Security Concerns with Google Analytics: Q&A with the Gurus
We recently received the following question from a reader:
I recently joined the Advancement/University Marketing team as the person to lead the way regarding the web. I am being tasked with improving college & department websites, and I am taking it upon myself to also enter the realm of social media, and trying to get better web analytics information. I would like to have the web development team install Google Analytics across the site. The implementation is easy enough, but I am hitting resistance. The primary reason is one of security: by allowing Google Analytics on the site, we are opening ourselves up to a potential security breach where Google can read/write/record and change any of our security credentials. I had not heard this before. The question: Are the concerns of the web development team legit? What are some strong reasons to use Google Analytics?
Great question, right?
This is a real concern, and I know many universities that cannot use Google Analytics. The reality is Google has all sorts of information about you anyway. We have written many posts about Google over the years, but two posts stand out as relevant to this subject.
If you’ve heard of little things called Google Toolbar, Google Search and Gmail, then you are probably already aware that Google can figure out a lot about a person. Between the three of them, Google knows a lot, and the least we can get back from them is some information to help us make better-informed decisions.
The first thing I would tell your folks is that if these issues aren’t a concern for the folks at CalTech, MIT, or RIT – some of the premier technology institutions in the country – then you are probably okay. Dozens and dozens of other top-tier institutions also use the free service. Google Analytics is used by 57% of the 10,000 most popular websites. If you feel the need to be antagonistic, you can always ask your people what they know that maybe professionals at these places don’t. Tell them to do a security audit of the service.
Another thing you don’t see is people abandoning the service for others because of egregious security holes. With the number of sites using it, if a vulnerability existed, it would be known in a matter of moments. But that hasn’t happened. There are no stories of sites being hacked or hijacked en masse because they used Google Analytics. That’s because, basically, you can’t.
Ultimately, yes, if you put trust in any third-party JavaScript, there is some level of risk involved. So the risk value is not zero. But note I said ANY third party. Regardless of who you use for analytics, if you are using a third-party service and hot linking their tracking script, you face similar issues, all of which stem from the potential of the script to be hijacked. Any hijacked JavaScript can potentially be used to sniff logins, cookies, and session data from users, and also manipulate the DOM of the page the user is on.
The only “safe” thing is to just use server log analysis, but that’s also not nearly as good. And if you’re already using JavaScript on your site, then you pretty much have the same risks without Google Analytics that you would with it.
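As an added example (not part of the original post), the Python sketch below inventories the hot-linked scripts on a page, the exposure described above, and records whether each one carries a Subresource Integrity attribute and whether the page also takes a password. The URLs and HTML are constructed sample input, and `ScriptAudit` and `audit` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login page with one local and two hot-linked scripts.
SAMPLE_URL = "https://www.example.edu/login"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example.net/widget.js" integrity="sha384-PLACEHOLDER"></script>
</head><body>
<form method="post"><input name="user"><input type="password" name="pw"></form>
</body></html>
"""

class ScriptAudit(HTMLParser):
    """Collect script sources and note whether the page takes a password."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # (absolute URL, has integrity attribute)
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            self.scripts.append((src, bool(a.get("integrity"))))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

def audit(page_url, html):
    """Return one finding per script loaded from a host other than the page's."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src, has_integrity in parser.scripts:
        host = urlparse(src).hostname
        if host == page_host:
            continue  # first-party: served by the site itself
        findings.append({"host": host, "src": src,
                         "has_integrity_attr": has_integrity,
                         # third-party code on a credential page matters most
                         "on_credential_page": parser.has_password_field})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

A script that the vendor updates in place cannot be pinned to a fixed integrity hash, so for such a script the decision is which pages load it at all.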
Hopefully these tips and advice compiled from emails from Michael Fienen and me give you a pretty clear picture. Google Analytics as a security concern should be the least of your worries.
Check out a compilation page of everything related to web analytics for higher education that we have compiled.
This post was written by Kyle James