The Blog

Javascript libraries that conflict with Google Analytics

Google Analytics custom implementations are fragile. This may be hard to hear but it’s true. When you use some custom functions of the ga.js library they can affect the format of the Google Analytics cookies (__utma, __utmb, __utmz, ..), if another implementation on the same page tries to read or write to those cookies and it’s configurations are different, chances are that the second one will delete the old cookie and create a new one. When it does so, you lose the reference to the unique visitor and the current session. If you have multiple conflicting trackers on the same site, chances are that at each pageview the cookies are reset spawning a new visitor and a new visit with a (direct)/(none) source/medium. No one wants that.

Google doesn’t recommend the usage of multiple trackers on the same page for that reason. If you are not an expert on the subject it’s very easy to shoot yourself on the foot. And even the experts are messing things out every now and then.

But recently a couple of popular Javascript libraries out there started to include GA trackers on your site. The primary intent is to monitor the usage of their libraries. The problem is that these libraries inject a Google Analytics tracker on your site and are not careful about it. These GA implementations run on your site and share the same cookie as your implementation. They tend to use default configurations for their trackers and if you also have a default configuration you should be safe. But if you were smart enough to customize your GA implementation chances are that yours and the library implementation will be conflicting and things will get ugly.

Right now we’re aware of only 3 libraries that do this:

TypeKit gives you the option to disable this functionality under the TypeKit Editor > Kit Settings. But it’s on by default.

It’s highly recommended that you disable this tracking.

Add to Any currently doesn’t support disabling the Google Analytics code injection. So the only available workaround is to stop using it and move to a similar library, that are a couple out there.

ShareThis allows you to opt out tracking on their privacy policy.

Privacy Implications

I only talked about the technical issues that may arise for these libraries. But you have to keep in mind that while they are gathering data to “monitor usage of their libraries” they are also receiving all your website usage data. Add to Any even have the following statement on their Terms of Service:

Data Rights
In order to provide certain Services, you must allow us to use raw data related to the use and distribution of Your Content (“Data”) that will be collected as part of the Services. You hereby grant AddToAny a non-exclusive, perpetual, worldwide and irrevocable right and license to utilize the Data to track, extract, compile, synthesize, aggregate, and analyze such Data, including, but not limited to, the creation of anonymous and promotional tracking data (“Tracking Data”). We reserve the right to use, reproduce, distribute and display Tracking Data, in our sole discretion.

If you know about any other tool or library that is injecting Google Analytics trackers please let us know on the comments, we’ll update this post and will try to contact the library authors.

This entry was posted in Technology, Web Analytics and tagged , , , , . Bookmark the permalink.
  • http://twitter.com/AnalyticsNinja Analytics Ninja

    ShareThis also injects GA trackers.

    • http://eduardo.cereto.net/ Eduardo Cereto Carvalho

      They’re not really injecting a tracker inside your page. But instead they open an iframe on your site with a tracker inside of it. They can’t mess with your setup this way, but they still receive your stats via their referral so there are some privacy concerns. They are at least more clear about it on their privacy policy and even offer an option to opt-out and you won’t be tracked anymore by the extension. But this is done on a user basis, rather than on a installation basis.

      But thanks for the feedback, I’m adding this to our hall of shame.

      • http://twitter.com/AnalyticsNinja Analytics Ninja

        Thanks for the clarification, Eduardo.  I had only noticed the gif requests but didn’t dig down into the how ShareThis functions.

        Regarding their privacy policy, I dunno, it still seems pretty lame, though it is still way better than Add To Any.  If the opt-out is on a user basis, that means that they are still tracking all other users to my site (and by extension, my site itself) via GA, no?  

        I also just happened to go over to their privacy page just now and opt-out, but I still see gif requests being sent.  The way GA describes *their* opt-out plugins is, “The add-on communicates with the Google Analytics JavaScript (ga.js) to indicate that information about the website visit should not be sent to Google Analytics.”  So I’m not sure what the ShareThis opt-out is actually accomplishing.  Certainly doesn’t appear much from the publisher side of things.

        Lastly, I’m not really understanding how the Add To Any injecting trackers thing works, perhaps you could shed some light on it?  I noticed that gif requests to Add To Any’s tracker have a different domain hash.  If Add to Any was acting as a regular 2nd tracking object, I would expect it to behave like any other 2nd tracker and have the same domain hash, no?  Without the same domain hash, I would think that either a).  Cookies would not be written to the browser because the domain hash is wrong or b). Cookie reset issues happen regardless of additional modifications to cookie settings (_setAllowHash / _setDomainName).  Where were the cookie integrity issues you were noticing Add To Any?  I’m not doubting they exist, I’m just not fully grasping how their JS is working.

