Loading ...
Sorry, an error occurred while loading the content.

4162Re: Odd things noted with Google Analytics

Expand Messages
  • webbanalys
    Nov 17, 2005
    • 0 Attachment
      Not upset the slightest, but a bit surprised to find an analyst who
      also is a helper. I guess it's safe to assume that you help all
      companies then, which will keep you very busy. ;-)

      If you think about it, a cookie which is named in a consistent way is
      very easy to search and destroy. The point is that the Google cookie
      is not something sent from the account users own server (this seems
      to be done in the JS code) but named as if it was. If you remove the
      __utma cookie in Firefox and select the "Don't let sites that set
      cookies to set future cookies", flush all cookies and then reload the
      same page guess what? All cookies are blocked from the domain. Result
      is opt-out is disabled since one can't reject the Google cookie alone.

      Example:

      some.com | __utma (google cookie)
      some.com | usersettings (websites own cookie)

      If the user selects the __utma cookie to be deleted and blocked as
      per above description, the "usersettings" cookie will also be
      blocked. So my point is obviously by doing this opt-out it will block
      all cookies from the domain.

      However had the collection been set up on a separate subdomain like
      stats.some.com, then that alone could be blocked by any user wishing
      to do so. But many vendors are unable to support this, and in cutting
      corners by injecting cookies as if from the same domain GA is
      effectively making opt-out impossible without impacting on ALL
      cookies from the same place. Of course these cookie can't be removed,
      the way it's implemented has an impact on the websites own cookie
      functionality. Not very smart.

      What I am saying with regards to IE having a higher level of security
      setting in the coming versions is that I would not be surprised if
      cookies called __utma (independent of domain) will be automatically
      blocked. With that setting MS would render the Google cookie useless
      given the simplicity to block it. Vendors not cutting corners by
      injecting cookies as if from the customers domain but using
      collection to a subdomain which issues FPC offer full opt-out
      functionality.

      That said, GA (and similar vendors) strategy in this regard is not
      good AND prohibits the EU law to work without having an impact in the
      websites own cookie usage. Still with me?

      My prediction is not that the web analytics industry will be hit by a
      blocking of cookies whose name starts with __, only the few vendors
      using dodgy cookie injection of this kind masking to be sent directly
      from the customer domain. I think it appropriate to name cookie
      injection as the 2nd part cookie, it comes with code on the page from
      the 1st party but is not theirs.

      No need to apologize if your intent wasn't to insult, forums are for
      exchanging views and facts.

