About a month ago, the web counter and stat tracker for this site went under. No hit counter, no log of IPs, no search engine stats, nothin’.
A friend of mine once mentioned Google Analytics for use at our workplace as a way of tracking site views and such. So, I decided to try this out.
Now, being the (bored) geek that I am, I peruse license agreements before accepting them, and looking at this particular license agreement gave me pause when I came to this section (emphasis mine)…
3. MEMBER ACCOUNT, PASSWORD, AND SECURITY. To register for the Service, You must complete the registration process by providing Google with current, complete and accurate information as prompted by the registration form, including Your e-mail address (username) and password. You shall protect your passwords and take full responsibility for Your own, and third party, use of Your accounts. You are solely responsible for any and all activities that occur under Your Account. You agree to notify Google immediately upon learning of any unauthorized use of Your Account or any other breach of security. From time to time, Google’s (or its wholly-owned subsidiaries’) support staff may log in to the Service under Your customer password in order to maintain or improve service, including to provide You assistance with technical or billing issues. You hereby acknowledge and consent to such access.
As a user of the search engine, Gmail and Blogger (all of which use a single Google account), this statement was the deal-breaker. The agreement doesn’t say that support will be going into my account after first contacting me or only when I request it. “From time to time” could mean tomorrow for all I know, and what’s more, the agreement has no mention of how I’ll know support was in my account.
What makes giving Google carte blanche access to the account a dangerous risk is that the credentials I would use to access the analytics service are the exact same credentials I use to access my Gmail account and my Blogger account. The wording of the agreement seems to indicate that Google support would actually log into your account using your Google account username and password in order to provide support. So, should I agree to the User Agreement, I essentially say “yes, because I agree to have your software count web page hits and usage data on my site, you can fully access my Gmail account and one of my blogs.”
As someone whose job entails providing support to users for their Active Directory user accounts, logging in as someone else is only done with the user’s permission, and I always change the password to allow myself temporary access. GA’s license agreement does not specify in what way access would occur, and I’m not going to assume that the access I’m granting to Google is not going to be somehow abused by a technician with a vendetta or massive indifference. I’m looking at this with the worst possible scenario in mind, that being that there is a Google support technician out there that has access to either users’ passwords or the ability to change passwords, or has some other kind of “skeleton key”-type access into any arbitrary account and also has malicious intent. Should it ever come down to a breach of privacy occurring and some unfortunate Google user taking legal action against Google, Google’s lawyers would simply deny accountability by flashing this license agreement all over the courtroom, then take the rest of the day off.
I sent Google a note via their Privacy Form on 8/10/2007 and this is what I wrote…
Hello…
I have a concern about Google Analytics. While reading the User Agreement for Google Analytics, I came across this statement in the 3rd section:
“3. MEMBER ACCOUNT, PASSWORD, AND SECURITY. [...] From time to time, Google’s (or its wholly-owned subsidiaries’) support staff may log in to the Service under Your customer password in order to maintain or improve service, including to provide You assistance with technical or billing issues. You hereby acknowledge and consent to such access.”
Since my Analytics account has the same credentials as other Google services I use (Gmail, Blogger), this essentially means that I am granting Google support carte blanche access to all of my Google services and the information contained therein. This is of great concern to me. Could you clarify the access that support has in regards to accessing my account, and give an overview as to what your procedures are in support actually accessing my account? Thank you.
One minute later, I got a useless auto-reply which contained no useful information.
6 days later, I got no response from Google.
So, in light of all this, I won’t be using Google Analytics, simply on the basis that their license agreement is either unintentionally and poorly worded or grants them access to too much information.
If I’ve somehow got this wrong, let me know.