Google Analytics is bad for security and privacy
News broke the other day that the Italian data protection agency has declared Google Analytics to be illegal in Italy as it breaches the GDPR:
The Italian SA came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received. The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
the full article can be found here.
This is a very important aspect as it opens some sort of box of Pandora with this ruling as most companies transfer traffic data overseas and still store logging data overseas. I was just checking my Twitter account the other day and noticed that it still stores IP data from 2009 when I first created the account and all of this information is being stored in the US.
The problem itself is not concerned to the location of the data, but actually to the risk of eavesdropping through MitM attacks.
I am pretty sure at this point that a lot more countries will follow up on this and will eventually ban Google Analytics unless Google moves all EU data in Europe.