ellipsis flag icon-blogicon-check icon-comments icon-email icon-error icon-facebook icon-follow-comment icon-googleicon-hamburger icon-imedia-blog icon-imediaicon-instagramicon-left-arrow icon-linked-in icon-linked icon-linkedin icon-multi-page-view icon-person icon-print icon-right-arrow icon-save icon-searchicon-share-arrow icon-single-page-view icon-tag icon-twitter icon-unfollow icon-upload icon-valid icon-video-play icon-views icon-website icon-youtubelogo-imedia-white logo-imedia logo-mediaWhite review-star thumbs_down thumbs_up

Tracking the Techie

VIEW SINGLE PAGE

If you work in web marketing there are some people who hate you. They hate you with a passion that's bordering on the fanatical, especially if you're involved in web metrics. 


The reason they hate you is that you count unique visitors. 


They also hate you for presenting ads online.


These people will do everything they can to avoid being counted. Some of them will also try to make your count of other people inaccurate.


These people are your techies. They are your web site administrators, your UNIX gurus, your online programmers, your IT support staff.


If you sell or market IT products, or analyze that audience, you've got a fight on your hands.


This article is about how these people are fighting you.


Background


Last month, I wrote an article that discussed different ways of identifying unique visitors. It attracted a great deal of feedback, including the creation of a forum in slashdot.org, which is the ultimate tech/geek site. Much of that feedback came from people explaining how they avoid being tracked. It revealed a mind-set, and a community, actively involved in the prevention of web tracking.


Throughout this month's column, I'll share some choice quotes, with names omitted to protect privacy:


"I'm tired of all these marketing bullshit artists trying to track my every page view and metric on what I do at their site."


"I'm no privacy nut, but I wouldn't stand for being tracked as I walk around all day; I've no great desire to accept it as I walk around the 'net either."


The mindset


Before I describe the techniques people are using to evade detection, I want to look at the mindset of these people.


First, it's important to understand these are not average web users. You need to know your online technology to apply evasion techniques. These people are in the know about the web and how it works. I've no way of knowing how many there are, but anyone working on open source software, which drives the internet, will have the skills required. There are over a million developers working on open source in the USA alone (source: Evans Data, Feb 2004).


There are two drivers to their opposition to web tracking -- poor advertising practice, and a misunderstanding of tracking. 


Advertising is evil


Online advertising is often horrible. Pop-ups are intrusive -- how is positioning an ad so that I can't read my page supposed to endear your product to me? You obviously don't care about me: you just want my money. Banner advertising is, in my view, never worthwhile -- ever. Trying to distract me with banners that have no relevance to what I'm doing only teaches me how to develop tunnel vision.


"If you want us to view your ads, make your content worth our time, and more importantly, make your ads worth viewing, unobtrusive, and not an annoying flashing noisy mess."


I've never encountered anyone objecting to Google Ads. The point about delivering search-triggered ads is relevancy. If you're presenting relevant information at a relevant time without getting in the way, no one objects.


Poor online advertising has led to the mind-set that all online advertising is bad.


"I've made it a rule to *never, ever * click on *any* ad. Period. If I really, really, want the xyz gizmo, from abc Corp., I will visit the MFGR's site directly, or a known retailer of their products."


Web metrics = spying


"Maybe if we can generate enough noise these morons will stop trying to come up with more useless ways to invade our privacy and track our every online move."


Some companies have lied about their privacy practices and sold data they promised they wouldn't. Other companies invisibly track user movements between sites so that they can profile the user and sell the data. Making money out of lying is called fraud and it's obviously immoral. Profiling people without their knowledge or permission is also immoral. Any time you secretly do something to someone that they would object to if they knew about it, you're committing an immoral act. People value their anonymity online. They don't want it taken away without their knowledge and consent.


Counting unique visitors on your site does not involve identifying someone. However, anti-metrics people don't make that distinction.


"The only thing gained by uniquely identifying users outside of financial transactions is the opportunity to violate their privacy."


Note that our friend here treated "unique users" and "uniquely identifying users" as the same thing. Identifying unique users simply means being able to tell that two visits came from different people. Nothing about this implies knowing who those people were. However, understanding the difference requires some knowledge of metrics definitions.


Here, unscrupulous web metrics practices have combined with a lack of understanding: the result is a condemnation of the entire industry.



