Why Google is really offering an opt-out …

When I first saw the news of Google’s opt-out browser plug-in spread around Twitter I thought “hmm, I wondered when we’d see this” and moved on since opt-out is more or less an non-issue — basically because in the grand scheme of things nobody really opts-out. For all the hand-wringing and navel-gazing people do on the subject of privacy online, I have never, ever seen any data that indicates that web users actively opt-out of tracking in significant numbers.

Never.

If you have it, bring it on as I’d love to see it. But in my experience the only people really truly and actively interested in browser- or URL-based opt-out for tracking are privacy wonks, extreme bit-heads, and some Europeans. The privacy wonks and bit-heads are who they are and are unlikely to ever change; the Europeans have privacy concerns for other reasons but I will defer to Aurelie to try and make heads or tails of what those reasons are.

Still, it has been interesting to see some bright folks like Forrester’s Joe Stanhope offer some explanations about why Google might be doing this and what the ramifications might be. And it has been less interesting to see some of the fear mongering and hyperbole offered by Marketing Pilgrim’s Andy Beal in his post “Why your web traffic is going to nosedive thanks to Google” although I found Econsultancy balances things out with their straightforward and tactful post “Will opt-out threaten Google Analytics?”

What Andy, Patricio, and to some extent Joe, apparently didn’t notice is that Google Analytics is about to make a big, big push into Federal Government web sites, and this browser-based opt-out is just a check-box requirement to satisfy the needs of said privacy wonks who for better or worse have the Administration’s ear (or some body part, you choose!)

Yep, the browser opt-out isn’t actually for anyone … except for perhaps the Electronic Freedom (sic) Foundation and their ilk. Google is somewhat brilliantly checking a box now so that when the Office of Management and Budget (OMB) releases all new Federal guidelines for browser cookie usage later this year any Federal site operator who wants can immediately dump their existing solution and go directly to Google Analytics.

You do remember that Google Analytics comes at the amazing deficit reducing price of ABSOLUTELY FREE. Even a Republican can get his or her arms around that price tag, huh?

You betcha.

“Hey wait,” you say, “what about the fact that Federal web sites will probably never get permission to track visitors over multiple sessions?” Good point, except did you know you can override Google Analytics _setVisitorCookieTimeout() and_setCampaignCookieTimeout() variables and set their values to zero (“0″) which effectively converts all Google Analytics tracking cookies to session-only cookies?

Yep.

Not to mention that the little birds who sing songs in only hushed tones suggest that OMB is about to take a much more reasonable stance on visitor tracking anyway. This is not a done deal, but the situation that most Federal site managers work under today — one where many sites are more or less forced to use out-of-date log file analyzers and most are hamstrung in their ability to analyze multi-session behavior — seems to fly directly in the face of President Obama’s efforts to make government more transparent and effective.

I said as much just after he was elected, and then I said it again when I pointed out that Barack Obama should not fear browser cookies! Federal managers need modern, easy-to-use tools to improve the overall quality of government web sites.

Now, I could be wrong about all of this — I am human, and like Joe Stanhope I have not heard word-one from Google about the opt-out app — but I am pretty good at connecting dots and these are big, obvious dots:

Google loves data
Feds have tons of data
Feds have requirements necessitating privacy controls
Google builds privacy controls
Google gets Feds data

This is actually pretty brilliant of Google if you think about it. Assuming you’re with me in my belief that Google Analytics isn’t about AdWords or Analytics or anything other than Google’s desire to have all the world’s data, then you’ll surely see that providing Federal web site operators a web analytics solution that simultaneously solves a multitude of analysis problems AND saves money is, well, pretty freaking brilliant.

Don’t take my word for it. Here’s a list of sites in the .gov domain that people are tracking using our free, browser agnostic web analytics solution discovery tool. We have about 100 sites total, the majority of which don’t appear to have any kind of tracking code at all, and of these:

12% are using Google Analytics exclusively already
Another 3% are using Google Analytics with Omniture (1%) or Webtrends (2%)
6% are using Omniture (one, GSA.gov in tandem with Webtrends)
15% are using Webtrends (including GSA.gov in tandem with Omniture)
63% appear to have no hosted analytics of any kind

If I’m right the evidence will be obvious as more of these “no hosted analytics” sites begin to have Google Analytics tags. Sites like Census.gov, the EPA, FCC, FEMA, HUD, and even FTC might all start to take advantage of Google’s largesse (and willingness to provide a browser-based opt-out, don’t forget that!)

