Comment by eli

7 years ago

I think there are a lot of misconceptions about how Google Analytics tracking works. I'm pretty sure a vanilla GA setup does not, in fact, create profiles that track you across the web. For one thing, all the cookies it creates are first-party (on your domain).

I still get objecting to Google products on principle, but their privacy policy for GA seems pretty reasonable to me: https://support.google.com/analytics/answer/6004245

7 comments

eli

Reply
gregable  7 years ago

Agreed, the first-party cookie is pretty self-evidently not a web-wide tracker.

There are lots of config options. Here's what I like to use:

  // Google Analytics Code.
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};

  // https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference
  ga('create', 'UA-XXX-XX', 'auto', {
      // The default cookie expiration is 2 years. We don't want our cookies
      // around that long. We only want just long enough to see analytics on
      // repeat visits. Instead, limit to 31 days. Field is in seconds:
      // 31 * 24 * 60 * 60 = 2678400
      'cookieExpires': 2678400,
      // We don't need a cookie to track campaign information, so remove that.
      'storeGac': false,
      // Anonymize the ip address of the user.
      'anonymizeIp': true,
      // Always send all data over SSL. Unnecessary, since the site only loads on
      // SSL, but defense in depth.
      'forceSSL': true});
  // Now, record 1 pageview event.
  ga('send', 'pageview');

amichal  7 years ago

Also:

> When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case.

https://support.google.com/analytics/answer/2763052?hl=en

  • marichards  7 years ago

    Why do we trust this statement? It's coming from a company that plays loose with the law and has had some of the biggest fines ever thrown at it. Sorry, but with no way to validate this claim, it is meaningless.

    • amichal  7 years ago

      I'm just quoting them.

      I'm well aware that all we have is "certification" and "audit" programs to verify their claims. I am also that these are less then perfect and they have been found out to misleading/"lying" before and appeared to prefer large fines rather then fix the the issue. It is 100% likely that their public statements don't match reality perfectly.

      I posted the quote because there seemed to be a lack of understanding that this feature even exists in GA. The author of the Show HN post didn't even have a statement on how IP address logging (and various other PI in the GDPR sense) was handled when it was originally posted.

      BTW, I think it's great that someone is starting fresh with privacy in mind but even with them we will still no way of trusting what they do with the packets sent their way...

jandrese  7 years ago

Google doesn't need cookies. They can profile your browser and check the source IP to track you around the web. Given that Google's business is information, it seems unlikely that they aren't doing this very easy form of tracking.

  • eli  7 years ago

    That's harder than it sounds and, anyway, they say they don't do that. It would be a pretty big deal if they were lying.