
Unfortunately it's attitudes like this that usually end up making Government projects so eye-wateringly expensive.

Assuming they listen to your suggestion and act on it as you suggest, it seems the only option open to them is to design their own in-house (In UK for that matter) version of Google Analytics to do their own analysis. Regardless of the cost and time this would add to the project, it's unlikely that it would be anywhere as good as Google's offering.

The other, more likely, option would be to decide it's too expensive to implement a different, more complicated, solution; so they don't bother. They don't get the feedback and analysis on how to improve their services and the customer experience declines until you're back where you started with a poorly designed product offering hard-to-find information and people are posting angry comments on HackerNews about how bad gov.uk is and how they would never run a start-up like that... I'm almost certain someone would say "Why don't they use google analytics to improve things, like everyone else".

Instead, we need to be applauding a massive operation like Gov.uk for taking a dose of reality and thinking, "we're not doing anything amazingly special here, we're providing people with a quick way to check their council tax, or bin collection dates, or maybe pay their car tax. Let's just get the job done as best we can."




> the only option open to them is to design their own in-house (In UK for that matter) version of Google Analytics to do their own analysis.

They could just install Mint on their own servers. Problem solved.

http://www.haveamint.com/


I'm sorry what? F*ck privacy, this way is more expedient? Is that what you're saying in effect?

That's not what I want from my government.

--edit-- I also didn't make any suggestions, I would have accepted a reasonable explanation of the legal and technological measures that were in place to protect my data from rampant proliferation through US corporate and government systems.

Instead I got (and this is a direct quote) "We don't allow Google to use or share our analytics data.", and a zendesk reference number. Fobbed off, basically.

And with the zendesk link, now my actual communication with a UK government team is being processed in the bay area.

This is unacceptable.

--edit 2-- Somehow other large UK web-based institutions manage without GA as well. The BBC for instance. Perhaps they could talk to each other.


> This is unacceptable.

Before you start the lynch mob, ask yourself this: what on earth can one do with non-person-identifiable data stored on a server?

"Next on BBC - Terrorist organisation finds out too many British people forget to update their MOTs"

> That's not what I want from my government.

Be very very fortunate you can even get a somewhat usable site, much less a very user friendly site. There are citizens of the other nations that would kill for easier access to public information.


Of course it's personally identifiable. AOL https://en.wikipedia.org/wiki/AOL_search_data_leak and more recently Netflix http://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf tried to anonymize datasets and failed. With a website, you can geo-locate the IP, cross-reference with timestamps, and probably ID more than half the users. Someone tested how hard it is: http://web.mit.edu/newsoffice/2013/de-anonymize-cellphone-da... With 4 location datapoints + timestamps, you can differentiate 95% of people.


But if they identify that "Jim English" has visited the MOT description website 10 times in the last month...so what?

Google analytics for a publicly facing government website is akin to someone watching you walk physically into a public municipality.


Someone in another country, not subject to the same laws about how that sort of data is collected and used.

Actually it's not even equivalent then. It's more like them recording the conversation you have with the public services folk. And you haven't actually gone there, just called on the phone.


> recording the conversation

This is where I'm really failing to understand your logic. Your activity is very different from what you converse. If I fill out a web form and that data gets logged, fine, I can see how privacy may be an issue. Unless someone can correct me, Google analytics does not have that capability, it only tracks how you navigate.

If I walk around a public library and check out 6 books and someone follows me around watching me look at 6 books, then again I ask "so what?"


In the largely broken analogy, you might phone the DVLA, ask to speak to a certain department (driver licenses, vehicle tax), then perform a specific task (apply for a new license). This maps to your navigation around the pages. Previously you would not really expect a third party in another country to be informed you were doing this, and I don't think it's necessary now.

>> If I walk around a public library and check out 6 books and someone follows me around watching me look at 6 books, then again I ask "so what?"

They compile a dossier on you, including everything you read, all of the shops you go to, food you like. They sell this data to whoever wants it and leak it out the back door to overseas government agencies.

But I guess you've nothing to hide from anyone eh? Good for you.


>In the largely broken analogy, you might phone the DVLA, ask to speak to a certain department (driver licenses, vehicle tax), then perform a specific task (apply for a new license). This maps to your navigation around the pages. Previously you would not really expect a third party in another country to be informed you were doing this, and I don't think it's necessary now.

But that's the point I think he's trying to make: Why is this an issue? If I open up a page on the site that, say, tells me what the VAT rate is and that gets timestamped and sent to google, why should it matter?

