Want Better Data Security and Privacy? Disable Atlassian Analytics

With the introduction of Atlassian Cloud, Atlassian’s privacy policy received an overhaul.  Most of the big changes refer to the data collected by Atlassian Analytics, more specifically in their SaaS (Cloud) products. But some of the changes also affect server versions of Atlassian products.

Atlassian Analytics - Privacy policy warning in JIRA

Atlassian Analytics

Of course, Atlassian wants to collect usage data – they do this to focus their development and bug-fixing on the areas that are most used. They also use this data to target and optimize both their marketing campaigns and sales processes.

Aggregate data – data that has been anonymized – is collected by a huge number of companies, and doesn’t usually negatively impact your data security or privacy.  But as specified in their privacy policy, Atlassian also collects identifiable, specific data.

What data is logged and sent to Atlassian?

Both JIRA and Confluence data are collected for analysis. Here are a few examples:

  • When a new project is created in JIRA: numeric project ID, project key, template used to create the project, and the name of the project.
  • When an issue is edited in JIRA: numeric issue ID, issue key, if it was a user edit or an automatic system edit, and whether an email notification is to be sent.
  • When a new page is created in Confluence: numeric page ID, blueprint used to create the page, space key, page title.
  • When a new blueprint is created in Confluence: numeric blueprint ID, space key, blueprint name and description.

Atlassian Analytics collects much more information than these examples. You can see a sample of what is collected in your own instance when you are logged in as a global administrator.

JIRA: Go to  > System > Advanced > Analytics, and click on Sample Data to see a list of events that are collected.

Confluence: Go to  > General Configuration > Analytics.

Atlassian Analytics - Sample of logged events

Does this affect me if I’m not using Cloud?

Of course, if you are concerned about data security, you will be using downloadable versions of Atlassian products, in your own system, behind your own firewall.

But the short answer is, yes.

The range of data collected from Server instances is less than from Cloud instances, and elements that Atlassian believes may contain sensitive or personal information are removed. Content elements are discarded, unless they contain words that are “on a list of common business and IT terminology” – but this list has not yet been publicized.

Avoid storing highly sensitive data in Atlassian software

In several places in their privacy policy, Atlassian warns users against storing sensitive data in their software products and services:

As such, the analytics information we collect may include Personal Information or sensitive business information that the user has included in Content that the user chose to upload, submit, post, create, transmit, store or display in an Atlassian Service.

The data collected is automatically shared with Google, because Google Analytics underpins Atlassian Analytics (as at the time of writing this in June 2017). This means that when you agree to use Atlassian Analytics, you also automatically agree to Google’s privacy policy.

Tip: You can block the Google Analytics tracking easily with their opt-out browser add-on, available for all of the common, recent browser versions.

Turning off Atlassian Analytics in Server products

You can easily disable Atlassian Analytics in recent Server products in the administrator settings.

JIRA: Go to  > System > Advanced > Analytics, select Disabled, and Save your changes.

Confluence: Go to  > General Configuration > Analytics and turn off analytics collection.

Atlassian Analytics - Enabled in JIRA

I’m a European customer, and Europe has strong data-protection regulations

True. But when you purchase a Cloud service, you agree to transfer your personal information, content and communications to Australia and the US. This means you are governed by the Privacy Shield Framework, which complies with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

This does not change how “Atlassian will share your personal information with third parties” as mentioned in the Privacy Shield notice in the privacy policy. This obviously includes Google, for data analytics purposes.

Can I opt out of Atlassian Analytics if I use Cloud services?

Right now, data is always collected in Confluence Cloud and JIRA Cloud.

And in fact, Atlassian connects “personal Information to information gathered in our log files as necessary to improve Atlassian Services for individual customers” who are using Cloud services.

If you are concerned about your data privacy and security, it may be better to use downloadable versions of your Atlassian products that you can run on your own servers.

Questions or concerns?

We strongly urge our customers to consider their data security and privacy requirements when comparing the pros and cons of Atlassian Cloud products against their Server versions.

If you would like help or advice when evaluating Atlassian software products, we are here for you! We are one of the largest Atlassian Partners in the world, and we can use our extensive experience with hundreds of successful Atlassian projects in companies from large to small, to help you find the product that is the best fit for your requirements. Please contact us!

Further information

Atlassian’s privacy policy
Google’s privacy policy
Atlassian Cloud (formerly OnDemand) – advantages and disadvantages
A comparison of our Confluence and JIRA hosting services

 

Share article:Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInEmail this to someonePrint this page