Web Analytics: A Fancy Way of Saying You Have a Blue Ribbon Winning Bloodhound Tracking You
June 18, 2020
DarkCyber is easily confused. Every day brings more incredible cyber security marketing hoo-hah. And each day more incredible security issues come to light. A good example was the Wall Street Journal’s story “Russian Hackers Evaded Firms’ Detection Tools”, Wednesday, June 18, 2020. Yeah, those cyber tools are special.
The story “Lightweight Alternatives to Google Analytics” is a helpful round up of digital bloodhounds. If you are looking for ways to make sense of Web site log files, you can work through the snapshots of such systems as GoatCounter, Plausible, Simple Analytics, and Fathom.
The intriguing segment of the write up is, in DarkCyber’s opinion, this statement:
Google tracks and stores a huge amount of information about users.
A 2018 paper [PDF] by Douglas Schmidt highlights the extent of Google’s tracking, with location tracking on Android devices as one example:
Both Android and Chrome send data to Google even in the absence of any user interaction. Our experiments show that a dormant, stationary Android phone (with Chrome active in the background) communicated location information to Google 340 times during a 24-hour period, or at an average of 14 data communications per hour.
The paper distinguishes between “active” and “passive” tracking. Active tracking is when the user directly uses or logs into a Google service, such as performing a search, logging into Gmail, and so on. In addition to recording all of a user’s search keywords, Google passively tracks users as they visit web sites that use GA and other Google publisher tools. Schmidt found that in an example “day in the life” scenario, “Google collected or inferred over two-thirds of the information through passive means”.
Schmidt’s paper details how GA cookie tracking works, noting the difference between “1st-party” and “3rd-party” cookies — the latter of which track users and their ad clicks across multiple sites:
While a GA cookie is specific to the particular domain of the website that user visits (called a “1st-party cookie”), a DoubleClick cookie is typically associated with a common 3rd-party domain (such as doubleclick.net). Google uses such cookies to track user interaction across multiple 3rd-party websites. When a user interacts with an advertisement on a website, DoubleClick’s conversion tracking tools (e.g. Floodlight) places cookies on a user’s computer and generates a unique client ID. Thereafter, if the user visits the advertised website, the stored cookie information gets accessed by the DoubleClick server, thereby recording the visit as a valid conversion.
Because such a large percentage of web sites use Google advertising products as well as GA, this has the effect that the company knows a large fraction of users’ browsing history across many web sites, both popular sites and smaller “mom and pop” sites.
In short, Google knows a lot about what you like, where you are, and what you buy. Google does provide ways to turn off features like targeted advertising and location tracking, as well as to delete the personalized profile associated with an account. However, these features are almost entirely opt-in, and most users either don’t know about them or just never bother to turn them off. Of course, just switching away from GA won’t eliminate all of these privacy issues (for example, it will do nothing to stop Android location tracking or search tracking), but it’s one way to reduce the huge amount of data Google collects. In addition, for site owners that use a GA alternative, Google does not get a behind-the-scenes look at the site’s traffic patterns — data which it could conceivably use in the future to build a competing tool.
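The 1st-party versus 3rd-party cookie distinction in the quoted passage, as an added example that is not part of the quoted article or of this post: a toy browser cookie jar shows why a cookie scoped to one common ad domain links visits across sites, why per-site cookies do not by themselves, and what blocking third-party cookies changes. The site names, the `ads.example` domain (standing in for a common 3rd-party domain) and the IDs are constructed; the model covers cookie scoping only, not what a collector does with data sent to it.

```javascript
// Toy browser model: a cookie jar keyed by the domain that set the cookie.
// All site names and IDs are constructed for illustration.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map();          // cookie domain -> client ID
    this.blockThirdParty = blockThirdParty;
    this.nextId = 1;
  }
  // Return the ID stored for cookieDomain, minting one on first contact.
  cookieFor(cookieDomain, topLevelSite) {
    const thirdParty = cookieDomain !== topLevelSite;
    if (thirdParty && this.blockThirdParty) return null; // never stored or sent
    if (!this.jar.has(cookieDomain)) this.jar.set(cookieDomain, `id-${this.nextId++}`);
    return this.jar.get(cookieDomain);
  }
}

// Visit each site; every page embeds a first-party analytics tag and a
// third-party ad tag served from adDomain. Returns what each cookie exposes.
function browse(browser, sites, adDomain = "ads.example") {
  const firstPartyLog = [], thirdPartyLog = [];
  for (const site of sites) {
    // First-party cookie: scoped to the visited site itself.
    firstPartyLog.push({ site, id: browser.cookieFor(site, site) });
    // Third-party cookie: scoped to the ad domain, sent from every embedding site.
    thirdPartyLog.push({ site, id: browser.cookieFor(adDomain, site) });
  }
  return { firstPartyLog, thirdPartyLog };
}

// Group a log by ID: the sites that one cookie value ties to a single browser.
function linkedSites(log) {
  const byId = new Map();
  for (const { site, id } of log) {
    if (id === null) continue;     // no cookie, nothing to join on
    if (!byId.has(id)) byId.set(id, []);
    byId.get(id).push(site);
  }
  return [...byId.values()];
}

const sites = ["news.example", "shop.example", "blog.example"];
const defaultRun = browse(new Browser(), sites);
const hardenedRun = browse(new Browser({ blockThirdParty: true }), sites);
console.log("first-party IDs link:", linkedSites(defaultRun.firstPartyLog));
console.log("third-party ID links:", linkedSites(defaultRun.thirdPartyLog));
console.log("third-party cookies blocked:", linkedSites(hardenedRun.thirdPartyLog));
```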
A paywall may be protecting this write up. Nevertheless, if the information in the passage quoted above is accurate, Google’s senior management may have to do some explaining as the company executes some “Dancing with the Stars” footwork if regulators decide to dig into such assertions.
And the bloodhound, “Who me?” Woof.
Stephen E Arnold, June 18, 2020