Google Analytics is a powerful tool that allows website owners to track and analyze traffic to their websites. It is understandably popular, as it provides a great deal of insight into how visitors interact with websites. This allows website owners to improve the design of their websites, which, of course, helps to improve profits.
This primarily serves to hide the fact that Google has drastically reduced the number of privacy safeguards available to website visitors.
Google Analytics is the most popular website statistics service in the world, used on 55 percent of the 10,000 most popular websites. This ubiquity dramatically compounds the danger Google Analytics poses to the privacy of ordinary internet users.
So what are these dangers? There are, in fact, two quite separate issues to consider here: the privacy threat posed directly by Google, and the privacy threat posed by Google Analytics customers (website owners).
What Google Collects
Google’s business model is to collect as much personal information about every internet user as possible, in order to sell highly targeted advertising. It is very good at this.
In theory, the Google Analytics Terms of Service require that customers agree not to send Google any information that can personally identify their users. This is a useful get-out clause for Google. It places responsibility for maintaining website visitors’ privacy in the hands of its customers, rather than Google itself.
In practice, Google provides tools that allow customers to send it personally identifiable information.
Indeed, customers need to manually set the parameters necessary to anonymize the information sent to Google. Furthermore, despite the fact that customers are contractually required not to send Google such information, these parameters are clearly labelled “Optional”!
What Google Analytics Customers Know
Pretty much every website you visit leaves cookies on your browser. These are small pieces of code that record when you visited that website, which pages you looked at, which links and ads you clicked on, and more.
Google Analytics provides tools that allow customers to access these cookies in order to track how you have interacted with both their own and other websites. This can be particularly invasive when combined with its AdWords remarketing feature, which allows website owners to target visitors with ads after they have left their websites.
The main cookie used by Google Analytics, the ‘__ga’ cookie, does not collect personally identifiable information. Google is very good, however, at correlating information collected using it and similar cookies with real-world identities.
The Measurement Protocol
The Google Analytics Measurement Protocol allows website owners to make HTTP requests to Google, sending the raw data they have collected for analysis. Website developers can set the parameters of these HTTP requests to collect a huge amount of highly personal information about their users.
This includes your IP address, your “anonymous” User-ID (used to track engagement across sessions and devices), and information collected using various browser fingerprinting parameters that can uniquely identify you (see the System Info parameters).
As noted earlier, the onus is entirely on individual website owners to anonymize this information before sending it off to Google. Anonymization parameters (such as Anonymize IP) are labeled optional and are not enabled by default.
To give you some idea of just how invasive the measurement protocol can be, one of its stated advantages is that it can “tie online to offline behavior.”
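As an added example (not code from the article or from Google), here is a small Python auditor for Measurement Protocol hits captured from a site, say from a proxy log or a browser devtools export. It checks whether the Anonymize IP parameter is set and which identifying and System Info parameters the site chose to send. The short parameter codes (`aip`, `uid`, `uip`, `sr`, …) are taken from Google's public parameter reference rather than from the page, and the sample hits are constructed with placeholder values.

```python
from urllib.parse import urlsplit, parse_qs

# Measurement Protocol v1 parameter codes. The article names the concepts
# (Anonymize IP, User-ID, IP address, System Info); the short codes below are
# taken from Google's public parameter reference and are not quoted on the page.
ANONYMIZE_IP = "aip"
IDENTIFYING = {
    "uid": "User-ID (cross-session / cross-device identifier)",
    "uip": "IP override (visitor IP supplied by the site)",
    "ua": "User-Agent override",
}
SYSTEM_INFO = {  # fingerprinting-grade "System Info" parameters
    "sr": "screen resolution", "vp": "viewport size", "de": "document encoding",
    "sd": "screen colour depth", "ul": "user language", "je": "Java enabled",
    "fl": "Flash version",
}

def audit_hit(url):
    """Classify one /collect hit: IP anonymization on or off, and which
    identifying and fingerprinting parameters the site chose to send."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # aip is opt-in: when it is absent the visitor's full IP reaches Google.
    aip_on = ANONYMIZE_IP in qs and qs[ANONYMIZE_IP][0] != "0"
    return {
        "anonymize_ip": aip_on,
        "identifying": sorted(k for k in IDENTIFYING if k in qs),
        "fingerprint": sorted(k for k in SYSTEM_INFO if k in qs),
    }

def audit_capture(urls):
    """Audit a list of captured hit URLs and return those that fail a minimal
    privacy bar: IP not anonymized, or any identifying parameter present."""
    findings = []
    for url in urls:
        result = audit_hit(url)
        if not result["anonymize_ip"] or result["identifying"]:
            findings.append((url, result))
    return findings

# Constructed sample hits (tracking ID, IDs and IP are placeholders, not real).
SAMPLE_HITS = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000-1&cid=555"
    "&t=pageview&dp=%2Fhome&uid=user42&uip=203.0.113.9&sr=1920x1080&ul=en-us",
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000-1&cid=555"
    "&t=pageview&dp=%2Fhome&aip=1",
]

if __name__ == "__main__":
    for url, result in audit_capture(SAMPLE_HITS):
        print(result, url)
```

Only the first sample hit is reported: it sends a User-ID, an IP override and two System Info fields with no `aip`, while the second sets `aip=1` and carries no identifying fields.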
To allay privacy concerns, Google offers two opt-out tools.
Google’s general purpose Privacy Controls are available to every Google account holder. They can be used to limit the amount of information that Google collects about you, and prevent it from using the information it does collect to target you with personalized ads.
Most importantly, the privacy controls allow you to tell Google to turn off your Google history. This means that searches you make, location data collected from your mobile device, YouTube videos you watch, and more, are no longer recorded by Google.
Does Google really stop recording this information? Who knows? But it will stop using this information to build a detailed profile of you that is combined with information gleaned from Google Analytics.
Google Analytics opt-out browser add-on
Third party opt-out options
You can also take matters into your own hands, rather than trusting your privacy to Google. Mozilla Firefox is an open source browser that supports some great privacy extensions. These will block many of the techniques Google Analytics customers can use to track you.
Among the most notable of these extensions are:
- Privacy Badger is a free and open source (FOSS) anti-tracking add-on developed by the Electronic Frontier Foundation (EFF). It also does double duty as an ad-blocker, and is effective against Google Analytics (and other trackers).
- uBlock Origin is a lightweight FOSS ad-blocker that also helps prevent tracking. The usual advice is to use uBlock Origin and Privacy Badger together.
- Self-Destructing Cookies - most browsers allow you to specify that all cookies should be blocked. The problem is that this will break most websites! Self-Destructing Cookies gets around this by accepting cookies temporarily, so you can use the website. When you leave the website, however, it deletes them. It also provides protection against HTML5 storage and other sneaky tracking tactics used by Google Analytics.
Google Analytics Privacy Overview Recap
Website owners’ desire to track user engagement is quite understandable and is often perfectly benign. As a website visitor, however, you should be aware that your activity is being tracked and analyzed. This is performed not only by any specific website owner but across many websites.
Indeed, it is even possible for website owners to tie information collected in this way to offline behavior.
Much of the information collected by Google Analytics is also sent to Google. This is necessary, as Google does the heavy lifting for the “analysis” bit. In theory, all information sent to Google in this way is anonymized. It is not safe, however, to assume that this is the case.
You should also be aware that even when the data sent is stripped of personally identifiable information, Google is very good at matching it with the other data sets it collects in order to tie it to real-world identities.