Anatomy of a data heist
I was doing a daily Twitter scan to look for articles and information relevant to our business. I came across a link to an article about a partnership between Hilton Worldwide and Uber. The nature of the partnership was such that if you were taking an Uber from the airport and staying at the Hilton, then you could see hotel and check-in information from the Uber app and also make room or other requests/adjustments, notify the hotel and perform other functions through the Uber app.
Cool stuff.
The link is here, but given what happened to me, I’d urge you to enable an ad-blocker.
http://www.businesswire.com/news/home/20160330005332/en/Hilton-Uber-Expand-Partnership-Unveil-App-Integration
I read this article some time in the late morning or noonish EST on Wed 3/30. I am not a Hilton Honors (HHonors) member. At least not as far as I know. I’ve never received an email from the Hilton Honors program email address… Until 2pm on 3/30 after I read the above article on businesswire.

So what happened here? I have an email account set up for commercial solicitation, potential spam and other non-personal communications. This is the email account in which I received the Hilton Honors email.
It would have to be a coincidence of epic proportions to have received an email for the first time ever, from a solicitor (Hilton), whose article I read for the first time a couple hours earlier.
So I navigated back to the site and used ad-blocker/tracking-tracker Ghostery to see which prying eyes were festering on this site:

Ding ding ding. Looks like we have a winner! Look on the right side of the image, and see the 4 entities tracking me. Pardot. Lead gen/Marketing automation platform within Salesforce. I can’t be 100% sure, as there are other possible leak points in the ad-tech chain. Perhaps my cookie was sent to a DMP (Data Management Platform) when the inventory was being bid on, and the DMP matched my cookie with my email, and notified the solicitor (Hilton) to send me an email.
So how did this work? I have not deleted my cookies in a while on my work laptop, so it’s very likely that somewhere along the way in my internet activities (buying stuff, using social media, perusing and reading content), my cookie was triangulated to match my solicitation email address. With that info, Pardot (or any other perpetrator) knows that every time I browse certain subject matter, or certain articles that may contain content about one of their clients (Hilton Honors, for example), they can alert their client of the viewing and share my email with the client without my consent. It’s possible that my cookie was sent to a DMP (Data Management Platform) when the inventory was being bid on, and the DMP matched my cookie with my email, sold it to Pardot (or some other lead-gen platform), who notified the solicitor (Hilton) to send me an email. It’s hard to be totally sure what happened. And THAT’s a large part of the problem. I have so little control and insight into what’s happening with my data.
When I clicked on that article, I did not sign anything that granted the perpetrator rights to sell my email. While they probably did not break any laws, they certainly broke with societal norms, and general consumer expectations.
It’s short-sighted for the ad-tech and advertiser community to operate this way. This is the kind of stuff that pisses people off:
I don’t know who has my data
I don’t know what they are doing with it
I don’t know how much they are profiting from it
I don’t know if they are continuing to sell my contact information
Do any consumers like this? Ad-tech and their advertiser overlords continue to cut off their nose to spite their face. Like an addict, the ad-tech community appears to be sated by only amassing more personal data about us. Eventually, consumer sensibilities will be so impinged upon, that a revolt is imminent. You can argue it’s already started (200mm ad-blocker downloads world-wide ring a bell?)
Apple, Intel, Unilever, Facebook (yes, Facebook) and others are talking about and preparing for a world where the consumer exerts far greater control over their data.
If it’s what the consumer wants, then as a business, you’d be crazy to not be planning for this future.
