Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

GDS’s GA Premium account contractually prevents Google from investigating the data, and Google self-anonymises with a flag in their API[1]. If you don’t trust them then that’s fine, but for functionality vs cost it seems to be the best option.

For what it’s worth, for extremely sensitive projects like GOV.UK Verify other options are fine; Verify uses a local Piwik instance.

You’re also welcome to block that specific JS or just turn off JS completely on GOV.UK properties - everything has to work without JS to go live on GOV.UK.[2]

[1] https://support.google.com/analytics/answer/2763052?hl=en

[2] https://www.gov.uk/service-manual/technology/using-progressi...



GDS’s GA Premium account contractually prevents Google from investigating the data

Does it prevent US government from getting this data with a court order?


This guy is asking the right thing.

It's not about you trusting somebody to handle the data. It's just that the data should not exist at all outside of you and the gov.

As soon as the data exists somewhere else, there is a way to misuse it and a chance it will happen. In todays word, those don't even require a lot of imagination to find because it already happened and is currently happening.


> Does it prevent US government from getting this data with a court order?

Of course not. Also it does not prevent governments and other organizations from illegally extracting that data from Google, as it happened.


>Google self-anonymises with a flag in their API

Even if they could, they wouldn't be able to find it.


At what point is it, though? From the Client or when it hits the server. If it is the later, we can’t know if three letter agencies intercept the traffic before it gets anonymized.

Furthermore, it is often possible to de-anonymize data especially if you have an extensive knowledge of users and their data such as google. But even then, you can also de-anonymize data

https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf

https://www.wired.com/2007/12/why-anonymous-data-sometimes-i...


The client can’t anonymise the IP as it connects to the Google server which then will implicitly know it. What the flag does is tell the server to anonymise it from that point onwards. From my original link:

When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case.


I still can't believe people are happy using Verify.

I very reluctantly tried to use it as I don't want to give all my data to any of the companies you listed, and yet it failed to identify me using the two companies I was allowed to pick.

I really don't see how it's acceptable to force users to give so much personal data to a handful of randomly selected private companies, on the off-chance that they already have it.


I'm in a similar situation to you. Last time I tried to verify my identity, two of the companies refused to do so because I don't have a full driving license, only provisional; and the other two didn't require a driving license but refused to accept that I exist, naturally without telling me what I should do about it.

The concerning part was what happened when I tried to cancel the process. The companies told me that they would delete all the data I had submitted to them, but when I tried again a year later, I was invited to resume my application, and all my data was still in their systems!

[edit] Just tried to go through the process again to see if anything has changed. I picked Royal Mail as an identity provider but was unable to finish because I had to upload a scan of a phone contract, which I don't have since I use pay as you go! Bloody waste of time!


>> GDS’s GA Premium account contractually prevents Google from investigating the data

And we all know that means it's safe forever, and isn't in any sort of jeopardy the moment it crosses a border, or in fact the moment it escapes to a third party at all.

It's all industry standard so it must be fine!

>> For what it’s worth, for extremely sensitive projects like GOV.UK Verify other options are fine; Verify uses a local Piwik instance.

Then gov.uk should use a local Piwik instance for everything, GDS are clearly not incapable of it.

FYI I can and do block google analytics JS. It shouldn't be there in the first place, I shouldn't have to block it when interacting with my own government.


Are you at GDS? Please can you tell your friends at HMRC that the login system is the most janky UX I've ever experienced and is prone to social engineering due to how complex it is.


Totally agreed. After I lost my login details to sign into HMRC portal to do my self assessment, it was almost impossible to recover my credentials.

Impossible over the phone as they wanted to send a paper letter to my address and I was just moving to a new place (and doing some travel before that) so I had no more access to the address HMRC had on file.

I finally gave up and just asked my accountant to do it on my behalf. He somehow managed to sort this out with HMRC.

There is no flow to recover your username and password (or generate new one) with your email address which is maddening.


Sadly looks like there's a turf war going on. So dumb.

[1] "HMRC rejects Gov.uk Verify", http://www.computerweekly.com/news/450412927/HMRC-rejects-Go... [2] http://www.computerweekly.com/news/450301278/Revealed-The-ba...


> GDS’s GA Premium account contractually prevents Google from investigating the data

What's the penalty for completely disregarding that?

Is it anywhere near large enough to justify them not disregarding it?

More to the point: Pretty much the only thing a contract can do is impose a monetary penalty. Even if it's quite large, it's still only money, and Google rakes in money by the bushel basket from selling data to advertisers. Therefore, it isn't a very convincing penalty.


in this specific case they would be messing with the UK government on a controversial topic in the public view... the contractual penalty would be the least of their worries


> messing with the UK government on a controversial topic in the public view

Is it in the public view? How many Daily Mail headlines about Google Analytics have you read ever?


So how does the average user verify this API flag then?

This kind of stuff should be opt-in for users, but Google know that hardly anyone would want to be tracked by them if they were given a clear choice.


It's nice that Verify uses an internal analytics system, but the whole point of Verify is to outsource identifying people to private companies.


That's because there was massive protest against a centralised ID system in the UK, which led to it being shut down.

https://www.theguardian.com/politics/2010/may/27/theresa-may...


Right, but those companies don’t know what services people are trying to use Verify for (in the same way that the services don’t know which identity provider you used). The part of Verify that uses Piwik is the hub in the middle that brokers the identity flow.


But you still have to give the Verify companies enough data that a breach of their systems would be very serious. Eg. If the Post Office (an organisation that recently falsely sent a load of employees to prison due to their own cocked up IT project) gets hacked, they have (or could have) dates of birth, 6 years of addresses, email addresses, etc. of a good number of gov.uk users.


You don’t give the majority of those details to the Post Office (or other providers), they ask you questions about the data they already hold on you. The passport and driving licence information is checked via APIs provided from the government to accredited companies, and the system is designed such that that data isn’t stored by the identity providers (beyond a flag to say that that form of identity has been verified).


That's all good; but most users aren't aware of blocking Javascript on specific domains.

Privacy is opt-in, not opt-out.


I know you get asked this kind of question in every thread, but do you know where I can send questions about the judiciary.gov site?

They hold the coroner's letters to prevent future deaths, but the search is not useful.

It would be good if I could search and return every letter about eg deaths by suicide or railway deaths or etc.

It seems a shame to have all these reports to prevent future death locked away.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: