2 min read

ICYMI: Dec 28 - Jan 3

ICYMI: Dec 28 - Jan 3

ICYMI is posted every Monday recapping privacy news over the last week from around the web.

86% of websites using Google Analytics are not anonymizing their users’ full IP addresses

By analyzing network traffic from the 100,000 most popular websites (according to the Tranco 1M list), this analysis observed that at least 31,639 websites use Google Analytics on their webpages. Of these 31,639, only 4,435 (14%) had enabled the "aip" parameter. The other 86% of websites did not have this query string parameter present in their HTTPS requests to google-analytics.com/collect, meaning they were sending their customer's full IP addresses to Google. As you may already be aware, an IP address can be converted into a physical geolocation through the use of services such as whatismyipaddress.com or ip2location.com.

One reason why ad/tracker blocking is a must when browsing the web, specifically uBlock Origin.

She didn't know her kidnapper. But he was using Google Maps — and that cracked the case.

Over the next few days, Google representatives helped Draeger update his warrant to allow the company to search beyond the airport, where hundreds of devices had been using the app at the time of the attack, and look for devices used in additional scenes linked to the crime, including the abduction point and a bar in Chicago where M.D.’s credit card was used the following night.
On June 20, the Google representative and her supervisor told Draeger there was only one phone in their records that met the search criteria.

“All of a sudden it shows up in my email, and I open it up and I’m staring at the screen, going, ‘I have a name and phone number for this dude we’ve been looking for for like five days,’” Draeger recalled.
Police asked his cellphone provider, T-Mobile, for an emergency tracking of his phone — which the company performs under certain circumstances — and watched in real time as he headed home, Draeger said.

While this is a story with a "good" ending (bad guy is caught), it should be a reminder as to what kind of information these large tech companies have and what kind of access and information they can give out. It's also not unheard of for the wrong person to get picked up for being at the wrong place at the wrong time.

A collaborative list of website analytics that don't use cookie, don't require consent and focus on privacy.

Just a nice, sortable list of, generally, privacy respecting website analytics.

Want to join the discussion?  Check out this post, and others, over at the CupWire subreddit and leave a comment.