The site is purely for information. They could - as you say - get wind of the fact that I want to apply for a new passport. So what? That (at least in my mind) isn't a privacy issue.


>> The site is purely for information.

Well, not really, it directs you to portals for various services.

>> They could - as you say - get wind of the fact that I want to apply for a new passport. So what? That (at least in my mind) isn't a privacy issue.

I think it is and I would be upset about (for instance) my library browsing habits being supplied to people as well, particularly if they were based in places with far less in the way of data protection law.

You may as well say "Why would anyone care about PRISM? Who cares who knows I call my mom every week?", yet it's the biggest story around at the moment.


I certainly understand where you are coming from, I just think that the issue of having this data supplied to Google isn't really that important to warrant spending a tremendous amount of the budget to do an in house system.

The fact is that the web is not anonymous in its nature. If I browse to a random site I've never heard of, how do I know they aren't using a third party image? If they are, then my IP/Location will be broadcast to that third party.


>> I just think that the issue of having this data supplied to Google isn't really that important to warrant spending a tremendous amount of the budget to do an in house system.

Well I think they probably have a tremendous budget, and a variety of FOSS or third party (but running in-house) solutions have been mentioned in comments here, that could likely do the job.

>> The fact is that the web is not anonymous in its nature.

It's not really about anonymity though, it's about who the government is (deliberately) sharing data with or leaking data to. I'm not asking for anonymity in who I intend to interact with (UK government services), I'm asking them to think about who they share that data with.

>> If I browse to a random site I've never heard of, how do I know they aren't using a third party image? If they are, then my IP/Location will be broadcast to that third party.

When it is a page run by one's own government, one can have different expectations and even ask for things to be changed not to leak such data. Or at least ask if they've thought about it.

However this is also why I tend to block things like social media buttons, I have no desire for FB or Google to be informed every time I read ... well just about anything online these days.


>> Before you start the lynch mob, ask yourself this: what on earth can one do with non-person-identifiable data stored on a server?

How do we know it's non-person-identifiable? It's certainly clear that the analytics data comes from a set IP address, and when correlated with all the other data that big G collect from all over the web, who knows what can come out of it.

>> Be very very fortunate you can even get a somewhat usable site, much less a very user friendly site.

1. It's not just an information site. 2. Why should Google (and by extension the US government) be informed that I'm looking up (for instance) legal advice, business law or anything else?

Again, this is my interactions with my government being published to another nation.

--edit-- removed accusations of laziness, I'm sure the gov.uk folks aren't that.


Why should one part of the UK government be informed about your interactions with another part?

We have no framework for digital privacy, and until we see an emergent consensus there will not be one.

Here, on this site, we have informed, reasonable people disagree on fundamental definitions of online privacy.

I am unsure where to begin.


Right, so because we haven't got a full and complete legal framework and associated consensus driven moral framework in this area, we should just relax and give up on the whole idea?

We already have data protection frameworks in the UK and at the EU level. I would like to see them adhered to in spirit, and I would also like to know that someone involved in the gov.uk has at least given this a moment's thought.


Clearly not give up. But we should have at least a clear idea of where we want the debate to go to. You say you want the DPA adhered to in spirit - great. It is adhered to in the letter of the law, and there are many interpretations of the spirit of that law.

My view is that the spirit of the law needs to be codified for a new world, and it is healthier to have that clear (and so open for debate) than to say someone is violating my idea of what the law should be.

My starter for 10:

* Privacy is merely a politeness, and does not actually "exist". The expectations of privacy are the expectation for data to not be exploited without our consent.

* All digital communications and associated metadata are made in a public domain, and should have very limited expectations of privacy.

* If digital communication is encrypted, or marked as anonymous, then it should be legally viewed as having an expectation of privacy and similar penalties applied for interfering with that as with post.

* Any monitoring of digital activity that can be linked to an individual human must be publicly acknowledged by the monitoring organisation and the data released / published unless the individual has given consent for identifying data to be stored and processed to that organisation.

It's a thought in progress.


>> All digital communications and associated metadata are made in a public domain, and should have very limited expectations of privacy.

This is where we depart. Just because it is a public network does not mean that people somehow naturally consent to monitoring by anyone and everyone, nor that they should have to consent to this stuff. The telephone network is a good example of public and private infrastructure in which one still has the expectation of privacy.

