
Sit down and buckle up. Let's talk about Google Analytics Open API.

Rick Buffkin



Yes! You read that right. Google Analytics has a wide open unauthenticated open API called Measurement Protocol (MP). What does this mean?? It means that anyone can directly post Analytics data to your GA account and almost every aspect of a GA account can be manipulated. There's good and bad here. The bad first. All that a person needs to do this is your GA tracking ID (ex: UA-12345678-1), which anyone can collect when they visit your website with Google's free Chrome browser extension, Tag Assistant. Take a look here: https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters and see everything in the right-hand rail. Those are the items a person / vendor can push into any GA account and manipulate.

A couple of the things that caught my attention are: Sessions (start and stop), IP override (can show hits from literally anywhere), User Agent Override (can show hits from any type of device they see fit), Document Referrer (show referral traffic from any website), Campaign Data and Google Ad IDs (make traffic appear as if it's coming from Google Ads campaigns), Server data (content load times, page load times, DNS time).

With all the chatter going on right now about Google Analytics, not once have I heard any of the folks making the chatter bring up MP or how to help reduce bogus data from MP. We all know there's spam in GA. That's a given. It's very obvious and easily detected. We set up filters for it, remove it from our data sets and move on.
Let me pose this question to you. What if the spammer is familiar with your business and website?? They know your URL, your URL structure for your SRPs and VDPs, the top 10 referrers for automotive dealers' sites, avg. site times for dealers' websites and avg. page views? They know your general conversion metrics like your confirmation page URL for form submissions, hours and directions URLs and even avg. bounce ratios. How do you filter that? Well, I'm going to give you some pointers to help you filter out some of this bogus crap. But, there isn't a solid way to completely block MP hits to your GA account. The only way for that to happen would be for Google to install an authentication (API token or Key) process for the API. Until that happens, it's simply the wild west.

One thing you could do to help reduce spam is add another property (middle section in the GA admin section) or two in the GA account. If you notice, the end number on UA codes is normally a "1". Most spammers will randomize the account IDs (number between the hyphens) and post a hit to that UA ID and leave the end number a "1". If you add another property, that last number in the UA account ID number changes to a "2". It goes in numerical order with the more properties you add into that account. Use the UA ID ending in "2" or something other than "1". That's one way to help reduce MP spam.

Another thing that you can do is add a custom dimension. That will help more than the first suggestion. An easy way via GTM is, in the tag that contains the Tracking code, add a CD. In the Index field, add a number like "1" and in the value field, insert a unique value. Save and publish. Now, each time the tag fires for whatever reason, that CD value will be included in it. In GA, you can create a separate view or report and only show data with that specific value in the CD. That will help. But... It doesn't make your GA account foolproof. Unfortunately, there isn't a way to do it. Not with the current structure and setup.

Now some good!
There are some awesome things that can be done with MP. Any web enabled device can send data into MP. You can send data from a cash register from your service drive if you wanted to. Or, a motion activated camera that's connected to the web. Literally anything connected to the web!!! Where it would be really strong is if CRM platforms actually used it. Simply include the GAID that's generated on the site in a hidden form field and when the form is submitted the GAID comes over with the other data and it can be properly mapped to a field in the CRM. Here's an example diagram:

crm-2.png


Talking about floor traffic! Think about this for a sec!
You could track mobile devices that enter the range of a detection device regardless of whether they're on your WiFi or not and push that data into a GA account via MP with a little bit of setup effort.

http://www.libelium.com/products/meshlium/smartphone-detection/
bluetooth_street_wifi_bt_shops_big.png


That would be pretty strong huh??

What scares me more isn't the spammers. We can handle those MoFo's. It's the vendors that know about and use this feature and have failed to mention it to anyone. Thoughts???
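
An added example, not part of the original post: the two filtering ideas above (a property ID that does not end in "1", plus a unique custom dimension value) applied to raw Measurement Protocol v1 payloads. The expected property, the marker value and the sample hits are constructed for illustration; `tid` and `cd1` are the protocol's tracking ID and custom dimension 1 parameters, and the payload source (for example a first-party log of outgoing hits) is an assumption.

```python
import hmac
from collections import Counter
from urllib.parse import parse_qs

# Assumed values for this sketch (constructed, not from the thread).
EXPECTED_TID = "UA-12345678-2"           # property ending in "2", not "1"
EXPECTED_CD1 = "k7Qp-constructed-token"  # unique value set on the GTM tag, index 1

# Constructed sample payloads in Measurement Protocol v1 query-string form.
SAMPLE_HITS = [
    "v=1&tid=UA-12345678-2&cid=555&t=pageview&dp=%2Finventory&cd1=k7Qp-constructed-token",
    "v=1&tid=UA-12345678-1&cid=111&t=pageview&dp=%2F",
    "v=1&tid=UA-12345678-2&cid=222&t=pageview&dp=%2Fcontact&dr=http%3A%2F%2Freferrer.example",
    "v=1&tid=UA-12345678-2&cid=333&t=event&ec=form&ea=submit&cd1=guess",
]

def single_value(params, key):
    """Return the parameter value only if it appears exactly once."""
    values = params.get(key, [])
    return values[0] if len(values) == 1 else ""

def classify_hit(payload):
    """Label one payload: 'keep', 'wrong_property' or 'missing_marker'."""
    params = parse_qs(payload, keep_blank_values=True)
    if single_value(params, "tid") != EXPECTED_TID:
        return "wrong_property"   # e.g. randomized ID left ending in "-1"
    marker = single_value(params, "cd1")
    # Constant-time comparison so the check itself leaks nothing about the value.
    if not hmac.compare_digest(marker.encode(), EXPECTED_CD1.encode()):
        return "missing_marker"   # hit was not produced by the site's own tag
    return "keep"

def summarize(payloads):
    """Count how many payloads fall into each label."""
    return dict(Counter(classify_hit(p) for p in payloads))

if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(classify_hit(hit), hit)
    print(summarize(SAMPLE_HITS))
```

The marker travels in every hit the tag sends, so this only separates out senders who never inspected the site's own tag, which is why the post calls the approach helpful but not foolproof.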
 
Great write up Rick, but the Cool Kids have known about this for a long time. It's kind of a pain, but it does make integration with IoT easier. And even if Google tightened it up, it's still not going to stop even unsophisticated bad actors from faking traffic with bots. Bottom line, you have to know what you're doing and/or have somebody who does in charge of your GA.
 
Thanks for the reply Chip. I've been using MP for a little over 3 yrs now for a few diff Windows applications that I built. Hopefully this will make people aware of MP and that their analytics dashboard can be manipulated very easily. Ya know, so many people in the industry are talking about this platform (GA) right now. I honestly think that most of the folks promoting it, consulting and training dealers (including OEMs) on it don't even know about Measurement Protocol or its capabilities. Dealers are making financial decisions based on this data that resides in the GA reporting dashboard. Let me pose this question to everyone. Do you think dealers would be happy with a CRM platform with an open API? Or, a DMS? Out of all the tools that dealers use, which other ones have an open API like MP??? Off the top of my head, I can't think of another single tool. Also, I think dealers aren't aware of other reporting dashboards that are out there that are FREE as well. Maybe not quite as nice of a UI as GA but, it's a closed reporting dashboard.
 
@Alexander Lau, it is pretty scary to think about the abuse and one could drive themselves crazy trying to figure out a way to block this. To put it plain and simple, you cannot block measurement protocol hits if the person sending them is familiar with your website. Period. It's very easy to open Dev Tools or use a tool like Fiddler to record and see any and everything that's being passed via the analytics tag that's on any web property. If the person / vendor that's abusing this has or had access to your GA account, you're screwed. Plain and simple!

On a side note...

With all the talk about measurement protocol, I started wondering what other APIs Google has available.

HOLY FREAKING MOLY!!!!!!!

Now most of these (If not all of them. I didn't test all of them) require authorization. But... I started looking at these and my idea cup started overflowing like crazy!!!

Example: Google Tag Manager has an API. You can do anything with the API that you can do in the GTM dashboard. Add or remove folders, triggers, tags, containers, variables, users and the list goes on and on. Take that API and the Google Analytics Management and Reporting API and combine them and you could programmatically structure / set up a GA account and GTM account with the running of a single script with all the events, goals and custom metrics for both accounts.

Did you know there's an API for the Google Proximity Beacon??
https://developers.google.com/beacons/proximity/get-started

Check out this page. There's roughly 150 diff Google APIs that one could use! It's pretty wild!
https://developers.google.com/apis-explorer/#p/
 
Welcome to the party. GTM is potentially the scariest of them all if you know what you're doing. You could call/run anything. But here's the deal, you have to know what you're doing with any of these tools. I don't care what reporting tool you use, you have to know what you're looking at and what you're doing to interpret the data and make wise decisions. It's like reading an X-ray or MRI scan. Anybody can look at it and see the picture, but if you don't know what you're doing you don't really know what you're looking at.