Without commenting on Google Analytics itself, why on earth would we wait until after something bad happens? If real risks can be identified, then one should think seriously about whether they outweigh the gains.
If the gains are worth the risk, then that's fine, but there's nothing "scaremongering" about pointing out things that could go wrong. That's at least half of engineering as a discipline.
That's a good point and I would like to read a good risk analysis. The problem is that when large companies are involved, you get very superficial risk analysis. Something analogous to:
"The worst thing that could happen if I put my money in a bank is they take all my money. So, we shouldn't put money in banks."
If you point out that this generally doesn't happen people will talk about what the company could do.
How do we get beyond fully general arguments that you can never trust any company to do anything (or alternatively that theoretical risks don't matter)? I guess to really understand the risk you'd have to understand a company's internal controls, and those generally aren't public.
If the gains are worth the risk, then that's fine, but there's nothing "scaremongering" about pointing out things that could go wrong. That's at least half of engineering as a discipline.