That is disturbing. I've had *.google-analytics.com nullrouted ever since I heard of GA.
> SHA-1 of the machine's MAC address.
There are only 2^48 MAC addresses; there are 2^160 SHA-1 hashes. With computing power where it is today, a bruteforce over the MAC space wouldn't take long.
On the other hand, spoofing the data is also an alternative way of opposition...
> a bruteforce over the MAC space wouldn't take long
Indeed, the best supercomputers today run at around 10 petaFLOPS (= 10^16 FLoating-point Operations Per Second) and there are 2^48 ~= 10^15 possible MAC addresses.
A FLOP is quite a lot simpler than a SHA-1 hash, however.
The Bitcoin network might be a better comparison since it uses doubled SHA-256; currently it's at around 3e16 hashes per second, or 6e16 SHA-256 operations per second. That's enough to hash all possible MACs in less than a second.
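An added example, not part of any comment in this thread: it shows why an unsalted SHA-1 of a MAC address does not hide the address, and how a keyed hash changes that. The raw 6-byte encoding, the sample MAC, the 2-byte demo search space and the 1e9 hashes/s single-device rate are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAC_SPACE = 2 ** 48  # every possible 48-bit MAC address


def sha1_mac(mac: bytes) -> str:
    """Unsalted identifier: SHA-1 over the 6 raw MAC bytes (encoding assumed)."""
    return hashlib.sha1(mac).hexdigest()


def keyed_mac(mac: bytes, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA1 with a secret the enumerator does not hold."""
    return hmac.new(key, mac, hashlib.sha1).hexdigest()


def recover_suffix(target: str, prefix: bytes, free_bytes: int = 2):
    """Enumerate the unknown trailing bytes that follow a known prefix.

    Limited to 2 free bytes (65,536 candidates) so the demo runs instantly;
    the full space is the same loop over 2**48 values.
    """
    for n in range(256 ** free_bytes):
        candidate = prefix + n.to_bytes(free_bytes, "big")
        if sha1_mac(candidate) == target:
            return candidate
    return None


def seconds_for_full_space(hashes_per_second: float) -> float:
    """Time to hash every possible MAC once at the given rate."""
    return MAC_SPACE / hashes_per_second


# Constructed sample MAC (locally administered prefix, not a real device).
SAMPLE_MAC = bytes.fromhex("02005e10abcd")

if __name__ == "__main__":
    found = recover_suffix(sha1_mac(SAMPLE_MAC), SAMPLE_MAC[:4])
    print("unsalted SHA-1 reversed to:", found.hex(":"))
    key = os.urandom(32)  # secret kept by whoever computes the identifier
    keyed = recover_suffix(keyed_mac(SAMPLE_MAC, key), SAMPLE_MAC[:4])
    print("keyed value reversed to:", keyed)
    print("full space at 6e16 hashes/s: %.4f s" % seconds_for_full_space(6e16))
    print("full space at 1e9 hashes/s (assumed): %.1f days"
          % (seconds_for_full_space(1e9) / 86400))
```

The keyed variant only helps while the key stays secret and is not shipped inside the client that computes the identifier.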