What Are Piggybacking Tags and What Threats Do They Pose?

January 2, 2020 Jack Vawdrey

People worry.

They worry they’ll go bald. They worry they’ll drop their wedding ring down the drain. They worry they’ll swallow a spider in their sleep. Worrying is just something we do.

And something digital marketers, digital analysts, tag managers, and others worry about is piggybacking tags.

Piggybacking tags can pose a threat to the privacy and security of your website data—but the threat is very preventable if you’re willing to take the right course of action.

But first, let’s give a face to the adversary we’ve been defaming.

What Is a Piggybacking Tag?

Piggybacking tags are tags invoked by another tag (often called a container tag). Tags are those snippets of code your analytics, advertising, and other MarTech vendors have you install on your site so they can collect the data they need to operate.

One form of container tag you’re probably familiar with is the TMS container snippet. While not usually considered in the context of tag piggybacking, in reality your tag management’s container snippet deploys piggybacking tags. Any tag that acts as a container for other tags uses piggybacking.

Piggybacking tags are most prevalent in the ad-serving community as a way for one ad server’s tag to invoke tags from other servers—allowing multiple tags to collect data without having to implement each individually.

So in reality, piggybacking is common and can be quite useful, when used appropriately. But when mishandled, it can get out of control.

What Dangers Do Piggybacking Tags Pose?

Piggybacking tags can become dangerous because third parties can gain access to your website data and reduce your website's performance. And these negative consequences can snowball: one vendor deploys a container, which deploys another container, and so on. As piggybacking tags daisy-chain downward with more and more tags, the following threats increase in likelihood:

Data leakage. Data leakage is the transmission of website data to an unauthorized party. As more and more tags appear on your site, more parties have access to your data, increasing the likelihood that your data could fall into the wrong hands.

Slow load times. Each piggybacking tag means an additional request to a server somewhere, increasing the load on your visitor’s connection and constricting bandwidth. The result: a slow website. Not ideal.

Data loss. Related to slow website load times, if your tags can’t load fast enough due to blocking piggybacking tags, you risk losing customer data.

Non-compliance. Especially in the wake of GDPR and CCPA, it’s important to make sure that data collection complies with both internal and external controls. Non-compliant data collection, tags, and cookies are more likely to happen if your website is heavy on piggybacking.

Some Ways to Detect Tag Piggybacking

Like I said, not all piggybacking is bad. Still, piggybacking is worrisome mainly because of the hidden nature of it. How can you really know if piggybacking is a problem on your site?

Below are some techniques and tools you can use to identify piggybacking and other unauthorized tags on your site. For each technique, I'll break down what's good and what's missing from that option.

Using your browser's developer tools or a proxy tool

The way most website stakeholders will identify piggybacking & rogue tags on their site is using the developer tools in their browser. The Network tab in the developer tools allows you to see all network requests coming in and out of your browser, including those made by tags on your site. The network requests look something like this:

Each line in the table represents a request for a resource (in this case, JavaScript files). You would see a similar list of requests if you were using a proxy tool like Charles or Fiddler.

Good

The good thing about the report in the browser's developer tools (or a proxy tool) is that the report is comprehensive: it contains every single request for any resource, including the initial requests for a given vendor's script and subsequent image/XHR requests made by those scripts. So if there's something loading on your page, you will be able to see it in the developer tools.

Bad

As you can see, the list of requests in the developer tools isn't very human-friendly. You have to really know what you're looking for. The problem is, when you're looking for piggybacking tags, you don't know what you're looking for, so you'll have a grand old time combing through all the requests to find something that may or may not be there. 👎

On another note, you'll only find unauthorized scripts when you look for them—and you have much better things to do than spend all your time searching for unauthorized tags.

Using a tag debugger

Another alternative is to use a tag debugger. One option is, drum roll, ObservePoint's TagDebugger. The TagDebugger is an alternative to the Network tab, making those network requests more human-friendly:

Good

ObservePoint's TagDebugger is a free Chrome Extension and is a great place to start when you need to identify what tags you have on your site. The TagDebugger identifies which tags are on your site based on the unique signature of the requests, allowing you to detect piggybacking tags that ObservePoint recognizes.