What do you think?

As always I welcome your thoughts, observations, reaction, and even anti-tracking-pro-privacy rants. If you are you a Federal site manager with insight to share but unable to voice your position publicly then out of respect I am happy to have you post anonymously as long as you provide a valid email address that I will confirm and then convert to “anon@anonymous.gov” to protect your identity.

Posted Saturday, March 20th, 2010 | 25 responses | Add a Comment | Share, Save or Email

Steve Jackson

Hi Eric,

You could be right about US govt sites, all sounds reasonable.

My immediate thought was that this might be a covering action by Google with regard to the possibility that the EU may enforce cookie opt-in.

Google has never had an opt-out function until now and by doing this they can say “well hey people can opt out from any GA tracking via their browser” where they couldn’t before.

If there are other added benefits like federal data access then it is indeed a smart move by Google.

My perspective on European privacy concerns is that it’s all about the education and Internet maturity of different markets. In Europe some markets fear it breaks their laws (Germany) or is invasive (UK – Phorm). High profile privacy violations and leaks make the news in Europe because standard tech journalists don’t understand the difference between a cookie and deep packet inspection with browser history mirroring tied to a cookie (phorm). The panic comes from the same variable….COOKIE!!!

When this makes the news it sensationalizes things and it gets out of hand. Politicians get written to and use privacy to serve their own political careers rather than acting sensibly in some cases.

It’s a cultural thing as well. I mentioned the UK & Germany – just comparing them to the US for a second shows the differences and why the problems exist.

The US is multi-cultural but you’re all US citizens and value freedom and competitiveness at the core of your nature (in my opinion). If privacy makes you less competitive then privacy will be adjusted where possible to suit competitiveness (like what Google or Facebook are doing – is that fair? again my opinion).

The Germans are detail orientated and if their laws or regulations are being compromised then they will either change the laws or enforce them depending on what is the most practical thing to do. The point being if the Germans have had a regulation then there had better be a superb reason to change the rule. This will be scrutinized carefully by detail orientated Germans. The information age makes that a global concern but the Germans have been doing that since they were German! And quite successfully thank you very many!

The Brits are a bit like the US but fiercely proud of their independence and resist the EU on all matters cultural, from losing the pound note to following the metric system (we still talk inches and ounces). Our American cousins lead the way but we follow cos it’s best for the Empire to follow; God save the Queen!

Getting legal & political agreement on anything in Europe takes a lot of discussion, has a variety of cultural values and legal history as hurdles. Getting agreement in the US is simply a matter of whether it makes financial sense to everyone concerned and doesn’t do any real damage (or real damage can be circumvented by introducing a new law).

I know it’s not as simple as that and I’m not saying the US is always driven by financial reasons but culturally speaking you don’t have multiple ancient histories or borders to worry about.

My hope is that by taking a stand on privacy concerns as Google have done (even if it’s for selfish reasons) they will help pacify the European markets and stop stupid laws like one I linked to (WSJ above) ever needing to be passed.

Best,
Steve

Fravælg at blive sporet af Google Analytics - Analytics Opt-out på vej | Webanalytiker.dk

[...] Ved at tilbyde en opt-out imødekommer Google altså potentiel kritik, uro og debat i både ud- og indland. Læs mere om denne del i Eric T. Petersons blogindlæg [...]

Lars J

I do think all vendors should offer the possibility to opt out, but I also believe that the only ones actively opting out are the ones who 1) has enough technical understanding and 2) are more or less paranoid. The vast majority of users don’t even consider that possibility that their actions may be analyzed.

Still, I definitely respect everyone’s right to privacy.

For that reason, and due to the fact the Germany was giving GA a ridicullously hard time, we built a small piece of code that website owners could use to offer their visitors the possibility to opt out.

Google Analytics opt out already available:
http://goo.gl/61mW

Personally, I’m confused that GA has been pointed out to be more “evil” than the rest. If anything their TOS limits the privacy risk more than most vendors.