      Rgds
      Fulton


      --- In webanalytics@yahoogroups.com, "Eric Peterson"
      <eric.peterson@g...> wrote:
      >
      > Fulton, see my comments >>> below ...
      >
      > --- In webanalytics@yahoogroups.com, "webbanalys" <webbanalys@y...>
      wrote:
      > >
      > > The lack of guidance is alarming, and has now put a lot of people
      > > into a position of breaking the law. I do however wonder why you
      > > would mention it, do you do consulting work for them?
      >
      > >>> I'm a helper. That's what I do. Does it upset you that I would
      > help Google? If so, why?
      >
      > > I think you are very wrong on the assumption that their cookie
      > > strategy is the least likely to be deleted. Just look at the
      naming
      > > convention, withtin a few weeks I predict that all anti-spyware
      > > applications will remove cookies containing ___ in their names no
      > > matter which domain they say they come from.
      >
      > >>> An interesting prediction. Suffice to say, I disagree with your
      > assessment but that's the great thing about this group ... it's okay
      > to disagree with each other as long as we're polite about it.
      >
      > >>> How about we wait a few weeks and see if "all anti-spyware
      > applications will remove cookies containing ___ in their names no
      > matter which domain they say they come from" (your exact words) to
      > test your prediction. That will be really easy to test since I
      > suspect that if they all did this, they would advertise "new and
      > improved to disable Google Analytics!" Or, you can visit a site
      known
      > to be using Google Analytics and then install all anti-spyware
      > applications to see if they recommend removing that site's cookie.
      > Either way, a pretty easy thing to test.
      >
      > > On the opposite a 1st party cookie with individual naming has a
      far
      > > better survavial rate, and that is a cookie that is sent from the
      > > collection point on amchine within the customers own domain. In
      > > theory all vendors can do this BUT why have so few? Simply
      because
      > > either their architecture isn't built to support it or they are
      > > cutting corners.
      >
      > >>> You lost me there. What are you arguing?
      >
      > > No matter how low the number of opt-out that occurs, it must be
      > > possible. If I were to opt-out from cookies from *.some.com then
      the
      > > regular cookies for user settings would also be disabled. Not a
      very
      > > smart move to disable the opt-out don't you think?
      >
      > >>> You've lost me there too.
      >
      > >>> I know how to opt-out of tracking by visiting the vendor's web
      > site (see for example
      > http://www.websidestory.com/privacy/cookie-opt-out.html at
      > WebSideStory) and I know how to block a cookie domain in my browser
      > (for example, using Firefox's Tools > Options > Cookies > Exceptions
      > list) but I'm not sure how to opt-out of all cookies from
      *.some.com.
      > Do you mean blocking cookies from *.some.com is not very smart? If
      > so, I agree with you, which is why I said that Urchin (and similar
      > vendors) strategy in this regard is particularly good.
      >
      > >>> In order to block Google's tracking cookie you have to also
      block
      > whatever cookie-dependent functionality the site has. Oh, allright,
      > maybe this is kinda "dodgy." Still, I suspect these cookies will be
      > removed less frequently than third-party and contractual first-party
      > cookies (but we've agreed to disagree on this point already, haven't
      > we?) That said, I'll add it to my list of things to study in 2006.
      >
      > > Finally it would not surprise me a bit if the next version of IE
      > > comes with a block on some domains as part of the medium security
      > > setting, if so then all outbound calls to the collectors running
      on
      > > domains not belonging to the customer would cause massive data
      loss.
      > > Not much love between MS and Google, is there? This could happen
      as
      > > well if companies like Websense block those domains as dodgy in
      their
      > > filtering product due to the fact that data is going to a generic
      > > collection point.
      >
      > >>> Hmm, so you're saying that Microsoft would block all any cookie
      > they determined to be from Google's tracking system? Or are you
      > saying that Microsoft might block all domains to known third-party
      > data collectors? Either way, a bold prediction, bold indeed.
      >
      > > For the customer who has used services that are using web
      analytics
      > > based on such limited solutions the massive dataloss will then be
      a
      > > nasty surprise. That if anything would put those running such
      systems
      > > out of business, not the entry of GA.
      >
      > >>> I agree with you that when companies realize how much data
      they're
      > losing from cookie deletion it comes as some surprise. But even I
      > don't think we're seeing "massive dataloss" and I'm the one writing
      > the damn reports. I think the problem is substantial and unlikely
      to
      > improve but not likely to become so aggrevated that nobody trusts
      web
