Google Analytics is a powerful tool that allows website owners to track and analyze traffic to their websites. It is understandably popular, as it provides a great deal of insight into how visitors interact with websites. This allows website owners to improve the design of their websites, which, of course, helps to improve profits.
Naturally, all this tracking of website visitors has important privacy implications. There was a time when Google published a simple Google Analytics Privacy Policy, but this has now been rolled into its general Privacy Policy or is spread over a number of jargon-heavy pages.
This primarily serves to hide the fact that Google has drastically reduced the number of privacy safeguards available to website visitors.
Google Analytics is the most popular website statistics service in the world, used on 55 percent of the 10,000 most popular websites. This ubiquity dramatically compounds the danger Google Analytics poses to the privacy of ordinary internet users.
So what are these dangers? There are, in fact, two quite separate issues to consider here: the privacy threat posed directly by Google, and the privacy threat posed by Google Analytics customers (website owners).
What Google Collects
Google’s business model is to collect as much personal information about every internet user as possible, in order to sell highly targeted advertising. It is very good at this.
In general, Google combines all information it collects from users of its services (including the contents of emails sent via Gmail and search terms) with information it collects from tracking internet users as they surf the web. This is clearly laid out in its Privacy Policy.
In theory, the Google Analytics Terms of Service require that customers agree not to send any information to Google that can personally identify their users. This is a useful get-out clause for Google. It places responsibility for maintaining website visitors’ privacy in the hands of its customers, rather than of Google itself.
In practice, Google provides tools that allow customers to send it personally identifiable information.
Indeed, customers need to manually set the parameters necessary to anonymize the information sent to Google. Furthermore, despite the fact that customers are contractually required not to send Google such information, these parameters are clearly labelled "Optional"!
Unsurprisingly, few Google Analytics customers bother to anonymize the information they send. As a side-note, Google Analytics customers are required to have a privacy policy displayed on their website that warns users that Google Analytics is being used to track them. Again, however, this is widely ignored.
What Google Analytics Customers know
Cookies
Google Analytics primarily uses first-party cookies and "similar technologies" to allow website owners to track what their users get up to on the internet. Note that this is not just what they get up to on their own websites, but also on other websites that their users have visited.
Pretty much every website you visit leaves cookies on your browser. These are small pieces of code that record when you visited that website, which pages you looked at, which links and ads you clicked on, and more.
Google Analytics provides tools that allow customers to access these cookies in order to track how you have interacted with both their own and other websites. This can be particularly invasive when combined with its AdWords remarketing feature, which allows website owners to target visitors with ads after they have left their websites.
The main cookie used by Google Analytics, the ‘__ga’ cookie, does not collect personally identifiable information. Google is very good, however, at correlating information collected using it and similar cookies with real-world identities.
Thanks to the privacy issues associated with the use of cookies, the EU legally requires websites to offer EU citizens the ability to opt out of accepting cookies. This requirement is usually ignored by non-EU companies. Even when it is implemented, users are usually left with the stark choice of accepting cookies or not accessing the website at all.
It is important to note the "similar technologies" bit I mentioned earlier. Google also uses canvas fingerprinting, JavaScript (for example analytics.js), the Measurement Protocol, and other techniques to collect user interaction data without the need for cookies.
The Measurement Protocol
The Google Analytics Measurement Protocol allows website owners to make HTTP requests, and send the raw data collected from these to Google for analysis. Website developers can set the parameters of these HTTP requests to collect a huge amount of highly personal information about their users.
This includes stuff like your IP address, your "anonymous" User-ID (used to track engagement across sessions and devices), and information collected using various browser fingerprinting parameters that can uniquely identify you (see System Info parameters).
As noted earlier, the onus is entirely on individual website owners to anonymize this information before sending it off to Google. Anonymization parameters (such as Anonymize IP) are labeled optional and are not enabled by default.
To give you some idea of just how invasive the Measurement Protocol can be, one of its stated advantages is that it can "tie online to offline behavior."
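As an added example (not code from Google or from this article), a site owner or privacy auditor can check captured Measurement Protocol hits for the issues described above: a missing Anonymize IP parameter, a User-ID, and System Info parameters. The short parameter names (aip, uid, uip, sr, vp, sd, ul, de, je, fl) are assumed from the Universal Analytics Measurement Protocol reference, and the sample hits are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Short parameter names assumed from the Universal Analytics
# Measurement Protocol reference; they are not listed in the article.
IDENTIFIERS = {"uid": "User-ID", "uip": "IP override"}
SYSTEM_INFO = {"sr", "vp", "sd", "ul", "de", "je", "fl"}
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}


def audit_hit(url):
    """Return privacy findings for one captured request URL.

    None means the URL is not a Measurement Protocol hit;
    an empty list means a hit with nothing to flag.
    """
    parts = urlsplit(url)
    if parts.hostname not in GA_HOSTS or not parts.path.endswith("/collect"):
        return None
    # keep_blank_values: "aip=" with an empty value must still count as present
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Anonymize IP takes effect whenever the key is present, whatever its
    # value, so test for the key rather than for aip=1.
    if "aip" not in params:
        findings.append("IP not anonymized (aip missing)")
    for key, label in IDENTIFIERS.items():
        if key in params:
            findings.append(f"{label} sent ({key})")
    system_info = sorted(SYSTEM_INFO & params.keys())
    if system_info:
        findings.append("System Info parameters sent: " + ",".join(system_info))
    return findings


# Constructed sample hits; UA-XXXXX-Y is a placeholder tracking ID.
HITS = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&cid=555"
    "&t=pageview&dp=%2Fhome&uid=user-1234&sr=1920x1080&vp=1280x720&ul=en-gb",
    "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&cid=555"
    "&t=pageview&aip=&dp=%2Fhome",
    "https://example.com/collect?uid=1",
]

if __name__ == "__main__":
    for hit in HITS:
        print(audit_hit(hit))
```

Feed it the request URLs exported from a browser's network panel or a proxy log for the site being audited.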
How private is Google Translate?
Google Translate is a service that the majority of us have used before. However, Google is able to store the text that you put into the service, which raises some serious privacy questions. Check out our "Is Google Translate private?" guide for more information about the privacy issues with this service.
Opting out
In order to allay concerns of privacy, Google offers two opt-out tools.
Privacy Controls
Google’s general purpose Privacy Controls are available to every Google account holder. They can be used to limit the amount of information that Google collects about you, and prevent it from using the information it does collect to target you with personalized ads.
Most importantly, the privacy controls allow you to tell Google to turn off your Google history. This means that searches you make, location data collected from your mobile device, YouTube videos you watch, and more, are no longer recorded by Google.
Does Google really stop recording this information? Who knows? But it will stop using this information to build a detailed profile of you that is combined with information gleaned from Google Analytics.
Google Analytics opt-out browser add-on
Users of the Google Chrome browser (only) can install the Google Analytics opt-out browser add-on. This "prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) that is running on websites from sharing information with Google Analytics about visit activity."
Third party opt-out options
You can also take matters into your own hands, rather than trusting your privacy to Google. Mozilla Firefox is an open source browser that supports some great privacy extensions. These will block many of the techniques Google Analytics customers can use to track you.
Among the most notable of these extensions are:
- Privacy Badger is a free and open source (FOSS) anti-tracking add-on developed by the Electronic Frontier Foundation (EFF). It also does double-duty as an ad-blocker, and is effective against Google Analytics (and other trackers).
- uBlock Origin is a lightweight FOSS ad-blocker that also helps prevent tracking. The usual advice is to use uBlock Origin and Privacy Badger together.
- uMatrix is developed by the same team as uBlock Origin, and blocks all kinds of web scripts. This includes the JavaScript and other scripts used by Google Analytics. If using uMatrix, you do not also need to run Privacy Badger and uBlock Origin. It is worth noting that NoScript is even more powerful than uMatrix, but for most people the hassle of using it will outweigh the benefits.
- Self-Destructing Cookies - most browsers allow you to specify that all cookies should be blocked. The problem is that this will break most websites! Self-Destructing Cookies gets around this by accepting cookies temporarily, so you can use the website. When you leave the website, however, it deletes them. It also provides protection against HTML5 storage and other sneaky tracking tactics used by Google Analytics.
Google Analytics Privacy Overview Recap
Website owners’ desire to track user engagement is quite understandable and is often perfectly benign. As a website visitor, however, you should be aware that your activity is being tracked and analyzed. This is performed not only by any specific website owner but across many websites.
Indeed, it is even possible for website owners to tie information collected in this way to offline behavior.
Much of the information collected by Google Analytics is also sent to Google. This is necessary, as Google does the heavy lifting for the "analysis" bit. In theory, all information sent to Google in this way is anonymized. It is not safe, however, to assume that this is the case.
You should also be aware that even when sent data is stripped of personally identifiable information, Google is very good at matching it with other sets of data it collects in order to tie it to real-world identities.