GDS’s GA Premium account contractually prevents Google from investigating the data, and Google self-anonymises with a flag in their API[1]. If you don’t trust them then that’s fine, but for functionality vs cost it seems to be the best option.
For what it’s worth, for extremely sensitive projects like GOV.UK Verify other options are fine; Verify uses a local Piwik instance.
You’re also welcome to block that specific JS or just turn off JS completely on GOV.UK properties - everything has to work without JS to go live on GOV.UK.[2]
It's not about you trusting somebody to handle the data. It's just that the data should not exist at all outside of you and the gov.
As soon as the data exists somewhere else, there is a way to misuse it and a chance it will happen. In todays word, those don't even require a lot of imagination to find because it already happened and is currently happening.
At what point is it, though? From the Client or when it hits the server. If it is the later, we can’t know if three letter agencies intercept the traffic before it gets anonymized.
Furthermore, it is often possible to de-anonymize data especially if you have an extensive knowledge of users and their data such as google. But even then, you can also de-anonymize data
The client can’t anonymise the IP as it connects to the Google server which then will implicitly know it. What the flag does is tell the server to anonymise it from that point onwards. From my original link:
When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case.
I still can't believe people are happy using Verify.
I very reluctantly tried to use it as I don't want to give all my data to any of the companies you listed, and yet it failed to identify me using the two companies I was allowed to pick.
I really don't see how it's acceptable to force users to give so much personal data to a handful of randomly selected private companies, on the off-chance that they already have it.
I'm in a similar situation to you. Last time I tried to verify my identity, two of the companies refused to do so because I don't have a full driving license, only provisional; and the other two didn't require a driving license but refused to accept that I exist, naturally without telling me what I should do about it.
The concerning part was what happened when I tried to cancel the process. The companies told me that they would delete all the data I had submitted to them, but when I tried again a year later, I was invited to resume my application, and all my data was still in their systems!
[edit] Just tried to go through the process again to see if anything has changed. I picked Royal Mail as an identity provider but was unable to finish because I had to upload a scan of a phone contract, which I don't have since I use pay as you go! Bloody waste of time!
>> GDS’s GA Premium account contractually prevents Google from investigating the data
And we all know that means it's safe forever, and isn't in any sort of jeopardy the moment it crosses a border, or in fact the moment it escapes to a third party at all.
It's all industry standard so it must be fine!
>> For what it’s worth, for extremely sensitive projects like GOV.UK Verify other options are fine; Verify uses a local Piwik instance.
Then gov.uk should use a local Piwik instance for everything, GDS are clearly not incapable of it.
FYI I can and do block google analytics JS. It shouldn't be there in the first place, I shouldn't have to block it when interacting with my own government.
Are you at GDS? Please can you tell your friends at HMRC that the login system is the most janky UX I've ever experienced and is prone to social engineering due to how complex it is.
Totally agreed. After I lost my login details to sign into HMRC portal to do my self assessment, it was almost impossible to recover my credentials.
Impossible over the phone as they wanted to send a paper letter to my address and I was just moving to a new place (and doing some travel before that) so I had no more access to the address HMRC had on file.
I finally gave up and just asked my accountant to do it on my behalf. He somehow managed to sort this out with HMRC.
There is no flow to recover your username and password (or generate new one) with your email address which is maddening.
> GDS’s GA Premium account contractually prevents Google from investigating the data
What's the penalty for completely disregarding that?
Is it anywhere near large enough to justify them not disregarding it?
More to the point: Pretty much the only thing a contract can do is impose a monetary penalty. Even if it's quite large, it's still only money, and Google rakes in money by the bushel basket from selling data to advertisers. Therefore, it isn't a very convincing penalty.
in this specific case they would be messing with the UK government on a controversial topic in the public view... the contractual penalty would be the least of their worries
Right, but those companies don’t know what services people are trying to use Verify for (in the same way that the services don’t know which identity provider you used). The part of Verify that uses Piwik is the hub in the middle that brokers the identity flow.
But you still have to give the Verify companies enough data that a breach of their systems would be very serious. Eg. If the Post Office (an organisation that recently falsely sent a load of employees to prison due to their own cocked up IT project) gets hacked, they have (or could have) dates of birth, 6 years of addresses, email addresses, etc. of a good number of gov.uk users.
You don’t give the majority of those details to the Post Office (or other providers), they ask you questions about the data they already hold on you. The passport and driving licence information is checked via APIs provided from the government to accredited companies, and the system is designed such that that data isn’t stored by the identity providers (beyond a flag to say that that form of identity has been verified).
For what it’s worth, for extremely sensitive projects like GOV.UK Verify other options are fine; Verify uses a local Piwik instance.
You’re also welcome to block that specific JS or just turn off JS completely on GOV.UK properties - everything has to work without JS to go live on GOV.UK.[2]
[1] https://support.google.com/analytics/answer/2763052?hl=en
[2] https://www.gov.uk/service-manual/technology/using-progressi...