      > analytics data.
      >
      > >>> My position on cookie blocking and deletion is and has always
      been
      > "accept that it is happening, correct for it if possible, quantify
      the
      > rate of deletion and get the hell back to work." My goal is to help
      > companies quantify the rate of deletion, something we're very close
      to
      > for third-party cookies and I'm working on for first-party cookies.
      >
      > > Must say I am a bit surprised you don't see this coming Eric.
      >
      > >>> Perhaps your predictions are a touch too bold for my flavor of
      > analysis. Let's touch base soon to test your prediction
      that "withtin
      > a few weeks I predict that all anti-spyware applications will remove
      > cookies containing ___ in their names no matter which domain they
      say
      > they come from" and see if the bottom has fallen out on the web
      > analytics industry. If this happens, I'll gladly apologize for
      > disagreeing with you in this public forum.
      >
      > > Rgds
      > > Fulton
      >
      > >>> All the best,
      > >>> Eric
      >
      > >
      > > --- In webanalytics@yahoogroups.com, "Eric Peterson"
      > > <eric.peterson@g...> wrote:
      > > >
      > > > I'm not up-to-date on cookie legislation overseas but it goes
      > > without
      > > > saying that any company deploying ** any ** analytics
      application
      > > that
      > > > depends on cookies needs to update their privacy policy
      > > accordingly.
      > > > I poked around at the Google Analytics site and didn't find any
      such
      > > > guidance but will suggest it next time I chat with those
      folks.
      > > >
      > > > Based on my research on cookies, the strategy Google Analytics
      is
      > > > using is the least likely to be deleted. It is not a third-
      party
      > > > cookie, it is not a contractual or mapped first-party cookie,
      it is
      > > a
      > > > true first-party cookie. Whether the cookie comes from the
      > > collection
      > > > domain or the site domain is a technical decision that each
      vendor
      > > > makes and is theoretically able to change.
      > > >
      > > > Perhaps from a transparency standpoint this is dodgy, but from
      a
      > > data
      > > > accuracy standpoint, this strategy is the recommendation.
      > > >
      > > > I have not seen any published data regarding how many Internet
      users
      > > > are opting out of tracking domains but given that opting-out
      > > requires
      > > > you at accept a cookie (so the system knows not to track your
      > > browser,
      > > > right?) and given that cookies are being deleted at some rate, I
      > > > suspect opting-out is far less likely than consumer use of
      > > > anti-spyware to "protect" themselves or occassional manual
      > > deletion.
      > > >
      > > > I mean think about it ... if you don't want to be tracked you
      have
      > > to
      > > > visit dozens of different opt-out pages (at each of the
      vendors) and
      > > > every time you delete your cookies you have to repeat that
      action?
      > > >
      > > > Unlikely, in my opinion.
      > > >
      > > > If the GA code is removed, the cookies may remain but are
      certainly
      > > > rendered useless.
      > > >
      > > > Eric Peterson
      > > >
      > > >
      > > >
      > > > --- In webanalytics@yahoogroups.com, "webbanalys"
      <webbanalys@y...>
      > > wrote:
      > > > >
      > > > > I've found some odd things going on with Google Analytics
      (GA),
      > > and
      > > > > one of them is connected to the statement Eric made that GA
      uses
      > > 1st
      > > > > party cookie (FPC). It seems that GA DOES NOT send FPC from
      the
      > > > > collection domain at all. Instead the code will perform the
      > > function
      > > > > of sending cookies looking as if they were from the website
      > > domain
      > > > > itself! If I am wrong then please correct me.
      > > > >
      > > > > It seems as if a massive amount of websites not using cookies
      > > before
      > > > > now are sending out 4 new ones and thus as a result not
      following
      > > the
      > > > > law which states the following (at least for us in Europe):
      > > > >
      > > > > EU-directive 5.3 on integrity and communication, every
      visitor to
      > > a
      > > > > website containing cookies is entitled information:
      > > > >
      > > > > * that the website contains cookies,
      > > > > * how these cookies are used,
      > > > > * how cookies can be avoided.
      > > > >
      > > > > Even worse is that if users select to opt out to avoid the GA
      > > > > generated cookies then ALL cookies from the domain in
      question
      > > will
      > > > > be blocked, even the ones that are used to keep user details
      and
      > > > > enhance website functionality!
      > > > >
      > > > > If the GA code is removed the created cookies will remain,
      and
      > > one
      > > > > actually is set to last until 2038. Given the recent coverage
      on
      > > > > users deleting cookies this adds fuel to the fire, sending
      > > cookies in
      > > > > this fashion is rather dodgy.
      > > > >
      > > >
      > >
      >
    • Show all 20 messages in this topic