CVEProject / cve-website

The new CVE website

explore downsides of Google Analytics on cve.org #1187

Open ElectricNroff opened 2 years ago

ElectricNroff commented 2 years ago

A recent CVE program meeting had a discussion about click tracking that was, originally, completely unrelated to the cve.org website. However, at the end of that discussion, the conversation briefly considered whether use of Google Analytics on the cve.org website is consistent with the CVE program's values regarding user tracking.

Visits to the cve.org website normally result in sending data to www.google-analytics.com during page loads. No part of the cve.org website documents this behavior. The related documentation seems incorrect in some ways, e.g.,

https://www.cve.org/Legal/PrivacyPolicy

The https://www.cve.org/ and cveform.mitre.org websites do not presently use cookies.

but, in practice, multiple _ga cookies are used.

Also, https://policies.google.com/technologies/partner-sites says, in part,

For example, when you visit a website that uses ... analytics tools like Google Analytics ... your web browser automatically sends certain information to Google. ... Google uses the information ... to ... personalize content and ads you see on Google and on our partners' sites and apps.

In other words, information about visits to the cve.org website apparently becomes part of the profile that Google stores about a user's interests or activity. This profile would often be associated with one person or a very small number of persons (such as users of one Google account or one residential IP address).

If this is not desired, then Google Analytics might be replaced with a different solution for capturing usage metrics. The new solution could, for example, be one that offers a similar feature set (the simpleanalytics.com service might be one of these but this is not a recommendation and it's not necessarily a good match for the cve.org use case).

If prospective CNAs in other parts of the world (Europe, etc.) perceive that the main purpose, or one of the main purposes, of submitting CVE Records is for viewing on the cve.org website, and Google Analytics remains in use on the cve.org website, then it's possible that they would be less interested in joining the program, or might feel that joining the program poses a future regulatory risk in their jurisdiction.
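The observation above (page loads that pull scripts from www.google-analytics.com, and `_ga` cookies being set despite a policy that claims no cookies are used) is something a site owner can verify mechanically. The script below is an added example, not code from the issue or from the cve-website project: it parses an HTML document for script tags served from analytics hosts and inspects `Set-Cookie` headers for `_ga`-prefixed cookies, then reports whether the "no cookies" claim holds. The sample HTML and headers are constructed for the example; `googletagmanager.com` is included on the assumption that a GA4 deployment loads its `gtag.js` loader from there, and the `G-XXXXXXX` measurement id is a placeholder.

```python
"""Audit a page's HTML and Set-Cookie headers for Google Analytics usage.

Added example (not part of the CVEProject/cve-website issue): it checks
the two behaviours the issue describes, scripts loaded from Google
Analytics hosts and _ga cookies, against a privacy policy that claims
no cookies are used. Input is constructed sample data, not cve.org.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# google-analytics.com is named in the issue; googletagmanager.com is an
# assumption (GA4 typically serves its gtag.js loader from there).
TRACKER_HOSTS = ("google-analytics.com", "googletagmanager.com")

# Cookie-name prefix the issue reports seeing on cve.org.
ANALYTICS_COOKIE_PREFIX = "_ga"


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.script_srcs.append(value)


def _is_tracker_host(host):
    return any(host == h or host.endswith("." + h) for h in TRACKER_HOSTS)


def find_tracker_scripts(html):
    """Return script URLs whose host is (a subdomain of) a tracker host.

    Scheme-relative URLs (//host/path) are handled by urlparse; relative
    paths such as /static/app.js have no hostname and are ignored.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    return [src for src in parser.script_srcs
            if _is_tracker_host(urlparse(src).hostname or "")]


def find_analytics_cookies(set_cookie_headers):
    """Return the names of cookies in Set-Cookie headers that start with _ga."""
    names = []
    for header in set_cookie_headers:
        # The cookie pair is the first ';'-separated segment; name precedes '='.
        pair = header.split(";", 1)[0]
        name = pair.split("=", 1)[0].strip()
        if name.startswith(ANALYTICS_COOKIE_PREFIX):
            names.append(name)
    return names


def audit(html, set_cookie_headers):
    """Summarise tracker scripts, analytics cookies, and whether a
    'we do not use cookies' policy statement is consistent with them."""
    scripts = find_tracker_scripts(html)
    cookies = find_analytics_cookies(set_cookie_headers)
    return {
        "tracker_scripts": scripts,
        "analytics_cookies": cookies,
        # The policy claim only holds if no cookies at all were set.
        "no_cookie_claim_holds": len(set_cookie_headers) == 0,
    }


# Constructed sample page: one GA4 loader, one legacy analytics.js, one
# first-party script that must not be flagged. G-XXXXXXX is a placeholder.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body><p>sample</p></body></html>"""

# Constructed Set-Cookie headers: two _ga cookies plus an unrelated session cookie.
SAMPLE_SET_COOKIE = [
    "_ga=GA1.2.111111111.1600000000; Path=/; Max-Age=63072000",
    "_ga_ABC123=GS1.1.1600000000.1.0.1600000000.0; Path=/",
    "session=abc123; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, SAMPLE_SET_COOKIE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real deployment, the HTML would come from the served page and the headers from the HTTP response, and a non-empty `analytics_cookies` list or `tracker_scripts` list is the evidence to reconcile with whatever the privacy policy states.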

lanodan commented 2 years ago

Would warn that usage of Google Analytics is considered illegal by France and other countries: https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply

andrewpollock commented 1 year ago

(Full disclosure, I work for Google and IANAL)

Drive-by comment...

The related documentation seems incorrect in some ways, e.g.,

https://www.cve.org/Legal/PrivacyPolicy

The https://www.cve.org/ and cveform.mitre.org websites do not presently use cookies.

Based on https://www.cookielaw.org/the-cookie-law/ and the fact that the CVE Program is of global significance, complying with the EU ePrivacy Directive is probably something it wants to do...

lanodan commented 1 year ago

IANAL as well, that said: What they call the "Cookie Law" is a bit outdated or at least seems a bit irrelevant for Google Analytics.

The reason why Google Analytics went illegal at EU-scale comes from the GDPR, where automated processing of personal data typically needs consent and an adequate level of personal data protection[1], the latter of which the USA cannot get thanks to the Cloud Act and Patriot Act.

1: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en/