Privacy and cookie policy

Opinion: Google Analytics – security and sanity – is yours telling the truth?

by NMA Staff 19 October 2012 00:00 0 comments Print

Matt Stannard, CTO, 4Ps Marketing

In the last month, Tesco came under criticism from security experts for not using the Secure Socket Layer (SSL). This idea that passwords may be being stored insecurely by such a prominent household name raises the question as to how much emphasis firms put on data security and sanity as a whole.

In the Tesco example, security experts argue that if a system can email a user’s password to them, it is stored with reversible encryption (if, indeed, it is encrypted) making user data somewhat vulnerable, and that one-way cryptographic hashes should be used instead. Google have tried for some time to encourage users to use multi stage authentication.

SSL is something Google has been pushing and its search engine now defaults to the secure version for signed-in users, preventing keyword data being passed to websites.

So where else may sites be compromising on data security?

As strategic digital marketers we regularly look at data collected by web analytics packages such as Google Analytics, Omniture, DC Storm or CoreMetrics, as do millions of other users. Just how reliable is this data and how secure is it?

In terms of reliability, it is important to stress that some of this does depend upon how well the tracking code has been set up on a site and, indeed, whether there are any JavaScript syntax errors.

Looking at it from a security perspective is interesting. In terms of the actual Analytics account itself, it is probably pretty secure unless an unsuitable password is used. The data collected, on the other hand, is perhaps less secure. The reason for this is the way in which tracking beacons work.

Let’s look at Google Analytics for example. Google Analytics is a JavaScript package; this means it runs client side. By this, I mean the code is downloaded and executed by a user’s web browser.

The code below is a typical Google Analytics signature, one for the 4Ps Marketing website in fact. On the face of it, this doesn’t look insecure. I can, however, paste this code and execute it on any website, and if the analytics profile wasn’t set up correctly, the 4Ps Marketing website would start recording information that was not relevant, thus making reports inaccurate.

<script type=”text/javascript”>

var _gaq = _gaq || [];

_gaq.push([‘_setAccount’, ‘UA-4532898-1’]);

 _gaq.push([‘_trackPageview’]);

(function() {

var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async = true;

ga.src = (‘https:’ == document.location.protocol ? ‘https://ssl’ : ‘http://www’) + ‘.google-analytics.com/ga.js’;

var s = document.getElementsByTagName(‘script’)[0]; s.parentNode.insertBefore(ga, s);

  })();

</script>

Perhaps of more interest is that rather than maliciously “spoof” traffic from site to site, JavaScript can be interrupted or executed in line with simple plug-ins for Google Chrome. This enables us to manipulate and even add additional information to be recorded by Google Analytics.

On the 4Ps Marketing website, we can pause the Google Analytics code using the built-in Script Debugger:

Add our own additional analytics code:

Which, after executing, feeds through to Google Analytics:

So, if this is the case with page tracking, does this hold true for e-Commerce tracking? Using the same technique as above, we can add some eCommerce tracking code:

Which, after executing, is recorded in Google Analytics:

On face value, it is quite unlikely that most individuals would take the time to pause code execution and edit the data passed back to Google Analytics, but it does show that it is possible.  Should a hacker wish to do so, they could distribute a plugin to maliciously “skew” data by injecting erroneous page views or orders.

Many organisations regularly report on the information within their Analytics package, which is why the web analytics team at 4Ps Marketing works with clients to review and sanity-check their data.  

When reviewing your data, ask yourself; does it make sense? In the ecommerce example, does dividing the item revenue by quantity give us the price of the item? This sounds like a simple sanity check but there have been examples of reports showing items retailing for £10.00 and being reported in a dashboard as worth £100.00.

As we rely more and more on data to facilitate and aid our decision-making processes, it is important that we understand shortcomings in collection mechanisms and are able to understand and check the picture it is painting. Technology will provide us with the raw data, but there will always be a need for the human question; does it make sense?

Elearning - digital training Find out more

The NMA Archive is the new home for new media age archived content.

Read more
Advertise here »

Job of the week

Most popular posts this month

Top Jobs

Most commented posts this month

Popular blog tags (by posts)

View all tags »

Register for FREE to get:

  • Free-market-research

    Free market research on digital marketing

  • Daily-pulse

    Daily Pulse: award winning newsletter

  • Career-guides

    Careers guides

It takes 30 seconds to register

Register for free