What you don't know about "fourth-party calls" could be hurting your users

13 August 2012  -   Tags: , , ,

Contributed by Grant Ellis. 

In recent months, site owners have grown increasingly aware of the negative impact that poorly optimized third-party scripts have on site performance. 

Our research has led us to uncover a layer of performance interference one step beyond the third-party, which we'll dub "fourth-party calls" for the time being. But before delving further, let’s back up.

The job of an ecommerce marketer is not easy. As this graphic illustrates, a complicated web of technologies and intermediaries separates advertisers and publishers, and it’s the marketers to make sense of it all:

The job of an ecommerce marketer is not easy. As this graphic illustrates, a dizzying web of technologies and intermediaries separates advertisers from publishers, and it’s the marketer's job to make sense of it all:


What does this mean for the web performance landscape?


With this in mind, we can forgive marketers for sometimes not fully considering the technical ramifications of their decisions. Nevertheless, third-party scripts proliferate the number of "single line of code" requests, hampering ecommerce site performance and causing untold headaches for IT and development teams.

Here at Strangeloop, we deal with the challenge third-party interference every day, so we're keen to dig as much as possible on the subject. From our research, we've determined that fourth-party calls not only cause further disruption to the user experience, but also compromise end-user security. Let's look at two examples:


Example 1: Single third-party call ---> fourth-party calls you never authorized ---> slower page load

  1. A site owner is approached by a third-party company to add a single line of code; the site developer is asked to paste in a simple code fragment.
  2. The code implemented - a third-party script - authorizes a whole new wave of fourth-party calls.
  3. The server calls slow down the website.


Here's a waterfall to illustrate:




(If you're new to waterfalls, here's a quick rundown of how they work)


A breakdown of the waterfall:

  • The third-party tag triggered 49 unauthorized server calls to fourth-party servers.
  • Of the 49 calls, 21 are redirects (red dots), which set off ping-ponging redirects that waste valuable load time.
  • Every one of the fourth-party calls is over SSL, which impacts load time.
  • The result: an added 1.8 seconds to the page’s load time (a death sentence for many ecommerce sites)
But performance impact aside, the main concern here is that unauthorized companies are filling up their databases with detailed information on customers and products.


Example 2: Fourth-party call ---> data loss and privacy concerns

The biggest privacy concern with fourth-party calls is that they have unrestricted access to user data: they can see and capture everything about users without consent, and their information-gathering techniques are highly sophisticated.

Here's an example from the Skechers site:


After visiting this website, a later unrelated visit to the New York Times website yields a Skechers ad in the bottom right-hand corner of the page:

This is an example of retargeting, a.k.a. delivering ads to you based on your previous actions. Although Skechers pays a great deal of money to have The NY Times show this ad, the concern is that the data they authorized a third-party to use is made available to the other fourth-party calls.

A few other thoughts:

  • The nature of the data flowing out of the original site (to who knows where) is alarming. Site owners should not want their users’ entire browsing history, including what products they looked at, collected and sold by unauthorized parties.
  • The fourth-party calls could change any time at the request of the third party — or even another fourth party — as calls cascade from one company to the other.
  • This data makes Facebook's privacy setting adjustments look trivial by comparison, as these settings are something users can control. If users knew how much of their personal browsing history has already been captured and stored in countless databases, the outcry would drown out the Facebook-related complaints.


Takeaway: Seven questions for site owners using third-party tags

1. Are you aware of the fourth-party calls made from third-party tags on your site?

2. Have you talked about performance with your third parties and asked them what impact their tags will have on your page speed?

3. If your third-party vendor decides to change the fourth-party calls it references, are you notified?

4. Have you pushed your third-party vendor to optimize the way it handles calls or how it deals with fourth parties?

5. What data are the fourth parties collecting?

6. Does this usage comply with your corporate governance guidelines?

7. Do these fourth-party calls contravene your customer-facing privacy policy?

Learn more

Strangeloop uses groundbreaking technology to limit third and fourth-party interference, helping site owners maintain high web performance even while running third-party scripts. To learn more, visit our Site Optimizer or Mobile Optimizer product pages.