Is Google Analytics tracking you through your favorite open source application

I was playing around with an open source video editor named OpenShot when I suddenly felt a familiar shiver going down my spine. I felt the unmistakable presence of evil, and it was coming from inside my own computer. ‘You will know me as the Google Analytics measurement protocol’ the beast answered upon detection.

By having a closer look at the data OpenShot was trying to deliver, it’s clear that the software is only collecting usage metrics and even instructs Google to anonymize our IP address (aip=1). Refer to the protocol parameter reference for an explanation of the additional parameters. The data below is captured by mapping google-analytics.com to localhost.

"GET /collect?cd4=5.5.1&av=2.1.0&aid=org.openshot.openshot-qt&an=OpenShot+Video+Editor&cd1=0.1.2&t=screenview&cd2=3.5.2&cd=initial-launch-screen&cd5=unknown-gnu-linux&v=1&cd3=5.5.1&ua=Mozilla&tid=UA-4381101-5&aip=1&ul=en&cid=ae4g11 HTTP/1.1" 404 456 "-" "

Unfortunately Google only masks the last octet of an IPv4 address so you’ll achieve the same level of anonymity by sticking your head in the sand. Neither will there be any anonymity concerning the actual connection you’ll establish with the Analytics server. In short, “anonymity” is only related to the metrics data stored on Google’s service, you know, the data they’ll make their profit off.

OpenShot Metrics

OpenShot metrics screen

The main issue I have with OpenShot is not the use of Google Analytics but the fact that the software collects metrics and ships it off to Google without offering any notice or a way to opt-out. You may disable the metrics collection if you are able to track down the right setting from within the application, but what makes it problematic is being enabled by default.

The developer should also make sure to adhere with Google’s stated policy:

You will give your end users proper notice about the implementations and features of Google Analytics you use. You will either get consent from your end users, or provide them with the opportunity to opt-out from the implementations and features you use.

I don’t believe I’ll be spending any more time with this particular piece of software.