Post Ac89ULMMfKYv59TLl2 by dside@mastodon.ml
 (DIR) Post #Ac6o6Gt7LbX24GVqVc by mo8it@fosstodon.org
       2023-11-23T19:50:34Z
       
       0 likes, 2 repeats
       
       🔪 Killing in the name of Privacy https://mo8it.com/blog/privacy How an AD blocker killed my work of months and how is this related to telemetry in #FOSS #OxiTraffic #Linux #IndieWeb #Privacy #AdBlock #AdBlocker #uBlockOrigin #Blog #Telemetry #Analytics #OpenSource #Selfhosting #Selfhosted
       
 (DIR) Post #Ac6o6KcbSwhNeCoiK8 by mo8it@fosstodon.org
       2023-11-23T19:52:30Z
       
       0 likes, 0 repeats
       
       Related thread: https://fosstodon.org/@mo8it/111445718219040848 @moanos
       
 (DIR) Post #Ac70bKC4J1wUkNwzya by dside@mastodon.ml
       2023-11-23T22:32:18Z
       
       0 likes, 0 repeats
       
       @mo8it there is at least one serious flaw with your reasoning: the claim that you don't collect IPs, cookies or user-agents. Your *client* script doesn't have a say in any of it. As it talks to the tracking server it *does* disclose all these because that's how HTTP works. Now, you can *choose* to not save those details on your *server*. But what's stopping anyone from pointing the same script at a much more "memorizing" server that will actually keep track of IPs, UAs and set HttpOnly cookies as it talks to the browser? So, FWIW, I think the block for the project *in its current state* is totally justified. Yes, for privacy reasons. Now, if you asked for permission and provided your reasons in a banner on the page that's shown before the post, asking readers to opt-in – that would be a different story. Mildly annoying and could land you on the annoyances list, but I don't think it's on by default, so it would still be an improvement.
       
 (DIR) Post #Ac72tjmW6q8RE9uH3o by mo8it@fosstodon.org
       2023-11-23T22:58:01Z
       
       0 likes, 0 repeats
       
       @dside I agree, I focused too much on the client script in the blog post. I should emphasize that the backend doesn't store this data in the database. It doesn't even read it. This can also be verified. Yes, someone the host could log everything that the browser sends. But first, that won't be the fault of OxiTraffic. Second, it would be information that the server hosting the website can log with or without OxiTraffic.
       
 (DIR) Post #Ac72toFNVTb94pRNbM by tennoseremel@lor.sh
       2023-11-23T20:34:56Z
       
       0 likes, 0 repeats
       
       @mo8it Just because telemetry is useful to you does not mean we have to like or accept it.
       
 (DIR) Post #Ac72tpAS5HFfvq8xYu by mo8it@fosstodon.org
       2023-11-23T20:51:05Z
       
       0 likes, 0 repeats
       
       @tennoseremel You don't have to accept it. But don't force that decision on masses as long as this kind of telemetry is anonymous and harmless. Since this is my website, I think that I should be able to set the defaults as long as I don't harm my visitors. You can opt out as an individual. I am also fine with blocking this kind of telemetry on a filter list called "EasyMinimalism" or "EasyAntiBloat" that isn't enabled by default. But not "EasyPrivacy" since privacy shouldn't be subjective.
       
 (DIR) Post #Ac72tqBYIfj55XfLuq by ATurnOfTheNut@mas.to
       2023-11-23T21:04:59Z
       
       0 likes, 0 repeats
       
       @mo8it @tennoseremel as a member of the masses who has no stake in either your software (I haven't looked to see what it is) or any particular ad blocker, I want strict blocking by default on any telemetry that isn't strictly opt-in. That's what I expect when I install any blockers that mention having any sort of privacy focus. I frequently opt into telemetry for apps that are opt in. Anyone who doesn't ask first, I expect to be blocked. Were you opt in or opt out?
       
 (DIR) Post #Ac72trDMTQleHRWJNI by mo8it@fosstodon.org
       2023-11-23T22:04:29Z
       
       0 likes, 0 repeats
       
       @ATurnOfTheNut My telemetry is neither opt-in nor opt-out. It is activated and you can only disable it with a blocker. I know, this sounds alarming and awful because of the negative associations we have towards telemetry. If I would collect ANY personal data, even if just an IP address, I would be making it opt-in for sure. But my point is that it is anonymous.
       
 (DIR) Post #Ac72ts0HXXtojAPNcu by dside@mastodon.ml
       2023-11-23T22:58:03Z
       
       0 likes, 0 repeats
       
       @mo8it that's just a very roundabout-PR-damage-control way of saying it's opt-out. You may not have meant it like this, but that's how it comes off as. @ATurnOfTheNut
       
 (DIR) Post #Ac72tsBcrMyPILiRJA by mo8it@fosstodon.org
       2023-11-23T22:22:13Z
       
       0 likes, 0 repeats
       
       @ATurnOfTheNut But again, I am not against someone blocking it because it is not opt-in. I am against blocking it by default for all on a privacy list.
       
 (DIR) Post #Ac73q9Nx4ac9QqGndA by mo8it@fosstodon.org
       2023-11-23T23:08:36Z
       
       0 likes, 0 repeats
       
       @dside @ATurnOfTheNut OxiTraffic is definitely not opt-in, but I won't say that it is opt-out because I don't offer an option to opt-out. You can use a third party tool like a blocker to opt-out though.
       
 (DIR) Post #Ac74SzVJkFIW50EgQS by dside@mastodon.ml
       2023-11-23T23:15:38Z
       
       0 likes, 0 repeats
       
       @mo8it ah. In that sense yeah. It's not opt-out because it's just "in", no "opts". In privacy circles opt-out/opt-in have grown kinda synonymous with on/off-by-default, which I reckon is what the question was actually about. @ATurnOfTheNut
       
 (DIR) Post #Ac75ICzZMB1egFoAsa by dside@mastodon.ml
       2023-11-23T23:24:53Z
       
       0 likes, 0 repeats
       
       @mo8it well, no, this cannot be verified. Not by the end-user anyway. The backend lives on the server the end-users (normally) have no access to. Once the data has been sent to remote server, all bets are off. So the user just has to take your word for it. That you're running the code you say you are. Trust-wise it's not any better than a privacy statement. And privacy-conscious folks just aren't very trusting in that regard :blobcatshrug:
       
 (DIR) Post #Ac77A4HK4OEvFOMHIm by mo8it@fosstodon.org
       2023-11-23T23:05:08Z
       
       0 likes, 0 repeats
       
       @dside For my website, you can know that I don't log such data because I would have to mention it in the GDPR notice since I am in the EU. Showing a pop-up is something that I would prefer not to do. I would rather prefer not having telemetry over showing an annoying pop-up. I developed OxiTraffic to have a privacy preserving option that eliminates the need for the user to opt-in because I don't collect personal data.
       
 (DIR) Post #Ac77A5EWWHawD03YZs by dside@mastodon.ml
       2023-11-23T23:45:49Z
       
       0 likes, 0 repeats
       
       @mo8it it doesn't have to be a pop-up or be annoying. It's a question of design more than anything. It can be a block at the top of the page that can easily be scrolled past (so doesn't impede the user's reason for the visit), stands out *a little bit* (so that it works at all) and asks for permission like: "⏱️ Hi, would you mind sharing with me how long you spend reading my posts? It helps me decide what to focus on going forward." [Sure!] [No, thank you.] …it would in the very least be surprisingly considerate in the landscape of the modern web. I know I'd probably accept.
       
 (DIR) Post #Ac79qXs2dXAX63upwu by ATurnOfTheNut@mas.to
       2023-11-24T00:15:54Z
       
       0 likes, 0 repeats
       
       @dside @mo8it funny enough, that feature and wording alone would actually make me more likely to return to the site intentionally in the future. And if someone asked that way, I would almost certainly always approve and allow.
       
 (DIR) Post #Ac89UKOSG4dk5LRVNQ by mo8it@fosstodon.org
       2023-11-24T11:29:57Z
       
       0 likes, 0 repeats
       
       @ATurnOfTheNut @dside I really like your suggestion and the wording of the request. But I have some problems with it: 1. Either I have to ask on EVERY page, even after you reload it. Or I have to use a cookie. Which means that I need to explain more and add a GDPR notice etc. Personally, if a website asks me for cookies, I always say no. 2. EasyList would block it on EasyPrivacy following the same "logic" anyway.
       
 (DIR) Post #Ac89ULMMfKYv59TLl2 by dside@mastodon.ml
       2023-11-24T11:46:35Z
       
       0 likes, 0 repeats
       
       @mo8it *if* you use a cookie to decide whether to track the visit on the server or not – yes, you're running into the exact same problem, deferring the decision to the server, and thus would be subject to the same blocking policies. But the key decision is whether the *client* was allowed to make these tracking requests, the server doesn't need to be involved. Thus the recorded decision can reside purely client-side, say, in localstorage, and never be available or sent to the server at all. I'm not very well versed in GDPR requirements, but in technical terms not accepting or rejecting such a request shares *literally no information* with the server. So no privacy concerns to speak of. As I said before, it might be classified as an "annoyance" depending on how intrusive it is, but that's a question of design and it's still a different list. Also, notice that uBlock does *not* block cookie prompts by default. @ATurnOfTheNut
       
 (DIR) Post #Ac89UMMOwgBaBYUtSC by mo8it@fosstodon.org
       2023-11-24T11:35:10Z
       
       0 likes, 0 repeats
       
       @ATurnOfTheNut @dside So what do I get out of it? 1. I annoy everyone, if they use a blocker or not. 2. Currently, I still receive anonymous statistics from people not using an AD blocker. If I add this opt-in with a cookie, I would lose even more people because people want to read my blog post and would just click "no" because they don't want to read why OxiTraffic is not like the alternatives. 3. I complicate self-hosting OxiTraffic A LOT.
       
 (DIR) Post #Ac89UPsPs6Zr5iV0Gu by mo8it@fosstodon.org
       2023-11-24T11:42:57Z
       
       0 likes, 0 repeats
       
       @ATurnOfTheNut @dside Even if lovely people like you that care about creators want to click "yes", if you have your blocker activated, then you said yes and wasted your time for nothing. EasyList doesn't give a fuck about your attempt to support privacy preserving creators. So I would need to make this request even longer to convince you that you need to disable your AD blocker. So we are back to this: https://s.yelvington.com/@steve/111270031321368597 Do you still believe that this would support me as a creator?
       
 (DIR) Post #Ac8BLgAE98quuJn89A by mo8it@fosstodon.org
       2023-11-24T12:07:27Z
       
       0 likes, 0 repeats
       
       @dside @ATurnOfTheNut I meant local storage then. I would need to store a boolean variable on the client side about whether to activate OxiTraffic or not. As far as I know, I need an additional consent to store that. I am not talking about the "annoyance" regarding the pop-up/banner. I am talking about the script that I would need to run AFTER your consent. This script would be blocked on EasyPrivacy following the same "logic" even if you want to opt-in.
       
 (DIR) Post #Ac8CVJyna94MxCbj2O by dside@mastodon.ml
       2023-11-24T12:20:24Z
       
       0 likes, 0 repeats
       
       @mo8it do you *know* that or are you *assuming* and giving up in advance? You can ask them. Actually ask, without insistently asserting that your policy is ok, because they clearly disagree. Consent to store this tidbit doesn't have to be verbose or complicated either, it can be a single sentence summarizing the situation next to the request: "The answer will be recorded solely in your browser's local storage and will not be disclosed to anyone." Or is that not legally enough? @ATurnOfTheNut
       
 (DIR) Post #Ac8DBQet8lYNpYNC08 by dside@mastodon.ml
       2023-11-24T12:28:00Z
       
       0 likes, 0 repeats
       
       @mo8it 1. Um-m… then don't? Like I said, annoyance or lack of it is a question of design. 2. Well, that's entirely up to you to judge – whether you're happy to have stats only from people without a blocker or you want the audience with the blocker installed as well. 2.1. In all likelihood, the audience doesn't want to know what exactly you use for tracking in full detail. Maybe somewhere in the footer for the exceptionally curious. 3. The only additional complication is providing context-integrated markup for the prompt. The rest still resides in the library and can interface with the page with a few ids and classes (hide by default, show if unanswered, handle button clicks). Whether the complication is worth it, see (2). @ATurnOfTheNut
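
Added example (not written by anyone in this thread and not OxiTraffic's code): a sketch of the client-side consent gate described in dside's posts above, where the answer lives only in local storage and no tracking request is made unless it is "granted". The key name, `createConsentGate`, `memoryStorage` and the `send` callback are assumptions made for illustration.

```javascript
// Consent is recorded only on the client; the server never learns the answer
// unless the visitor said yes, because nothing is sent before that.
const CONSENT_KEY = "analytics-consent"; // hypothetical key name

// `storage`: anything with getItem/setItem (window.localStorage in a browser).
// `send`: the function that would contact the analytics server.
function createConsentGate(storage, send) {
  function state() {
    let v = null;
    try { v = storage.getItem(CONSENT_KEY); } catch { /* storage blocked */ }
    // Anything other than an explicit answer counts as "unanswered".
    return v === "granted" || v === "denied" ? v : "unanswered";
  }
  function answer(granted) {
    try { storage.setItem(CONSENT_KEY, granted ? "granted" : "denied"); }
    catch { /* cannot remember the answer: stay unanswered, keep not sending */ }
  }
  function track(event) {
    if (state() !== "granted") return false; // fail closed: no request at all
    send(event);
    return true;
  }
  // The page shows the prompt only while the question is unanswered.
  const shouldPrompt = () => state() === "unanswered";
  return { state, answer, track, shouldPrompt };
}

// Constructed in-memory stand-in for localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function demo() {
  const sent = []; // stands in for requests that would reach the server
  const gate = createConsentGate(memoryStorage(), (e) => sent.push(e));
  const results = [gate.shouldPrompt(), gate.track({ page: "/blog/privacy" })];
  gate.answer(false); // visitor clicked "No, thank you."
  results.push(gate.track({ page: "/blog/privacy" }));
  gate.answer(true);  // visitor clicked "Sure!"
  results.push(gate.track({ page: "/blog/privacy" }));
  return { results, sent };
}
```

In a browser the gate would be created with `window.localStorage` and a `send` that issues the counting request; the prompt markup stays hidden unless `shouldPrompt()` returns true.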
       
 (DIR) Post #Ac8E3Z0CKofxLU9b96 by mo8it@fosstodon.org
       2023-11-24T12:37:47Z
       
       0 likes, 0 repeats
       
       @dside @ATurnOfTheNut The section that people reference here is this: https://github.com/easylist/easylist/#easyprivacy It doesn't differentiate whether it is opt-in or opt-out. I also read about many similar cases with Plausible and Fathom. EasyPrivacy is just too aggressive and has the naive mindset "telemetry/analytics = bad" although it might not be a problem towards privacy. This is my main problem.
       
 (DIR) Post #Ac8EUajpzJRGY5OCKe by mo8it@fosstodon.org
       2023-11-24T12:42:39Z
       
       0 likes, 0 repeats
       
       @dside @ATurnOfTheNut You assume here that EasyPrivacy would remove the block if I make OxiTraffic opt-in. This will not happen. I could ask, as you suggested, but I don't want to waste my time since the maintainers already showed a disinterest in communication. Their policy is clear towards any kind of telemetry. I criticize this discriminating policy that "kills/blocks in the name of privacy".
       
 (DIR) Post #Ac8FSv6VOjoV5Ql6uG by dside@mastodon.ml
       2023-11-24T12:53:35Z
       
       0 likes, 0 repeats
       
       @mo8it no, I don't. But if you're so sure then I guess there's nothing else to discuss on the subject. Best of luck with your protest. :tone_genuine: @ATurnOfTheNut
       
 (DIR) Post #Ac8HV7Lb32ljXvzdfk by mo8it@fosstodon.org
       2023-11-24T13:16:23Z
       
       0 likes, 0 repeats
       
       @dside @ATurnOfTheNut To be completely sure, I asked here: https://github.com/easylist/easylist/issues/17826#issuecomment-1825661977 I will post their reply.