As a sidenote, The Swedish Data Inspection Board has been using Google Analytics on its website for years. Their mission statement: “The Data Inspection Board is a public authority. Our task is to protect the individual’s privacy in the information society without unnecessarily preventing or complicating the use of new technology.”

Lars Johansson

Steve,

Two things to remember:

1) The Germans have singled out Google specifically. I don’t know that it’s about analytics as much as it is about finding any way possible to take a hit at Google. There are are other vendors who do not offer the possibility to opt out.

2) Authorities in the US seem to have *stricter* rules than their European counterparts (that I’m aware of) for their own websites.

Lee Isensee

Eric,

Interesting article but you are assuming that the government is focusing on hosted solutions where page tagging is utilized.

While GA does provide a very appealing offering – who can argue with free? – the government is still a data driven group and the idea of aggregated/sampled data is not very attractive in that model.

It is fair to assume that an opt-out solution such as Google’s recent addition is to help “check a box” but Omniture, Coremetrics and other vendors have made these available for years (http://www.omniture.com/en/privacy/2o7 or http://www.coremetrics.com/company/privacy.php#optout). The move by a giant like Google does provide visibility to this matter but we have seen this in everything they do.

-Lee Isensee
Unica Corporation

Lukas Oldenburg

Here’s one of those strange Europeans (Germans) that is fighting with privacy fears and authorities that called Google Analytics and similar tools illegal. Your post is great, I agree with most, but you might speak a little less condescendingly about the privacy wonks, because they might look at this as a proof that web analysts don’t really care about privacy.

The fear remains that Google joins the cookie and IP data obtained through Analytics with the data obtained through its other services (Gmail etc.). With the mass of websites using Google Analytics, they COULD get pretty much complete and personal user browsing profiles. And the way you wrote it, this is the reason why Google has Google Analytics.

The way you put it, I don’t think anymore that the European “privacy wonks” (to use your terms) are the reason anymore why Google comes up with this browser plugin.
I was hoping for Google to react to the privacy authorities outlawing GA here.

But a browser plugin is not an answer to that. That will only make European privacy authorities laugh, and I don’t think Google is so stupid that they wouldn’t know about that.

Why is a browser plugin laughable?
1. There are already browser plugins that block Google Analytics cookies already, so if someone knows how to install browser plugins (which I think is a clear minority of users) can use Customize Google (downloaded by 10 million people already)) or (Counterpixel).
2. Asking the user to install a browser plugin if he doesn’t want his IP address and browsing behavior sent to Google – that is really plain ridiculous in the eyes of the privacy authorities, to whom tracking should have to be opted in.

Although I am not a privacy wonk, I also do not think that requiring a browser plugin to opt out is a user-friendly way to do it.

So I am still hoping for Google to react to this privacy stuff around here before the German lawyers start admonishing. Why don’t they just stop storing IP addresses for example?

Lars Johansson

Lukas,

Thank you for adding to the discussion. I assume you don’t find the possibility to opt out offered by Omniture and Coremetrics (mentioned above) sufficient either. Correct?

Maybe the best thing for people who are that afraid would be to avoid Gmail and Google search? There’s a search engine called Altavista that would really appreciate some traffic. ;)

On a more serious note, what would be an acceptable solution (in Germany)? Are Webtrends, Omniture, Coremetrics, Unica, etc. living up to it?

Cheers,
Lars Johansson

Alvin

The true victims of this “GA Opt-out” plan are those small-medium business who wants to optimize website and improve business through this free solution.

If Google truly care about user’s privacy, it should also allow users to opt-out of GMAIL, CHAT, GOOGLE SEARCH ENGINE through one click too.

I can see that once regular (non-technical) users are educated on this “opt-out” option, they will definitely go for it. If we trace back to the history of firewall and other security settings, we know that majority of these regular users try hard to protect their privacy. This ten-year-old article below showed that majority of American internet users wanted privacy but did not understand the mechanism. If Google starts educating its users and making it easy to opt-out through one click (without deleting cookies, etc), GA will lose its business value very soon.

(http://articles.sfgate.com/2000-08-21/business/17657687_1_internet-users-internet-companies-pew-internet)

Steve Jackson

@Lars

On your first point I don’t have evidence that Germany wants to bash Google but if you have more info then I’m all ears. I believe it’s because Google have the majority of Analytics implementations and Germans have focused their efforts on what they consider to be the biggest problem (rather than smaller vendors). The ubiquity of Google in Germany and as Lukas mentioned the possibility (all be it faint) to tie IP to Gmail which brings in potential PII problems.