        I did notice the existence of a __utma_a2a cookie in my browser.  A brief look at Add To Any’s JS does indicate that they are setting this cookie, though they aren’t using the _setNamespace method explicitly. It seems like they are “manually” building out their gif request, including creating domain hashes and unique ideas using a random number generator, and then sending the gif request to GA and writing the __utma cookie as __utma_a2a.  This would theoretically mean that 2 sets of GA cookies could exist and “play nicely” with each other, no?  

        That said, the values in the __utma_a2a cookie in my browser aren’t matching what I’m seeing in their gif request.  Different domain hash, different unique ID.  I also have no idea where they are getting the their utmz campaign values.  In their javascript they explicitly have it set to Direct.  In my gif request, I see a referral from the Cardinal Path blog.  But I’m pretty sure I’ve never clicked on a link from here to my site.  :-)  Finally, they aren’t writing a utmz cookie, which is fine I guess, but that just makes it even more murky where they are getting the info for the utmcc section of the gif request.

        Thanks,

        Yehoshua

        • http://eduardo.cereto.net/ Eduardo Cereto Carvalho

          addToAny at first seem to work just like ShareThis. The GA code is executed on an iframe with hostname “.static.addtoany.com”, that’s why the domain hash is different. So in theory it won’t run on the same page and shouldn’t mess with your cookies. But it seems that they also cache cookies on your domain, and those are the __utma.a2a cookies you mentioned. I ran some tests and depending on the way you choose to use the library the tracking can be different. 

          I’ve seen at least one case where addToAny broke customer implementation. And from all I’ve seen so far the method used by addToAny is the most complicated and aggressive, not to mention the perturbing quote from their policy I highlighted on the post. They also don’t offer any option to disable tracking.

          I see what you mean by cookies not matching. From my tests the __utma.a2a cookie doesn’t match my page’s cookie or their page’s cookie. I assume ignorance, I think they don’t know what they are doing and with all this acrobatics I think they end up with broken tracking. Google Analytics is hard, and if you are not an expert it’s easy to break things. 

          There are plenty of options similar to addToAny, share This being one of them, and although shareThis also uses GA to track their implementation it probably won’t break yours. So I’d rather advise people not to use addToAny than try to workaround the mess they create.

          I tried the shareThis opt-out functionality and it worked for me (on Chrome at least). It probably uses 3rd party cookies so It may not work when you have that disabled. My only complaint about it is that webmasters should have an option to disable it sitewide. 

          If the privacy of your data is you biggest concerns both addToAny and shareThis can be a problem. But shareThis will be much better.

  • http://www.franchise-info.ca michael_webster

    Does Add This have the same problem?

    • http://eduardo.cereto.net/ Eduardo Cereto Carvalho

      No. Add This also has his own analytics platform that can give you insights in realtime about the usage of the sharing buttons on your site. I’m a huge fan of AddThis. They won’t inject google analytics code into your website.

  • http://brandingme.tumblr.com/ Adrian Palacios

    I think this commenting tool (Disqus) adds their tracker to the page–can’t say I’ve seen it interfere with anything though…

  • http://twitter.com/aworkinglibrary Mandy Brown

    As of this week, Typekit has removed Google Analytics from all new kits; older kits will strip out GA upon a republish. If anyone has any questions about this, they can reach out to support@typekit.com.  

    • http://eduardo.cereto.net/ Eduardo Cereto Carvalho

      Thanks for letting us know Mandy. I’ll give it a spin and will update the post once I confirm it has been fixed. 

    • http://eduardo.cereto.net/ Eduardo Cereto Carvalho

      Thanks for letting us know Mandy. I’ll give it a spin and will update the post once I confirm it has been fixed. 

  • http://twitter.com/timflint Tim Flint

    Thank you so much for this. You confirmed what I was suspecting on a site I am working on.

  • http://twitter.com/timflint Tim Flint

    Thank you so much for this. You confirmed what I was suspecting on a site I am working on.

  • Fabiolune

    Hi, first of all thanks for this.
    There’s another possibility: the custom javascript injection from swf, because the official GA implementation is not complete (no custom variables available). This may be more difficult to see or disable, anyway a simple traffic inspection can show the track calls with different accounts.

    fabiolune

Copyright © 2014, All Rights Reserved. Privacy and Copyright Policies.