A lot of affiliate tech vendors ask their clients to place a tag or script across their entire website – not just the confirmation pages traditionally used y affiliate tracking. While it is often necessary to power the tech solution, this always-on approach can become a backdoor that collects far more data than necessary.
It is naive to assume that tags from tech vendors only perform the functions they tell you about. They often do much more than advertised, and features intended to reduce your workload, like site-wide tags, can introduce new risks.
In this article, I am going to share two first-hand experiences from one affiliate tech vendor that show how things can go wrong.
The piggybacking pixels
Back in 2018 (ish), managing the ecommerce team and affiliate program for an ecommerce company with ~£150m turnover, I noticed one of our sites was running very slowly. Remembering an experience years before when a rogue Struq pixel crashed a major retailer on Boxing day by fired hundreds of analytics tags I fired up a http sniffer and took a look.
What I discovered almost made me spit out my cornflakes. Our site included the standard site-wide ‘master’ or ‘advertiser’ tag from our affiliate network, ostensibly to power first party cookies and attribution.
However, that tag was triggering a number of tags which we did not recognise for a series of display, paid media and retargeting vendors. Cookies and advertising beacons were being dropped willy-nilly. We had never heard of most of these companies, but they were owned by one we knew well – a large and well-known tech vendor. The vendor was using their relationship with the network to co-opt our traffic to benefit their other businesses.
Randomly checking several other advertisers, it became clear it wasn’t just us. The same rogue tags were firing for a lot of brands on the same network, including some very large, well known brands.
Potentially hundreds of merchant sites were unknowingly dropping cookies and other identifiers to power display and retargeting ads without permission. One could go as far as saying the vendor had ‘hacked’ the network tag for their own ends.
Lack of urgency
Beyond the breach of trust, our affiliate network’s response was deeply disappointing. Despite the attack only being possible because of their own system, our account managers and even account directors refused to escalate the issue. They simply were not interested.
Eventually (after several frustrating weeks), I paid to attend an industry event to quietly raise the issue with someone more senior – the well known face of the network. I thought this was the ‘nuclear’ option, guaranteed to work, so I was flabbergasted when they too flatly refused to engage. They refused to even talk to me, exhausting all my efforts to keep it in-house.
With no other option I discretely asked the IAB for help. Suddenly the network sprung into action.
To their credit, when it finally reached the right people the affiliate network moved quickly, rebuilding their entire advertiser tag system with new security and safeguards. Within a few weeks a new permission based system and control panel was live. The new setup, which is still in use today, gives merchants granular control and requires explicit approval for every third party integration. It isn’t perfect (what is?), but it is a meaningful step toward transparency and security.
Had it gone public, and I believe a lot of people in the industry would have done just that, the headline could easily have been: “major network hacked by unicorn tech provider“. The ICO would almost certainly have been interested, and given we are talking hundreds of affected merchants and millions of visitors over a long period of time (years?), the potential penalties could have been severe.
The dashboard that said too much
Years later, the same vendor, now under new ownership after previous poor decisions came back to roost, popped up again.
During a meeting for a major travel client, an account manager shared an internal dashboard on screen. The numbers on display, especially revenue, did not ring true. They were far too high – in the tens of £millions. They were storing and processing detailed transaction data for every page view, transaction and customer who used the site. Needless to say, I was frantically taking screenshots.
While their tag probably needed to see everything to provide their service, they had absolutely no business retaining it. The vendor had built systems to store, process and examine much more data than they were ever entitled to. They probably had a better insight into the brand’s overall performance than our agency did.
We didn’t know exactly what they were using the data for, but they were well known for sharing ‘competitor insights’ with clients, and the fact they had built a dashboard in the first place didn’t speak well of their intentions.
In this instance I didn’t own the client relationship – I was working as a contractor for an agency and didn’t really have the authority to take action beyond raising the alarm. The agency chose not to escalate this with the client and the vendor continued to harvest data, possibly to this day.
Industry-wide blind spot
While I just focussed one one vendor here, these cases are not isolated. Many merchants simply aren’t aware of what each tag on their site does.
I very much doubt that the vendor I caught is the only one who behaves in this way, and as staff move around they take their knowledge and methods with them.
Just as aggressive voucher code sites were once an oddity before becoming the norm, vendors often run with the here when they see someone else ‘get away with it’.
The risk of black box vendors
Most of the risk in this space comes from partners who just don’t disclose what their tags collect, how long data is stored, or what it is used for. Some warning signs of a black box vendor include:
- Lack of technical documentation for tags or scripts
- Evasive answers when you ask about what they collect
- Reluctance to sign data processing agreements
- Claims of ‘proprietary methods’ to keep details private
- Cookies being dropped or read on non-conversion pages
- User and device fingerprinting carried out for no clear reason
In many cases, their internal priority is to collect as much data as possible and use it to benefit their own platform or other clients. You should be extremely cautious about giving any vendor sitewide access. Once embedded, their scripts are easy to overlook, and their data practices are difficult to trace.
Key risks include:
- Tags that scrape the entire page content and send it back to external servers.
- Requesting sitewide tag placement for ‘optimisation’ but harvesting more than is required.
- Affiliate performance being used to enrich other performance marketing channels
What merchants can do
- Restrict where tags fire: Only allow tags to fire on necessary pages. Generally there are two main page types – “landing pages, and “checkout pages”. Where do your vendor tags actually need to be?
- Enforce sandboxing: One for your developers – depending on your tech stack they may be able to limit third party tags access to the rest of your site.
- Enforce DPAs and contracts: Make sure your data processing agreements strictly define how vendors can use and access data.
- Audit vendor behavior: Use browser tools and to see what each vendor’s tag is actually collecting.
At a minimum, don’t just rely on vendor promises. Audit your tags to verify what is actually happening in your web browser. Think about what your app or website pages ‘know’, and how they might be of value to dishonest vendors.
For advanced users, a HTTP header sniffer or the Dev Tools in your browser (F12) can show you exactly what’s being transmitted. I use MS Edge because it is the default browser on most Windows PCs, but since they moved to the Chromium engine most chrome apps also work on Edge. This search will get you started: Chrome Web Store – ‘http header’ search results.
For a simpler starting point, a browser extension like Ghostery can identify and flag third-party scripts and trackers in a more accessible way. Avoid the ad blocking features though.