8 Replies Latest reply on Nov 7, 2016 9:05 AM by Devan Mairose

    Tracking links - making prospects "nervous" about content

    Devan Mairose

      Hello, we target IT professionals including many IT security roles.

       

      We've received feedback that having the large Marketo tracking link is turning people off of clicking because they can't verify the link before clicking. Is anyone else in the security space facing this issue? Is there a way around it?

        • Re: Tracking links - making prospects "nervous" about content
          Sanford Whiteman

          The tracking link represents a unique combination of lead, email, target href, and href id. You shouldn't expect to represent this key information in a smaller string (it could be done, but there's nothing technically wrong with the current implementation).

           

          But I don't understand how anyone could "verify" a link like http://click.example.com/fg849UIa any more than they can "verify" http://click.example.com/O030pcnR0100PXLQ0Z0IfYO.  How would the verification steps differ?  They still would have no idea, just by hovering over the link, what the final target page is.  (This is the same with any link: unless you're trying to combat phishing attempts against well-known banking or ecommerce sites, there's nothing inherently more trustworthy about pages.mycompany.com vs click.myothercompany.com.)

           

          In any case, the answer is: you can turn off link tracking as well as link tokenization.  Then you'll have no record of click activity or subsequent web activity unless the lead manually fills out a form. I wouldn't bother using Marketo under those restrictions but YMMV.

          • Re: Tracking links - making prospects "nervous" about content
            Grégoire Michel

            "Even Paranoids have enemies"

                                Delmore Schwartz

             

            -Greg

            • Re: Tracking links - making prospects "nervous" about content
              Iryna Zhuravel

              I ran into similar issues with our target audience (engineers), they don't like tracked links, and we had a few people making a huge deal out of forms with pre-fill enabled ("how do you know it's me? why is my data displayed publicly? why are you storing my information?")

               

              There isn't really a workaround, we send some emails without any tracking and disable pre-fill on many forms.

               

              Data is definitely important but user experience/satisfaction comes first.

                • Re: Tracking links - making prospects "nervous" about content
                  Sanford Whiteman

                  Absolutely! Didn't mean there isn't significance from a privacy perspective. A unique identifier (or alphanumeric string that merely appears to be a hash or unique key) connotes per-lead tracking. So if people are tracking-sensitive, you have to turn off both tracking and tokenization (mktNoTok and mktNoTrack) since both create "tracking-like" URLs.  Can't have it both ways, though, was my point. Either MUA/UA click activities are tagged to the lead, or the activities are anonymous.

                   

                  But from a security perspective using a tracking domain has no direct significance. You can send people to the untracked, undecorated www.example.com/my_totally_innocent_page.html, but no amount of hovering over the link (if that's what's meant by "verification") can tell them that the link will redirect to www.malice.com/here_is_your_trojan.exe. They similarly don't know where plain ol' www.example.com is about to lead them -- or where that place is going to redirect them next. Only if the email appears to come from an extremely well-known company like PayPal would hovering over the link and seeing the creatively misspelled www.paypa1.com provide any kind of preliminary verification. Real verification is what mail link scanners are for -- checking, in a sandboxed environment, to see if after one or more redirects, the target URL is malicious.  A security professional would know that a given domain name with numbers after it is no more or less safe than that same domain name with a good-lookin' page name, or with no page name at all.

                    • Re: Tracking links - making prospects "nervous" about content
                      Sanford Whiteman

                      But from a security perspective using a tracking domain has no direct significance.

                      I'll emend this to say that if your tracking domain is not running over SSL, or is running over SSL but is not on the HSTS preload list, while in contrast the target domain is on HSTS preload, then linking to the tracking server is indeed less secure than going straight to the target. But this isn't because it's a tracking server but because of its plaintext-ness or SSL-strippability.
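
An added example (not part of the thread and not Marketo code) of the comparison made in the reply above: it grades each hop of a recorded redirect chain by transport protection and reports hops that are weaker than the final target. The two chains and the preload set are constructed sample data, and preload-list membership is modelled as a local set rather than looked up.

```python
from urllib.parse import urlsplit

# Transport grades, weakest first.
PLAINTEXT, HTTPS_ONLY, HSTS_HEADER, HSTS_PRELOADED = range(4)

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if absent/invalid."""
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def is_preloaded(host, preloaded):
    """True if host or a parent domain is in the preload set.
    Assumption: every entry in the set also covers its subdomains."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in preloaded for i in range(len(labels)))

def grade_hop(url, headers, preloaded):
    """Grade one hop from its URL scheme, preload status and HSTS header."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        return host, PLAINTEXT
    if is_preloaded(host, preloaded):
        return host, HSTS_PRELOADED
    sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    return host, (HSTS_HEADER if hsts_max_age(sts) > 0 else HTTPS_ONLY)

def hops_weaker_than_target(chain, preloaded):
    """chain: [(url, response_headers), ...] in the order a client follows it.
    Returns [(host, grade)] for every hop graded below the final target."""
    graded = [grade_hop(url, headers, preloaded) for url, headers in chain]
    target_grade = graded[-1][1]
    return [(host, grade) for host, grade in graded[:-1] if grade < target_grade]

# Constructed sample data: hostnames reuse the thread's examples.
PRELOADED = {"mycompany.com"}
TARGET = ("https://pages.mycompany.com/",
          {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
CHAIN_PLAINTEXT = [("http://click.myothercompany.com/O030pcnR0100PXLQ0Z0IfYO",
                    {"Location": TARGET[0]}), TARGET]
CHAIN_NOT_PRELOADED = [("https://click.myothercompany.com/O030pcnR0100PXLQ0Z0IfYO",
                        {"Location": TARGET[0],
                         "Strict-Transport-Security": "max-age=31536000"}), TARGET]
```
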

                        • Re: Tracking links - making prospects "nervous" about content
                          Devan Mairose

                          Yes exactly - to some it is APPEARING like the links aren't "verifiable" even though Marketo only appends a bunch of numbers/letters to the end and you can still see where the link is going as much as you could on any other link like you mentioned.

                           

                          Iryna Zhuravel -- anecdotally do you think more people are clicking? Or can you tell from your web visitors or any other metric has increased since NOT tracking certain links? I'm potentially interested in only NOT tracking our customer newsletter, for example. But want to make sure that I can defend my idea