. Appendix: Ghostery page incorrect?
Digital Analytics Association
Is "Data Sharing" the correct category? There is no category for mouse tracking or keystroke logging.
41. Links to privacy policies
Privacy FAQs
http://wiki.clicktale.com/Article/Frequently_asked_questions#Privacy_Assured
Privacy policy (site)
http://www.clicktale.com/privacy-policy
http://wiki.clicktale.com/Article/ClickTale_Wiki:Privacy_policy
Privacy policy (service)
http://www.clicktale.com/privacy-service
http://www.clicktale.com/enterprise-terms
ToS
http://www.clicktale.com/terms-use
http://www.clicktale.com/enterprise-terms2
Debug mode – shows whether the user has opted out and the rate of recording (e.g. 1 in 334 on www.conrad.de/ce/?ct=debug)
http://www.cbsnews.com/?ct=debug
Hosted tracking scripts:
https://clicktalecdn.sslcs.cdngc.net/www/ptc/5d9396e0-fb55-443d-8209-b5eb60af50e2.js
http://cdn.clicktale.net/www/ptc/5d9396e0-fb55-443d-8209-b5eb60af50e2.js
http://s.clicktale.net/WRd.js
http://s.clicktale.net/XHRWrapper.js (AJAX)
42. Appendix – digitalData layer notes
Need for standardised field names or classes, e.g. class="digitalData_sensitive" or class="ClickTaleSensitive"
http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleSensitive_CSS_Class
http://wiki.clicktale.com/Article/Sensitive_data#ClickTaleSetAllSensitive
The dataLayer object can be used to disable all field tracking, but this greatly reduces the insight gained from the Customer Experience Analytics tools.
Here is an example of disabling it via the events mask:
http://wiki.clicktale.com/Article/JavaScript_API#ClickTaleEventsMask
e.g. ClickTaleEventsMask -= 4;
or
{
  "visitor": {
    "isKeystrokeTrackingDisabled": true
  }
}
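An added example (not ClickTale's code) that ties slide 23's ClickTaleSensitive class to the digitalData flag above. It rests on two assumptions: that ClickTaleEventsMask is a bit-field and 4 is the flag value the slide subtracts, so the safe operation is clearing that bit rather than subtracting (which goes wrong if run twice or when the bit is not set); and the field-naming heuristics for what to mask are mine, not the vendor's. The sample form fields are constructed.

```javascript
// Added example, not ClickTale's code. (1) Turns the digitalData flag into a
// safe change of the events mask; (2) decides which form fields get the
// ClickTaleSensitive class before the tracker sees them.
// Assumed: ClickTaleEventsMask is a bit-field and 4 is the flag the slide
// subtracts. Field heuristics and sample fields are constructed.

const KEYSTROKE_FLAG = 4; // assumed flag value behind "ClickTaleEventsMask -= 4"

// "mask -= 4" is not idempotent: run twice, or on a mask without the bit set,
// it corrupts the value (3 - 4 === -1). Clearing the bit is safe any number of times.
function clearFlag(mask, flag) {
  return (mask & ~flag) >>> 0;
}

// Read the digitalData opt-out flag and return the mask that should be in effect.
function maskFromDigitalData(digitalData, currentMask) {
  const visitor = (digitalData && digitalData.visitor) || {};
  return visitor.isKeystrokeTrackingDisabled ? clearFlag(currentMask, KEYSTROKE_FLAG) : currentMask;
}

// Field rules (heuristics, constructed for this example): anything a browser
// autofills from a credential, payment or contact profile, plus names hinting
// at identity, payment or health data. Over-masking is the safe failure mode.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'cc-number', 'cc-csc', 'cc-exp', 'cc-name', 'current-password', 'new-password',
  'email', 'tel', 'username', 'bday', 'postal-code', 'street-address',
]);
const SENSITIVE_NAME_RE = /(pass|pwd|ssn|national|social|card|cvv|cvc|iban|sort.?code|account|dob|birth|e-?mail|phone|tel|postcode|zip|diagnos|health|medic|patient)/i;

function shouldMask(field) {
  if (field.type === 'password') return true; // never recorded per the FAQ; class kept for consistency
  if (field.autocomplete && SENSITIVE_AUTOCOMPLETE.has(field.autocomplete.toLowerCase())) return true;
  return SENSITIVE_NAME_RE.test(field.name || '') || SENSITIVE_NAME_RE.test(field.id || '');
}

// Returns the class attribute the field should carry; existing classes are kept.
function classesWithSensitive(field) {
  const classes = (field.className || '').split(/\s+/).filter(Boolean);
  if (shouldMask(field) && !classes.includes('ClickTaleSensitive')) classes.push('ClickTaleSensitive');
  return classes.join(' ');
}

// Applies the class to a list of field descriptors and returns the names it
// changed. Real DOM elements expose the same name/id/type/autocomplete/className
// properties, so a NodeList from querySelectorAll works here unchanged.
function maskSensitiveFields(fields) {
  const changed = [];
  for (const f of fields) {
    const before = f.className || '';
    f.className = classesWithSensitive(f);
    if (f.className !== before) changed.push(f.name || f.id);
  }
  return changed;
}

// Constructed sample form, modelled on a checkout page.
const SAMPLE_FIELDS = [
  { name: 'q', type: 'search', className: 'input' },
  { name: 'email', type: 'text', className: 'input' },
  { name: 'cardNumber', type: 'text', autocomplete: 'cc-number', className: '' },
  { name: 'pwd', type: 'password', className: 'input ClickTaleSensitive' },
  { name: 'promo', type: 'text', className: 'input' },
];

// Demo on a copy so SAMPLE_FIELDS stays pristine for re-use.
console.log('newly masked:', maskSensitiveFields(SAMPLE_FIELDS.map((f) => ({ ...f }))));
console.log('mask 7 with opt-out:', maskFromDigitalData({ visitor: { isKeystrokeTrackingDisabled: true } }, 7));

// Browser usage (the slide's ClickTaleEventsMask global is assumed to exist there):
//   maskSensitiveFields(document.querySelectorAll('input, textarea, select'));
//   window.ClickTaleEventsMask = maskFromDigitalData(window.digitalData, window.ClickTaleEventsMask);
```

Run maskSensitiveFields before the tracking script initialises, since the class must be present when the recorder first inspects the field; the heuristics deliberately err toward masking, because a masked analytics field costs insight while an unmasked card number costs the subscription under the terms quoted on slide 23.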
43. Monitor AdBlocker lists and report false positives for spyware
• http://easylist-msie.adblockplus.org/easyprivacy.tpl