Petr Buchbauer - Lundegaard
FI MUNI - PV226/LaSArIS
Oct 20, 2022
#digital_footprint

Digital footprint
Where to draw the line for fair tracking of user behaviour?

Agenda
• Who am I and why am I here?
• The world before “cookie consent”
• Tracking in the world of GDPR
• Introduction of “cookie consent”
• What is digital fingerprinting and what does it bring
• How to keep end users informed?
• Q&A
#agenda

Introducing Lundegaard
#introduction

Pleased to meet you!
Petr Buchbauer
Chief Commercial Officer
Lundegaard, a.s.

23 years on the market
100+ employees
Czechia, Slovakia, Germany
Praha, Brno, Hradec Králové, Košice, Nürnberg

We are a consulting and technology company.
Accelerating business growth by creating smart digital solutions.

A comprehensive approach combining business know-how and modern technologies that help companies outperform the competition.

Exploring your digitalization potential
• Evaluating the level of your digital maturity
• Helping formulate hypotheses and vision

Transforming your technical architecture
• Optimizing the cloudization of your infrastructure
• We assist with eliminating the technology debt

Digitalizing your products and services
• Bringing your services and products closer to the "New Customer" expectations
• Designing and introducing innovative methods

Scaling growth with digital ecosystems
• Connecting you with partners and platforms
• Automating the data transfer
• Accelerating your growth by engaging in a network economy

[Figure labels: 1, 2, 3, 4, Your competition]

We have created our own methodology. We call it Lundegaard acceleration framework.

Preparing hypotheses & propositions
We can turn the identified needs and "insights" into propositions that create and deepen the relationship with the customer.

Verifying your technology capabilities
We have a huge advantage: we understand the technology as well as the business side.
Our designs are created with a thorough knowledge of your situation and are therefore feasible, including a connection to existing infrastructure.

Analyzing the needs & roles
We analyze customer and business needs. We focus on the coming 5 years.

We suggest propositions of the future. We create Minimal Lovable Solutions.

Digital ID & On-boarding
Digital identity has been our topic since 2014. We have created a number of solutions focused on remote verification, signing and customer acquisition. We are a partner of the Czech Bank Identity.

Artificial Intelligence and Machine Learning
Thanks to our Zoe.AI, we know more about the user's behavior in the digital environment than he himself. And we know how to use it. For example when creating UX designs and improving the customer experience.

Internet of Things (IoT)
We are not "toyers" who will advise you on how to call to the refrigerator or water the garden remotely. We build solutions that respond to the needs of your customers and the goals of your business.

Internet of Behaviors
We collect and evaluate behavioral data from various devices. We build know-how that connects IoT, Data streaming platforms and artificial intelligence for better CX. Welcome to the future.

Data Streaming Platforms
Everyone has a lot of data today. But only if you benefit from it do you have "the magic". We know ways to put them into context and share them effectively to be useful to you and your customers.

Event-driven Microservice
Communication among individual microservices in real time? A working Multi-Vendor-Platform that generates savings? A piece of cake when you know how to do it.

Voice as a New Interface
"Within five years, about 30% of web traffic will shift from traditional forms to Voice." Will you be faster than your competition?

Distributed / Hybrid Cloud
Cloud solutions are constantly evolving and the approach to them is gradually changing.
We have our finger on the pulse and certified experts who will design the ideal solution for you.

We monitor, test and implement innovative technological solutions. We will push you forward as well.

Our experience from the key industries.
• Finance
• Utility & Telco
• FMCG
• Healthcare
• Services and other

We work with a wide range of modern technologies and tools.

Fast AI Platform
Enable Fast Data and Artificial Intelligence
Powered by Fast AI Platform
www.lundegaard.ai

More technologies!

Zoe.ai Platform
Zoe.ai collects the user’s online behavior during a visit to a web or mobile site and provides aggregated metrics called Smart Features. Advanced data interpretation and predictions, called Smart Signals, are provided by AI machine learning.

[Diagram labels: Visitor, Website, Zoe.ai, Smart Signals, Smart Features, Behavioral & Device Data, Back Office, Data Collector, Smart Features, Smart Signals]

What and why do we collect?
We collect Device and Behavioral Data. Device data is everything that can be obtained from the device used to access the web or mobile page. Behavioral data are detailed metrics about the visitor’s behavior within a given web/mobile page. Detailed behavior data means, e.g., tracking any web form workflow or customer shopping behavior.

Additional device and behavior data can be effectively used for various cases, from suspicious and fraudulent behavior to default prediction.

Shows exactly what the visitor did while filling in the form or browsing the web.

Data are available for every visitor and contain the latest intentions and user interests; they can be used for real-time predictions.

Collected Data Overview

Device Fingerprint and Location Data
• Data about the device from which the user visits the web page or fills in the application - like browser, language, operating system, time zone etc.
• Resolution, pixel ratio, battery
• Data are enriched by (e.g.) device price, release year or geolocation
• Network data

Behavioral and Session Data
• Data about the applicant’s behavior in the online environment and online forms
• How long does it take to complete the form
• How many errors occurred
• What has been changed and copy-pasted
• Interaction with calculator, pages visited, time spent
• Biometry - Keystroke Dynamics
• Mouse and Touch Tracking

Form Data
• Data filled in directly within the online form
• Sent by a separate function

Open Data
• Available open and third-party data from the Internet
• Registers, databases, scraping websites,…

…but why are you here, Petr?
“No offense, but how does a CCO have something to say to this?”

My path
• Jul 2015 – BA in Econ…
• Aug 2015 – Junior IT PM
• Jan 2016 – Actual IT PM
• Jul 2018 – Head of DevOps Solutions
• Aug 2019 – Head of Delivery Management (+ MA in Econ)
• Oct 2021 – CCO
• Jan 2023 – CEO

Claim settlement with NPS 64%
• For BNP Paribas Cardif, together with the business, we have created a new customer journey for claims handling
• NPS claims application is consistently above 60%
• Record month reached over 90%
• NPS is calculated including rejected cases
• We helped the Czech branch of BNP Paribas Cardif to successfully launch a B2C online channel

Modern self-care zone for 14 countries
• With CreditInfo Solutions we have built a brand new self-care zone for 14 countries around the globe
• UX/UI was completely revamped and ushered in a new digital era
• Front end development was completely modular and enabled deployment in all regions
• JavaScript application could swap between left-to-right texts for Europe and right-to-left for Arabic
• All deployments were customized only via configuration files
• The source code was reused for development of a native mobile app with the same features as well.

Portal with more than 300.000 daily visits
• We can bring every business need to life, as we confirmed in autumn 2020 with the new website of the Czech logistics company PPL
• We launched the website just before the Christmas season 2020
• Traffic exceeded expectations by more than 50%
• The Christmas pressure didn't stop throughout the spring of 2021
• The website steadily serves over 300.000 visitors per day
• Website has not had a single incident in the entire 12 months of operation
• We are now working with PPL to transform their B2B channels

Scaled corporate presentation in AWS
• Together with Moneta Money Bank we implemented a pilot migration project to transfer the entire corporate website www.moneta.cz to an elastically scaled environment in Amazon Web Services
• The aim of the migration was to enable dynamic scaling of servers to support marketing campaigns and the associated traffic
• Standard solution running on 2 kubernetes pods
• The portal can scale up to 10 pods and serve over 2.000 simultaneous users at any one time
• Today, owing to building a solution on top of Liferay 7.2, we are working on a project for personalization of the public presentation

Underwriting mortgage insurance for DE market
• In the largest integration project for BNP Paribas Cardif, Lundegaard has delivered a frontend and integration platform for underwriting mortgage default insurance products
• The entire platform is equally successfully connected to the comparison portal www.check24.de where it handles more than 50 underwriting requests every hour
• There is a white-labeled frontend layer on top of a powerful integration platform
• The integration platform allows third party integration via API
• In the coming year, the solution will also serve other parts of the Cardif DE product portfolio

What do I currently do then?
• Portfolio management of approx 15k MDs p.a.
(75 FTEs)
• Software architecture and consulting
• DevOps & networking, containerization
• Leading Sales, PM and Analytical Teams

Relevant bio:
• Generali Česká Pojišťovna – Web + Self-care zone
• BNP Cardif – Multitenant CEE portal
• ČSOB pojišťovna – Multi-vendor platform
• Moneta Money Bank – AWS AKS Web portal
• PPL – Web portal, Self-service + Azure DevOps

Chief Commercial Officer

7 years in IT, 25+ clients, 90+ projects helped me become a good and believable sales person, as well as a decent storyteller…

…and we are going to start with a story from not so long ago.

#nolimit

The world before “cookie consent”

No limits…
• The past decade brought two major legal limitations to the current internet applications
  • General Data Protection Regulation
    • Regulation (EU) 2016/679, April 27, 2016
    • Entered into force on May 25, 2018
  • Guidelines 05/2020 on consent under Regulation 2016/679
    • EDPB elaboration of GDPR from May 4, 2020
    • Effective de facto immediately, however enforced a widespread opt-in approach from Jan 1, 2021
• For this lecture, we will stick to the web-based applications, as the data siphoning on native (mobile) apps is even more extensive

What did this mean to the end-users?
• Common end users had no idea what information was being gathered
• No one had to be informed about what processing was applied to their personal data
• User data was stored ad lib, without permissions, without any enforced timeframe, without any mandate over them
• Users were not eligible to request anything regarding the data that was gathered

Users had neither any control of their data nor any rights to request any action of any kind with relation to what they had submitted…

Question – how long would a customer journey have been for a tailored mortgage offering in mid 2018?

Answer – 13+ years (worth of data…)

Data- and/or event-driven life
• Events create data, but we are more focused on so-called “business events” in the event-driven company concept
• Not to be confused with data driven architecture vs. event driven architecture in development
• Business events trigger main responses, based on the analytical data and (user) research
• Overall event context is the most valuable variable in the equation, always look at data in broader scope, not as atomic units

[Figure: customer timeline along an age axis (15, 20, 25, 30, 35). Events shown: Account creation, First income, Moving out, First refinancing – retention actions, Moving in with a partner, Vacation with a partner, Wedding, Mortgage!]

[Figure: the same timeline with further labels added: Scouting for flats; Scouting for internships; Looking up tickets, saving up money; Scouting rentals – two shared patterns; Clearing up credit; Scouting real estate; Saving up initial capital; Looking up new jobs (relocation); Scouting locations – moving about; Scouting wedding rings/dresses; Romantic getaway; Paying off car loan - creditworthiness; Expenses focus on kid stuff primarily; Focus on home décor etc.; Settling in, increased spending overall; First child…]

Owing to the liberal utilization of cookies, we were able to identify an anonymous user based on 3 actions with over 60% success rate.

How was that possible?
• Utilization of Google ID, Facebook ID, custom client unique ID and pairing extID
  • EXTID was given to any user for a duration of one session
  • Through every session, a matching against possible profiles was executed
  • The cookie session info was a rudimentary device fingerprint
• With sufficient dataset of such external IDs, pairing algorithms and computing power
• Keep in mind that this banking institution had hundreds of thousands of users…
  Keeping the matching data pool rather extensive

The worst part about this was that you, as a customer / end-user could:
a) do nothing about it
b) whatever data was collected was not yours anymore, but a property of whoever took it

#gdpr

Evening out the game field

What is GDPR?
• The General Data Protection Regulation aims to give ownership of users’ data back to the persons who willingly submitted it
• The difference between regulations and directives from the EC is that regulations are directly binding to all member states
  • Directives only enforce ends, with means left to member states for their respective implementations
• GDPR introduced the mandated implementations of anonymization and pseudonymization of data

Question – what is the driving factor differentiating anonymized and pseudonymized data?

Answer
Anonymized data cannot be linked to a particular person no matter the effort
Pseudonymized data retain their linkability to other data and can therefore identify the individual with very little effort involved

Key concepts of GDPR
Personal data may not be processed unless there is at least one legal basis to do so.
These are as follows:
• If the data subject has given consent to the processing of his or her personal data;
• To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
• To comply with a data controller's legal obligations;
• To protect the vital interests of a data subject or another individual;
• To perform a task in the public interest or in official authority;
• For the legitimate interests of a data controller or a third party, unless these […] are overridden by interests of the data subject or […] according to the Charter of Fundamental Rights (especially in the case of children)
Source - https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

What did it bring effectively?
• Users were eligible for data transfers and the “right to be forgotten”
• Users could opt out from being tracked
  • “Opt-out must not be more difficult than opt-in” (Article 7-3)
• Data collection transparency had to be achieved, and all information had to be relayed in more layman’s terms
  • No more super-difficult lawyer-speak that no one understands…
• A lot of business for IT companies…

Main loopholes of GDPR
• Opt-in into tracking was never fully enforced
• A simple cookie memo was sufficient for web applications to function as they did
• Pseudonymization was mostly sufficient for all use-cases (and legally defendable)
• And let’s be honest – how can you ever ensure that the data deletion request has been executed in its full scope…

#cookie_consent

Fulfilling the vision (better)

Closing the loopholes
• In May 2020 a defining ruling of the European Data Protection Board brought a very explicit interpretation of the GDPR that impacted all member states’ legislation
• The goal was to enforce informing the end-users of the relevant data processing and gather their consent
• I.e.
acceptance “by omission” (or, opt-out) was no longer sufficient
• Furthermore, cookie-walls were banned completely

The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act, which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.

“New” rules on the block
• Article 64 of the EDPB ruling
• the EDPB is of the opinion that at least the following information is required for obtaining valid consent:
  I. the controller’s identity,
  II. the purpose of each of the processing operations for which consent is sought,
  III. what (type of) data will be collected and used,
  IV. the existence of the right to withdraw consent,
  V. information about the use of the data for automated decision-making in accordance with Article 22 where relevant, and
  VI. on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46
Source - https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the particular processing. Recital 32 sets out additional guidance on this. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.
Source - https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

A few examples
• Example 14: When installing software, the application asks the data subject for consent to use non-anonymised crash reports to improve the software. A layered privacy notice providing the necessary information accompanies the request for consent.
By actively ticking the optional box stating, “I consent”, the user is able to validly perform a ‘clear affirmative act’ to consent to the processing.
• Example 15: Swiping a bar on a screen, waving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request (e.g. “if you swipe this bar to the left, you agree to the use of information X for purpose Y. Repeat the motion to confirm.”). The controller must be able to demonstrate that consent was obtained this way and data subjects must be able to withdraw consent as easily as it was given.
Source - https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

Impact on the field
• This ruling drove the need to update EU member states’ legislation to include explicit cookie consent
• It elaborated on the differentiation of “technical” or “functional” cookies and those that are/were utilized for marketing and/or personalization purposes
• Furthermore, it sped up the adoption of “Do Not Track” features in web browsers

User experience
• For the end-users this meant the introduction of the omnipresent cookie banners that would not let you use the application without explicit action.
• For applications this meant that unless consent was given, the content could not be personalized based on your particular history, and personalization was never paired to a concrete user profile/account
• No more front-end based content tailoring (overriding “default” settings, as is the case of for example https://www.abtasty.com/client-side-experiments/ )

So this means that unless we give a clear consent, we are in the clear, right?

Wrong…

:authority: www.xyz.com
:method: GET
:path: /complete/search?q=t&cp=1&client=gws-wiz&xssi=t&hl=cs&authuser=0&psi=QvdLY7DhD-O6xc8Prb2cgAI.1665922882490&dpr=2
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: cs
cookie: CONSENT=PENDING+811; SOCS=CAESNQgEEitib3FfaWRlbnRpdHlmcm9udGVuZHVpc2VydmVyXzIwMjIxMDExLjA2X3AyGgJjcyACGgYIgJOtmgY; AEC=AakniGMKJzGbuQ3Rwf6xR-NL6MDf5vaA0C51_cv8FksYrnQAVCWb37-zqA; __Secure-ENID=7.SE=sB57dyxDjWEvOh23vLg_rZjT9J_yE-23qRdFzQNwE61hkfGfLUVgP5tUzkYQbax1d3YD9dIEJnWVC0FWbowNox5Y08pIQmEwTODnXo0ngWRlS5-fVuG92votDZmutEBf2hC8uVt54E_BAvre5qctbqJmftQ49LgsCEXK73TB0Hw
dnt: 1
referer: https://www.xyz.com/
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-arch: "arm"
sec-ch-ua-bitness: "64"
sec-ch-ua-full-version: "106.0.5249.119"
sec-ch-ua-full-version-list: "Chromium";v="106.0.5249.119", "Google Chrome";v="106.0.5249.119", "Not;A=Brand";v="99.0.0.0"
sec-ch-ua-mobile: ?0
sec-ch-ua-model
sec-ch-ua-platform: "macOS"
sec-ch-ua-platform-version: "12.6.0"
sec-ch-ua-wow64: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36

No consent given:

:authority: www.google.com
:method: GET
:path: /complete/search?q=t&cp=1&client=gws-wiz&xssi=t&hl=cs&authuser=0&psi=QvdLY7DhD-O6xc8Prb2cgAI.1665922882490&dpr=2
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: cs
cookie: CONSENT=PENDING+811; SOCS=CAESNQgEEitib3FfaWRlbnRpdHlmcm9udGVuZHVpc2VydmVyXzIwMjIxMDExLjA2X3AyGgJjcyACGgYIgJOtmgY; AEC=AakniGMKJzGbuQ3Rwf6xR-NL6MDf5vaA0C51_cv8FksYrnQAVCWb37-zqA; __Secure-ENID=7.SE=sB57dyxDjWEvOh23vLg_rZjT9J_yE-23qRdFzQNwE61hkfGfLUVgP5tUzkYQbax1d3YD9dIEJnWVC0FWbowNox5Y08pIQmEwTODnXo0ngWRlS5-fVuG92votDZmutEBf2hC8uVt54E_BAvre5qctbqJmftQ49LgsCEXK73TB0Hw
dnt: 1
referer: https://www.google.com/
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-arch: "arm"
sec-ch-ua-bitness: "64"
sec-ch-ua-full-version: "106.0.5249.119"
sec-ch-ua-full-version-list: "Chromium";v="106.0.5249.119", "Google Chrome";v="106.0.5249.119", "Not;A=Brand";v="99.0.0.0"
sec-ch-ua-mobile: ?0
sec-ch-ua-model
sec-ch-ua-platform: "macOS"
sec-ch-ua-platform-version: "12.6.0"
sec-ch-ua-wow64: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36

Full consent given:

:authority: www.google.com
:method: GET
:path: /complete/search?q=t&cp=1&client=gws-wiz&xssi=t&hl=cs&authuser=0&psi=jvlLY7LKNoLBxc8PtoOrIA.1665923473636&dpr=2
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: cs
cookie: AEC=AakniGMH3tr4s46He7wSNVQihJ2Gzn3ouxuMjPVlpuggxZ-ju7fG29LFwYo; CONSENT=PENDING+801; SOCS=CAISHAgBEhJnd3NfMjAyMjEwMDYtMF9SQzMaAmNzIAEaBgiAk62aBg; NID=511=TsQo7NTmRVM8s-S3QJuWLo6owET2hUyADi0gP2cJNsQZ6IzhLJ45kmafH8HlsZsIk5bbQ0HBS3BiaKLSELo1eZnJb8J5cpA8nivylRWNi6yofcw5pEHChZvW-XfXSJT4APYjd32Ox3vbT9oNuKD9IsWgJiEf_U7YlYfby3_rcd0
dnt: 1
referer: https://www.google.com/
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-arch: "arm"
sec-ch-ua-bitness: "64"
sec-ch-ua-full-version: "106.0.5249.119"
sec-ch-ua-full-version-list: "Chromium";v="106.0.5249.119", "Google Chrome";v="106.0.5249.119", "Not;A=Brand";v="99.0.0.0"
sec-ch-ua-mobile: ?0
sec-ch-ua-model
sec-ch-ua-platform: "macOS"
sec-ch-ua-platform-version: "12.6.0"
sec-ch-ua-wow64: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36

So we have more loopholes
• Consent essentially does nothing, most
cookies are deemed “functional” and therefore retained
• The frontend processing might have been in decline, but backend has not been impacted at all
• Do Not Track features provide anonymized data that can (with sufficient algorithms and insights) still provide a pseudonymized/individualized user profile
• Informing end-users is a nice concept, but there is one key variable missing – user experience and user laziness

#digital_fingerprinting

Tracking in 2022 and Digital Fingerprinting

What was that now…?
• The “issue” at hand for companies is to have a reliable source of data
• Users are primarily lazy and will give consent, but what if they don’t? We don’t want to lose the precious data
• Online data (with increasing computing capabilities, broadband internet, and other technologies millennials deem “standard” and common) increases in value by the minute

By 2025, nearly 30% of data will be generated in real-time.
(Source: IDC)

What’s the difference?
• The current problem is primarily facing 3rd party tools (such as ours) that need to log events as an “external actor” – cookies are saved on the side of the client (browser), but the fingerprint is server-side
• Therefore, all AJAX actions that have server-side processing can be further analysed, collated, and combined to create the persona model necessary
• Whenever there is an input field or any action involved, the server will know. Even with SPAs, all calls are (usually) promoted to the server for further processing
• Backend operations and tracking mechanisms have not been impacted by either of the aforementioned legal instruments

Source - https://understandingdata.com/what-is-a-digital-fingerprint/

Who here uses DNT actively?

What about TOR / Brave?

How wide is the scope of tracking?
• The standard set handled by the browser includes the following attributes:
  • IP address
  • Device MAC address
  • User-agent string
  • Clock information – used to cross-verify your location alongside your IP address
  • Web browser plugins
  • TCP stack variation
  • Installed fonts on your device
  • JavaScript objects
  • Internal application programming interfaces (API)
  • Device information such as screen resolution, touch support, OS and language
  • Flash data
  • List of mime-types
  • Timestamp
  • CSS information
  • Hypertext Transfer Protocol (HTTP) headers

All the individual attributes bear very little identification value, but combined, these create an incredibly powerful mixture that enables most of the prior personalization scenarios.

Intermezzo - check yourself
https://coveryourtracks.eff.org/

…and now back to real life application

Usage of Behavioral and Device Data
Visitors lie about the facts they declare. It can be recognized whether a user is often changing inputs or even changes facts over time.
11% of visitors lied in at least one of the attributes in the application process. People lied most about their education level, income level or whether they own the property they live in.
Visitors show their interest in, or problems with, a particular part of the workflow while filling in the form.
Visitors trying hard to minimize the loan installment on the calculator have a higher probability of default. Visitors interested in a detailed product description are less price sensitive.

Usage of Behavioral and Device Data
Visitors can be segmented in real-time into groups based on mobile type and price, or up-to-date devices used for accessing the web/mobile page. For instance, the next-best-phone offer can be adjusted by information about the specific mobile device type or price.
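
The two claims made above, that Do Not Track data can still yield an individualized profile and that attributes with very little identification value become powerful once combined, can be measured in the way Cover Your Tracks reports it. The following Python sketch is an added example, not code from Lundegaard or Zoe.ai; the eight visitors and their values are constructed, and all function names are hypothetical.

```python
import math
from collections import Counter

# Passive attributes a server sees on every request. The header names match the
# captured requests on this page; "screen" stands in for the device information
# item of the attribute list. All values below are constructed for illustration.
ATTRS = ("accept-language", "sec-ch-ua-platform", "screen", "dnt")

ROWS = [
    ("cs", "macOS",   "1440x900",  "1"),      # visitor 0: the profile being audited
    ("cs", "macOS",   "1440x900",  "unset"),
    ("cs", "Windows", "1920x1080", "unset"),
    ("cs", "Windows", "2560x1440", "unset"),
    ("en", "macOS",   "1920x1080", "unset"),
    ("en", "Windows", "1920x1080", "1"),
    ("sk", "macOS",   "1920x1080", "unset"),
    ("sk", "Windows", "2560x1440", "unset"),
]
VISITORS = [dict(zip(ATTRS, row)) for row in ROWS]


def entropy_bits(population, attrs):
    """Shannon entropy, in bits, of the combined value of `attrs`."""
    counts = Counter(tuple(v[a] for a in attrs) for v in population)
    n = len(population)
    return sum((c / n) * math.log2(n / c) for c in counts.values())


def anonymity_set(population, target, attrs):
    """Number of visitors that look identical to `target` on `attrs`."""
    return sum(all(v[a] == target[a] for a in attrs) for v in population)


def narrowing(population, target, attrs):
    """Anonymity-set size after each attribute in `attrs` is added in turn."""
    return [anonymity_set(population, target, attrs[:i])
            for i in range(1, len(attrs) + 1)]


def normalised(population, attrs, value="uniform"):
    """Mitigation model: every browser reports the same value for `attrs`."""
    return [{**v, **{a: value for a in attrs}} for v in population]


def report(population, target, attrs=ATTRS):
    """Human-readable summary of how identifying the attribute set is."""
    lines = [f"{a:<20} {entropy_bits(population, [a]):.2f} bits on its own"
             for a in attrs]
    lines.append(f"{'all combined':<20} {entropy_bits(population, attrs):.2f} bits "
                 f"(maximum for {len(population)} visitors: "
                 f"{math.log2(len(population)):.2f})")
    lines.append("candidates left after each attribute: "
                 f"{narrowing(population, target, attrs)}")
    fixed = ["screen", "dnt"]
    hardened = normalised(population, fixed)
    hardened_target = normalised([target], fixed)[0]
    lines.append("with screen and dnt standardised: "
                 f"{anonymity_set(hardened, hardened_target, attrs)} candidates")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(VISITORS, VISITORS[0]))
```

On this constructed sample no single attribute leaves fewer than two candidates for the audited visitor, the candidate count falls 4, 2, 2, 1 as attributes are added, and it is the dnt header that makes the visitor unique.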
Advanced fingerprinting can help with identifying a visitor in anonymous browser mode or detecting misuse of personal data within the same device. Lundegaard is continuously evaluating the changing accuracy and stability rate of the fingerprint.

"device_mobile_brand":"Huawei",
"device_mobile_price":160,
"device_mobile_release_date":"2017",
"device_mobile_screen_size":"121.8 x 68.5",
"device_mobile_size":"153.6 x 76.4 x 8.4",
"device_mobile_type":"Huawei Y7",
"device_mobile_weight":165,

Usage of Behavioral and Device Data
Fraudulent behavior of visitors can be recognized. When a visitor fills in his name several times, or the actual keystroke dynamics do not correspond to the alleged age, or the same personal identification number is being used frequently, this could be a strong signal of false identity.
Accessing the web/mobile page from suspicious or blacklisted networks, or an odd distance between several visitor locations, can lead to successful detection of fraud. Fraud can also be detected when stolen information is being used at the same time on various sites.
Access from a suspicious network has a high impact on fraud prediction
A high distance between living address and Geo IP can lead to a fraud signal

Smart Features
A few examples (more than 200 attributes total)
Accessible instantly after the collector probe is installed
• device_mobile_price - Manufacturer's suggested retail price [EUR] at the release date of a device.
• device_mobile_release_date - Release year of mobile device.
• device_city - City name based on IP.
• device_vpn or device_tor - Identification of VPN or TOR network.
• behavior_application_changes - Number of changes (different input) between separate applications (48 hours window).
• behavior_correcting_mistakes - Number of delete and backspace key presses during the session.
• location_difference - The distance between Geo IP location and user address in km.
• data_district_crime_index - Index of criminality, derived from the overall level of crime in a given district.
• person_insolvency_isir - Indicates that the person was found in the insolvency register (regional feature).
• person_credible_email - The level of quality and credibility of the user's email address.

Smart Predictions
A few examples of AI interpretations
• lying_behavior_score – Indicates whether the user is lying during the process
• fraud_score – Indicates whether the user shows fraudulent behavior
• anomaly_behavior - Detected unusual patterns in behavior for the given person
• anomaly_typing - Detected unusual patterns in typing behavior for the given person (based on age, education and other factors)
• loan_default - Predicts whether the user will default (feedback necessary, target variable e.g. DPD60)
• loan_approval - Predicts default for the user (feedback necessary, target variable approved)
• suspicious_access_score - A score number representing suspicious access from IP address/location to website
• returns_score - Probability that the user returns ordered product items; feedback is needed.
• …

JSON Example
Provided through API

{
  "application_id":"4jg8giu73u81ln9gj0ht5d53m2x1554271729",
  "features":{
    "behavior_application_changes_count_bn_2d":0,
    "behavior_application_changes_count_sa_2d":0,
    "behavior_applications_count_all_max":1,
    "behavior_duration_form":122732,
    "behavior_duration_web_said":520397,
    "behavior_emails_count_bn_1m":1,
    "behavior_events_count":35,
    "behavior_events_count_said":5,
    "behavior_landing_page":"https://www.urlpage.com/category/",
    "behavior_pages_visited_count_said":5,
    "behavior_pages_visited_said":[
      "/cash/",
      "/online-request/step1",
      "/online-request/pre-approved/"],
    "behavior_slider_move_count":2,
    "behavior_slider_move_time":158,
    "behavior_time_between_events_max":15713,
    "behavior_typing_backspace_count_fields":{
      "personal_identificator_part1":1
    },
    "behavior_typing_correcting_mistakes_count":1,
    "behavior_typing_correcting_mistakes_count_fields":{
      "personal_identificator_part2":1
    },
    "behavior_typing_paste_count":0,
    "behavior_typing_speed":159,
    "data_district_crime_index":0.4503105820373843,
    "data_district_crime_rate":142.60579131005278,
    "device_browser":"Safari 12",
    "device_browser_do_not_track":false,
    "device_category":"Phone",
    "device_character_encoding":"UTF-8",
    "device_cookies_enabled":true,
    "device_ip_address":"91.245.11.00",
    "device_isp":"SPCOM",
    "device_isp_country":"CZ",
    "device_java_enabled":false,
    "device_language":"cs-cz",
    "device_mobile_brand":"Apple",
    "device_mobile_price":350,
    "device_mobile_release_date":2015,
    "device_mobile_type":"Apple iPhone 6,6S,7,8",
    "device_mobile_weight":138,
    "device_net_name":"NET-NAME",
    "device_operating_system":"iOS 12.1.4",
    "device_operating_system_versions_behind_latest":null,
    "device_orientation":"portrait",
    "device_screen_color_depth":32,
    "device_screen_resolution":"375x667",
    "device_screen_size_height":667,
    "device_screen_size_width":375,
    "device_tor":false,
    "device_viewport_size_height":553,
    "device_viewport_size_width":375,
    "device_vpn":false,
    "fingerprint_audio":"CnHKv0HGmStw0DKQnI0FTw",
    "fingerprint_browser":"0:-:0:1:cs-cz:UTF-8:-120",
    "fingerprint_canvas":"74GgRSZeLRT3piimhD9qg",
    "fingerprint_cookie_sa":"SA1.rEVDJF2r.1545205368",
    "fingerprint_cookie_said":"SA1.x941U6nO.1554271716",
    "fingerprint_fonts":"ucm1gy2E9e3OWI9a8mpjg",
    "fingerprint_plugins":"4SthwAMWQdGZWq8xeeA",
    "fingerprint_screen":["1600x900:xxx:24:1:1583x786"],
    "fingerprint_webgl":"zp6jC1rx6TBLE4JdmQ89Og",
    "location_address_county":"Pardubický",
    "location_address_district":"Pardubice",
    "location_address_lat":49.9833,
    "location_address_lon":15.6,
    "location_distance_address_and_geoip":33,
    "location_distance_to_district_statutory_city":11,
    "location_geoip_city":"Hradec Králové",
    "location_geoip_lat":50.2333,
    "location_geoip_lon":15.85,
    "location_time_zone":"UTC+02:00",
    "person_age_in_months":282,
    "person_date_of_birth":"1995-10-03",
    "person_email_credible":3,
    "person_email_disposable_domain":false,
    "person_gender":"female",
    "person_insolvency_isir":false
    ...
  },

Our product
[Architecture diagram. Labels: Customer Environment, Cloud Environment, Visitor, Website, Zoe.ai, Smart Signals, Smart Features, Behavioral & Device Data, Back Office, Data Collector, Smart Features, Smart Predictions, API, Feedback, Admin User Dashboard]

Digital Body Language captured by Behavioral Signals helps understand shopper’s intent
• Visitor leaves many behavior signals during shopping
• Low-grained behavior data signals improve “user’s resolution” and his intents
• Past behaviors can predict

Visitor during shopping leaves many behavior signals:
• Time distances between product interests
• Using Samsung Galaxy S20 phone for shopping
• Product was added to cart or to wishlist/favorites
• Interest in product shown in list, watched for 4s and interacted with image by mouse
• Viewing product parameters more than 5s

Additional Advanced Behavioral Signals
• Alternative identification of anonymous users by device fingerprint
• Advanced Bot/Crawler detection improving models
• Enriched data about devices, mobile types
• Soft-biometry data like keystroke dynamics and mouse movements

Evolution of recommendation engines
• Behavioral data is a key factor to understand shopper’s preferences
• Lack of solutions self-learning from low-grained behavioral data

• generation 0 (2000+): Trending or bestsellers. Simple and working, but not reflecting shopper interests. Basic recommendations and no personalization.
• generation 1 (2010+): Do not adapt well, expert segmentation. Manual effort needed without additional gain. Basic personalization, no real-time behavior.
• next generation (2025+): Learning from behavior data. Real-time shopper’s behavior is used. Automation and self-adaptation. Self-learning Deep AI recommendations.

Zoe.ai outperforms generic AI engine
• We’ve compared Zoe.ai results against Amazon Personalize AI engine
• Performance has been tested on a real-world use case
• Recommendation performance is measured by many offline metrics
• Zoe.ai outperformed Amazon Personalize in almost all metrics

Case study
• One of the largest marketplaces, shopping portals and product comparators in CEE region
• More than 5M users daily choosing from 29M products in tens of thousands of online shops.
• Over 150 employees, generates annual turnover in billions of CZK.
• Zoe.ai enables individual recommendations for anonymous users based on their preferences
Outcome by Zoe.ai: Revenue per session increased +5%

#discussion

The ethics…
Question – Should we stop tracking people and why?

What if I told you that tracking enables lower prices to end customers?

There is nothing like a free service. If you feel like you get something for free, you are the product that is being traded – and your data.

How to cope?
• We will always be tracked. No matter the legislation, new loopholes will be found, and the commercial sector will be more flexible and faster than the public sector with its regulation.
• Personal data is one of the most precious things in our lives (just like our time) that we can choose (not) to trade for other things.
• It is just as appealing to our counterparts as it gives them a better insight into our consumption behaviour - and therefore helps them to target us better with their offerings.

Well, that did not really help…

Tracking is here to stay
• As controversial as it might sound, we must adapt.
• Users will never read licence agreements, cookie consents, or any information that is longer than 2-3 paragraphs.
• We must educate people and adjust to the new tracking paradigm – because it can ultimately benefit us as well.
• This is not saying that we would be capable of altering our lifestyles to „milk the system“ better, but we can do more to protect our privacy.
The line cannot be drawn; only stronger education of the public regarding data collection can be introduced. Everyone should be capable of making their own informed decisions.

Remember – once you lose your private life, you will hardly ever get it back…

#wrap-up

Key takeaways
What should you remember?
• The European Commission brought in good instruments for end users to reclaim ownership of the data they give away.
• However, the perception of this being an ultimate lifesaver is flawed. The private sector will always come up with new ways to collect more data and process it in real time.
• Big data is currently taken as “given”, but the main focus is and will be on fast data – hyper-personalization and persona modelling and profiling.
• Keep your personal data close and disclose only what you explicitly want – once you let something go, it is nearly impossible to reclaim.

Thank you for your attention!

Petr Buchbauer
Chief Commercial Officer
E-mail: petr.buchbauer@lundegaard.eu
LinkedIn: https://www.linkedin.com/in/petr-buchbauer/
Twitter: @petrbuch

#bye
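
Returning to the JSON example from the digital fingerprinting part: the sketch below is an added example, not part of the original slides or of Zoe.ai. It recomputes location_distance_address_and_geoip from the raw coordinates in that payload and lists which features a privacy review would treat as identifying. The great-circle formula, the kilometre unit, the function names and the review policy are assumptions of this example.

```python
import math
from collections import defaultdict

# Subset of the "features" object from the JSON example on this page
# (values copied from the slide; the choice of subset is this example's).
FEATURES = {
    "behavior_typing_speed": 159,
    "device_ip_address": "91.245.11.00",
    "device_tor": False,
    "device_vpn": False,
    "fingerprint_browser": "0:-:0:1:cs-cz:UTF-8:-120",
    "fingerprint_cookie_said": "SA1.x941U6nO.1554271716",
    "location_address_lat": 49.9833,
    "location_address_lon": 15.6,
    "location_geoip_lat": 50.2333,
    "location_geoip_lon": 15.85,
    "location_distance_address_and_geoip": 33,
    "person_date_of_birth": "1995-10-03",
    "person_gender": "female",
}

# Assumption of this example, not a rule from the page: feature families a
# privacy reviewer treats as identifying a person or a device.
IDENTIFYING_PREFIXES = ("fingerprint", "person", "location")
IDENTIFYING_KEYS = {"device_ip_address"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def address_geoip_distance_km(features):
    """Recompute the declared-address vs. GeoIP distance from raw coordinates."""
    return haversine_km(features["location_address_lat"], features["location_address_lon"],
                        features["location_geoip_lat"], features["location_geoip_lon"])

def group_by_family(features):
    """Group feature names by the prefix before the first underscore."""
    families = defaultdict(list)
    for name in sorted(features):
        families[name.split("_", 1)[0]].append(name)
    return dict(families)

def identifying_features(features):
    """Feature names that fall under the reviewer policy defined above."""
    return sorted(n for n in features
                  if n.split("_", 1)[0] in IDENTIFYING_PREFIXES or n in IDENTIFYING_KEYS)

if __name__ == "__main__":
    print(round(address_geoip_distance_km(FEATURES)))
    print({family: len(names) for family, names in group_by_family(FEATURES).items()})
    print(identifying_features(FEATURES))
```

The recomputed distance rounds to the 33 reported in the payload, which shows how a derived feature ties the address a user declares to where their IP address geolocates.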