This repository has been archived by the owner. It is now read-only.

Not blocking google analytics ? #298

Closed
arthurlogilab opened this Issue Feb 11, 2015 · 17 comments

Comments

Projects
None yet
8 participants
@arthurlogilab
Copy link

arthurlogilab commented Feb 11, 2015

For example on http://httpbin.org/ privacybadger only reports blocking tag.perfectaudience.com, not googleanalytics (which is also used).

@cooperq

This comment has been minimized.

Copy link
Contributor

cooperq commented Feb 12, 2015

Unfortuantely privacy badger's heuristic doesn't recognize google analytics as a tracker because they don't use any third party cookies. Google analytics relies only on first party cookies. We are working on some improved heuristics though which may start blocking google analytics.

@skorokithakis

This comment has been minimized.

Copy link

skorokithakis commented Aug 11, 2015

Is it a bug, if they don't use third-party cookies? Meanwhile, can I just block them manually everywhere?

@cooperq

This comment has been minimized.

Copy link
Contributor

cooperq commented Aug 11, 2015

Exaclty, they don't use third party cookies so this works as expected. And yes, you can block them anyway by moving the slider to red.

@cooperq cooperq removed the site-bug label Aug 17, 2015

@Garve

This comment has been minimized.

Copy link

Garve commented Aug 23, 2015

Worked for me without sliding it to red, a least in the Firefox version. In Chrome it didn't work automatically for me.
pb

@cooperq cooperq closed this Aug 24, 2015

@MichaelTunnell

This comment has been minimized.

Copy link

MichaelTunnell commented Sep 10, 2015

I do not think this is a bug they shouldnt be blocked because they are not doing third party tracking...they are doing first party tracking.

http://www.openwebanalytics.com/ looks very interesting though so I am going to look into this.

cynthiatekwe pushed a commit to cynthiatekwe/privacybadgerfirefox that referenced this issue Oct 7, 2015

Merge pull request EFForg#298 from EFForg/cookieblock
lots of domains to add to the cookie block list
@antistress

This comment has been minimized.

Copy link

antistress commented Oct 28, 2015

Sorry, I don't understand. If i go on a given site not related with Google and that Google analytics does some... analytics (=tracking), whereas I'm not a Google analytics, how could this be 1st party tracking ? Isn't the definition of 3rd party tracking ? Thanks !

@antistress

This comment has been minimized.

Copy link

antistress commented Oct 28, 2015

I wanted to write : "whereas I'm not a Google analytics user", sorry

@skorokithakis

This comment has been minimized.

Copy link

skorokithakis commented Oct 28, 2015

Third-party tracking cookies are cookies that are shared between websites. If you visit a.com and GA can read its cookie from a.com or b.com, that's third-party tracking.

@MichaelTunnell

This comment has been minimized.

Copy link

MichaelTunnell commented Oct 28, 2015

@antistress Google Analytics is not considered a 3rd Party because the website you went to made the decision to run the tracking.

Google Analytics provides usage details to websites including visitors, unique visitors, bounce rate, and much more so it is a very popular service that websites use in order to gauge the amount of users/visitors they have and their engagement with the site.

For example: if site GitHub.com wants to use Google Analytics (which it does btw) they would pro-actively put the code in their website. This means that a 1st Party (the website you visited) loaded the script for tracking data. This data is used to understand user engagement and is now a necessity in website development. (though of course it could be ran through a different service)

Google Analytics is exempt, at least for now, because it is in fact a 1st Party Tracking service.

@skorokithakis that is not what it means, any data could be shared between websites in fact some data is shared by default, such as Referrers. 3rd Party means that you chose to load some kind of script from a separate party (this is still 1st party) but that separate party decided to load more scripts that the website didn't choose to load.

A = user | B = website you wanted to visit | GA = Google Analytics | 3P = 3rd Party Scripts

If A were to go to B and B decided to use GA then that is a 1st Party decision because A chose to go there and B chose to use GA. (both A and B are 1st Parties)

If A were to go to B and B decided to use GA and then GA decided to use another service (3P) then GA would still be 1st Party, thus allowed, but that service GA tried to load would be blocked because that would be 3rd Party.

@cypherpunk

This comment has been minimized.

Copy link

cypherpunk commented Oct 28, 2015

@cooperq
Are you saying that a 3rd party website (and Google Analytics is definitely a 3rd party website for @arthurlogilab) is only considered to be a "tracker" in PB if it sets cookies?

