If A Mouse Clicks in A VM, Will Anyone Measure It?



"Imagine, for instance, if you can make sure that any link that is in an email didn’t actually get executed on your local computer but instead got executed in an isolated browser, which was running out at our edge. We have all the components to be able to do that. And if you look back at all of the security incidents that have happened across the space, that one technology closes the biggest hole in most enterprise IT spaces.”

—Matthew Prince, CEO, Cloudflare (2021 Q3 Earnings Call Transcript)  

Cloudflare, if you’re not familiar with them, is a fast-growing company whose stated goal is to build a better Internet. They’re an interesting and innovative company; that aside, the point in highlighting Matthew Prince’s quote is to look a bit farther ahead in the email space. Proxied pixel opens won’t be the last change to shake things up! (Cloudflare has also launched an email-address routing service.)

The wake and turbulence of Apple’s Mail Privacy Protection (MPP) — slower off the mark than worry would have had it — prompted some re-thinking of the end-to-end data flow of email. I’d like to suggest we’re not done yet. Getting “clickstream” data in place may seem like a solution — but read that top quote again, and reconsider. Will your clickstream solution provide the metrics you’re after if (or, more likely, when) that click opens a cloud-based browser session instead?

Viewed coldly, hyperlink clicks that open a browser are an incredibly invasive technology. The Web browser — call it what it is, “my” browser and “your” browser — is the major juncture between your private world and the world of commerce. A hyperlink in an email message doesn’t just open the page linked. That page, in turn, runs several dozen scripts (on average) that gather, log, and report your data to dozens of other endpoints.

Case in point: Apple’s made some hay (or Hey.com) out of Mail Privacy, but an email from Apple with a hyperlink to Apple.com fires up, among others:

  • Omniture SiteCatalyst (usage statistics)
  • Adobe Marketing Cloud (usage statistics)
  • Adobe Target Standard
  • Adobe Target 2.0
  • Adobe Analytics
  • Okta
  • Microdata for Google Shopping
  • Facebook Domain Verification
  • Akamai CDN

That’s not an Apple-specific knock. Hey.com and CampaignGenius.io also run third-party scripts that glean data from browser sessions. I’d bet your company website does as well.

Somewhere along the way, we internalized a notion that pixels in email are “spying”, but scripts on websites are OK. The walls are starting to go up on “spy pixels.” Do you think there won’t be a similar mindset shift around web browsers, which are inherently far more invasive? (Browser: JavaScript; email: dumb.)

Matthew Prince & company are already thinking about solutions.

Imagine the impact if hyperlink clicks always launch an isolated browser session on a cloud-based VM. Every click would spin up a new, history-free machine with no location, no cookies, no history, no meaningful user-agent, and so on. Every visit, every visitor = blank slate & start over.

It may sound like a stretch, but it’s not. Amazon started experimenting with virtual browser sessions a decade ago (see ‘Amazon Silk’ on Wikipedia). AWS sells corporate VM-instead-of-PC solutions today; Google Cloud developers have a cloud shell for every GCS tab.

To put that in more plain language — we’ve gotten accustomed to the fat-on-cookies browser application living and running on our devices, but that doesn’t mean it’s going to stay there. There are substantial benefits to moving the browser session out to the cloud (or the edge) — privacy, security, malware, performance, maintenance, and storage to name a few.

If that scenario seems too far-fetched for now, there’s a half-step that’s similarly problematic for marketing — proxies, VPNs and other intermediaries.

Apple’s working out the kinks in the massive technical challenge of caching half of the world’s email images — a huge Web/HTTP infrastructure challenge. Is the logical next step for Apple to make Safari and WebKit proxy-by-default for full browser sessions?

Likewise...Google added the Google One VPN (Virtual Private Network) to the Google One subscription storage service a few months ago. User traffic is tunneled; the browser is no longer a direct portal from your desktop/mobile to my website.

In short, there will probably come a time when that simple hyperlink click does not spin up “your” browser on “your” device — or when the “device” itself becomes little more than a connecting point for your personal cloud of virtual devices.

With my former-CIO propeller beanie on...Yay. If I were (shudder) responsible for a zillion company computers today, I’d do my best to virtualize the whole shooting match. The device-and-operating-system model sucks; it’s impossible to secure, insanely expensive, a nightmare to administer and probably worse for the planet in the bargain. (To be fair, I’d hide a high-powered Mac in the closet because of course no da** VMs for me. Do as I say…)

Bringing that back to Earth...the point in relation to email and marketing is that the marketing-data fallbacks from pixels-and-opens are themselves vulnerable to the same dynamics, and might change just as abruptly.

If or when such shifts occur, I’d rather bank on email than on other media. What becomes of Facebook Meta’s ecosystem when devices, OSs, apps, and browsers flick in & out of existence at will, with little persistence or connection?  I suspect that each of us will be a more elusive attention target.

Email will still be around, and we’ll still have control over what we elect to receive and what we decide to read. Marketers will have the same root opportunity as today — the opportunity to earn interest and trust based on the content they provide. The metrics of success will change, and we’ll have to adapt.

Something to think about.

Photo by Drew Beamer on Unsplash