Impact of Google privacy policy on web tracking

Google Analytics and DoubleClick

Since 2012 Google’s privacy policy does not prevent Google from using Google Analytics data  for its own business purposes. This means that Google can combine an IP address and User agent to track someone visiting several websites using Google Analytics. Google analytics covers up to 60% of the web and relies purely on first party cookies, IP address and user agent. This means that Google can track users on 56% of websites with a fairly good accuracy. If Google were able to combine tracking on websites using Google Analytics and DoubleClick, it could cover up to 80% of the web [1].

Changing Google Analytics domain name

Since October, Google offers a new service to Google Analytics customers allowing them to obtain aggregated demographic data about their visitors. To enable this feature a website only has to add a line to its privacy policy and to modify the URL of the script called by Google Analytics. The script shall no longer be called from “google-analytics.com” but from “doubleclick.net”. On any site that enables this feature, Google will be able to track users, and to associate data obtained by observing behaviour on other websites.

This small feature has a huge impact on Google’s tracking capabilities. Google is now capable of tracking users on many websites using its DoubleClick ID.

Deleting cookies won’t solve the problem

It means that if you delete your third party cookies, Google will still be able to re-establish the link between your old DoubleClick cookie and your new simply by using your analytics cookies which are first party cookies.

In October 2012, Goolge announced “Universal Analytics”, an upgrade of “Google analytics” enabling cross device tracking (I’d recommend reading this description of Universal Analytics features). With Universal Analytics, deleting first party cookies might not help either because Google could recognize you if you log in into a website.  Indeed, Universal Analytics assigns the same cookie to a user when they sign-in on a website. The cookie id is not set by Google but by the website editor, it means that Google will recognize you when you log in on a Universal Analytics website. Interestingly, the website can also transmit non-personally identifying information to Google such as your age and gender. In that case, Google could combine information you provided on your Google profile with information provided by a website using Universal Analytics. So Google will be able to compare information that you provided on your Google Web profile with information provided on Universal Analytics websites.

Thanks to Frederik Borgesius for reviewing a draft of this post.

[1] “Lukasz Olejnik, Tran Minh-Dung, Claude Castelluccia” , Selling Off Privacy at Auction

 

Leave a Reply

Your email address will not be published. Required fields are marked *