Privacy Policy Violation: Improper Web Analytics / User Tracking

VERIFIED FIXED in 2.5

Status

VERIFIED FIXED
7 years ago
6 years ago

People

(Reporter: amuntner, Assigned: craigcook)

Tracking

unspecified
x86_64
Linux

Details

(Whiteboard: u=user c=security p=1)

Attachments

(1 attachment)

** Summary: Privacy Violation - Improper Web Analytics / User Tracking


** Reproduction Steps: 

1. Visit HTTP://developer.mozilla.org/en/HTML/Canvas

2. View source

3. Search for the string "UA-68075-16" to navigate to the affected code. (reproduced below)

</div><script type="text/javascript">$(function() {var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");$.getScript(gaJsHost + "google-analytics.com/ga.js", function() {try {var pageTracker = _gat._getTracker("UA-68075-16");pageTracker._setDomainName(".mindtouch.com");pageTracker._trackPageview();} catch(e) {}});});</script>


** Recommended Remediation: Remove the javascript
Whiteboard: u=user c=security p=
Target Milestone: --- → 2.5
Can you point to what's actually violating any policy? Is it the ".mindtouch.com", or the fact that we're using GA at all? Do we have any other analytics on MDN?
(Reporter)

Comment 2

7 years ago
UA-68075-16 is a google analytics cookie owned by mindtouch.com. Mozilla doesn't get these analytics, they do. 

I looked further, and it appears to be on every page of MDN under Docs. 

A web search turned this up: http://forums.developer.mindtouch.com/showthread.php?9620-Google-Analytics-default-Account-ID

indicating this is likely a widespread issue for all mindtouch customers. 

Anyone know who has a relationship with Mindtouch/can put me in touch with someone there?
(Reporter)

Comment 3

7 years ago
http://developer.mindtouch.com/en/kb/Configuration_keys_and_values

Configuration of the MindTouch API service is handled by a startup xml file (/etc/dekiwiki/mindtouch.deki.startup.xml) and the database table 'config'. [SNIP]

ui/analytics-key	UA-68075-16

It's a default mindtouch configuration; it sounds like their installation docs probably don't mention changing this value.
I left a comment on http://forums.developer.mindtouch.com/showthread.php?486-Google-Analytics but we'll remove this from the footer code ourselves if there's no way to disable it via configuration.
(Reporter)

Comment 5

7 years ago
Luke - nice find! On the page you linked to, I saw one to http://developer.mindtouch.com/Deki_Wiki/Features/Google_Analytics - based on this page, it looks like the answer is to just blank the field in the config.

Are there any other Mozilla sites using this wiki software? They may have the same issue.
(In reply to Adam Muntner :adamm from comment #5)
> Are there any other Mozilla sites using this wiki software? They may have
> the same issue.

Absolutely not. :)

We do have a support contract with MindTouch if we need it, but hopefully this is something we can change via configuration or a template.
There is a Google Analytics entry on the MDN control panel: https://developer.mozilla.org/deki/cp/analytics.php

The UA string is currently empty. (Maybe somebody just flipped it)
The config change didn't affect local so I think we'll have to do this with a template/skin change.
Whiteboard: u=user c=security p= → u=user c=security p=1
Assignee: nobody → lcrouch
Created attachment 604604 [details] [diff] [review]
remove analytics call
Attachment #604604 - Flags: review?(craigcook.bugz)
Assignee: lcrouch → craigcook.bugz
(Assignee)

Comment 10

7 years ago
Comment on attachment 604604 [details] [diff] [review]
remove analytics call

Patch applied in r102846
Attachment #604604 - Flags: review?(craigcook.bugz) → review+
(Assignee)

Updated

7 years ago
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
qa-verified-trunk https://developer-stage9.mozilla.org/en/HTML
verified fixed https://developer.mozilla.org/en-US/
Status: RESOLVED → VERIFIED
Component: Docs Platform → Editing
Product: Mozilla Developer Network → Mozilla Developer Network
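
A check for the condition reported in this bug, as an added example that is not part of the bug thread or of the MDN or MindTouch code: it scans page source for Google Analytics property IDs the site does not own and for `_setDomainName` values outside the site's own domain. The function name `audit_page`, the finding labels, and the `FIXED` and `OWNED` sample pages (including the placeholder ID `UA-00000000-0`) are assumptions made for the example.

```python
import re

# Page source from the report's reproduction steps (trimmed to the script tag).
AFFECTED = ('<script type="text/javascript">$(function() {var gaJsHost = '
            '(("https:" == document.location.protocol) ? "https://ssl." : "http://www.");'
            '$.getScript(gaJsHost + "google-analytics.com/ga.js", function() {try {'
            'var pageTracker = _gat._getTracker("UA-68075-16");'
            'pageTracker._setDomainName(".mindtouch.com");'
            'pageTracker._trackPageview();} catch(e) {}});});</script>')
# Constructed sample: a page after the tracking call has been removed.
FIXED = '<div id="footer"></div>'
# Constructed sample: a site-owned tracker; the property ID is a placeholder.
OWNED = ('<script>var t = _gat._getTracker("UA-00000000-0");'
         't._setDomainName(".mozilla.org");t._trackPageview();</script>')

PROPERTY_ID = re.compile(r"\bUA-\d+-\d+\b")
COOKIE_DOMAIN = re.compile(r"""_setDomainName\(\s*["']([^"']+)["']\s*\)""")


def audit_page(html, site_host, allowed_ids=frozenset()):
    """Return (kind, value) findings for analytics the site does not own."""
    findings = []
    # Any property ID not on the allowlist sends page views to someone else.
    for prop in sorted(set(PROPERTY_ID.findall(html))):
        if prop not in allowed_ids:
            findings.append(("unexpected-property", prop))
    # The cookie domain should be the site host or one of its parent domains.
    for domain in sorted(set(COOKIE_DOMAIN.findall(html))):
        if domain in ("auto", "none"):  # ga.js keywords, not a domain name
            continue
        base = domain.lstrip(".").lower()
        host = site_host.lower()
        if host != base and not host.endswith("." + base):
            findings.append(("foreign-cookie-domain", domain))
    return findings


if __name__ == "__main__":
    for name, html, allowed in (("affected", AFFECTED, frozenset()),
                                ("fixed", FIXED, frozenset()),
                                ("owned", OWNED, frozenset({"UA-00000000-0"}))):
        print(name, audit_page(html, "developer.mozilla.org", allowed))
```

Run against every rendered template rather than one page, since the thread notes the snippet was on every page under Docs and that the control-panel setting alone did not remove it.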