Google Analytics and End User Privacy
As geeks will know already, Google Analytics is a new, free traffic analysis service for websites from Google. It’s essentially the functionality that Google acquired from Urchin, except that instead of money you pay for the service by giving Google full knowledge of all of the hits to your site.
There’s already a Google Analytics Plugin for Wordpress that lets you add Google analytics to your blog with no template editing.
The thing that’s a little bit disappointing is that Google used their standard search engine terms of service and privacy policy with Google analytics. This seems inappropriate– even the Adwords policies would have been more inappropriate.
[Update: An additional concern about the terms of service is that appear to allow Google to track users from your site to the main Google search and present competing ads there, see here for more.]
It’s one thing to give Google full access to all of the information I enter into Google. It’s another thing to share with a third party the complete session history of everyone on my site. Google’s privacy policy ought to more clearly spell out what they will do with this data. (They do promise not to give it away to a third party, but when you’re a large corporation you don’t need to give it away to extract a great deal of value.)
I know that Doubleclick and all of the targeted online advertising players do similar things to track users across the internet. The thing that bothers me a little bit in the case of Google is that they seem to be encouraging site owners to gloss over the issues by presenting the standard privacy policy as if it was adequate, and that they are targeting the least sophisticated sites which tend not to even have privacy policies for their users.
Keep in mind that Google is injecting Javascript into your page, in principle giving them access to form contents and anything else on the page. As far as I can tell, Google’s terms of service would allow them to spam every email address that users entered into my site. (Not that they would do this, but still…)
Update: I note from Tim Bray that there is 17k (!) worth of Javascript that Google inserts into the page; further work is needed to dissect this code and figure out what it does.
If I were a company, their terms of service appear to allow them to market to my customers directly or act in other ways contrary to my interest. Here are some choice quotes from the terms of service and privacy policy that seem especially ill suited.
The Google Services are made available for your personal, non-commercial use only. You may not use the Google Services to sell a product or service, or to increase traffic to your Web site for commercial reasons, such as advertising sales.
Does this mean I can’t use Google analytics on a commercial web site? Clearly not, this is boilerplate text.
We may use personal information to provide the services you’ve requested, including services that display customized content and advertising.
That’s my personal information, but what about the personal information of people who use a site that is enabled with Google analytics? Google’s Adword privacy policy promises not to correlate Google search history with adwords history, but their analytics policy does not. (Google also has the ability to track all the pages you visit through your mobile browser that are linked to from Google search results; these too could presumably be tied to the same user identity.)
Unless You notify Google otherwise in writing, You hereby grant to Google and its wholly owned subsidiaries a limited license to use Your trade names, trademarks, service marks, logos, domain names and other distinctive brand features (”Brand Features”) in presentations, marketing materials, customer lists, and financial reports
Does this mean we’re selling out not only our users but also our brand?
With great power comes great responsibility, and the requirement to go beyond the usual yada yada when doing new things.
Will I still use Google analytics? Yes, but only because this is an absolutely public blog with no commercial aspects or sensitive personal data.
9 Comments so far
Leave a comment
[…] I’ve been looking at web-site metrics services and tools lately, for projects both personal and Mozilla-related. So far, the one that looks best is the Google Analytics system, but the privacy policy they use for it is the one for the web site, and that kinda sucks. […]
By shaver » measure twice, cut once on 03.22.06 7:27 am
if you’re using Adblock on Firefox, make sure to block www.google-analytics.com . It will disable the piece of JavaScript, but it also speeds up Firefox a lot, by skipping that 17K of code (http://www.google-analytics.com/urchin.js)
By jhermans on 03.22.06 9:38 am
It is a legal requirement that users should be able to delete and/or block cookies as a method of opting out of the tracking system. Under the European Directive on Privacy and Electronic Communications (2002/58/EC) sites using cookies for tracking should provide instructions within their privacy policy documenting how to block and delete cookies set by the site. The current google policy does not supply these instrctions for the Urchin tags. Also sites using google analytics should include a privicy policy of their own that covers these requiremtns as well as informing the visiotr that data regarding their visit is being processed by a third party. I use google analytics on my site and am in the process of setting up a html policy and P3P policy to cover these issues now.
By gareth on 05.16.06 2:58 am
I was looking for a web statistic tool for my personnal web site. Knowing the Google Analytics service, I went looking after feedback from users:
- as I was finding too cumbersome to read all the info on the google site
- to see if it could be also suitable for a personal web site (I do not tend to do business, but just want to see if people have been able to navigate properly through my whole site)
I got really interested by your article :-) , but what puzzled me is :-/ :
- you seem really concern about your user privacy but…
* you are using Google Analytics on your web site !?!
* to post a comment, it is _required_ to specify an e-mail address !?! –> I did not find any mention on your web site of what you are doing with this information.
I apologise to have said it quite directly/frankly, but I would like to hear from you why you have been writing this article and why you are using the Google Analytics. It came to a big surprise for me!
Nonetheless, thank you for this really interesting articles. I really liked it, and it was really instructive! :-)
Cheers,
Huygens
By Huygens on 06.23.06 5:28 am
To the extent that Google might correlate visits to my site with visits to other sites, yes, I am part of the problem, but my readership and pageviews are sufficiently low that the impact is negligible.
The post was upfront about my dabbling in Google analytics: “Will I still use Google analytics? Yes, but only because this is an absolutely public blog with no commercial aspects or sensitive personal data.”
Regarding the requirement to specify an email address– I of course do nothing with those email addresses except for on occasion follow up with people who need technical support for Berry411… it’s a built in feature of the open source blogging software I use (Wordpress) to deter spammers. There is no requirement to my knowledge that the email address be a real one.
By philbo on 06.23.06 7:59 am
For every surfer who is concerned about his privacy: you can block google-analytics.com and other trackers via the hosts file
Check: http://pgl.yoyo.org/adservers/
By H.B. Gijs on 07.18.06 10:58 am
Your information is a bit inaccurate. If you read “Google Analytics” Terms of Service you will see it states:
“Google will not share information associated with You or your Site with any third parties unless Google (i) has Your consent; (ii) concludes that it is required by law or has a good faith belief that access, preservation or disclosure of such information is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides such information in certain limited circumstances to third parties to carry out tasks on Google’s behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google.”
It also does not exclude commerical use.
http://www.google.com/analytics/tos.html
By abostongirl on 08.22.06 5:34 pm
all web tracking is evil,
run privoxy or something similar to defeat them
By time lord on 07.20.07 2:13 am
you have no right to track my webbrowsing and use it for personal gain of any sort. I am paying to have internet access because i have no choice in this matter. if you are going to track me and use this information in any way i should be informed of this fact each time i go to a new website and i should be given the choice of opting out. if you use this information for personal gain, you should be paying me instead of me paying you.
By maxine brown on 05.25.08 2:31 pm
Leave a comment