: What are the security implications of using Google Analytics? I'd like to start using an analytics tool (namely Google Analytics) to collect information on how my web app is used, by whom, and
I'd like to start using an analytics tool (namely Google Analytics) to collect information on how my web app is used, by whom, and what our user's technical capabilities are. As part of the introduction of this tool, I'm going to be asked what the security implications are.
Does using Google Analytics pose any security concerns? Are there any PCI compliance issues that it might introduce? And if there are no unreasonable concerns, how can I document this? I have searched Google Analytics website, and have found a privacy statement, but not a specific statement of what information their tool collects, or how it is stored.
More posts by @Lee4591628
3 Comments
Sorted by latest first Latest Oldest Best
Do not use GA or any 3rd party script source if I-security would be a concern. Don't be a follower, don't take the easy solution route, and don't rationalize that it would be alright if it 'probably' would be alright.
The bottom-line reason is that you yourself cannot guarantee your website's security when using a 3rd party script reference. This is the Federal standard as well as that of almost all, if not all, State web security policies. Do not be sidetracked from State/Federal government statements making it appear as though GA would be safe or acceptable. Look for the core policies, note contradictory policy statements, and keep your commonsense in the forefront. That is what I had to do for my State as a website manager and have gotten support from our agency's chief of security after referencing policy. He was IT-savvy enough that I neither needed to fill in many gaps nor connect many dots to win his understanding and support.
The data officially is owned by the Google Analytics account administrator, as stated on support.google.com/analytics/answer/6004245?hl=en under account administrator control over data section.
When working on this similar initiative for an enterprise, I have utilized their IT information management ISO certifications 17021 and 27006. You can grab a valid certificate at storage.googleapis.com/support-kms-prod/8E2BD7B74E99E08E0E4F9FA870E49092BFE4
When considering Google employee's own access to user data, it's covered under their "Employee Access Controls and Procedures" document, but I assume is internal use only and can't find a copy. The closest supporting document I found is in reference to their Google Apps for Business product, found here static.googleusercontent.com/media/www.google.com/en/US/work/apps/business/files/google-apps-security-and-compliance-whitepaper.pdf
To use Google Analytics, you have to insert a JavaScript snippet into the page that is served by Google. This gives Google the technical opportunity have this JavaScript do anything to your page or with your visitors. You certainly have to trust Google. You also have to then trust that this code isn't altered in transit. You have to trust that Google secures its infrastructure.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.