So...back in April 2020 when I released my research "The 2020 URL Querystring Data Leaks"

This section:

“Since the original test, several new advertising companies were found receiving the user data including http://LiveRamp.com , SkimAds, and Tapad”  https://link.medium.com/R0s4QPvQN9 
I alluded to this problem at the time, but I decided not to explain because Quibi was doing a good job at cleaning up their website & I wanted to make sure they were 100% clean (it's actually quite impressive now imo)

Snapchat did Quibi dirty, still does it to other orgs...
Screen shot attached - View a scan of the WSJ to see the SnapChat pixel piggybacking Tapad @ https://trackermap.evidon.com?token=FWOQXO

You can see in the other screen shot how Snapchat uses a "location" response header to redirect the user data to the Snapchat partner SkimResources (classy name)
After my research was published, and Quibi basically started investigating everything - they didn't expect to see ANY Quibi user data going to:

LiveRamp, SkimAds, or Tapad

... but we soon realized that Snapchat piggybacked each of these partners to ingest Quibi email data...
And Quibi likely got mad at Snapchat -- because in just a few short weeks, the Snapchat pixels (all of them?) stopped firing LiveRamp and SkimAds --- they even removed those from https://map.snapchat.com/  & all Snapchat Maps embeds (a huge source of data for Liveramp/SkimAds)
But this episode was never public, so Snapchat apparently didn't stop all of their data sharing -- they are now, still today, piggybacking Tapad into ~all or most client websites

From the WSJ to Sephora - still using the "location" response header to redirect user data...
I have a motto for audits: Your Partners Take You Out of Compliance

This couldn't be further from the truth for everyone who works w/ Snapchat, embeds their pixel, but doesn't

1) Audit what companies Snapchat invites into your website
2) Ban piggybacking partners in contracts
At an upcoming webinar w/ @Crownpeak, I'll be talking more about Partner Auditing + User Data Side Channel Exfiltration + Snapchat's Ad Partners + Why this is a BIG risk due to the recent Schrems II decisions...

Want to get the inside scoop?

RSVP @ https://www.crownpeak.com/resources/webcasts/data-privacy-marketing-series-how-schrems-ii-is-raising-the-privacy-risk-stakes
If you find an existing on-page advertising partner who syncs data to new companies, do you also check if that same data is synced in Europe?

Well SnapChat.... for some reason... does NOT sync their partners typically in Europe... as though they know it's a GDPR violation..
Geographic pixel auditing w/ country-based proxies is **essential** to any Schrems II data audits... yet many auditors still don't parse by country.

@martingund 's reported exposé in December 2019 involving Zeta Global + Disqus used this method @ https://nrkbeta.no/2019/12/18/disqus-delte-persondata-om-titalls-millioner-internettbrukere-uten-at-nettsidene-visste-om-det/
Some folks may remember a thread of mine from March 2019 on my argument that "Piggybacking Javascript is the Subprime Crisis of the Internet" due to overlapping risk - here @ https://twitter.com/thezedwards/status/1112568863621668864

100% of the screen shots from this thread use @Crownpeak's Trackermap software..
There will be a 2nd Crownpeak webinar I'm hosting w/ them, which will still be very much about auditing in the Post-Schrems II world -- you can RSVP for that one @ https://www.crownpeak.com/resources/webcasts/data-privacy-marketing-series-the-tipping-point-for-global-regulation-risk

I'll be talking about piggybacking Risk + getting into more details on geo data audits
Disclaimer: I'm not paid by Crownpeak for co-hosting these webinars. I've used their Trackermap software for 5+ years...

After some convos, we decided to host these free webinars on October 6 & 8th to talk about auditing in 2020

https://www.crownpeak.com/resources/webcasts/data-privacy-marketing-series-how-schrems-ii-is-raising-the-privacy-risk-stakes
&
https://www.crownpeak.com/resources/webcasts/data-privacy-marketing-series-the-tipping-point-for-global-regulation-risk
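
Added example, not part of the original thread: a minimal audit script for the two checks the thread describes, finding partners that an on-page pixel invites through a "location" response header and comparing the result by country. The capture records, host names, the `u_em` parameter and the approved list are all constructed placeholders; in practice the records would come from HAR exports taken through country-based proxies.

```python
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed capture: (country, request URL, status, Location header or None).
# Hosts are placeholders, not real vendor endpoints.
CAPTURE = [
    ("US", "https://pixel.vendor-a.example/p?u_em=hash123", 302,
     "https://sync.partner-b.example/s?id=hash123"),
    ("US", "https://sync.partner-b.example/s?id=hash123", 302,
     "/done?id=hash123"),
    ("US", "https://sync.partner-b.example/done?id=hash123", 200, None),
    ("DE", "https://pixel.vendor-a.example/p?u_em=hash123", 200, None),
]
APPROVED = {"pixel.vendor-a.example"}  # hosts named in the site's contracts (assumed)

def redirect_hops(capture):
    """Yield (country, source host, destination host, forwarded values) per 3xx hop."""
    for country, url, status, location in capture:
        if not (300 <= status < 400 and location):
            continue
        target = urljoin(url, location)  # Location may be relative
        src, dst = urlsplit(url).hostname, urlsplit(target).hostname
        sent = {v for _, v in parse_qsl(urlsplit(url).query)}
        # Querystring values from the request that reappear in the redirect target
        carried = sorted(v for _, v in parse_qsl(urlsplit(target).query) if v in sent)
        yield country, src, dst, carried

def audit(capture, approved):
    """Return {country: {unapproved host reached by redirect: forwarded values}}."""
    report = {c: {} for c, *_ in capture}
    for country, src, dst, carried in redirect_hops(capture):
        if dst != src and dst not in approved:
            report[country].setdefault(dst, set()).update(carried)
    return report

def geo_diff(report):
    """Hosts that show up in some countries but not in all of them."""
    hosts = [set(h) for h in report.values()]
    return set.union(*hosts) - set.intersection(*hosts)

if __name__ == "__main__":
    result = audit(CAPTURE, APPROVED)
    print(result)
    print("differs by country:", geo_diff(result))
```
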