Bad

One of the limitations of the TagDebugger is that you won't be able to see how tags arrived on your site. For example, say you used the debugger and identified a stray ad tag that shouldn't be there. How did it get there? You'll have to uncover that answer for yourself.

In addition, it's impossible for the TagDebugger to recognize and categorize every single request on any website. The TagDebugger only recognizes a specific list of vendors, so if a rogue script with an unrecognized signature is piggybacking off one of your other tags, the TagDebugger won't recognize it.

Using Tag Hierarchy

The next level up in detecting piggybacking tags is using a tool like ObservePoint's Tag Hierarchy. Like the debugger, Tag Hierarchy has a library of recognized tags that it can easily identify and portray in a human-readable format. Tag Hierarchy can drastically simplify the process of discovering tags and seeing how they arrived on your site.

Good 

Tag Hierarchy allows you to easily identify which tags are the source of piggybacking. Once you know the source, you can either remove it or lean on your vendors to tighten up their piggybacking practices.

Bad

Like the debugger, Tag Hierarchy will only display tags with recognized signatures. As a result, the Hierarchy may not detect malicious piggybacking tags that don't match a known signature.

Don't lose hope yet. The most robust solution for identifying rogue & piggybacking tags is the following.

Setting up monitoring for any and all rogue & piggybacking tags

The optimal solution for mitigating the risk of rogue & piggybacking tags would be able to:

  • Identify any unauthorized request, regardless of its signature
  • Conduct continuous monitoring to alert you in near real-time as an unauthorized request appears
  • Easily identify the source of the unauthorized request

ObservePoint's Data Privacy & Security package answers each of these requirements. Here's how it works:

  1. ObservePoint runs a scan to identify all requests coming off your site, then exports the list and shares it with you.
  2. You, the website stakeholder, identify which request domains are authorized, creating a whitelist of approved domains.
  3. ObservePoint uploads the whitelist into their system, setting up alerts for whenever a request appears that does not match one of the approved domains.

And voilà, there you have it. Once you've set up monitoring, you can rest easy knowing that whenever a tag appears whose signature doesn't match one of your approved domains, you will receive an alert immediately.

The only missing piece is being able to identify where the rogue tags came from. That's where ObservePoint's Remote File Map feature comes in. Remote File Map enables you to block specific requests so you can systematically identify where piggybacking tags are coming from. Here's the basic methodology:

  1. Block your TMS container code.
If the unauthorized tag still appears, then it must be hardcoded on the page or be piggybacking off a tag hardcoded on the page. If the unauthorized tag disappears, then its source must be one of the tags coming through your TMS.
  1. Block a tag you suspect to be the culprit.
  2. Determine if the unauthorized tag failed to appear.
  3. Repeat until you find the true culprit.

Protecting Your Site from Unauthorized Data Collection

The most common way data breaches occur is through a vulnerability in a third-party vendor. Don't let your vendors be a vulnerability to you. Make sure to set up proper governance to ensure no unauthorized tags appear on your site.

ObservePoint can help you stop worrying about piggybacking tags. To learn more, schedule a demo.

 

About the Author

Jack Vawdrey

A former student and present enthusiast of the humanities, Jack Vawdrey uses his love of language to explore the role of marketing and analytics technology in business. Jack joined the ObservePoint marketing team in August 2016 and serves as Managing Editor. Adamant about automation, Jack writes to educate the analytics and marketing community about the role of tag auditing and data governance in the enterprise.

LinkedIn More Content by Jack Vawdrey
Previous Article
7 Cases Where You Can't Afford to Skip Analytics Testing
7 Cases Where You Can't Afford to Skip Analytics Testing

Learn how to find a world where insights are trustworthy and tracking technology always works like you expe...

Next Article
The Data Layer: What Is It and Why Do I Need One?
The Data Layer: What Is It and Why Do I Need One?

This blog post pulls the data layer out of obscurity and into the light, exposing both the technical compon...

Free Website Audit

START NOW