The story goes back some time, but the implications are quite recent, especially in light of the initiative taken by an activist named Federico Leva, who decided to automatically send a few million emails requesting the removal of private and confidential data from Google Analytics, which according to the Italian Privacy Guarantor is illegal because it exports data to the United States without an adequate guarantee of security.
We will not dwell on Federico Leva and on what seems to all intents and purposes a deliberate provocation. Instead we will focus, without taking too long, on the technical aspects of data security, data export and so on, to show how careless, trivial, inconsiderate and insipid the technical reasoning of the Privacy Guarantor can be, reasoning that leaks on all sides.
This is the text of the email sent by Federico Leva:
Subject: Illegitimate use of Google Analytics: removal request pursuant to art. 17 GDPR
Date: Wed, 29 Jun 2022
Sender: Federico Leva
Dear owner of the processing of personal data, esteemed data protection officer, I am writing to you as a user of the site ......... .. to request the removal of my personal data, pursuant to art. 17 ("Right to cancellation") of EU regulation 2016/679. Please respond within 31 days of receiving this letter to confirm compliance, as detailed below. Your site incorporates Google Analytics, which transfers the personal data of all your visitors to Google in the USA. By provision of 9 June 2022 (9782890), this was declared illegitimate by the Guarantor Authority for the protection of personal data, as announced in the press release:
- I specify that the personal data subject of this request are those deriving from my visit to your site in recent days, identifiable by my IP address (51.158.xy) and user-agent ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3803.0 Safari/537.36"), and any data connected or deriving from them;
- I request the deletion of such personal data from the information systems of your data controller and from any backups and wherever they have been transmitted due to your use of Google Analytics, as: a) such processing is unlawful and b) such personal data are not necessary for any legitimate purposes, as described above; c) to the extent that the processing could possibly be lawful by virtue of my consent, I deny having given my informed and valid consent, which in any case I expressly revoke with this; d) if the data were allegedly processed on the basis of a legitimate interest, this takes the value of opposition to the processing as well as a request for cancellation;
- in particular, I request the removal of any records or copies of the aforementioned personal data by Google and any other person in charge of such processing or other person who has received them, including all data sent by my browser at the time of the visit, as well as any pseudonymized version of the same and any aggregate data attributable to the same or to my other personal data, such as classification in cohorts or any type of unique identifier;
- I also request, pursuant to art. 18 (1) (d) of regulation 2016/679, to immediately stop any processing of such personal data connected to my past and future use of your site, for example by providing for the complete removal from it of Google Analytics (in any version and configuration) and stopping any use of the data produced by Google in relation to the users of your site;
- if you deem it necessary, I declare myself available to provide further data useful to identify me as the person to whom the above personal data refer, such as the exact IP address and the date and time of the most recent visit, as well as cookies and other identifiers exhibited by Google in correspondence with the same;
- I request to respond to the above primarily via the form linked below, provided via free LimeSurvey software hosted in the EU (and respectful of privacy), within 31 days of receiving this; my email address for this matter is email@example.com.
We will not focus too much on Federico Leva, first because those who do not realize the damage they cause to society by exercising one of their rights do not deserve the slightest consideration, and second because his was not real human navigation but automated navigation by a bot, which makes all his requests and any related rights useless. Even assuming it had been done manually, we would wonder why he did not use incognito mode, why he accepted cookies by clicking on the cookie consent, why we shouldn't charge him 50 euros plus VAT to remove what he believes is personal data (his IP), and who can tell me that it is really his IP and not someone else's.
Some gloss over these dutiful questions by saying: let's remove Analytics and install an equivalent like Matomo. This is precisely where the catch lies, first because Matomo serves to measure and not to decide, and second because the problem is one of principle: when bureaucracy meets the technical people, it turns out that in this case too we are faced with purely bureaucratic nonsense that benefits no one, least of all the user's privacy.
But let's start from the beginning.
Is an IP address personal data?
No, it is not. I am not the one saying it, nor is Managed Server Srl: two court rulings say it. The first acquits a Deputy Mayor of insulting some political forces; the second acquits two defendants in a trial for defamation of a former minister of the Italian Republic.
In both cases it was enough to say that the comment posted from their Facebook profile had been written not by them but by unknown persons to obtain a full acquittal.
Moving a little further to the technical side, the IP is assigned, or rather rented, to the customer for hours, days or months, depending on the duration of the modem connection to the control panel and on reassignment via DHCP. There is no way to trace the holder of the IP except through a request from the judicial authority to the company that allocates the range containing the IP in question, normally an Internet Service Provider.
Of course, someone may disagree and point out that there are business profiles with allocated IPs and that it is possible to query RIPE to trace the organization. True, but that leads back to the organization itself and not to the individual within it who at that moment may have searched for something on Google.
If this were not the case, then the queue number you take at the butcher's would also be personal data, given that it too is an identifier; instead, in hospital and health care settings for example, it serves an anonymization function.
It allows you to identify and anonymize at the same time, since without the right key it is not possible to establish a unique correspondence (1:1 in relational algebra) between the number and the name, for example.
However, the European Court ILLOGICALLY ruled that under the General Data Protection Regulation (GDPR) IP addresses are, as so-called online identifiers, part of personal data, which must therefore be adequately protected.
This is precisely where the problem arises:
Article 4 of the GDPR says: "any information relating to an identified natural person or identifiable also indirectly by reference to any other information ..."
So a name, an address but also the license plate of a car are all personal data.
It does not matter that the data is visible to everyone (think of the car plate, for example): it is the association of the plate number with the person that forms the personal data.
And here comes the problem of error propagation. Article 4 of the law makes no sense, and so the judgment of the European Court (in compliance with Article 4) vomits nonsense, and the member states are obliged to acknowledge the nonsense and treat it as valid, that is, to admit that the IP is personal data and to legislate and sanction accordingly.
It is useless to point out that the name and surname cannot be traced from the plate except by consulting the bodies in charge that allow such consultation (see the Civil Motorization or the PRA); for them it is exactly the same thing, even though, for example, anonymizing car plates by removing the province made it possible to mitigate vandalism during football events and damage to the cars of visiting teams' supporters.
Staying on the subject of IPs, is the Privacy Guarantor able to answer and technically explain what happens, or could happen, when an IP (deliberately out of range for demonstration purposes) such as 260.261.262.263 is reassigned after a week from the user Adam (man, 40 years old) to the user Eva (woman, 30 years old)? Will Google continue to profile, target and carry out marketing and remarketing operations for the new user Eva using the same criteria as for Adam, perhaps offering racing cars, beard razors and rugby balls?
Let alone if the last octet is anonymized as well, that is, if 260.261.262.* is sent instead of 260.261.262.263, where the last octet could correspond to as many as 253 matching IPs (we remove 2 IPs from the real 255, one for the network and one for broadcast). And behind each IP there are potentially infinite people: imagine the IP of a public PC at the airport, for example.
You readers already know the answer: the Guarantor has never considered the problem, because the bureaucracy doesn't care to seek sensible answers to equally sensible questions.
Is it all a matter of cookies?
I was attending the degree course in Information Technology at the University of Camerino, it must have been the second or third year, we are talking about 2002 - 2003, and there was already talk in technical circles of the danger of cookies for data security. For me, who at the time was approaching security through exploiting techniques, buffer overflow, heap overflow, return-into-libc, with texts of a certain depth like Phrack and the very Italian Butchered From Inside, Vana Imago, Newbies, I found it rather absurd that remarketing advertising could be a security issue.
It took some time, with the evolution of the Internet and the World Wide Web, to understand that profiling could perhaps be a problem not only of commerce but also of the confidentiality of everyday life. Imagine the classic PC shared within a family, on which someone searches for topics, sites and situations that deserve confidentiality (illnesses, extramarital affairs, adult sites and so on), and the user who arrives later, perhaps browsing a site that has nothing to do with the previous user's visits, is targeted according to the searches and interests of that previous user.
Is this really the problem everyone is discussing today?
Obviously not, because this phenomenon would still happen if, for example, Google decided to bring the Analytics servers to Italy, or rather to spin off the advertising part into a hypothetical Analphabet Srl Italy and rent some server room in a datacenter in via Caldera in Milan: not just in Europe but squarely in Italy.
And what is the cookie consent law for, then?
Returning to the previous discussion, we remind you that the Guarantor wanted users to be informed of which cookies they will accept and to be absolutely free to accept or refuse them.
In short, I tell you clearly that we have technical cookies, perhaps to manage the shopping cart at session level and the products you put in it, but I also tell you that we have analytical cookies that will be used by Google, perhaps to retarget that product category if you do not complete the purchase and reach the thank-you page.
You may explicitly decide to accept the technical ones but not the analytical and profiling ones, and therefore you will simply not be profiled or retargeted.
What does the Guarantor want, what does he have to say and argue? Anything. Pure hysteria, without a minimum of knowledge of the facts, between what he has done and what he is doing. First it forces you to implement a granular cookie consent system, then it says that there are personal data, such as the IP, that are exported abroad and that this is therefore not acceptable.
Incognito browsing. The de facto by design solution to all problems.
All browsers offer incognito browsing.
In this way the life of the cookie will be the duration of the incognito browsing session. Imagine, in short, that Adam connects to a site selling merchandise for adults and takes 10 minutes to place an order for new items, and then closes the browser: the cookie is born when he connects to the site and dies when the window with the incognito session is closed. In any case, it is IMPOSSIBLE for Google to profile and propose remarketing actions once that session is closed.
And here, with this awareness, combined with the cookie discussion, the anger rises a little. There are tools that allow 100% protection of the visitor and his privacy, and are we really making Google Analytics illegal because users decide not to use a tool that would guarantee them something they may not even want?
Let's ban sex, because people don't wear condoms. Let's make it illegal.
Let's ban cars and road traffic because someone does not wear a seat belt.
The concept is practically identical, and you don't need to be a genius with a 140 IQ to understand that this much longed-for privacy is mostly a colossal hoax carried out by Nazis (better known as activists) on the basis of rulings without logic or technical validity.
Could replacing Google Analytics be the solution?
Many are asking this question, and some are considering switching to alternative tools like Shinystat or self-hosted products like Matomo.
The matter is serious and worrying, above all when you have to read insiders who have not yet understood that Google Analytics is not a simple measurement tool for the end user (i.e. the owner of the site) but a tool for measuring in order to decide, and the one who decides is obviously also Google.
Analytics informs us of the type of user who browses the site. A user who has previously browsed Howtoforge, StackOverflow and Amazon AWS and then spends 30 minutes on 3 articles of our blog is a user that Google will use to evaluate and validate the quality of our site, the validity of its contents and its relevance to our ideal audience. He is a user who has read, who has searched and who probably found our technical articles useful, unlike those who open the site and leave after 3 seconds because they immediately understood that we deal with something else.
In the era of measuring in order to decide, removing Analytics, especially when the site is doing well, means removing the tool that is able to give value to the work being done.
Let's take an example: imagine that you have studied a lot during the summer and have become real aces of mathematics, geniuses, with total mastery of the entire school program. Would you want to be questioned, to prove your worth and get excellent grades, or would you hide away hoping not to be questioned?
It is undisputed that after such efforts you also want recognition, and Google's recognition consists mainly in ranking you for keywords, that is, in improving your position in the SERP.
Let us always remember that Google Analytics was born and lives within an ecosystem made up of Google AdWords and Google AdSense as far as the advertising circuit is concerned. The spread of AdSense on sites around the world is the determining factor in the success of Google AdWords.
You cannot retarget if you are not present with your display advertising banners on your customers' sites.
Would you remove Google Analytics aware that it could be not only a valid tool for your decision-making activity, but also to obtain advantages? Again, the answer is obvious.
Is the problem the IPs exported to the US?
We could open an encyclopedia on this point or a series of questions.
For example, what changes if a guy searches for "dog food" on Google and when he clicks on the result that inspires him the most, Google collects his search key, his IP and his Google Cookie?
This is standard behavior that doesn't require Google Analytics to be implemented. Google, for example, uses it to understand the relevance of a particular search result. If many click on the result on the third page rather than the one on the first, it means that perhaps the result on the third page deserves to be proposed on the first page for that particular search criterion.
Some contrarian like Federico Leva will say that maybe the user will not search for "dog food" on Google but will simply go directly to pappapercani.com. What is the problem, then, if Google Analytics, which is embedded in the HTML code and loaded as JS, is activated, when the web server is already able to recognize the source IP and any referrer through the environment variables and log it?
The webserver already by default is able to collect IPs, referrals, search keys, etc.
Are we really sure that on a technical level data is being sent abroad, or is it simply that embedding any external resource in the application allows, through the HTTP protocol specifications, whoever serves that resource to trace the IP that is requesting it and any referrer?
This thing goes for jpeg images, for txt content and whatever else.
Could it be that those who have worked with web servers for decades know perfectly well that the pappapercani.com page does not need to send data to Google Analytics but that Google Analytics is simply able to obtain them by itself?
Are we really talking about exporting data, when we are talking about the basis of the HTTP protocol?
When I connect to the website of the White House or of the Vatican State (by the way, is it Europe or not?), is it understood that they are able to read my connection and log the data on the web server in the file that is normally called access.log?
Because the problem seems to be the exported IPs, which according to the technicians of the Privacy Guarantor are personal data.
Do you understand the absurdity of the problem, and how ridiculous it is for those who have been chewing on networks, servers and networking since 1996 to have to discuss Google Analytics when the "IP export" function is the basis of TCP/IP and of the three-way handshake used to establish a connection?
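What a stock access.log already holds, as an added example that is not part of the original article: it parses the Apache/nginx combined log format, extracts the client IP, referrer and Google search phrase, and then produces the same record with the last octet masked as discussed earlier. The sample lines, the function names and the /48 prefix used for IPv6 are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access.log format.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines; the addresses are documentation ranges, not visitors.
SAMPLE_LOG = """\
203.0.113.57 - - [29/Jun/2022:10:15:32 +0200] "GET /index.html HTTP/1.1" 200 5120 "https://www.google.com/search?q=dog+food" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.57 - - [29/Jun/2022:10:15:33 +0200] "GET /img/logo.jpeg HTTP/1.1" 200 20480 "https://pappapercani.com/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [29/Jun/2022:10:16:01 +0200] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.81.0"
this line is not in combined format
"""


def search_terms(referer):
    """Return the q= search phrase carried in a Referer URL, or None."""
    if referer in ("", "-"):
        return None
    values = parse_qs(urlsplit(referer).query).get("q")
    return values[0] if values else None


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    match = COMBINED.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["search"] = search_terms(rec["referer"])
    return rec


def parse_log(text):
    """Parse every well-formed line, skipping malformed ones."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def mask_ip(raw):
    """Zero the last IPv4 octet (/24); keep 48 bits of IPv6 (assumed prefix)."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return "-"  # a hostname or garbage was logged instead of an address
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise(rec):
    """Copy of a record with the IP truncated and the referer cut to its origin."""
    out = dict(rec, ip=mask_ip(rec["ip"]), search=None)
    if rec["referer"] not in ("", "-"):
        parts = urlsplit(rec["referer"])
        out["referer"] = f"{parts.scheme}://{parts.netloc}"
    return out


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        small = minimise(rec)
        print(f'{rec["ip"]:>38} {rec["referer"]!r} search={rec["search"]!r}')
        print(f'{small["ip"]:>38} {small["referer"]!r}')
```

The second sample line is the case the text describes for embedded resources: whichever server hosts the image receives the requesting IP and the referring page without any script sending it.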
Is the problem that Google Analytics is illegal? Then let the state apply a state filter
This has practically always been done as a matter of practice, for the fight against piracy, the fight against child pornography and the fight against gambling: when something is wrong and the state wants to protect against it, it prevents access to certain resources through the so-called state filters.
At the state level, internet service providers (ISPs) are simply given a list of domain names for which the DNS request must return empty, null results.
If you try to connect to a gaming site that does not comply with Italian regulation, you will find a blank page or be redirected to a monopoly notice, for example.
In spite of net neutrality, of course, but this has been done as a practice for over a decade, and yet for Google Analytics it is not done.
On the one hand there is the Guarantor, who says that Analytics is illegal; on the other there is no practical remedy to obstruct it with state filters (we are in worse shape than China but you do not realize it yet).
So what to do?
It is self-evident that this whole GDPR farce is purely a means of protectionism, to avoid, for example, a US competitor grabbing 90% of hosting services. The problem arises when restricting the use of US tools threatens significant economic damage to European companies. To be clear, for some non-European products there are no valid alternatives, which does not mean that there are no alternatives (attention), but precisely that there are no valid alternatives, or none with the same goodness, quality and characteristics as the market leaders.
Banning Google Analytics only means harming the business objectives of companies and the ability to bring together supply and demand in a healthy and natural way.
In short, it avoids the man seeing banners for sanitary towels and lipsticks, and the woman seeing banners for razors and ties. Because, if you still don't understand it and regard Google Analytics profiling as who knows what conspiracy, Google's purpose is only to propose purchases and maximize sales.
If this opportunity is taken away, we will all suffer, in a society based, for good or evil, on what is called consumerism.
Consumers will be the ones paying for it
One concept must be clear, which we have already seen with the advent of Apple iOS privacy features. If advertising is difficult, advertising will be much more expensive.
Apple's decision to change the privacy rules for users using its new operating system with iOS14.5 has disrupted the world of online advertising as we know it today. The real impact of these changes is being felt as large numbers of Apple users update their operating system on their iPhone or iPad or purchase new devices.
Facebook has not stood still: it has run for cover and has been working on this revolution for several months, but despite the efforts of the social giant, ad costs have increased by over 100%. The increase has been noticed and confirmed by all social media managers and insiders, so much so that Facebook itself has inserted a warning in the "ads management" about the impact that Apple is having on sponsored companies. Obviously, the alert speaks of "estimates that may vary negatively with the implementation of the update by Apple users", but the "low tones" still highlight a real problem due to the significant increase in ads costs.
In short, if previously, to sell a product worth 20 euros, you needed a cost per lead of 1 euro, at the end of the process the retail price came out at 21 euros.
If today the same sale takes a cost per lead of 5 euros, because profiling and targeting have become very inaccurate, the product will go on sale for 25 euros.
Are we sure that the privacy of our tastes and our searches justifies increases of hundreds of euros per family every month? And yet, when you go to the supermarket, you swipe the card for a 1 euro discount.
We tend to say that if something is free then you are the product, but no one says that if something costs less, maybe you have to be the product too.
In the hope that Google will set up a beautiful engine room in Europe and move the management of Analytics to Europe as well, for now we do not feel we can in any way recommend removing Analytics, especially for sites that are obtaining positive results.
Be hungry but don't be crazy.
CTO / Managed Server Srl