On your second point I haven’t really seen the stricter regulations you’re talking about but again am all ears. Ok Privacy policies seem to be longer and have more lawspeak I’ll give you that but aside from that I don’t see it. Interested in a US opinion here.

Regardless though it doesn’t really matter whether they are stricter than Europe at the moment, the fact is that the US have unanimous agreement on privacy at a legal level, something Europe has still to settle.

How many legal perspectives do we have in Europe? 26? 27? Just getting the right people in the same room will take years! :)

I think the discussion should change to what we as analytics folks want in Europe actually rather than what individual nations or the EU are doing (or trying to do).

Personally I’d want Europe to accept cookies and IP tracking across sessions as the defacto standard whilst keeping complete privacy for PII. The only time PII should be passed is when the user has consciously logged in (IE Amazon).

Do Analytics people in Europe agree with the above?

Judah

Re: bitheads. One has always been able to opt-out of GA (or any other page tag based WA solution) on a PC by setting http://www.google-analytics.com to your loopback address (127.0.0.1) in your hosts file… ;)

Tim Evans

WebTrends offers the curiosity of an opt-out that uses a persistent cookie to remember not to remember the visitor on their next visit.

Alvin

@Tim – Do you have any info about that persistent cookie used by WebTrend?

I always wonder how the opt-out “immediately” take effect once users check that opt-out box. Persistent cookies for visitor (_utma) has two-year expiration period.

Thank you

Anonymous

For years, in internal communities federal web managers have been clamoring for persistent cookies to improve site metrics. A few have even succeeded in obtaining the high-level approval OMB requires to do so. And we never have enough budget to pay for something we can get for free – which is as much a reason as any other why so many federal agencies are still using web log analyzers. There’s no question that there will be a large movement to GA as soon as there is no longer any prohibition against using it. And those currently selling analytics solutions to feds have are well aware of this.

Google Analytics Opt-Out: Watching But Not Worried | Ask Enquiro

[...] had probably the most complete coverage of the issue, with some astute observations regarding Google’s privacy motives being tied to their interest in collecting data from US federal government [...]

Josh Braaten

Well I have to say I think you’re onto something. I’ve been waiting for someone really to cover this story but there hasn’t been a lot of fanfare. Mostly just the stuff that Beal and other have posted.

Google is always a few steps ahead of the game so I suspect you’re probably dead-on. Great post and insight!

Don’t do evil or follow the money? | Aurelie Pols at Web Analytics Demystified

[...] I read Eric’s blog post about why Google is really offering opt-out, it made me smile. As usual, he is controversial like no one can be – makes me kind of proud [...]

Brian Katz

Hi Eric

The fact that Google Analytics is not publishing comments on their announcement blog post is fuel for all sorts of speculation.

I wondered if it served to reduce the heat for Google’s refusal to obfuscate IP addresses in its databases (a separate issue from the fact that IPs are not reported and probably not stored by GA)

The crux of the German Laws is the transmission of IP addresses to 3rd parties and in some cases to foreign 3rd parties. I wondered if this opt-out plugin was a means of dealing with that issue.

As regards the Government Sites, it’s amusing to juxtapose their use of anonymous tracking with other types of surveillance all governments do.

I would suggest that no Government funds should be spent on web sites that are NOT tracked since it deprives citizens from voting on site content – Tracking sites is dEMOCRATIC:

http://blog.vkistudios.com/index.cfm/2009/2/23/Web-Analytics-Tracking-Website-Visitors-is-democratic

Thanks for your insights

Brian

Lukas Oldenburg

@Lars: Sorry, I didn’t read your post earlier. I am (unfortunately) not familiar with too many other web analytics tools, but I do know that there ARE certainly companies that offer solutions that are according to the German privacy law (Nedstat, etracker etc.).

Like Brian says, as long as the IP address is not being handed over to third-party companies outside the European Union (like Google), everything is fine (I am not a lawyer, but that’s how I understand it…). If you take this thought further, it makes it even illegal embedding a YouTube video on a web page, because that way the IP address is also being sent to a third-party outside of Europe (Google again). But I guess with youtube it is not that bad because it’s not on every page and probably doesn’t serve you as much as Analytics data if you want to generate a user profile based on browsing behaviour.