Go to Next Page (2 of 2)>

<Return to Page 1



Tactics


A unique individual is identified by the combination of user agent and IP address, with the option of examining cookies as well. The anti-metrics community has techniques to address each of these areas.


Cookies


We all know people block or delete cookies. Around half of average users delete some cookies once a month. However, techies do it much more often:


"I will block and/or delete cookies daily, disable java, javascript, flash, and other annoyances. There are plenty of others who do the same, and your lack of respect for our privacy will drive us away from your sites."


Deleting a cookie after a visit simply throws your repeat visitor count. Other tactics can throw your stats on a more profound level. People remap their browser to send cookies to non-existent directories. Others have systems to delete cookies as fast as they're set. Either of these tactics will lead to your system setting a new cookie for each page, so this one person will look like a new visitor on every page.


Session cookies also get blocked. I researched this myself last year and found that the level of session cookie blocking is related to the visitor's operating system; less than one percent for Mac users, two to three percent for Windows users, and 10 percent for Unix users.


Anti-cookie behavior is going to become more common and more sophisticated:


"I'm developing a browser plugin to collect multiple cookies and rotate amongst them, thus making one user appear to be a number of users."


"There have been discussions about browser plugins that use a p2p method of cookie sharing, akin to grocery store loyalty card sharing, to subvert this process."


Browsers


The anti-metrics community uses different browsers to defeat being tracked. They'll switch browsers in the middle of a single visit, and access web pages with different systems.


"I use several browsers, including text browser (elinks, lynx) and command line tools (curl, wget)."


IP


I've come to believe the visitor's IP address is the least reliable element in identification.


"I'm a typical corporate user. I use several proxies (whichever is fastest, we have one or more per country. Sometimes the UK proxy is less busy than the Dutch one). Then, I visit the same page from home, sometimes using the corporate VPN."


"If my company had computers in New York and Tokyo, I could ssh between them in much less than 60 minutes. . ."


"...anonymizing onion routers, such as TOR, make one user appear to source from a large number of globally distributed IPs."


Blocking systems


Most of the tactics I've described are behavioral -- people have to do something to prevent being tracked. Doing these things requires skill and effort. There are other systems that will do this work for you.


The easiest to use is some form of anonymous surfing. This is an industry in itself, and there are plenty of sites that will let you put a URL into a form and surf that site from within theirs.


Other systems can be installed on your machine, running many of the techniques I've described automatically.


Blocking systems don't require any technical know-how; they are available to everyone.


What will the future bring?


It's clear this is going to get more intense. Anti-tracking technologies are going to spread. Many marketing people have addressed the cookie deletion issue by talking of educating people as to the value of cookies. I think the solution lies on the other side of the fence, with our industry. The problem is caused by the limited number of tracking companies who make a mess of things for the rest of us by quietly deploying tactics that they know the public would find objectionable.


We all know who they are -- the companies who use third-party cookies to profile people surfing between sites, and the marketing companies who buy that data.


This situation will get worse. The next battleground is already upon us: IP traffic analysis. This involves placing tracking technology inside the servers themselves and analyzing IP header data for destination and source information. This is completely undetectable by the browser. The growth of such practices simply increases the level of distrust amongst our users and promotes the development of systems like TOR that randomize IP data.


At this stage, most anti-metrics behavior is concentrated in the techie community, but let's remember that these are the people who write the software and install networks. They are the ones who will build systems that will make it easy for ordinary people to emulate their behavior. They are the people who will advise others on risks and tell them how to behave online.


If we don't deal with this now, it will become a pervasive issue, and in five years we'll know less about our audience than we do today.


If we want our users -- especially our techie users -- to trust us, we must act in a trustworthy fashion.


Today's reality is that the metrics community has never stopped to consider the ethics of what it does, or censure sharp practice when we see it. The result is that we are alienating our users and our marketplace. If we want them to give us the data we need, we have to ensure we only use it for purposes they would approve of.



Brandt Dainow is CEO of Think Metrics, creator of the InSite Web reporting system. Read full bio.


<Return to Page 1

Brandt is an independent web analyst, researcher and academic.  As a web analyst, he specialises in building bespoke (or customised) web analytic reporting systems.  This can range from building a customised report format to creating an...

View full biography

Comments

to leave comments.