Today, websites commonly use third party web analytics services to
obtain aggregate information about users that visit their sites. This
information includes demographics and visits to other sites as well as
user behavior within their own sites. Unfortunately, to obtain this
aggregate information,
web analytics services track individual user browsing behavior across
the web. This violation of user privacy has been strongly criticized,
resulting in tools that block such tracking as well as anti-tracking
legislation and standards
such as Do-Not-Track. These efforts, while improving user privacy,
degrade the quality of web analytics. This paper presents the first
design of a system that provides web analytics without tracking. The
system gives users differential
privacy guarantees, can provide better quality analytics than current
services, requires no new organizational players, and is practical to
deploy. This paper describes and analyzes the design, gives
performance benchmarks, and presents our implementation and deployment
across several hundred users.