If yes, is this still the case in PB v1.0.2 & v1.0.3?

That would allow a 3rd party website to run arbitary Javascript and implement pervasive Javascript/CSS/Canvas-based fingerprinting techniques and still not be considered to be "tracking" users who are probably unaware of - and certainly did not consent to - the 3rd party website's actions.

@MichaelTunnell

Google Analytics is not considered a 3rd Party because the website you went to made the decision to run the tracking.

That same argument would also permit many (any?) pernicious forms of tracking and malvertising because the website made the decision to run the tracking and/or malvertising.

Google Analytics is exempt, at least for now, because it is in fact a 1st Party Tracking service.

Google Analytics is a 3rd party tracking website. The user did not choose to visit or otherwise interact with Google Analytics.

Whether or not Google Analytics is useful (or benign) to the visited website and user is orthogonal to it's status as 3rd party website.

3rd Party means that you chose to load some kind of script from a separate party (this is still 1st party) but that separate party decided to load more scripts that the website didn't choose to load.

No. 3rd party means that the website a user visits chooses to load resources from a separate party. It is from the perspective of the user not the website.

@cypherpunk

This comment has been minimized.

Copy link

cypherpunk commented Oct 28, 2015

@skorokithakis

Third-party tracking cookies are cookies that are shared between websites. If you visit a.com and GA can read its cookie from a.com or b.com, that's third-party tracking.

The "same origin" policy means user agents such as web browsers should prevent a.com from accessing cookies set by b.com and vice versa.

Separately, GA has the concept of cross-domain tracking whereby the owner of multiple (perhaps otherwise unrelated) domains can consolidate them in GA. Relies on these domains cooperatively sharing visitor identifier data (same info contained in cookies) to bypass the "same origin" policy's restrictions.

@Osteri

This comment has been minimized.

Copy link

Osteri commented Nov 3, 2015

@cypherpunk I've found RequestPolicy + PrivacyBadger combination and in my opinion PB should include RP by default.

What is the advantage of using Privacy Badger vs. completely disabling 3rd party cookies in your browser if sites such as GA are not being blocked in PB by default?

Privacy badger name is quite misleading if you're seeking it to protect your digital rights.

@MichaelTunnell

This comment has been minimized.

Copy link

MichaelTunnell commented Nov 3, 2015

@Osteri without some kind of usage tracking, websites will have no data in order to improve their content. Are you against GA because of the tracking in general or because Google is the one doing the tracking?

@Osteri

This comment has been minimized.

Copy link

Osteri commented Nov 3, 2015

@MichaelTunnell I'm not against user analysis in websites when they are doing the analysis inside their own system. I'm against user analysis which is done by a distributed system such as GA.

@MichaelTunnell

This comment has been minimized.

Copy link

MichaelTunnell commented Nov 3, 2015

ok great so you would agree, @Osteri , that something like http://www.openwebanalytics.com/ would be ideal for both site and users?

@cooperq

This comment has been minimized.

Copy link
Contributor

cooperq commented Nov 6, 2015

@Osteri I think there are a few different ideas being conflated here, let me see if I can clear up some of the confusion.
On the web, when we talk about a third party what we mean is any resource requested from a different domain than the one that is in the URL bar.
So, for example nyt.com is loaded on newyorktimes.com it is a third party even though they are both controlled by the same entity.
And yes, when google analytics is loaded, the javascript is loaded from a first party domain (google-analytics{dot}com). However, because of the way that the script is loaded, it runs in a first party context. Meaning that all of it's cookies and any other storage are keyed to the first party domain (e.g. example.com). What this means in practice is that your google analytics cookie on example.com is not the same as your google analytics cookie on github.com. Since the cookies are all owned by the first party, this is known as first party tracking, and since privacy badger only looks at third party cookies, it does not block google analytics.
Now, if the script tries to do other things, such as canvas fingerprinting, privacy badger will identify that the script is doing such and block it. I suspect that this is why analytics is blocked in chrome but not firefox (some difference in how it treats different browsers).
You are of course always able to instruct privacy badger to block google analytics if you disagree with privacy badger's decision not to block it.

@Osteri

This comment has been minimized.

Copy link

Osteri commented Nov 7, 2015

@cooperq Yes, but still, even though they are different cookies, nothing prevents GA from tracking you based on your IP-address.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.