New Method of Tracking UIP Hits?

smurray writes "iMediaConnection has an interesting article on a new approach to web analysis. The author claims that he is describing 'new, cutting edge methodologies for identifying people, methodologies that -- at this point -- no web analytics product supports.' What's more interesting, the new technology doesn't seem to be privacy intrusive." Many companies seem unhappy with the accepted norms of tracking UIP results. Another approach to solving this problem was also previously covered on Slashdot.

More than just cookies

[wranlon]

ROI is mentioned, along with the 'atoms' of their metrics: page hit count, popular URL count, URL dwell time, and returning visitors. When these metrics are used to produce reports, how valuable are these reports in ascertaining how ROI is affected by said metrics? For example, getting a neat funnel report of the path people take through a site and where the traffic drops off offers insight into popular paths and locations where people bail out, but apart from listening for errors, there is no further insight into why a person bailed.

What seems to be missing is gathering insightful information into what transpires while someone is on a particular page. I'd like to know the general trends in behavior [whitefrost.com], not just the server requests. I've found it more useful to be able to see the interactions with the content than reporting where people enter, traverse, and exit a site.

The Meat of the Article

[RAMMS+EIN]

For those who can't be bothered to read through all the buzzwords, here's the actual method used:

Each of these steps is applied in order:

      1. If the same cookie is present on multiple visits, its the same person.

      2. We next sort our visits by cookie ID and look at the cookie life spans. Different cookies that overlap in time are different users. In other words, one person cant have two cookies at the same time.

      3. This leaves us with sets of cookie IDs that could belong to the same person because they occur at different times, so we now look at IP addresses.

      4. We know some IP addresses cannot be shared by one person. These are the ones that would require a person to move faster than possible. If we have one IP address in New York, then one in Tokyo 60 minutes later, we know it cant be the same person because you cant get from New York to Tokyo in one hour.

      5. This leaves us with those IP addresses that cant be eliminated on the basis of geography. We now switch emphasis. Instead of looking for proof of difference, we now look for combinations which indicate its the same person. These are IP addresses we know to be owned by the same ISP or company.

      6. We can refine this test by going back over the IP address/Cookie combination. We can look at all the IP addresses that a cookie had. Do we see one of those addresses used on a new cookie? Do both cookies have the same User Agent? If we get the same pool of IP addresses showing up on multiple cookies over time, with the same User Agent, this probably indicates the same person.

      7. You can also throw Flash Shared Objects (FSO) into the mix. FSOs cant replace cookies, but if someone does support FSO you can use FSOs to record cookie IDs. This way Flash can report to the system all the cookies a machine has held. In addition to identifying users, you can use this information to understand the cookie behavior of your flash users and extrapolate to the rest of your visitor population.

Re:UIP?

[1u3hr]

And strangely enough, this acronym isn't used in TFA at all. In fact, if the submitter did mean "Unique IP" that's not at all what the article is about (after all, that's trivial to record). They're looking for the number of unique individuals, and trying to deduce that from Cookies, IP, and other data.

Unique Individual? P???

Adjusting Macromedia Flash Settings

[buro9]

Macromedia have a page that allows you to modify what sites can do on your computer in regards to Flash:
http://www.macromedia.com/support/documentation/en /flashplayer/help/settings_manager02.html#118539 [macromedia.com]

Too much faith in humanity?

[Moraelin]

"I highly doubt anyone is THAT stupid to put THAT big of a security flaw into a system."

Read the article, and the guy is proposing to build exactly that kind of a security flaw into the system.

Flash can use, basically, some local shared storage on your hard drive. This isn't really designed as cookie storage, and doesn't have even the meager safeguards that cookies have. (E.g., being tied only to a domain.) It's really a space that _any_ flash applet can read and write, and currently noone (with half a clue) puts any important data there.

This guy's idea? Basically, "I know, let's store cookies there, precisely _because_ any other flash applet, e.g., our own again from a different page, can read that back again."

Caveat: so can everyone else. I could make a simple flash game that grabs everything stored there, just as you described, and sends it back to me. Including, yes, your session id (so, yes, I can take over your session in any site you were logged in, including any e-commerce sites or your bank) and anything else they stored there.

Since it's used to track your movements through sites, depending how clueless that's programmed, I may (or may not) also be able gather all sorts of other information about you.

So in a nutshell his miracle solution is to build _exactly_ that kind of a vulnerability (not to mention privacy leak) into the system.

So, well, that's the problem with assuming that "noone could be THAT stupid". Invariably when I say that, someone kindly offers himself as living proof that I'm wrong. Soneone CAN be that stupid.

Re:Paradigm shift ?!?

[fbg111]

And the fact that he actually felt the need to explain what a "paradigm shift" is to his audience - undoubtedly consisting of cynical techies - as if we'd never been (over)exposed to the concept before, quadrupled the BS meter. Honestly, was he born yesterday?

Oblig Dr. Evil Quote: [about his new "laser"] You see, I've turned the moon into what I like to call a... "Death Star".