Google Analytics Code Integrity



2010-02-19 - I've made several unsuccessful attempts at contacting the Karnataka Government in India and the Webmasters responsible for copying our Google Analytics Code. It has now been 60 days since we started receiving detailed analytics for the Karnataka Government website. I wonder how much more information they'd like to arm us with? Anyone over there in India listening?

The Google Analytics corruption carnage continues...

19,709 Visits

2010-02-04 - On Monday, December 21, 2009 while reviewing Google Analytics for the SEO Consultants Directory, I noticed a significant increase in referrers to the site.

16,499 Visits

Referring Sites - The Government Copied My GA!

I performed a quick check to see where these referrers were coming from and this is a small sampling of what I found...

Referring sites sent 14,230 visits via 3 sources
Filtered for sources containing "Karnataka"

Referring Sites

As I drilled down deeper into GA, I kept finding referring URIs that were 404 Not Found. At the time, I was/am involved in other projects that restrict my time to perform proper research into this so I let it slide thinking that someone, somewhere, had a link to one of our pages. We've seen spikes like this before when an educational resource links to our site during one of their presentations.

You're probably thinking, Edward, just check which pages they are referring to. Well, it was not as simple as that.

This page was viewed 299,779 times via 72 sources

Top Content Pages - /Pages/default.phpx

http://www.Karunadu.gov.in/Pages/default.aspx

The above is not a document on our site. It is a page from the Karunadu.gov.in website that contains an external js file with our Google Analytics code in it.

<script src="/Style_Library/cegdropdownmenu-ga.js" type="text/javascript"></script>

Back to Previous

How Did This Happen?

Over the years, we've published a few tutorials on various website design tips. One of those is our CSS Menus Tutorial which was put together years ago by myself and Claire from Tanfa. (SuzyUK at WebmasterWorld). We still utilize these types of CSS Menus today for smaller websites, there is no need for all the fancy JavaScript that most menus incorporate.

In those tutorials, we've provided complete instructions for implementation of the Menus along with individual files for the CSS. The Webmaster of Karnataka.gov.in/Karunadu.gov.in copied from our source (not from the tutorial files) and left the references intact. I'll assume that they didn't have time to read the tutorial, nor did they have the time to inspect the files they copied. They copied (not hotlinked) two javascript files from our site and one contains our Google Analytics code.

Back to Previous

Contacting Google - Their Response

At the beginning of this, I sent an email to GA support alerting them to a potential issue. I of course received what looked like a canned response and replied with my thoughts on their reply. I was pleasantly surprised that I received an email back from a real human being, thank you Google. In the most recent reply, after submitting my above findings, I had asked if this is something they found to be common and their response was...

As you may know, any webpage that has the tracking code of your Analytics account installed on it will be tracked by your Analytics account. This is irrespective of whether it is your domain or not. The only way to stop tracking the page would be to remove the code from it, which you may have to contact the website owner for. Please be assured that this borrowing/displaying of tracking code is not common. In such cases, to avoid corruption of your own reports, you can use filters, as I mentioned in my previous email.

Emphasis above mine. Call me dense if you wish but I was under the impression that Google Analytics Code ONLY worked when served from the domain(s) that it is verified for?

Back to Previous

? Questions and What Ifs

After reading the above response from Google, my mind immediately started racing. The main question I have is, could this have an impact on the original website?

What if someone were to copy my GA and place it on a domain serving malware? Since that code is tracked by Google irrespective of whether it is your domain or not, is there an association formed in the process?

Could someone sabotage my Internet presence by corrupting the metrics via the associations that Google is tracking irrespective of whether it is your domain or not? Negative SEO

New Term: GA Corruption - The process of corrupting one's Google Analytics by inserting your confirmed GA Tracking Code into other documents outside of your verified websites. This corruption leads to inflated and inaccurate statistical data.

I have to wonder just how many instances of our GA may be out there. Our tutorials generate a bit of traffic and we've seen them put to good use. In all the time I've been monitoring analytics at this level, I never thought about my GA being used on another website. Why? I always thought the Google Analytics code is ONLY valid when served from the verified domain. As stated above by Google, that is not the case.

GA Sabotage?

Conspiracy Theories - Can you fathom how this might be used by an SEO Saboteur? How about by a shady SEO company selling traffic to an unsuspecting SEO Consumer who relies on their Google Analytics to determine the basics in traffic measurement? I see a plethora of loopholes in this whole process and I'm really surprised it is just now sinking in.

Back to Previous

Who's Sleeping With Your Google Analytics?

I think this is worth repeating...

As you may know, any webpage that has the tracking code of your Analytics account installed on it will be tracked by your Analytics account. This is irrespective of whether it is your domain or not. The only way to stop tracking the page would be to remove the code from it, which you may have to contact the website owner for. Please be assured that this borrowing/displaying of tracking code is not common. In such cases, to avoid corruption of your own reports, you can use filters, as I mentioned in my previous email.

What are the implications of this? Is there nothing to worry about?

Back to Previous

Karnataka Government

Karnataka Government

Out of respect for the Karnataka Government, and of course acting with common sense, I will not post any detailed analytics. I can tell you that I have a full 45 days (and counting) of statistics that are rather revealing. For those of you who are familiar with the Google Analytics drill down, you'll understand just how much information I have access to.

These are Government Websites - I would say this is a major security breach and someone is going to be held accountable. Which one of your Webmasters is responsible for copying our GA code? That's like giving me the keys to the castle, isn't it? Let's see how long it takes for the Karnataka Government Webmaster(s) to realize what they've done and remove our Google Analytics tracking code.

Contacting the Karnataka Government

2010-02-05 Addendum: I've made several unsuccessful attempts at contacting the Karnataka Government using publicly available methods to alert them to the above issues. I'm guessing the Webmaster responsible for copying our Google Analytics tracking code is also responsible for email. What kind of Government website provides contact information that doesn't work? Don't answer that!

This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
psegov-dpar@karnataka.gov.in; pio@karnataka.gov.in

Back to Previous


 

SEO Consultants Directory