@Steve Jackson:
“How many legal perspectives do we have in Europe? 26? 27? Just getting the right people in the same room will take years! :) ”

==> This is true. Even within Germany, there are courts that have ruled GA and saving of IP addresses illegal and Courts that haven’t.

“Personally I’d want Europe to accept cookies and IP tracking across sessions as the defacto standard whilst keeping complete privacy for PII. The only time PII should be passed is when the user has consciously logged in (IE Amazon). Do Analytics people in Europe agree with the above?”

==> Well, the problem is that it seems like the opinion that probably has a slight majority of followers, at least in German law, is that IP addresses ARE Personally Identifiable Information. That’s why the whole problem occurs of sharing IP addresses with third parties without previous user consent. To me, that’s kind of hilarious, but then again, there are cases where criminals could be identified through to their IP address, so that is a tough question.

Best,
Lukas

Brian Katz

Tracking criminals with IP addresses requires a LOT more than even Google has:
See Paranoia, Murder and Google Analytics Cookies
http://blog.vkistudios.com/index.cfm/2009/2/3/Paranoia-Murder-and-Google-Analytics-Cookies

Google Analytics Opt-Out | BrettMBell.com

[...] Eric Peters suggests that Google are merely doing it merely to meet US government requires so Google Analytics can be used on federal websites. I suspect he may be correct. [...]

eric

Wow, I have been too busy to comment on folks comments but you folks are all excellent and thanks for your thoughts. I wanted to make sure you saw this:

http://techinsider.nextgov.com/2010/03/new_cookie_and_subaward_reporting_rules_april_7.php?oref=latest_posts

Basically the U.S. Office of Management and Budget (OMB) will be announcing the new cookie rules on April 7th. I can’t say for sure but I suspect this will be the beginning of the “Googleization” of analytics in the Federal Government. Time will tell.

nic

Hi,

another approach: A Google opt-out plugin for browsers offers Google the opportunity to install software on lots of computers.
If you use the Google toolbar, you probably have no concerns about privacy. But other people could be convinced to use maybe another Google service, if it’s convinient enough to do so.
So I assume, the plugin will get more and more different features regarding whatever services Google is offering.

so long
nic

Eric Feinberg

Fascinating post, Eric, and I believe accurate. Our government – and those little birds – deserve behavioral web analytics. If this is how 63% of our government agencies begin that journey then we are moving happily towards a culture of measurement.

That the OMB is “about to take a much more reasonable stance on visitor tracking anyway” is motivated in part by Obama’s memo from 1/21/09 about creating a Transparency and Open Government: http://bit.ly/dipBhM

And for those of us interested in tracking satisfaction with government agencies, there is the recent inaugural E-Government Transparency Index was published by ForeSee Results. Social Security Website Better Than Amazon, Google and Netflix! (Not kidding) http://bit.ly/aC525O

Phil - from London, UK

@Eric

Re: Why GA offering an opt-out…

I agree this is fulfilment of “tick boxes”;
* provide additional protection for users of Federal sites,
* pre-empt EU cookie laws, by adding opt-out (or opt-back-in) functionality,
* minimise exposure to privacy lawsuits

But, I would go further to say that it is necessary to ensure:
* user-trust
* user-choice
* user-transparency

Google only has one brand & the loss of trust in one Google product (e.g. Google Buzz) could have collateral damage on other products, such as Gmail, GA or the hole grail… Google Search.

Any plug-in or tools that re-enforce the walls around Google`s paid search cash cow is to be expected. The privacy dashboard was another step in this direction & more add-on such as this will follow.

