This morning, I woke up to a text from my sister-in-law: “I knew my phone was listening to me... Facebook is giving me all ads for homes in Colorado.”
Last night, we’d met for dinner and I told her that I was moving.
Was her phone listening? Probably not.
More likely, Facebook knew her phone had been right next to my phone, that we were related, and that I had been looking up homes in Colorado.
That’s maybe even creepier.
It’s no surprise, though: the internet runs on advertising, which is heavily reliant on tracking and analyzing user behavior on the web.
The System Outdid Itself
For years, consumers have enjoyed the products, services, and content funded by advertising, and advertisers have used tracking and analytics to improve the success of their marketing campaigns. The tremendous amounts of data collected by the websites the users’ visits are often stored in public or multi-tenant cloud environments and shared with third-party services (e.g. Facebook).
But the growing amount of personal information collected and the increasing sophistication of marketing analytics have raised serious privacy concerns.
In response, legislators around the world are introducing new regulations, which include the GDPR and the CCPA, that introduce varying restrictions on the collection, processing, and sharing of personal information and give individuals varying rights to control the way their data is collected and processed. The regulations also introduce fines for noncompliance and for any data breach or incident that exposes personal information.
Many web browsers, too, including Apple Safari, Google Chrome, and Firefox Mozilla are developing technical controls designed to reduce or eliminate the use of third-party cookies and protect user data.
Combined, these regulatory and technical controls will likely force major changes in analytics. Organizations should be less willing to entrust the personal information they collect to third-party services. Yet every year, dozens—if not more—of new and important martech and adtech tools are emerging.
The answer can’t be to stop using these and other third-party tools, can it?
The Third-Party Problem: It’s Complicated
According to Benjamin Franklin, “Three may keep a secret, if two of them are dead.”
Franklin understood that the more people who know a secret, the more likely the secret will be revealed. When it comes to Information Security, the more complex a system is, and the more organizations and individuals with access to that system, the harder it is to secure, leaving organizations exposed in two major ways:
1. Hidden Vulnerabilities in the Third Party
The first problem with third-party services is that any third-party software you use will contain defects (bugs) that may cause security vulnerabilities. If you use a service like Facebook pixel or MixPanel Autotrack, you will need to add a snippet of base code to each of your webpages, and you need to trust that code’s developer to detect and fix defects.
Those small code snippets call on open source libraries of pre-written functions that may contain millions of lines of code, and all code has defects. According to a recent scan report, the average defect density is 1 defect per thousand lines of code. Approximately 25% of those defects create serious security vulnerabilities, which means you should expect 250 security vulnerabilities for every million lines of code.
In 2018, Mixpanel fell victim to one of those vulnerabilities and inadvertently collected passwords and other hidden data for over nine months. Mixpanel had to spend time and money on a forensics investigation, security patch installation, and identification and deletion of the inadvertently collected data.
Fortunately, there is no indication that anyone at Mixpanel or any third party actually saw the mistakenly collected data, so the damage to Mixpanel’s reputation was probably limited. But there’s no guarantee the next vulnerability will clean up so neatly.
2. Total Loss of Data Governance
The second problem with giving third parties access to personally identifiable information (PII), is that you have to trust them to use that data properly—and not all third parties are trustworthy. Facebook infamously learned that the hard way when a whistleblower revealed that a researcher had given a political data firm unauthorized access to the personal information of over 50 million Facebook users.
Of course, most third parties aren’t that brazen. What’s more likely is that they suffer a breach or simply don’t map data as stringently as you’d like. Under CCPA, for example, a customer can request access to their data at any time and take recourse if it’s been compromised. If your customer requests access to data you collected but a third party can’t account for it, that’s noncompliance.
Simply put, sharing any sensitive data with third parties or even using third-party software tools introduces risk that may damage your organization and destroy your customers’ trust.
All is Not Lost!
While this seems to paint a dark picture and oppose the valuable support third-party vendors provide, that’s not the conclusion of the story. Yes, new privacy regulations and web browser privacy initiatives will necessarily change marketing analytics. But not because organizations are forced away from beloved or necessary tools.
The answer is many organizations are likely to choose the idea relative simplicity of storing and processing their own data in a private cloud environment without exposing sensitive data to any third-parties. With the right data routing deployed on their private cloud, an organization has the ability to control data from ingestion—and most importantly, choose what data goes to which partners.
That means hidden vulnerabilities or third party exposure isn’t a threat, because they don’t have any information that would put you at risk. And you can continue your personalization efforts, ideally without being creepy.
Concerned about vulnerabilities in your data ecosystem? Reach out to firstname.lastname@example.org anytime with questions.