BuzzFeed is Watching You

When you visit BuzzFeed, they record lots of information about you.

Most websites record some information. BuzzFeed record a whole ton. I’ll start with the fairly mundane stuff, and then move on to one example of some slightly more scary stuff.

First: The Mundane Bits

Here’s a snapshot of what BuzzFeed records when you land on a page. They actually record much more than this, but this is just the info they pass to Google (stored within Google Analytics):

Here’s a description of what’s going on there:

The first line there is how many times in total I’ve visited the site (above this, which I’ve skipped for brevity, it also records the time I first visited, and a timestamp of my current visit).

Below that, the ‘Custom Var’ block is made up of elements BuzzFeed have actively decided “we need to record this in addition to what Google Analytics gives us out of the box”. Against these, you can see ‘scope’. A scope of ‘1’ means it’s something recorded about the user, ‘2’ means it’s recorded about the current visit, ‘page’ means it’s just a piece of information about the page itself.

There you can see other info they’re tracking, including:

  • Have you connected Facebook with BuzzFeed?
  • Do you have email updates enabled?
  • Do they know your gender & age?
  • How many times have you shared their content directly to Facebook & Twitter & via Email?
  • Are you logged in?
  • Which country are you in?
  • Are you a BuzzFeed editor?
  • …and about 25 other pieces of information.

Within this you can also see it records ‘username’. I think that’s recording my user status, and an encoded version of my username. If I log in using 2 different browsers right now, it assigns me that same username string, but I’m going to caveat that I’m not 100% sure they’re recording that it is ‘me’ browsing the site (ie. that they’re able to link the data they’re recording in Google Analytics about my activity on the site back to my email address and other personally identifiable information). Either way, everything we’ve covered so far is quite mundane.

The Scary Bit

The scary bit occurs when you think about certain types of BuzzFeed content; most specifically: quizzes. Most quizzes are extremely benign – the stereotypical “Which [currently popular fictional TV show] Character Are You?” for example. But some of their quizzes are very specific, and very personal.

Here, for example, is a set of questions from a “How Privileged are You?” quiz, which has had 2,057,419 views at the time I write this. I’ve picked some of the questions that may cause you to think “actually, I wouldn’t necessarily want anyone recording my answers here”.

When you click any of those quiz answers, BuzzFeed record all of the mundane information we looked at earlier, plus they also record this:

Here’s what they’re recording there:

  • ‘event’ simply means something happened that BuzzFeed chose to record in Google Analytics.
  • ‘Buzz:content’ is how they’ve categorised the type of event.
  • ‘clickab:quiz-answer’ means that the event was a quiz answer.
  • ‘ad_unit_design3:desktopcontrol’ seems to be their definition of the design of the quiz answer that was clicked.
  • ‘ol:1218987’ is the quiz ID. In other words, if they wish, they could say “show me all the data for quiz 1218987” knowing that’s the ‘Check Your Privilege’ quiz.
  • ‘1219024’ is the actual answer I checked. Each quiz answer on BuzzFeed has a unique ID like this. Ie. if you click “I have never had an eating disorder” they record that click.

In other words, if I had access to the BuzzFeed Google Analytics data, I could query data for people who got to the end of the quiz & indicated – by not checking that particular answer – that they have had an eating disorder. Or that they have tried to change their gender. Or I could run a query along the following lines if I wished:

  • Show me all the data for anyone who answered the “Check Your Privilege” quiz but did not check “I have never taken medication for my mental health”.
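To make the exposure concrete, the following added example (not BuzzFeed's code and not from the original post) groups quiz-answer events by a user-scope ‘username’ value and lists the statements each user left unchecked. The record layout, the user labels and answer ID 9000001 are constructed assumptions, and every listed user is assumed to have finished the quiz; only the event strings, quiz ID 1218987 and answer ID 1219024 come from the post.

```python
from collections import defaultdict

# Constructed sample data. The record layout and names are assumptions; only the
# event strings, quiz ID 1218987 and answer ID 1219024 appear in the post.
QUIZ_ANSWERS = {  # answer ID -> statement (9000001 is a made-up ID)
    "1219024": "I have never had an eating disorder",
    "9000001": "I have never taken medication for my mental health",
}
EVENT = ["Buzz:content", "clickab:quiz-answer",
         "ad_unit_design3:desktopcontrol", "ol:1218987"]
HITS = [  # custom vars are (name, value, scope); scope 1 = user, 2 = visit
    {"custom_vars": [("username", "user-A", 1), ("logged_in", "yes", 2)],
     "event": EVENT + ["1219024"]},
    {"custom_vars": [("username", "user-A", 1)], "event": EVENT + ["9000001"]},
    {"custom_vars": [("username", "user-B", 1)], "event": EVENT + ["9000001"]},
    {"custom_vars": [("country", "uk", 2)], "event": EVENT + ["1219024"]},
]

def checked_by_user(hits):
    """Group quiz-answer clicks by a user-scope (scope 1) 'username' value."""
    checked = defaultdict(lambda: defaultdict(set))
    for hit in hits:
        event = hit["event"]
        if "clickab:quiz-answer" not in event:
            continue
        quiz = next((p[3:] for p in event if p.startswith("ol:")), None)
        users = [value for name, value, scope in hit["custom_vars"]
                 if name == "username" and scope == 1]
        if quiz and users:  # hits without a persistent ID cannot be linked
            checked[users[0]][quiz].add(event[-1])
    return checked

def inferred_statements(hits, quiz_id, catalogue):
    """Per user, the statements whose boxes were left unchecked."""
    report = {}
    for user, quizzes in checked_by_user(hits).items():
        unchecked = sorted(set(catalogue) - quizzes.get(quiz_id, set()))
        report[user] = [catalogue[answer] for answer in unchecked]
    return report

if __name__ == "__main__":
    for user, left in inferred_statements(HITS, "1218987", QUIZ_ANSWERS).items():
        print(user, "left unchecked:", left)
```

Only clicks are stored, yet the unchecked boxes fall out of a set difference against the quiz's answer list, and the hit with no user-scope identifier is the only one that cannot be attributed.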

In BuzzFeed’s defense, I’m sure when they set up the tracking in the first place they didn’t foresee that they’d be recording data from quizzes of this personal depth. This is just a single example, but I suspect this particular quiz would have had less than 2 million views if everyone completing it realised every click was being recorded & could potentially be reported on later – whether that data is fully identifiable back to individual users, or pseudonymous, or even totally anonymous.

What do you think?

.UK Domains Launched – Sorry!

On June 10th 2014, at 8am, Nominet (the UK domain registry) launched “.uk” domains. In other words, I could now move this site to “http://barker.uk” rather than “http://barker.co.uk”.

To announce the launch – the biggest change to UK internet addresses in many, many years – Nominet have launched what they call “the world’s largest welcome sign”, visible from 35,000 feet. Here’s how the Daily Mail described this enormous sign:


Sadly – here’s what you see if you visit the URL on the world’s largest welcome sign:

A shame to have launched the world’s largest welcome sign leading to a large “Sorry…” notice, and a nice lesson to remember to double check your landing pages when running multi-channel campaigns.

Note: If you’d like a full summary of the .uk change, what it means, and what to do about it, feel free to leave a comment and I’ll update this post later.

The John Lewis Email Spam Fine

Part of the email marketing industry in the UK is built around this phrase:

‘in the course of a sale or negotiations for the sale of a product or service’.

Those are the conditions under which – if you have collected an email address – you are allowed to send marketing emails (b2c), even if they have not explicitly opted in to receive mail from you.

Most sites assume that signing up for an account, or beginning a checkout process, falls within ‘negotiations for the sale of a product or service’. As a result, they consider it perfectly ok to send you abandoned basket emails if you have begun checkout, and it’s fairly standard practice to email users who have registered for an account with you, as long as they have not specifically opted out.

Here’s how the Information Commissioner’s Office talk about this:

John Lewis essentially did exactly that, or considered they had. Here is how the man who took them to court (a Sky News producer) described John Lewis’ argument (from http://news.sky.com/story/1272933/spammer-to-pay-damages-after-court-victory):

To be clear: What John Lewis were doing here is considered fairly good practice. The user signed up for an account. They had the opportunity to opt out & did not. Yet the court still considered it spam & issued a fine.

What does this mean for email marketing? 

If you are a business or a website owner:

  • It may mean you should relook at the wording on your website to make it clear that an account signup is considered ‘negotiation toward a sale’.
  • It may mean you need to speak to your abandoned basket email provider to ask “are we definitely covered here? If not, what do we need to do?”
  • It may mean that your ‘opt out’ box should be more prominent after signing up & that you highlight that the sign up is considered the beginning of a relationship.
  • It may mean you should check through how your existing email addresses have been acquired a little more thoroughly.
  • It may mean some sites need to watch out for scammers, putting in spam claims to try and win the fine money.
  • It may even mean you need to move to double opt-in, or more heavily confirm opt-ins, as – of course – anyone can enter anyone else’s email address on a form; it is not necessarily confirmation from the actual email owner that they wish to receive your communications.
  • It may mean you should think about not emailing users unless they have explicitly ticked a box, even though the Information Commissioner says it’s fine to do just that under some conditions.

Or, this may just be a fluke, and another court may decide a similar case entirely differently.

UKIP – Powered By Foreign Technology

The United Kingdom Independence Party (UKIP) have launched a new advertising campaign. It hinges on 2 key messages:

  1. Foreign labour is damaging the UK.
  2. Much of UK law is controlled from overseas.

Here are two of their posters covering these issues:

 

Based on this, you may think they’d be keen on UK technology. Yet here’s the technology behind UKIP’s website:

 

Even their domain name is not from the UK: the “.org” in UKIP.org is governed from the USA.

The Mirror’s Crying Child Photo – Not All That it Seems

Here’s the front cover of the Daily Mirror. A haunting image of a starving British child, crying their eyes out.

Only… the child is from the Bay Area, and the photo was purchased from Flickr via Getty Images…


Here’s the source of the original image: https://www.flickr.com/photos/laurenrosenbaum/4084544644/ (Here’s a happier one taken the following day: https://www.flickr.com/photos/laurenrosenbaum/4086511962/. Apparently she was crying over an earthworm.)

An excellent photo, taken by the excellent Lauren Rosenbaum in November 2009, shared on a US website (Flickr), sold by an American photo agency (Getty Images), used to illustrate poverty in Britain.

  • Does it matter that the photo is not really a starving child?
  • Does it matter that the photo wasn’t even taken in the UK?
  • Is there an ethical issue in buying a stock photo of a child – not in poverty – and using it to illustrate poverty?
  • Does it matter that the headline begins “Britain, 2014”, but the photo is actually “USA, 2009”?

I’m not sure on the answers to any of the above, but interesting to think about.

What do you think?

 


How the US Airways Tweet Happened

If you’re reading this, you will know that US Airways sent an incredibly lewd photo to one of their passengers in response to a complaint.

Here is the massively censored version of the Tweet:

The 2 Key Events:

  1. Very shortly before the US Airways tweet, the @ARTxDEALER Twitter account posted ‘the photo’, addressing the Tweet to @AmericanAir. (side-note: American Air & US Airways recently merged)
  2. US Airways posted a response to user @ElleRafter: “We welcome feedback, Elle. If your travel is complete, you can detail it here for review and follow up: pic.twitter.com/vbeYgXXXXX” (I’ve deliberately changed that URL to protect the innocent).

The Actual Explanation:

  • US Airways recently merged with American Air.
  • Whoever is in control of the US Airways twitter account also monitors American Air’s brand on Twitter.
  • Having seen the lewd photo sent to American Air, the social media exec copied the URL (perhaps emailing it to someone to report it, for example)
  • When they responded to @ElleRafter, instead of pasting the URL of their complaints form, they accidentally pasted the twitter image URL. In doing that, it reattached the image to their tweet.

The key piece of information is that if you copy & paste a ‘pic.twitter.com…’ Twitter photo URL into your tweet, it reattaches that photo to your tweet.

Summary: Mystery solved. The twitter account ‘@ARTxDEALER’ accidentally caused the whole thing. (I wouldn’t recommend visiting their account – not safe for work!)

Very good luck to the poor person in charge of the US Airways/American Air twitter accounts. A tough job and – from the looks of things – an honest mistake.

How to Beat 2-Factor Authentication

You may have noticed these fake ‘Log into Google’ pages appearing more and more. They (and equivalents for other services) have very quickly become one of the main ways hackers use to steal other users’ accounts: (look carefully at the URL)

[Image: fake Google login screen]

The usual solution put forward to avoid falling for these is to ‘use 2-factor authentication’. 2-Factor Authentication is very, very good, and everyone should enable it where possible. But… it does not necessarily protect you from attacks using systems like the above. Here’s how a hacker could get around it if they were determined:

  1. The hacker sends an email to someone that redirects them to a fake ‘log in to Google’ page.
  2. At the point the user enters their login details, the hacker’s program automatically attempts to log into Google itself.
  3. If the hacker is presented with a ‘Please enter your code…’ screen, Google will have automatically sent a code directly via SMS to the user. The hacker should therefore present the user with their own ‘Please enter your code’ box.
  4. The hacker would then wait for the user to receive the code that Google has sent, and type it into the hacker’s own “enter your code” box.
  5. The hacker would then use that code to immediately log into Google as the user, defeating the 2-step authentication.

That’s all sneaky, and horrible, but it’s so straightforward that I’m sure it will start happening soon.

3 Factor Authentication? Or ‘Confirmed’ 2 Factor Authentication?

The obvious next step is ‘3-step authentication’ which is: After Google have sent the login code and the user has logged in, they should then text another message to the user’s phone, simply saying ‘Login successful. If you have not just successfully logged in, please reply STOP to this message’.
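
The confirmation step proposed above, modelled from the server's side as an added example (not code from the original post or from Google): the SMS code is accepted from whoever submits it, and a STOP reply revokes the sessions opened for that user. The class, its method names and the user ‘alice’ are hypothetical.

```python
import hmac
import secrets

# Confirmation wording taken from the post; everything else here is hypothetical.
CONFIRM = ("Login successful. If you have not just successfully logged in, "
           "please reply STOP to this message")

class AuthServer:
    def __init__(self, users):
        self.users = users      # username -> password (constructed demo data)
        self.pending = {}       # username -> outstanding SMS code
        self.sessions = {}      # session token -> username
        self.sms_outbox = []    # (username, text) pairs "sent" to the phone

    def start_login(self, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        self.sms_outbox.append((username, f"Your code is {code}"))
        return True

    def finish_login(self, username, code):
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        self.sms_outbox.append((username, CONFIRM))
        return token

    def handle_sms_reply(self, username, text):
        """Revoke every session for the user when the phone answers STOP."""
        if text.strip().upper() != "STOP":
            return 0
        revoked = [t for t, u in self.sessions.items() if u == username]
        for token in revoked:
            del self.sessions[token]
        return len(revoked)

def relayed_login_then_stop():
    server = AuthServer({"alice": "correct horse"})
    # The server cannot tell who typed the password or the code.
    server.start_login("alice", "correct horse")
    code = server.sms_outbox[-1][1].split()[-1]   # the code the phone receives
    token = server.finish_login("alice", code)
    active_before = token in server.sessions
    revoked = server.handle_sms_reply("alice", "STOP")
    return active_before, revoked, token in server.sessions
```

The session stays valid until the STOP reply arrives, so this step limits how long a stolen login lasts rather than preventing it.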