Yes! You read that right. Google Analytics has a wide-open, unauthenticated API called Measurement Protocol (MP). What does this mean? It means that anyone can post Analytics data directly to your GA account, and almost every aspect of a GA account can be manipulated. There's good and bad here.

The bad first. All a person needs to do this is your GA tracking ID (ex: UA-12345678-1), which anyone can collect when they visit your website with Google's free Chrome browser extension, Tag Assistant. Take a look here: https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters and see everything in the right-hand rail. Those are the items a person / vendor can push into any GA account and manipulate. A couple of the things that caught my attention are: Sessions (start and stop), IP Override (can show hits from literally anywhere), User Agent Override (can show hits from any type of device they see fit), Document Referrer (show referral traffic from any website), Campaign Data and Google Ads IDs (make traffic appear to be coming from Google Ads campaigns), and Server data (content load times, page load times, DNS time).

With all the chatter going on right now about Google Analytics, not once have I heard any of the folks making the chatter bring up MP or how to help reduce bogus data from MP. We all know there's spam in GA. That's a given. It's very obvious and easily detected. We set up filters for it, remove it from our data sets and move on. Let me pose this question to you. What if the spammer is familiar with your business and website? They know your URL, your URL structure for your SRPs and VDPs, the top 10 referrers for automotive dealers' sites, avg. site times for dealers' websites and avg. page views. They know your general conversion metrics, like your confirmation page URL for form submissions, hours and directions URLs and even avg. bounce ratios. How do you filter that?
Well, I'm going to give you some pointers to help you filter out some of this bogus crap. But there isn't a solid way to completely block MP hits to your GA account. The only way for that to happen would be for Google to implement an authentication process (API token or key) for the API. Until that happens, it's simply the wild west.

One thing you could do to help reduce spam is add another property (middle section in the GA admin section) or two in the GA account. If you notice, the end number on UA codes is normally a "1". Most spammers will randomize the account ID (the number between the hyphens), post a hit to that UA ID and leave the end number a "1". If you add another property, that last number in the UA ID changes to a "2". It goes in numerical order as you add more properties to that account. Use the UA ID ending in "2" or something other than "1". That's one way to help reduce MP spam.

Another thing that you can do is add a custom dimension (CD). That will help more than the first suggestion. An easy way via GTM is, in the tag that contains the tracking code, add a CD. In the Index field, add a number like "1", and in the Value field, insert a unique value. Save and publish. Now, each time the tag fires for whatever reason, that CD value will be included in it. In GA, you can create a separate view or report and only show data with that specific value in the CD. That will help. But it doesn't make your GA account foolproof. Unfortunately, there isn't a way to do it. Not with the current structure and setup.

Now some good! There are some awesome things that can be done with MP. Any web-enabled device can send data into MP. You can send data from a cash register in your service drive if you wanted to. Or a motion-activated camera that's connected to the web. Literally anything connected to the web! Where it would be really strong is if CRM platforms actually used it.
Simply include the GAID that's generated on the site in a hidden form field, and when the form is submitted the GAID comes over with the other data and can be properly mapped to a field in the CRM. Here's an example diagram:

Talking about floor traffic! Think about this for a sec! You could track mobile devices that enter the range of a detection device, regardless of whether they're on your WiFi or not, and push that data into a GA account via MP with a little bit of setup effort. http://www.libelium.com/products/meshlium/smartphone-detection/ That would be pretty strong, huh?

What scares me more isn't the spammers. We can handle those MoFo's. It's the vendors that know about and use this feature and have failed to mention it to anyone. Thoughts???
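
The two filtering ideas above (a property ID that does not end in "1", and a custom dimension carrying a unique value) applied to raw Measurement Protocol v1 payloads, as an added example that is not part of the original post. The property ID, the custom dimension index and value, and the sample hits are constructed placeholders, and the code assumes the hit payloads are available as form-encoded text, for example from an export.

```python
from urllib.parse import parse_qs

# Assumptions (constructed placeholders, not values from the post):
EXPECTED_TID = "UA-12345678-2"   # the second property, ending in "2"
CD_PARAM = "cd1"                 # custom dimension at index 1
CD_MARKER = "dlr-7f3a9c"         # unique value set in the GTM tag

# Constructed sample Measurement Protocol v1 payloads (form-encoded).
SAMPLE_HITS = [
    # Fired by the site's own tag: right property, right marker.
    "v=1&tid=UA-12345678-2&cid=555.1&t=pageview&dp=%2Finventory&cd1=dlr-7f3a9c",
    # Plausible-looking page and referrer, but no custom dimension at all.
    "v=1&tid=UA-12345678-2&cid=901.7&t=pageview&dp=%2Fcontact"
    "&dr=http%3A%2F%2Freferrer.example",
    # Sent to the default property ending in "1".
    "v=1&tid=UA-12345678-1&cid=13.37&t=pageview&dp=%2F&cd1=dlr-7f3a9c",
    # Custom dimension present but with the wrong value.
    "v=1&tid=UA-12345678-2&cid=42.42&t=event&ec=form&ea=submit&cd1=guess",
]


def classify_hit(payload):
    """Return 'accept' or a 'reject:<reason>' verdict for one MP payload."""
    params = parse_qs(payload, keep_blank_values=True)

    def first(name):
        return params.get(name, [""])[0]

    if first("tid") != EXPECTED_TID:
        return "reject:wrong-property"
    marker = first(CD_PARAM)
    if not marker:
        return "reject:missing-marker"
    if marker != CD_MARKER:
        return "reject:bad-marker"
    return "accept"


def summarize(hits):
    """Count verdicts so the share of unmarked traffic is visible."""
    counts = {}
    for hit in hits:
        verdict = classify_hit(hit)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(classify_hit(hit), hit)
    print(summarize(SAMPLE_HITS))
```

As the post says, this reduces bogus data but is not foolproof: the check only separates hits that carry the marker from hits that do not.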