
> "No one cares about you enough to "spy" on you."

Would you mind telling them that? Maybe they'll stop sending me personalised spam offering me discounts since I haven't shopped there in a while, or paying to send me physical advertisements through the post. From your tone, that must be giving me an inflated sense of my own importance.

> "You really think that basic web analytics is "spying on you""

No, I think web analytics is spying on me. An HTTP log is one thing, a JavaScript library which probes my browser, tracks available APIs and versions and mouse movements and sets EverCookies and behaves insidiously, is spying. If I visit example.com and example.com know I went there, that's understandable. If there's a deliberately invisible Facebook pixel telling Facebook I went to example.com, which is only vaguely disclosed in some "and our trusted 3rd parties" legalese, that's not fine.




> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.

How is that more respectful? I can fingerprint you pretty much the same with server logs (IP, user-agent, ...), don't I? I can even use cookies without any JS.


> - See how people get to the privacy page from where they enter the site.

You don't need a 3rd party to learn the order of pages you served to any given client. That one is so simple you only need 'grep' and the server log. (aggregation into whatever statistics you want to learn is a trivial exercise left for the reader)

> - See how long people are staying on this page.

The entire point is that you do not have a right to that information, other than what you can infer from the client later loading another page. Applying technical methods to gain access to private information like this simply makes you the spy invading people's privacy. Worse, as most people do not understand these technical details, you are an eavesdropper who is preying on ignorance.

> so that users come away with a better understanding of privacy.

...while you simultaneously violate the same user's privacy. Do you seriously not understand that you're making the "We had to destroy the village in order to save it" style of ends-justify-the-means argument that ignores how you've started to act like that which you are supposedly fighting against?

> hovering over

Again, the entire point is that you don't get to know that information. That is a perfect example of the type of data the privacy-focused people are trying to protect. We really don't give a damn if that information is useful; if you're recording anything beyond the HTTP requests you receive (the explicit request from the client), then you are the spy and therefore the enemy. If you want to understand how effective your pages are, find another way to deduce that information. This is why traditional businesses pay people to participate in focus groups, to name one example.
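
An added example, not part of any commenter's post: what the comment above says the server log alone reveals, namely the order of pages served to a client and the gap until that client's next request. It assumes the Apache/nginx "combined" log format and treats (IP, user-agent) as a coarse client key; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /feed.atom HTTP/1.1" 200 9120 "-" "FeedReader/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2023:13:56:21 +0000] "GET /pricing HTTP/1.1" 200 4100 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2023:13:58:01 +0000] "GET /privacy HTTP/1.1" 200 3001 "https://example.com/pricing" "Mozilla/5.0 (X11; Linux x86_64)"
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Static assets are fetched by the browser, not chosen by the visitor.
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico|svg|woff2?)$', re.I)

def page_paths(log_text):
    """Return {(ip, user_agent): [(path, seconds_until_next_request or None), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # skip malformed lines, non-GET requests and errors
        path = m["path"].split("?", 1)[0]
        if ASSET_RE.search(path):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], m["ua"])].append((ts, path))
    result = {}
    for client, reqs in hits.items():
        reqs.sort()  # log lines are not guaranteed to be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        # The last page has no following request, so its gap is unknown (None).
        result[client] = [(p, g) for (_, p), g in zip(reqs, gaps + [None])]
    return result

if __name__ == "__main__":
    for client, trail in page_paths(SAMPLE_LOG).items():
        print(client[0], trail)
```

The gap is only an upper bound on reading time, and clients behind the same NAT with the same user-agent collapse into one key.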


> Everyone with a website needs to know some basic facts about their website: ... What other sites sent traffic to my website?

No. If this product is capable of collecting that sort of data in the first place then it's not privacy first as far as I'm concerned.

> ... we don’t “fingerprint” individuals via their IP address ...

That _can't_ be true. How else would a single "visit" (their terminology) be tracked?

A self-hosted analytics solution (ex: https://github.com/mikecao/umami) would allow you to actually preserve user privacy if you wanted to.


> People get way too offended by analytics tracking when it's there for their benefit.

Strong disagree. Whether a user finds benefit from tracking is the opinion of the user, not the opinion of the site doing the tracking.

It's very arrogant for a site to say "I'm doing this to you for your benefit", especially if it's not made clear what this is. If you find yourself having to tell someone that what you are doing is for their benefit, without explaining exactly what you are doing and why, you can safely assume it's not genuinely for their benefit.

I can agree that malicious tracking cannot be prevented - but this does not mean that benign sites are implicitly permitted to maliciously track people. That is totally unethical.


> I have the right to track how people use my site.

lol no you don't. You're choosing to respond to HTTP requests to your site, you put it out in public. I'll make whatever requests I want to your site and do whatever I want with what you give me, which may include rendering some or all parts of a "web page" as I see fit. If I give you some data in turn, sure, do what you want with it.

Do Not Track is silly because it's based on trust. I don't trust you to not track me even if I ask you not to. The only privacy is when I choose not to send you data (and I shouldn't, and browsers are horrible in this regard, they have failed their users).


> I had to capitulate for google analytics.

Ask yourself how much you actually need analytics. I found I seldom looked at it. I myself replaced Google Analytics with self-hosted Matomo for a while, but then I just dropped it altogether because I simply don’t need it. Now I do have server logs that I can look at, and from time to time I do (and they reveal things like Atom feeds consume the substantial majority of the traffic and page loads, which client-side JS logging would never have revealed!), but it wouldn’t bother me to have no analytics at all.


>> I think OP meant that once you make a request to his server, his server is free to do what it wants with that request.

I don't think they did mean that -

"But you've politely requested that I don't track you. For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site."

"People get way too offended by analytics tracking when it's there for their benefit."

It looks to me like they're saying that if you go to their site you have to run their scripts regardless of your own wishes, and that you're 'under his roof' and will therefore do what he says.

>> You can't possibly believe that his storing access logs is wrong.

No, I don't, that would indeed be silly! I believe that it's rude to try to demand people run your code, and if you do demand it then we need to find a way for me to tell him up front that I'm not going to, so he can decide if he still wants to send me the page data.


> Who keeps web logs these days? It's all spyware javascript tracking for pretty graph printing.

Anyone who needs records of what has been accessed, so larger companies and organisations.

> Plus, any notifications depend on actually instrumenting any monitoring or triggers or processing to even notice your "sensitive" content has been accessed out of context.

Yup. Hence a cron job automatically emailing its result (crude (or simple?) but it would work).

> (and this is just web stuff. imagine how impossible it is to track who forwards your confidential emails or other internal documents around without your permission.)

I don't have to imagine that. This is why DRM exists; document/knowledge management systems should have the ability to allow access to information but not further dissemination. There's still the user education aspect though (and users don't like change...).

Oh, and the insistence of wanting to use external services like Dropbox... gah. "But, but, everyone else uses it!"


> People should stop using these analytics services, they're not even that good.

I agree, but that's not something that's going to happen. What do site operators care? They aren't the ones paying the price.

So the practical result is that we have to protect ourselves from the web sites. I do this by blocking domains that belong to analytics providers, and don't allow most Javascript to execute in my browser.


> for those who care about privacy.

As a user, I don't see tracking by specifically google being the problem; what I'm against is being tracked _at all_ - by anyone, self hosted or not.

There's "caring about privacy" in the subheadings, yet there's a whole section in docs about collecting private data [1]. Empty words.

I've used goaccess [2] in the past to provide traffic analytics. It reads from nginx/apache logs. You only get access to what browsers send anyway, and users who alter their user agents are in the minority, so they won't affect analytics much.

[1] https://github.com/electerious/Ackee/blob/1cf7779/docs/Anony...

[2] https://goaccess.io/


> Similar to how Firefox, the privacy-focused browser, has telemetry on by default to help improve

This is just Mozilla propaganda. See how they inject and use Google anti-privacy to spy on people.

https://twitter.com/nicolaspetton/status/884694176515936256?...

They use telemetry to spy on people, allegedly to "improve their products" but god knows what they do with this mass surveillance data. Since Google also pays to Mozilla (funding agreement; I don't know the actual percentage share but it is a LOT), Mozilla is dependent on Google.

So we have a network of spying going on here, with Evil corporations and Evil organizations claiming that they "only spy for the greater good".

> I hope you love using Caddy, and if you don't, you don't have to use it.

I don't use it, but the topic of privacy, spying, net neutrality etc.. is important.

Why should we accept any organization that spies on people, no matter how they call it? Be it "telemetry" or any other fancy propaganda term that is coined by them for this malicious activity.


> in practice i'm pretty sure the web apps i'm using are much more tracking me than any of the native apps i've ever used.

...because you're not seeing a link in your dev console to google analytics?

You're giving a company a trove of information about your local device that can't be easily found and somehow you find that to be "less" invasive? That's a real spicy take.


>I don't see why they would be upset.

Feigning ignorance. People in or adjacent to the tech surveillance industry (either working in it or having a substantial portion of their net worth invested in the industry) whine about cookie consents constantly, but nobody else gives a shit.

Are you telling me that you have no financial or professional stake in the matter? You haven't worked for or invested in a company that profits from tracking people online? Nor any of your friends or family?


> I'm not tracking anyone

Context is fun eh.

> But the majority of Firefox users aren't choosing it for privacy reasons

I'd like some stats on that please. Given the market share Firefox has why are people installing Firefox?

> so these privacy-preserving features are not a good signal that the user actually wants that privacy.

I consider installing privacy protecting software a pretty good signal but maybe I'm being generous.

> It was worse for do-not-track, as all the major browsers enabled it by default, making it not at all a signal of user preference.

Seems like a pretty strong signal that people don't want to be tracked to me, if a browser implements something as a default then it would suggest to me that they know more than 50% of their userbase would think not being tracked online is a pretty fucking good idea.


> you need to be more transparent and up front about what how and why you're using analytics

That's a new one to me. Is this Facebook changing the landscape right now, or have you been expecting this for a while? Do you have sites in mind that warn about GA?

Pretty much all websites use GA or something like it, and in my experience it's extremely rare to be warned about it. It always goes in the privacy policy, which you should be able to find. But I'm not sure I've ever seen an advance warning that analytics was taking place. I suppose it's assumed, but in any case appears to be normal and acceptable to not warn people that logging and searching of those logs exists.

Cookies are a different story, since the EU passed legislation requiring notice of their presence.


>> I have a right to track how people use my site.

> But you don't have a right to say what runs on my computer, or make it tell you what I'm doing. This is where our perceived rights collide.

Exactly! But you also don't have the right to tell him not to send tracking info either. You do, however, have the right not to execute it. For instance NoScript, Ghostery, and AdBlock+ will prevent the requests for this content from being made and executed.

> No, my computer, my browser, my roof, my rules.

I think OP meant that once you make a request to his server, his server is free to do what it wants with that request. I agree with this line of thought because most if not all others are silly.

> No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware it's going on. They may or may not object to it, but right now they don't even know.

Again, you have the ability to not let your computer send these types of requests for special analytics packages &c. You can't possibly believe that his storing access logs is wrong.

> This is about the only thing we agree on. It's pointless and it was never going to achieve anything.

Hear! Hear!


> I still find it creepy that they gather data this specific

I personally have never cared—there is nothing that can be learned about me (aside from being a power user, which I don't care about being public knowledge) from technical features I use. I absolutely block everything personal using uBlock Origin + Privacy Badger + FF's built in stuff, but I definitely see the value in tracking feature use.


> Shady practices like knowing how many visitors you get on your website?

Exactly. Web masters aren't entitled to that information.

> collecting usage statistics is far from shady

I don't want to be part of any of your statistics. I'm not some human test subject you get to study without my informed consent.


>As a user, why the hell do I want third party applications to be able to access my browser's history, bookmarked sites, and cookies?

>That's an obvious privacy leak!

No it's not. It's only a leak if they access that data without your permission. There's nothing wrong with them being able to request that data, with you-the-user being able to respond to that request "fuck no".
