Sunday, January 25, 2009 snafu around a web bug

Even the best of intentions are often incorrectly brought to life. Here are some random quotes & opinions about the InformationWeek article entitled "White House Web Site Revisits Privacy Policy".

Note: in this post, emphasis in quotes are mine...

Privacy Policy

1st mistake: forgot to update privacy policy. The whole thing seems to have started because 3rd party cookies from WebTrends were found while the privacy policy didn't mention it.

Of course, stating "attorney" and "web bug" in the same sentence is nothing to reassure casual users and those not educated about web analytics (emphasis mine): "an attorney, warned [...] the site contains a Web bug."

"Certain details"

The long article continues and mention "in the process of receiving the remote request from [...] WebTrends also receives certain details". "Auerbach observed [...] that while he recognized some of the data requested [...] the other data gathered by WebTrends was unclear." Then the article goes on to (try) to explain "what" is being collected and fail miserably. Why? Because most web analytics vendors do not provide detailed breakdown and disclose usage of each of the parameter data they are collecting.

Using WASP would easily reveal most of value-pair information sent to WebTrends. While most tags are documented in vendors implementation guides, some of them are not. Getting information about their specific use is very difficult. And this is not specific to WebTrends, other vendors are also very reluctant in letting end-users know exactly what each tag is being used for as I found out myself.

Is it legal?

I don't want to put oil on the "is it ethical" fire. To me, that's a waste of time. However, suggesting  web analytics (in general) might be illegal is a whole other story: "I would suggest that since the collection, aggregation, and conveyance of the data to WebTrends is from the user's computer and not from that a very strong argument can be made that the data belongs to the user, not".

However, "Auerbach concedes that the data sent to WebTrends may not be clearly categorizable as personally identifiable information."

Case closed.

JavaScript Security?

"[JavaScript] is not a particularly safe practice or good for privacy, although most major sites still do it anyway, using WebTrends, Omniture, or Google Analytics". We've been arguing about that for years, yet, I still talk to a lot of people who think JavaScript and cookies are evil. As with any other technology, they can be used to make our lives better... or turn them into nightmares. Such bold statements, like any radical opinion, is never good to foster discussion and advancement.

My take

My takeaways from this story:
  1. The privacy policy of should be reviewed.
  2. WebTrends should also be configured to use 1st party cookie (although, in the end, the data would still be sent to WebTrends anyway).
  3. I will continue to talk with vendors to provide full disclosure about the exact use of each of the parameter they receive and include that information in WASP
  4. Privacy advocates and casual users certainly needs to be better educated about web analytics