>> If digital communication is encrypted, or marked as anonymous

And what if someone, mostly without notifying us, loads a script into our browser that tracks everything we do and reports back to mother?

This is not a case of people marking data private, nor is it 'digital communication' this is intrusion.


Also why?

Why should we accept that the government will report everything about its own citizens to anyone they feel like?

Because it makes it easier for a few web developers? Is that really a good enough reason?


Which part is unacceptable - the fobbing off part, or the some data gets sent to a country that tortures people, spies on all its citizens indiscriminately and has not signed up to common international treaties.

I think that before Snowden most people, myself included, would have thought not using google analytics for the above reasons was paranoia.

Now, I think that all digital data should be treated as public and until we change the law to have a public / private demarcation, we need to accept it and deal.

(I see this as a pollution issue, until we get a clean air act, everyone will walk around with cloths across their mouths)

edit: little less troll like:

We have no framework for digital privacy, and until we see an emergent consensus there will not be one. Here, on this site, we have informed, reasonable people disagree on fundamental definitions of online privacy. So the first step here is to ask, "privacy in the US is based on two things, actions in one's own home are protected by default, and written communications between yourself and others are protected, and publishing is an explicit act"

What do those things now mean in a world of mobile phones, internet and metadata?


>> Which part is unacceptable

Pretending it's a non-issue and not addressing concerns AND then using an overseas helpdesk service, such that now not only are analytics being sent to the US, but actual communication between a UK citizen and the UK government.

But particularly the latter half.

>> I think that before Snowden most people, myself included, would have thought not using google analytics for the above reasons was paranoia.

Most people haven't been paying much attention then.

>>Now, I think that all digital data should be treated as public and until we change the law to have a public / private demarcation, we need to accept it and deal.

Cool, if that's your attitude to this. Some of us would prefer to prevent our government being complicit wherever possible. They may already be in breach of various regulations and I do intend to be in contact with the ICO soon.


This just sounds like a paranoid rant. If you have a problem with it, either don't visit the site or block the analytics. The reason they are using it is pretty obvious, like everyone else that builds digital services, they want to look at how it gets used. It is a non issue, that's not pretending, it's just putting on a rational hat and taking off the silly rhetoric of paranoia.

Personally, as someone who left the UK in the 90's for silicon valley, I'm blown away that the UK government has even heard of the internet, let alone built a decent digital service.


>> It is a non issue, that's not pretending, it's just putting on a rational hat and taking off the silly rhetoric of paranoia.

I'm glad you're happy to publish all the details of your interactions with government services to an advertising company in another country with far less in the way of data protection law.

I'm not.


So you're back to "Block the Analytics" and everyone is happy!

Or are you saying instead that you should impose your own personal choice on everyone else?


I'm saying I'd like to know what sort of privacy analysis was done here, whether it's in compliance with EU and UK privacy and data laws, and whether it's a good idea at all.

Just because I know how to block analytics doesn't mean everyone else has a clue they even exist, nor that we should allow our government to export data about us in this way.


Curious, do you use any one of the following services:

Amazon

Google (and any service under it)

Facebook

eBay

?


I use some of them.

None of them, however, is the UK government unnecessarily leaking details of my interactions across borders.


No, what they're saying is, "How much more in taxes do you want to pay to get them to stop using Google Analytics?"


And the answer is "some".

As a proportion of the whole development cost, using either an EU based analytics service or in-house server shouldn't really be significant.

But even before that I'd like to have some indication that someone has actually thought about what they're doing, rather than just stuffed in GA because that's what you do in the private sector.


I cannot upvote you as much as I want.

Yes, yes, yes. The only time we should consider these attitudes is when real keep it from everyone security matters (you know MI5 style security, not pentest security)

And frankly my view on that is now: want to keep a secret? Keep it away from computers.


What if I don't want everyone in the world to know everything about what I do with a computer?

They're more and more part of everyone's life and not everyone is of the mindset that it doesn't matter if corporations and governments get to look at every little detail of their online interaction. Car tax, criminal law, the weekly shop at tesco.com ... all going to the profilers.

I know this is happening. I know how to stop some of it. But everyone else?


yes, I know - but there is a difference between privacy and secrecy.

Privacy is the things anyone can work out by looking at me, secrecy is the stuff I actively hide.

The cost of breaching privacy on mass scale has dropped simply because now everyone publishes everything about themselves.

Breaching secrecy is still a manual intensive effort as it ever has been.


People are not publishing this data willingly or knowingly.

That's your disconnect with reality.



