Basic Google Analytics Automated Traffic Mitigation

Google Analytics is the fundamental way that most online systems track traffic. As currently deployed, however, Google Analytics easily allows for fake traffic to propagate through their platform. We have produced two reports that highlight these issues - first, we provide an example of how traffic can be faked at scale to manipulate operators and viewers of analytics. Second, we provide a further example to show that this issue is systemic to the entire web analytics industry

The problems that can ensue are manifold - attackers could manipulate site operators into various false beliefs - making them believe users are taking certain actions when in fact it is automated, manipulated traffic. In other situations, bad-faith site operators can exploit the fact that Google does not protect their users by boosting their own traffic internally, making it seem as if people are doing things on their site that they are in fact not, and by making such misrepresentations, inflate the perceived value of their site.

To mitigate this issue, we provide below a simple snippet developers can use to ensure that automated traffic is verifiably omitted from their traffic reports. As development continues, we will provide further fixes at this URL going forward as they are detected. To make your services robust against these types of attacks, please modify your Google Analytics tracking code as shown below:

<script async src="https://www.googletagmanager.com/gtag/js?id=G-ID"></script>
<script src="https://cdn.jsdelivr.net/gh/International-Persuasion-Machines/verification/basic_js_check.js"></script>
<script>
  if (isAutomatedTraffic() == false){
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'G-ID');
    }
</script>

If you have any questions about implementation, our research, or how to determine if any other system you operate may be manipulated by sociotechnical flaws, please do not hesitate to get in touch.