Posted March 30, 2012
I have been surprised and alarmed to find that details of every order, by every customer, have been sent to Google via their Google Analytics service. The details sent to Google are as follows:
* Order ID
* Store name (GOG in this case)
* Order total
* Country where order was placed (presumably using geotracking - I was identified as coming from the Netherlands even though I placed the order in the UK).
Further details are then included on each item in the order:
* SKU code
* Game title
* Category ("game" in this case)
* Cost
* Quantity
This transfer of data occurs on the "thank you" page that appears after confirming an order. Anyone viewing the HTML source of this page (right-click and select "View Source" or "Source" depending on your browser) can see for themselves the data sent, by scrolling down to the end and checking the code just above the <!-- social --> tag.
How to Stop This
Since (encrypted) HTTPS is used, most ad blockers will not be able to filter this traffic (including Internet security suites and firewalls). The only exception I know of is Proxomitron and that has to be specially configured to do so. Browser plugins *should* be able to filter such traffic and using them to block all access to google-analytics.com should work.
Another alternative for Opera users is to configure their browser to prompt them before connecting to any https: site - this will result in repeated prompts due to GOG now incorporating Facebook/Twitter/SellMySoul links (which also use https on order pages) but then provides a good indication of how much tracking goes on. See the Dangers of HTTPS thread at Wilders Security for more details on how to do this.
Summary
This is a clear violation of GOG's own Privacy Policy ("...We do not share your personal details with outside third parties without your consent.") since this data disclosure happens without customers being informed let alone asked and, as a long-term customer, I am outraged to see what should be private information being hawked off to one of the Internet's largest (and almost certainly the largest) data trackers. I ask that GOG puts a stop to this policy as soon as possible.
Technical Details
For those curious, the exact code sending data on my order to Google (which, due to the above procedure, I was able to block) is as follows:
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-6605418-1']);
_gaq.push(['_trackPageview']);
_gaq.push(['_addTrans',
    'V92FZDJM8AH', // order ID - required
    'GOG.com', // affiliation or store name
    '2.99', // total - required
    '0', // tax
    '0', // shipping
    '', // city
    '', // state or province
    'Netherlands' // country
]);
_gaq.push(['_addItem',
    'V92FZDJM8AH', // order ID - required
    '1207658829', // SKU/code - required
    'Arcanum: Of Steamworks and Magick Obscura', // product name
    'game', // category or variation
    '5.99', // unit price - required
    '1' // quantity - required
]);
_gaq.push(['_trackTrans']); // submits transaction to the Analytics servers
</script>
Post edited March 30, 2012 by AstralWanderer
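Added example, not part of the original post: a small Node.js audit script that reads a saved order-confirmation page and lists which `_gaq.push` commands it contains, mapping the `_addTrans` and `_addItem` arguments to named fields in the order given by the comments in the quoted snippet. The function names and the sample page (placeholder values, not a real order) are constructed for illustration.

```javascript
// Field order follows the comments in the snippet quoted in the post.
const FIELDS = new Map([
  ['_addTrans', ['orderId', 'affiliation', 'total', 'tax', 'shipping', 'city', 'state', 'country']],
  ['_addItem', ['orderId', 'sku', 'name', 'category', 'unitPrice', 'quantity']],
]);

// Collect quoted string literals from an array body, skipping // comments
// so that an apostrophe inside a comment is not mistaken for a string.
function stringLiterals(body) {
  const out = [];
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '/' && body[i + 1] === '/') {
      while (i < body.length && body[i] !== '\n') i++; // skip to end of line
    } else if (c === "'" || c === '"') {
      let s = '';
      for (i++; i < body.length && body[i] !== c; i++) {
        if (body[i] === '\\') i++; // keep the escaped character itself
        s += body[i];
      }
      out.push(s);
    }
  }
  return out;
}

// List every _gaq.push([...]) command in the page source; e-commerce
// commands get their arguments mapped to named fields.
function auditGaq(html) {
  const report = [];
  for (const m of html.matchAll(/_gaq\.push\(\[([\s\S]*?)\]\)/g)) {
    const [command, ...args] = stringLiterals(m[1]);
    const names = FIELDS.get(command);
    const fields = names ? Object.fromEntries(names.map((n, i) => [n, args[i] ?? ''])) : null;
    report.push({ command, fields });
  }
  return report;
}

// Constructed sample page with placeholder values (not the poster's order).
const SAMPLE = `<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXXXX-1']);
_gaq.push(['_addTrans',
  'ORDER-0001',     // order ID
  'Example Store',  // the store's name
  '9.99', '0', '0', '', '', 'Exampleland']);
_gaq.push(['_addItem', 'ORDER-0001', 'SKU-42', "Example Game: It's Here", 'game', '9.99', '1']);
_gaq.push(['_trackTrans']);
</script>`;
console.log(JSON.stringify(auditGaq(SAMPLE), null, 2));
```

To check a real page, save its source to a file and pass the contents of `fs.readFileSync(path, 'utf8')` to `auditGaq` instead of `SAMPLE`.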