Google 'wiretapped' tax websites with visitor traffic trackers, lawsuit claims

Google was sued on Thursday for allegedly "wiretapping" several tax preparation websites and gathering people's sensitive personal data. And by wiretapping, they mean Google Analytics code added by the tax firms themselves to their own websites to measure visitor traffic and demographics. The complaint [PDF], filed in a US …

  1. Woodnag

    The Register uses Google Analytics among other tools to keep track of readership size

    You do know that usage of Google Analytics is illegal under GDPR?

    https://noyb.eu/en/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal

    1. Martin an gof Silver badge

      Re: The Register uses Google Analytics among other tools to keep track of readership size

      Haven't they just signed a new data transfer agreement?

      There is also the question of how - or indeed whether - these things work if the viewer of a website is running a JS or ad-blocker. For a site with a technical readership such as El Reg this must surely skew the analytics sommat awful.

      And El Reg has possibly better ways to track anyway - those of us who comment have accounts and many of us will be logged in across several devices - so what is the point of Google Analytics?

      M.

      1. Anonymous Coward

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        The fact that you're running it and feeding data abroad is what makes it illegal, your ability to block it doesn't matter.

        They should use Matomo. It's been around for ages, and they have been doing it right from early on, even respecting the "Do Not Track" browser flag, even if nobody else did. I have my own instance running which picks up the Matomo signalling from all sites I run, and even without any paid options it does a good job collecting data from those who permit it, and the tests I've run against it do suggest it's doing the right thing on "my" sites.

        Personally I think respecting "Do Not Track" is simply respecting a site visitor. That it makes it EU/GDPR compliant is a nice bonus but I think it starts with considering a visitor a guest, not a data cow, free to milk for information.

        But I'm not in the US, apparently it's OK over there.

        That said, on the monitoring side I have seen a sharp uptick in dictionary attacks over the last few days. I find that setting a trap on attempts to log in as 'admin' or 'administrator' is a good way to throw out and blacklist those idiots early (and no, none of the sites even have that user, it's the first I remove after enabling 2FA).

        Anyway, I digress. Don't use Google other than for searches, and even then I'd consider using alternatives. If you need any reasons why, just go into the source code of their default search page and see how large a program you're actually running when you hit that innocuous, almost blank page. Or properly read the Terms you have to agree to.

      2. captain veg Silver badge

        Re: El Reg has possibly better ways to track anyway

        I would have thought that analysing the server logs would tell you everything you want to know. TBH I've never got the point (for website owners) of GA, other than slight convenience.

        -A.

        1. Doctor Syntax Silver badge

          Re: El Reg has possibly better ways to track anyway

          "I've never got the point (for website owners) of GA"

          I'm sure it produces lots of figures so that management can put them into spreadsheets and create PDFs to show each other so as to look busy. Whether they mean anything is a different matter.

        2. ThatOne Silver badge
          Facepalm

          Re: El Reg has possibly better ways to track anyway

          > I would have thought that analysing the server logs would tell you everything you want to know.

          Indeed, including number of new/returning guests over a given period, their countries, pages visited, the flow (path taken), everything. And it's free...

          But don't forget, what marketing wants, marketing gets, and Google promises the moon, a better moon, the real moon, the moon real professionals need to fly over the competition. If you don't use our patented snake oil you're but an amateur, and everybody will scoff at you.

          1. Lil Endian
            Pirate

            Google promises the moon...

            ...a better moon, the real moon...

            Google promises the real Moon better, but Samsung delivers!

            [Spoiler: it's snake oil!]

          2. veti Silver badge

            Re: El Reg has possibly better ways to track anyway

            Analysing server logs is only "free" if you have admins who are twiddling their thumbs looking for something to do.

            And Google Analytics does a considerably better job of distinguishing between genuine visitors and bots, crawlers and DDoS attacks. (Well, probably better. Certainly a lot faster and easier.)

          3. MachDiamond Silver badge

            Re: El Reg has possibly better ways to track anyway

            "If you don't use our patented snake oil you're but an amateur, and everybody will scoff at you."

            If you don't pay us for keywords or place ads, your web site will never rank.

        3. chivo243 Silver badge

          Re: El Reg has possibly better ways to track anyway

          Is using Reg.com* when testing new distros/browsers/VMs messing with the googley analytics?

          I think using GA for some web owners, who aren't server jockeys, makes life easier, trawling through web logs can be tedious?

          *(we all know the old El Reg wouldn't touch Google with a bargepole)

          1. John Brown (no body) Silver badge

            Re: El Reg has possibly better ways to track anyway

            "I think using GA for some web owners, who aren't server jockeys, makes life easier, trawling through web logs can be tedious?"

            Back in the day when I used to herd a few websites running on Apache, I used Webalyser(??), which gave me pretty summaries and graphs of more than I really needed to know direct from the Apache log files. I'm sure that or similar log analysers are still available. It's not as if some non-technical person needs to manage it. That will be set up by the person(s) setting up the site for them. Of course, this may not apply to those who think a professional website is something on Facebook or using one of the "build your own website" services such as Wordpress.

            1. Lil Endian
              Devil

              Re: El Reg has possibly better ways to track anyway

              ..."build your own website" services such as Wordpress.

              Even worse, by far IMHO, are offers like Wix. Talk about vendor lock in! Websites are not my main thing, although I've done a "few" over the years. But I do like helping start-ups. The number of times I've heard "I've got so far with my site, but I'm stuck, and time's running short! Can you help...?". "Ah feck! You're using Wix. We cannot migrate that, and it won't go further towards your needs. Your many weeks of effort are for nought." And that hurts when a start-up is banging out 95+ hours a week.

              [Disclaimer: I've not tried migrating from Wix for a couple of years. I'm *cough* sure *cough* they've sorted that out by now...]

              1. MachDiamond Silver badge

                Re: El Reg has possibly better ways to track anyway

                "I've not tried migrating from Wix for a couple of years. I'm *cough* sure *cough* they've sorted that out by now..."

                Those large web hosts are not sorting that out. They WANT to lock people in. It's dead simple to use their templates and tools to build a very good looking web site rather quickly, but, you're correct, they don't have much depth to their functionality so if you hit a wall with their services, you have to start from scratch again. You also have to hope that whoever did the signing up in the first place didn't subscribe to the plan where that host owns the domain name. I've seen that happen to a few people and all they could do was pay the increased pricing for that service for a couple of years while they worked to get their new domain name established while forwarding people from the old one they never owned.

                It's more work to not use those big hosting companies and their tools, but I find it worth it to avoid them in the long term. I also avoid hosts that advertise a low first year price that doubles or triples afterwards. If they want to kick down free migration assistance or some more space, great, but I'd rather have a much more level monthly/annual hosting cost. I also want the freedom to be able to pick up my site and take it someplace else in an hour or so.

        4. MachDiamond Silver badge

          Re: El Reg has possibly better ways to track anyway

          "other than slight convenience."

          That's what's being sold for many things. Look at the Google push for people to "log in with Google" at all sorts of web sites even when the user already has a L/P for that site. It's more convenient just like one-click purchasing is more convenient. Auto-pay, auto-unlocking key fobs that obviate needing to use a physical key, etc.

          I'm a big believer in inconvenience. It makes me stop and think about what I'm doing or it makes me more secure. I don't need to have a car that unlocks for me when I get close. I'd have my car unlocking and locking all day long as I worked around the garden/house. It could also open me up for a relay attack. I do like my wireless fob, but it's doing nothing until I press a button and it's attached to a physical key that works when the battery in either the fob or car goes flat. With bills, I've had auto-pay cost me a load of money and I find paying my bills manually makes me understand where my money is going.

      3. Anonymous Coward

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        > those of us who comment have accounts and many of us will be logged in across several devices - so what is the point of Google Analytics?

        What do you suppose the advantages would be of tracking users at that level of granularity rather than, say, tracking more broadly where incoming traffic is coming from (by social media links, by country, etc.)? Knowing what individual users are up to is of much narrower use to publishers than knowing where a broader set of readers come from, how long most tend to spend on various pages, etc.

    2. The man with a spanner
      FAIL

      Re: The Register uses Google Analytics among other tools to keep track of readership size

      How can a respectable technical website in all conscience run a story critical of Google Analytics whilst also using it?

      We really do need less hypocracy in this world.

      How about setting an example of good practice.

      1. John Brown (no body) Silver badge

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        I would guess that El Reg don't have that power and it's a mandate from "on high" at Situation Publishing.

      2. veti Silver badge

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        The article mentions El Reg's position.

        And the story isn't "critical of Google Analytics", it's a factual report of a legal proceeding, the likes of which happen all the time.

        Personally, I think the plaintiffs will find themselves completely unable to demonstrate that Google is holding any data about their tax information, beyond possibly a record of the times and dates they visited these sites (and I wouldn't bet on even that much), and the case will go nowhere, like so many others before it.

      3. Malcolm Weir

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        To be fair, this article is critical of GA in the context of financial transactions (say, tax preparation) which is not really the business El Reg is in!

        At the end of the day, I'm pretty sure this website is running on one of Intel or AMD CPUs.... does that mean they can't be critical of Intel and AMD?

        Fundamentally, as I see it, the dishonesty lies in not disclosing what you're doing, not the doing itself.

      4. Billy Twillig

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        “Hypocracy”…I think that is rule by addicts.

    3. Anonymous Coward

      Re: The Register uses Google Analytics among other tools to keep track of readership size

      Let's face it people... Almost everything Google does is designed to liberate us from OUR data. They go about it in the most nefarious ways.

      On my own blog, (not in my name so don't try to find it), the firewall protects data from going to Google, Facebook, MS and a host of others (most of the Chinese and Indian IP ranges are blocked as well).

      One commentator complained that the Facebook Icon that they tried to add to one of their comments did not work. FB is blocked... that user was disabled soon after.

      Google is the personification of EVIL and the sooner that people wake up to it the better. Just say NO to anything from Google.

    4. Barrie Shepherd

      Re: The Register uses Google Analytics among other tools to keep track of readership size

      "You do know that usage of Google Analytics is illegal under GDPR?"

      From a UK perspective the ICO infers it's all OK so long as you get permission - The usual ICO fob off "Get the client to tick a box about cookies and all will be OK"

      The ICO is, IMHO, another Quango, not fit for service, who spends more time allowing industry to do suspect things than outright protecting its paymasters (the UK Taxpayers) by banning all tracking.

      The ICO apparently have teeth; let's see them digging them into some flesh then.

      The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

      The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

      Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.

      The DPA2018 and UK GDPR gave the ICO new strengthened powers.

      1. Bendacious Silver badge

        Re: The Register uses Google Analytics among other tools to keep track of readership size

        When the ICO fairly quickly decided that 'soft opt-in' to marketing is fine, I lost all faith in them. GDPR says 'informed consent' to marketing. ICO says 'well you did buy a widget from them'. Take a look at ICO's published advice on CC-TV - "yes your neighbour's Ring doorbell pointed at your driveway is illegal - no we won't help you with that".

  2. Lil Endian

    Sue You, Jimmy!

    Okay, so Google could be sued for holding data illegally, but did they design those sites and place the beacon poxels there? Shirley it's the website stakeholders (eg "H&R Block, TaxAct, and TaxSlayer, among others") that are liable for the inclusion of the facilitating intercept[1] code on their sites, sue them FFS!

    [1] Nope, can't even put wiretap in quotes.

    1. Gene Cash Silver badge

      Re: Sue You, Jimmy!

      I'm sure they're being sued as well in a separate action, but "suing Google" is the newsworthy bit here, and they have the deepest pockets.

      1. Doctor Syntax Silver badge

        Re: Sue You, Jimmy!

        They also have the deepest pockets to pay lawyers.

        1. Anonymous Coward

          Re: Sue You, Jimmy!

          .. and, umm, encourage law makers to leave some juicy loopholes..

      2. Woodnag

        Re: Sue You, Jimmy!

        Also, Google serves ads, so it has every website categorised by type. They could easily disallow calls by their tools from certain URLs. They choose to pretend that they are not a party.

        1. Anonymous Coward

          Re: Sue You, Jimmy!

          Google Analytics no doubt hoovers up a lot of stuff we would rather that it didn't - which we know about because it is widely known and we would laugh derisively at anyone claiming to be a "professional website creator" who had not found that out.

          A website chooses to embed Google Analytics into its pages, despite all the information and accusations about what those Analytics do, and you think that this makes Google responsible?

          > it has every website categorised by type

          So do you also believe Google must figure out which pages are corporate advertising or basic information ("FAQ: yes, you must pay taxes") - which, if you have decided to use the analytics, are reasonable pages to track - and which pages are involved in the collection of information to go into the tax returns? You don't believe that that is the responsibility of the people putting up the web pages?

          Obviously you can have your own opinion about whether you like Google Analytics - or even whether you totally despise Google and all it stands for - but how does that make them a suable party? Where is the gun that Google is presumably holding to the head of the people who wrote those websites?

          1. Gene Cash Silver badge

            Re: Sue You, Jimmy!

            > A website chooses to embed Google Analytics into its pages ... and you think that this makes Google responsible?

            Yes, and it's not either/or here. They're both responsible:

            1. The website designers for using GA

            2. Google, for abusing the f*ck out of the data, and railing it up the back alley as hard as it can, for every last possible penny. They should be sued on general privacy grounds, but the US doesn't really have the concept of "privacy" except in certain special cases, and this is one of them.

            That's why I hope they're both getting sued.

            > do you also believe Google must figure out which pages are ... involved in the collection of information to go into the tax returns?

            Yes, with the currently written law.

            In an ideal world, Google wouldn't be taking all our data and selling it to the highest bidder. But they do, and with that comes responsibilities and consequences.

            1. Anonymous Coward

              Re: Sue You, Jimmy!

              > In an ideal world, Google wouldn't be taking all our data and selling it to the highest bidder. But they do, and with that comes responsibilities and consequences.

              At the risk of being repetitive:

              Google are not *taking* any data from Google Analytics.

              They are being explicitly *given* our data by the deliberate action of the person responsible for putting Analytics on their web pages. We all know this.

              As you probably do, you can avoid most of the other ways Google gather your data by avoiding things that are explicitly labelled "Google", such as their search page. That way, you can reduce the amount of your data that you are explicitly giving them.[1]

              [1] yes, *you* would be giving them that data - you are very well aware what using Google services means (Joe Bloggs may not, but anyone reading this does).

            2. veti Silver badge

              Re: Sue You, Jimmy!

              Google does not "sell" our data. For the same reason as the army doesn't sell its guns.

              1. Anonymous Coward

                Re: Sue You, Jimmy!

                Let me introduce you to the Civilian Marksmanship Program: https://thecmp.org/

        2. Anonymous Coward

          Re: Sue You, Jimmy!

          "[Google] could easily disallow calls by their tools from certain URLs"

          ... while simultaneously flagging that you have visited one of the sites on their blacklist

    2. John Brown (no body) Silver badge
      Thumb Up

      Re: Sue You, Jimmy!

      "the beacon poxels"

      Poxels? Deliberate or serendipitous typo? :-)

      1. Lil Endian
        Happy

        Re: Sue You, Jimmy!

        Serendipity dumped me a long time ago! Fond memories though!

    3. This post has been deleted by its author

    4. Dog11
      Black Helicopters

      Re: Sue You, Jimmy!

      Exactly. It's not like web designers are forced to put this privacy-invading javascript on their websites. They do it on purpose, so they are the ones responsible for the data sharing. I've had it with the attitude that "just because you're on my website doesn't mean I'm responsible for the contents, that's somebody else whose identity and privacy policy I will not tell you about".

      Back in the day, it would often turn out that people who had viruses/malware regularly used yahoo. It wasn't yahoo themselves doing the dirty work, it was being done via syndicated advertising that they didn't bother to monitor.

  3. Pete Sdev Bronze badge

    Unless these web apps are leaking tax info in the GET parameters or Google Analytics is recording the values of all submitted forms, it's unlikely Google has tax info, at least not through the tracking code.

    Incidentally, recently at work migrated a major client from GA to a Matomo (The Analytics Tool Formerly Known As Piwik) instance, in order to prevent being sued under the GDPR. This after last year removing all google-hosted font imports from all client's websites.
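
An added example (not from the original post) of checking the first condition above from the server side: it scans access-log lines for GET requests whose query string carries parameter names that suggest tax data, since the query string is part of the page URL that any script on the page can read. The log lines are constructed, and the parameter names (`agi`, `income`, `refund`, `ssn`, `filing_status`) are hypothetical; substitute the ones your own forms use.

```shell
#!/bin/sh
# Added example: audit an access log for sensitive-looking GET parameters.

# Constructed sample lines in combined log format (not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [01/May/2023:10:00:01 +0000] "GET /faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2023:10:00:09 +0000] "GET /return/income?agi=52000&filing_status=single HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2023:10:01:30 +0000] "GET /return/refund?refund=1200&utm_source=mail HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2023:10:02:00 +0000] "POST /return/submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2023:10:03:00 +0000] "GET /return/income?agi=88000 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
EOF
}

# Reads log lines on stdin and prints "count path parameter" for every
# sensitive parameter name found in a GET query string.
# Parameter values are deliberately never printed.
# $1: space-separated parameter names to flag (hypothetical defaults).
sensitive_get_params() {
    names=${1:-"agi income refund ssn filing_status"}
    awk -v names="$names" '
        BEGIN {
            n = split(names, a, " ")
            for (i = 1; i <= n; i++) want[a[i]] = 1
        }
        # In common/combined log format $6 is "\"GET" and $7 the request target.
        $6 == "\"GET" {
            q = index($7, "?")
            if (!q) next                      # no query string, nothing to leak
            path = substr($7, 1, q - 1)
            m = split(substr($7, q + 1), kv, "&")
            for (i = 1; i <= m; i++) {
                key = kv[i]
                sub(/=.*/, "", key)           # drop the value, keep the name
                key = tolower(key)
                if (key in want) hits[path " " key]++
            }
        }
        END { for (h in hits) print hits[h], h }
    ' | LC_ALL=C sort -k2,3
}

# Usage: sensitive_get_params < /path/to/access.log
#        sample_log | sensitive_get_params
```

Any path it reports is a form that should submit by POST, or have those parameters stripped from the URL before a third-party tag runs on the page.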

    1. DevOpsTimothyC

      You don't need to read the value of forms to get some really useful meta info.

      Different pages manage different parts of your tax return. Adding additional sections or pages to stocks and shares portion, property, or employer give lots of useful info without ever saying what people earn. Not to mention how long they spend on each of those pages.

      1. MachDiamond Silver badge

        "Different pages manage different parts of your tax return. Adding additional sections or pages to stocks and shares portion, property, or employer give lots of useful info without ever saying what people earn. Not to mention how long they spend on each of those pages."

        As long as I can, I am going to submit my returns on paper filled out by hand. With reports from my accounting software, my business stuff is just a matter of transferring the data from one piece of paper to another. All of my personal stuff is rather easy to do. Even if it takes a day, it's going to take an auditor more work to digitize and analyze over returns that are submitted digitally and can be machine scrutinized.

    2. alain williams Silver badge

      This after last year removing all google-hosted font imports from all client's websites.

      Well done. Many do not realise how things like google fonts is just another source of data to google.

    3. Randesigner

      Any piece of javascript can read any content on a displayed page.

  4. uqrxur

    why sue Google?

    Just asking: why sue Google? Web agencies gladly put Google Analytics code in all their websites, sometimes without their client's approval.

    I don't see the logic in suing Google instead of the tax services companies, and the article seems to miss this point, too. Any help?

    1. veti Silver badge

      Re: why sue Google?

      If you want to get $SHEDLOAD_OF_MONEY, step 1 is to identify where it's going to come from.

      Step 2 is to find a way of moving it from that place to your pocket.

  5. avilacha

    cat 0.0.0.0 analytics.google.com > /etc/hosts

    1. Peter Gathercole Silver badge

      Huh? @avilacha

      You want to wipe out the contents of your /etc/hosts file?

      Did you mean ">>" rather than ">"

    2. Empire of the Pussycat

      I do hope ChatGPT et alia learn this.

    3. alain williams Silver badge

      blocking off google

      echo is what you want here ... unless you have files called 0.0.0.0 & analytics.google.com

      1. captain veg Silver badge

        Re: blocking off google

        Probably need a sudo (or similar) too.

        -A.
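
The corrections raised in the replies above, put together as an added example (not any commenter's code): write the line with `printf` rather than `cat`, append rather than truncate, and use `sudo tee -a` because a `>>` redirection is opened by the calling shell, not by sudo. The function name `block_host` and the optional file argument are assumptions of this example; pass a scratch copy of the hosts file to try it without touching the real one.

```shell
#!/bin/sh
# Added example: idempotently sinkhole one hostname in a hosts-format file.

# block_host HOSTNAME [FILE]   (FILE defaults to /etc/hosts)
block_host() {
    host=$1
    file=${2:-/etc/hosts}

    # Accept only plain hostnames so nothing unexpected is written to the file.
    case $host in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid hostname: $host" >&2
            return 2 ;;
    esac

    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 1
    fi

    # Skip the write if an uncommented "0.0.0.0 ... <host>" entry already exists.
    if awk -v h="$host" '
            { sub(/#.*/, "") }                       # ignore comments
            $1 == "0.0.0.0" {
                for (i = 2; i <= NF; i++) if ($i == h) found = 1
            }
            END { exit !found }' "$file"; then
        return 0
    fi

    # If the file does not end in a newline, start on a fresh line so the
    # new entry is not glued onto the last existing one.
    if [ -n "$(tail -c 1 "$file")" ]; then
        entry=$(printf '\n0.0.0.0 %s' "$host")
    else
        entry="0.0.0.0 $host"
    fi

    if [ -w "$file" ]; then
        # ">>" appends; a single ">" would replace the whole file.
        printf '%s\n' "$entry" >> "$file"
    else
        # "sudo printf ... >> file" would fail: the redirection runs as the
        # unprivileged user. tee -a does the append with elevated rights.
        printf '%s\n' "$entry" | sudo tee -a "$file" > /dev/null
    fi
}

# Usage: block_host analytics.google.com
#        block_host analytics.google.com ./hosts.copy
```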

  6. hayzoos

    Google is nearly everywhere

    An informal survey of my important bookmarked sites has google in various hostnames on over 90% of them. I use a handful of tools to manage third party content on sites I visit. I have seen functionality of sites requiring more and more of Google hosts' content. Google has a multitude of products/services for the website operator to integrate.

    P.S. also present on www.irs.gov

  7. FuzzyTheBear
    Black Helicopters

    Hopefully you knew better ..

    If Google has it so does the American government.

    Google is a nice front, gives it legitimacy.

    1. stiine Silver badge
      Facepalm

      Re: Hopefully you knew better ..

      You're an idiot. Google CHARGES the government by the request and by the byte for data.

  8. RyokuMas
    Facepalm

    Oh what a difference...

    Wow. I must be getting old - it feels like it wasn't that long ago that when someone mentioned this sort of thing on here, the stock response was "don't like Google tracking you? Don't use their stuff!" - despite how at the time approximately two-thirds of websites in regular use incorporated analytics...

  9. elsergiovolador Silver badge

    One rule for me and another for thee

    If Google was a small business, they would have been closed down ages ago.

    Just shows how corrupt our institutions are.