I suspect that Google is trying to fend-off the FTC investigation into Buzz, they do not want this to expand into other products such as GA, orkut, youtube or Adwords:
“Federal Trade Commissioner Pamela Jones Harbour said technology companies are setting a dangerous precedent of publicly exposing consumer data”…”spokesman for Google said that the company cares about privacy, citing its creation of tools to help users understand & control information online”
blogs.wsj.com/digits/2010/03/17/google-buzz-exemplifies-privacy-problems-ftc-commissioner-says/

I have seen GA being used in 3rd party cookie mode, via an iframe increasing the need for an easy to use opt-out method:
status.twitter.com (utmz cookie domain gets set to tumblr.com not twitter.com)
http://www.tumblr.com/dashboard/iframe?src=http%3A%2F%2Fstatus.twitter.com%2F

Plus, their is a cross-domains cookie functions build into GA, which if combined with secondTracker can also be used in a similar way to a 3rd party cookie:
code.google.com/apis/analytics/docs/tracking/gaTrackingSite.html#multipleDomains

I suspect if GoogleWebSiteOptimiser is upgraded to allow for targeting of return visitors via the cookie (or optimising for visitor segments) then a stronger GA cookie the opt-out will be necessary.

Additionally, the new getVisitorCustomVar function allows for onpage behavioural targeting via the native ga.js
pageTracker._setCustomVar()
pageTracker._getVisitorCustomVar()
pageTracker._deleteCustomVar()
pageTracker._visitCode()

Anti-virus & anti-malware companies have historically not blocked or deleted the GA cookie, if the cookie starts being used for targeting they could flag it as a “bad cookie”… unless GA brings out options to easily control the cookie in the browser.

The FF add-on may be a prequel to browser integration; I wonder if the next version of Chrome or FireFox will come with a GA opt-out screen built into the software? (not just via the incognito mode)

Google have a FireFox extension for the DoubleClick opt-out, so the GA extension is probable a just re-purposed version of this code.
* google.com/ads/preferences/plugin/

Many other WA vendors already offer web-based opt-outs, so GA could be seen to just playing catch-up:
* DoubleClick: optout.doubleclick.net/cgi-bin/dclk/optout.pl
* YahooAnalyics: reports.web.analytics.yahoo.com/optout,OptOut.vm (analytics.yahoo.com 3rd party cookies only)
* Omniture http://www.omniture.com/optout (2o7.net & omtrdc.net 3rd party cookies only)
* Webtrends: ondemand.webtrends.com/support/optout.asp (script broken?)
* Coremetrics: data.cmcore.com/privacy/getCoreStatus.php
* NetworkAdvertising (DoubleClick + YahooBanners + other 3rd party cookies) http://www.networkadvertising.org/managing/opt_out.asp

Note: With the exception of Yahoo Accounts login, these preferences are lost if cookies are cleared. Hence the need for a FF extension, Browser integration or google toolbar method.

I have not seen the Beta FF extension, but I am interested to know…

* is urchin gif also blocked?
* is it a global setting or are individual sites blocked?
* does the FF extension also show the contents of the cookie, in an easy to read way (like wasp) or is it just an on or off button?
* is a new ga.js functions to deleteTrafficforVisitCode() going to be added to ga.js to prevent processing of a visitor gif request prior to opting-out, or it this technically not feasible?
* Is GA moving towards using the customerID rather than cookieID for tracking sessions visits across multiple browsers & devices, and would it integrate the opt-out with google accounts as Yahoo have done?
* How many ga-to-adwords imported conversion will be lost by introducing this tool & will this result in GoogleConversionOptimiser automatically reducing bid prices as a result?
* Will all GA webmasters need to update their privacy policy with a link to the opt-out FF extension, and would GA need to set-up a spider to check for the existence of this link?
* Would GA every be forced to introduce an adopt opt-in extension rather than an opt-out, and is this plugin a means to half-way silence the German bureaucrats?

Thanks

Phil (from London, UK).

Other Notes:

* Impact of the Buzz privacy crisis according to viralheat.com social analysis: (positive vs negative tweets over time)
cdn.mashable.com/wp-content/uploads/2010/02/googlebuzzprivacy.jpg
mashable.com/2010/02/22/google-buzz-graph/

* Slightly off topic, but I notice that within:
Internet Web Services Web Stats & Analytics

There has been a rise in searches for “google analytics login” over the last 30days in the UK. I saw a similar rise in “google adwords logins” last year, around the time when their was a bunch of adwords phishing emails sent out. So the tracking opt-out might be part of a wider policy to protect the google account login which uses the same username & password to access GA.
google.com/insights/search/#cat=675&geo=GB&date=today%201-m&cmpt=q

Making Better Decisions with Web Analytics | ePublish Media

[...] Why Google is really offering an opt-out … [...]

Add a Comment