The wrong way to deal with privacy concerns · 2010-05-26 14:30 by Wladimir Palant

Generally, I am not the guy to pick on Google. I think that they usually bring out very solid (often brilliant) solutions and do a good job on the privacy front (meaning: far from perfect but significantly better than the competition). All the more surprising was their release of the Google Analytics Opt-out Browser Add-on which doesn’t quite live up to the expected quality. I had a look at the Firefox version and here is what I saw:

It doesn’t do anything whatsoever to prevent the Google Analytics script from being downloaded. Even with it installed, this script is still downloaded from Google’s servers which means that Google gets some data on you. And it could theoretically still set cookies (which it currently doesn’t, Analytics generally works with first-party cookies only). The extension sets a global variable and it is up to the script to check for its existence and obey (not send additional data to Google). While it currently does that and it is unlikely that this will change — this still requires users to trust Google thus defeating the entire purpose of such an add-on. What weights more for me personally is the fact that a website can easily override the global variable. So if a webmaster is really insistent on having each single user counted, he can still do it even if some users have this add-on installed.

I expect the versions for other browsers to work in a similar way, complete with placebo functionality. I can sort of understand why they had to implement it this way — if properly blocking the Analytics script were a requirement they wouldn’t be able to implement a version for Chrome any longer. And then there is the issue of websites that rely heavily on Analytics and break if that script is blocked — can only be solved by “redirecting” the request to a minimal local copy of the script without any functionality, again something that can only be done properly in Firefox. Still, until Google can come up with something better I recommend people to use Adblock Plus with EasyPrivacy filter subscription, that’s the easy and reliable solution (check the update below).

Update: Sorry, that last part wasn’t entirely correct — EasyPrivacy doesn’t block Google Analytics script either, due to many websites being broken without it as mentioned above. It only blocks the subsequent request to Google, effectively the same as Google’s add-on (minus the part where websites can influence that behavior). If you want to have it blocked entirely you should add ||google-analytics.com^ to your filter list manually.

Commenting is closed for this article.