search

kotmyrevich / analytics-issues

Automatically exported from code.google.com/p/analytics-issues
0 stars 0 forks source link

Disable/enable measurement protocol switch on property level #628

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
---------------------------------------------------------------------------
NOTE: This issue tracking system is for Google Analytics developer products
only.
If you are not a developer/programmer visit:
http://www.google.com/analytics/support.html
---------------------------------------------------------------------------
Name of related component: Measurement Protocol

Request summary:
Everybody is aware to the breach caused my measurement protocol (a.k.a MP), 
enabling people to push random hits to your account and add spam referrals to 
your referrals list. An on/off switch on property level will stop this spam 
from being collected to 99% of websites which do not use MP at all.

Original issue reported on code.google.com by as...@quickwin.co.il on 5 May 2015 at 8:07

GoogleCodeExporter commented 8 years ago 
Default value should be "Off" of course.

Original comment by as...@quickwin.co.il on 5 May 2015 at 8:09

GoogleCodeExporter commented 8 years ago 
I suggested the same via security google bug form.
Normal analytics.js library make request in the same way as measurement 
protocol.
Measurement protocol used almost everywhere (in GA too. Google measure what 
users do in the GA in their GA...).

Possible solution:
hash parameters (you are already using hashes in Google search to measure data)
Add switch in the GA settings on/off (some unique secret key + enable, disable 
switch)
Recognise source (from js library, direct request etc and allow to filter by 
this in the GA view)

BTW.
In Google Tos "Google Analytics customers are prohibited from sending personal 
information to Google."

In google measurement protocol policy "
You will not upload any data that allows Google to personally identify an 
individual (such as certain names, Social Security Numbers, email addresses, or 
any similar data), or data that permanently identifies a particular device 
(such as a unique device identifier if such an identifier cannot be reset), 
even in hashed form.
If you upload any data that allows Google to personally identify an individual, 
your Google Analytics account can be terminated, and you may lose your Google 
Analytics data."

so it's a one of the attack/abuse scenarios.

Original comment by Kosmowsk...@gmail.com on 31 Jul 2015 at 10:30