Security Concerns with Google Analytics: Q&A with the Gurus

We recently received the following question from a reader:

I recently joined the Advancement/University Marketing team as the person to lead the way regarding the web. I am being tasked with improving college & department websites, and I am taking it upon myself to also enter the realm of social media, and trying to get better web analytics information. I would like to have the web development team install Google Analytics across the site. The implementation is easy enough, but I am hitting resistance. The primary reason is one of security, by allowing Google Analytics on the site we are opening ourselves up to a potential security breach where Google can read/write/record and change any of our security credentials. I had not heard this before. The question: Are the concerns of the web development team legit? What are some strong reasons to use Google Analytics?

Great question, right?

The Guru Answer

This is a real concern, and I know many universities that cannot use Google Analytics.  The reality is Google has all sorts of information about you anyway.  We have written many posts about Google over the years, but two posts stand out as relevant to this subject.

If you’ve heard of little things called Google Toolbar, Google Search and Gmail then you are probably already aware that Google can figure out a lot about a person.  Between the three of them, Google knows a lot and the least we can get back from them is some information to help us make better informed decisions.

The first thing I would tell your folks is that if issues aren’t a concern for the folks at CalTech, MIT, or RIT - some of the premiere technology institutions in the country then you are probably okay. Dozens and dozens of other top tier institutions also use the free service.  Google Analytics is used by 57% of the 10,000 most popular websites. If you feel the need to be antagonistic, you can always ask your people what they know that maybe professionals at these places don’t.  Tell them to do a security audit of the service.

Another thing you don’t see is people abandoning the service for others because of egregious security holes. With the number of sites using it, if vulnerability existed, it would be known in a matter of moments. But that hasn’t happened. There are no stories of sites being hacked or hijacked en masse because they used Google Analytics. That’s because, basically, you can’t.

Ultimately, yes, if you put trust in any third party JavaScript, there is some level of risk involved. So the risk value is not zero. But note I said ANY third party. Regardless of who you use for analytics, if you are using a third party service and hot linking their tracking script, you face the similar issues, all of which stem for the potential of the script to be hijacked. Any hijacked JavaScript can potentially be used to sniff logins, cookies, and session data from users, and also manipulate the DOM of the page the user is on.

The only “safe” thing is to just use server log analysis, but that’s also not nearly as good. And if you’re already using JavaScript on your site, then you pretty much have the same risks without Google Analytics that you would with it.

Hopefully these tips and advice compiled from emails from Director of Web Marketing and me give you a pretty clear picture.  Google Analytics as a security concern should be the least of your worries.

Check out a compilation page of everything related to web analytics for higher education that we have compiled.

3 Responses to “Security Concerns with Google Analytics: Q&A with the Gurus”

  1. Says:

    We’ve had similar push-back at our institution due to Google’s rather ambiguous privacy policy. We actually had to amend our own privacy policy to be able to use Google Analytics.

    Prior to this we were using another Google-owned entity, Urchin, for analysis. This is an option if you need to keep your data in house, though it is much less user-friendly in my opinion.

    As for using MIT, RIT, CalTech, etc. to show other schools that don’t have an issue with using Google Analytics, this has proven problematic as well in my experience. No matter how you slice it, the security and privacy issues still remain, and your IT team is likely to bring that up (as they should).

    That said there are simply no better, more user-friendly, robust (and free) services out there that can compare to Google Analytics, so don’t give up :)

    • Says:

      Good points Devin. This is one of those rare exceptions where you get what you pay for… except the only cost has no real monetary value.

    • Says:

      To truly optimize a school’s website and marketing efforts, data is critical. Working on the marketing side I have seen very similar push back, and to prove the value of analytics (Google or otherwise) I tend to structure my conversations with schools this way:

      Analytics -> Data -> Valuable User Information -> Website Insight -> Informed Decisions -> Increased ROI

      Granted this is a simple way to look at it, but it gets the message across very clearly because it defines the pain point and present analytics as the solution. By the end of the conversation we’re talking about what needs to be done for implementation, not why we can’t.

      I agree with Devin that it’s good if you get a little resistance from IT departments. It’s their job. But at the same time, it’s my job, as a marketer, to make sure that all of my clients are seeing a strong ROI. I can’t do this with out data.