The full IP makes it to Google. We don't know what Google actually does with the packets they receive; we only know what they say.
> Only the last octet of an IPv4 address is removed.
Really? Wow. They aren't even pretending to anonymize addresses with a hash. Given that there is certainly more than 8-bits of identifying data in the other data sent to GA, a unique identifier can easily be recovered. Also, the bits they mask are the least interesting part of the address. They are preserving the network part of the address, which probably gives them the AS number.
> Considering homebrew's use specifically, not just looking at GA in general
That's the point - homebrew is choosing to add data to GA, which cannot be considered in isolation. The problem with GA isn't that they collect data from any particular site. Knowing that you occasionally visit ${website} might be interesting, but it's of limited value and relevancy. A list of people that visit ${political_opponent}'s website might be very interesting, but most of the time nobody is going to care. Knowing that you installed some software isn't interesting in most cases.
All of those situations change when someone can aggregate the data. Consider all those data points combined with the other websites that send data to GA, gmail, when you loaded the Javascript, fonts, etc hosted by Google. Add in all the data that is sent to Google from Android devices, Chrome, Nest, and every other product that Google (err, "Alphabet") is involved in. In aggregate, just the timestamps and partial address information will produce surprisingly accurate profile of your life. This gets scary when you start to do an actual pattern-of-life analysis and correlate "anonymized" data back to real names.
The full IP makes it to Google. We don't know what Google actually does with the packets they receive; we only know what they say.
> Only the last octet of an IPv4 address is removed.
Really? Wow. They aren't even pretending to anonymize addresses with a hash. Given that there is certainly more than 8-bits of identifying data in the other data sent to GA, a unique identifier can easily be recovered. Also, the bits they mask are the least interesting part of the address. They are preserving the network part of the address, which probably gives them the AS number.
> Considering homebrew's use specifically, not just looking at GA in general
That's the point - homebrew is choosing to add data to GA, which cannot be considered in isolation. The problem with GA isn't that they collect data from any particular site. Knowing that you occasionally visit ${website} might be interesting, but it's of limited value and relevancy. A list of people that visit ${political_opponent}'s website might be very interesting, but most of the time nobody is going to care. Knowing that you installed some software isn't interesting in most cases.
All of those situations change when someone can aggregate the data. Consider all those data points combined with the other websites that send data to GA, gmail, when you loaded the Javascript, fonts, etc hosted by Google. Add in all the data that is sent to Google from Android devices, Chrome, Nest, and every other product that Google (err, "Alphabet") is involved in. In aggregate, just the timestamps and partial address information will produce surprisingly accurate profile of your life. This gets scary when you start to do an actual pattern-of-life analysis and correlate "anonymized" data back to real names.