[HN Gopher] Is Google Analytics illegal in your country?
___________________________________________________________________
Is Google Analytics illegal in your country?
Author : james_impliu
Score : 291 points
Date : 2022-01-19 14:44 UTC (8 hours ago)
(HTM) web link (isgoogleanalyticsillegal.com)
(TXT) w3m dump (isgoogleanalyticsillegal.com)
| paulgb wrote:
| Funny enough, ublock (stock install) completely breaks the
| "alternatives" page. It must do some pattern matching on
| "component---src-pages-google-analytics-alternatives-
| js-8d1eb2b4c6482dba3dfd.js" and decide it's suspicious enough to
| deny it, even though it's a first-party request.
| melissalobos wrote:
| It is because it has google-analytics in the title of the
| resource:
|
| Rule: `-google-analytics-$script,domain=~wordpress.org`
|
| URL: https://isgoogleanalyticsillegal.com/component---src-
| pages-g...
|
| Edit: Couldn't get this formatted well, but it has google-
| analytics highlighted in the URL
| toqy wrote:
| It will block anything with google analytics string in it I
| think. We had a small google analytics image/link on an
| internal website that linked to some relevant GA dashboard and
| the image was blocked / hidden by ublock and possibly others.
| Changing the name fixed it.
| timgl wrote:
| Ha! I've renamed that page so this should work now!
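
The behaviour discussed in the comments above, as an added example that is not part of the thread and is not uBlock Origin's own code: a simplified matcher for Adblock-style network filters, showing why the quoted rule catches a first-party script and why renaming the file fixes it. The hosts, the renamed file name, the `SCOPED_RULE` variant and all function names are constructed for illustration.

```javascript
// Simplified matcher for a subset of Adblock-style static network filters:
// '*' wildcards, resource-type options, third-party / first-party options and
// domain= lists. No anchors or '^' separators; real blockers support far more.

function parseFilter(line) {
  const cut = line.lastIndexOf('$');
  const pattern = cut === -1 ? line : line.slice(0, cut);
  const options = cut === -1 ? [] : line.slice(cut + 1).split(',');
  const f = { pattern, types: [], party: null, include: [], exclude: [] };
  for (const opt of options) {
    if (opt.startsWith('domain=')) {
      // domain= restricts by the page the request comes from; '~' negates.
      for (const d of opt.slice('domain='.length).split('|')) {
        if (d.startsWith('~')) f.exclude.push(d.slice(1));
        else f.include.push(d);
      }
    } else if (opt === 'third-party' || opt === '3p') {
      f.party = 'third';
    } else if (opt === '~third-party' || opt === '1p') {
      f.party = 'first';
    } else {
      f.types.push(opt); // resource type, e.g. script, image, stylesheet
    }
  }
  return f;
}

// A plain pattern is a case-insensitive substring match anywhere in the URL.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(escaped, 'i');
}

const hostMatches = (host, domain) =>
  host === domain || host.endsWith('.' + domain);

// Assumption: "site" is the last two host labels. Real blockers consult the
// Public Suffix List to find the registrable domain.
const siteOf = (host) => host.split('.').slice(-2).join('.');

function isBlocked(filterLine, req) {
  const f = parseFilter(filterLine);
  const reqHost = new URL(req.url).hostname;
  const pageHost = new URL(req.pageUrl).hostname;

  if (!patternToRegExp(f.pattern).test(req.url)) return false;
  if (f.types.length && !f.types.includes(req.type)) return false;

  const thirdParty = siteOf(reqHost) !== siteOf(pageHost);
  if (f.party === 'third' && !thirdParty) return false;
  if (f.party === 'first' && thirdParty) return false;

  if (f.exclude.some((d) => hostMatches(pageHost, d))) return false;
  if (f.include.length && !f.include.some((d) => hostMatches(pageHost, d))) {
    return false;
  }
  return true;
}

// Rule quoted in the thread: nothing in it limits it to third-party requests.
const THREAD_RULE = '-google-analytics-$script,domain=~wordpress.org';
// Hypothetical variant (not from any filter list) scoped to third parties.
const SCOPED_RULE = '-google-analytics-$script,third-party,domain=~wordpress.org';

// Constructed requests; the bundle file name is the one quoted in the thread.
const PAGE = 'https://site.example/alternatives';
const BUNDLE =
  'component---src-pages-google-analytics-alternatives-js-8d1eb2b4c6482dba3dfd.js';

function evaluate() {
  const firstParty = {
    url: 'https://site.example/' + BUNDLE,
    type: 'script',
    pageUrl: PAGE,
  };
  return {
    firstPartyBundle: isBlocked(THREAD_RULE, firstParty),
    renamedBundle: isBlocked(THREAD_RULE, {
      ...firstParty,
      url: 'https://site.example/component---src-pages-ga-alternatives-js.js',
    }),
    sameNameImage: isBlocked(THREAD_RULE, { ...firstParty, type: 'image' }),
    onExcludedSite: isBlocked(THREAD_RULE, {
      ...firstParty,
      pageUrl: 'https://wordpress.org/plugins/',
    }),
    scopedFirstParty: isBlocked(SCOPED_RULE, firstParty),
    scopedThirdParty: isBlocked(SCOPED_RULE, {
      ...firstParty,
      url: 'https://cdn.tracker.example/' + BUNDLE,
    }),
  };
}

console.log(evaluate());
```

Because the quoted rule keys on the URL substring and resource type only, any build pipeline that derives bundle names from page paths can trip it; checking generated asset names against common filter lists catches this before release.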
| yessirwhatever wrote:
| I dislike Google and their products pretty much universally, but
| having this sort of thing done by a competitor is not just
| distasteful, I see it as verging on corporatism.
|
| Make a better product and beat them, don't use the fact that a
| government is banning them to upsell your own tracking software.
|
| All tracking is bad, from Google or not. I understand the
| "companies need to make informed decisions" argument but I
| disagree with it, mainly because tracking software is involuntary
| and it's in the interest of the tracking software maker and the
| company using it to make it as stealthy as possible.
|
| PS: What adds salt to injury is that you're using Google Fonts on
| this website. If you were privacy-conscious, you'd self-host at
| least. Read here:
| https://developers.google.com/fonts/faq?hl=en#what_does_usin...
| dmix wrote:
| Even the quote on their homepage made me roll my eyes
|
| > PostHog is what I always wanted a Product Analytics SaaS to
| be. Private cloud option so GDPR becomes way more manageable,
| features built based on direct community feedback, focus on
| simplicity and usefulness over vanity features...Great job
| people!
|
| Mmm I dream of [Private cloud options] to make [needlessly
| complicated government legislation] easy!
|
| Yay privacy, I guess? Just add 3 more needlessly complicated
| middlemen.
| pyrale wrote:
| > Make a better product and beat them
|
| It's really hard to make that claim when Google is known for
| anticompetitive behaviour, including crippling GA competitors
| [1].
|
| We should probably acknowledge that Google is in the terminal
| phase where only forced split and divestiture will help, and in
| the meantime, every action from competitors is fair game.
|
| [1]: https://forum.matomo.org/t/adwords-campaign-rejected-for-
| goo... https://matomo.org/faq/troubleshooting/antivirus-
| program-or-...
| Volker_W wrote:
| > Make a better product
|
| Their product is open source and (assuming they say the truth)
| keeps the data on the server of the website owner. I would say
| this is better.
| judge2020 wrote:
| > If you were privacy-conscious, you'd self-host at least. Read
| here:
|
| That page explicitly notes that cookies aren't sent and these
| requests aren't used for the ad machine. Is using Google Fonts
| at all the issue just on the chance they're using IP address
| matching for ads/is them having your IP too much of a risk?
| morelisp wrote:
| > cookies aren't sent
|
| Yes, it says this.
|
| > aren't used for the ad machine
|
| No, it doesn't say this.
| kerng wrote:
| Interesting, I have always assumed that Google and FB would
| use any request sent to them for tracking and profile
| building. Probably a safe assumption to be honest.
|
| Just dump all request logs in a giant Data Lake - seems like
| promotion material idea. (sarcasm).
| geysersam wrote:
| Unless the message is misleading I don't understand why you
| would find it distasteful. As mentioned elsewhere in the
| thread, a competing product being illegal is an excellent
| selling point. Why would you withhold that important information
| from your customers?
| mitchdoogle wrote:
| This whole post and the website is totally misleading. It's
| marketing disguised as a helpful tool.
| geysersam wrote:
| It's clearly marketing. But marketing can be helpful. If GA
| does conflict with GDPR it is far from unlikely that more
| countries in the EU will ban or restrict it. This might be
| insignificant to an American company using GA but it
| certainly is not for a company operating in Europe.
| Meph504 wrote:
| The thing is, that site is misleading, a product that is
| legal in pretty much the whole world (currently) but against
| the law in two countries, does not make the product illegal
| anywhere else, and it seems more likely that the fault would
| be on the companies implementing it in those countries, not
| in the global service that is being provided.
|
| Then again, even though this is google, I'm not big on
| localized countries attempt to create laws that dictate the
| behavior of the internet as a whole, admittedly this is a
| different issue.
| geysersam wrote:
| The website does not say Google analytics is illegal
| everywhere in the world. Only that it might be in parts of
| Europe. I don't think this is insignificant enough to be
| considered misleading.
| Meph504 wrote:
| It's 2 countries, based on the site (which honestly seems
| low) I would say it's pretty insignificant to be anything
| but an ad.
| morelisp wrote:
| It's against the law in many countries (any EU countries,
| and therefore also likely the UK) but only tested in
| court in two countries.
| [deleted]
| jsiepkes wrote:
| > Make a better product and beat them,
|
| It's going to be hard when your own hands are tied by
| legislation but your competitor just does as they see fit.
|
| Also them having the resources to drag out any court ruling for
| years and years ensures there is no level playing field
| whatsoever.
|
| So yeah, maybe companies should be called out for thinking they
| are above the law just because they can afford endless legal
| battles.
| usbqk wrote:
| Google analytics is against the law because they are American
| which means that they have to give up any data the us
| government asks of them. That's the only illegal thing they
| do, and they are not better just for being American. They are
| better because they are better.
| dylan604 wrote:
| There is so much wrong with this. There are legal processes
| for the US gov't to request that data legally. Any other
| means of obtaining that data is illegal even if it is done
| by an entity within the gov't. This isn't the CCP.
|
| Google Analytics isn't better at anything other than their
| marketing has convinced everyone that it is a must have. If
| you believe 100% of the data from GA is accurate, then I
| have a bridge to sell you.
| martin8412 wrote:
| Giving EU customer data to the US government is literally
| illegal for a company. There's not any process that
| somehow makes it legal without the collaboration of an EU
| member state.
|
| The problem is that companies with a presence in the US
| can be forced to break the law of either the US or the
| EU. It's illegal to hand over the information to the US
| government, but it might also be illegal not to.
| dylan604 wrote:
| How does that work exactly if there is no international
| branch of a company in the EU? If a company is online
| with a presence large enough to attract European
| visitors, are they required to open an office in the EU?
| If not, are they supposed to firewall visitors? That's
| asinine sounding.
| morelisp wrote:
| They could not collect unnecessary personal data.
| dylan604 wrote:
| Who's stopping them?
| morelisp wrote:
| I don't understand.
|
| Do you mean, who's stopping them from not collecting
| personal data? No one, that's the point. If you're not
| collecting personal data none of this applies and you can
| serve whatever you want to people in the EU.
|
| If you mean, who is stopping them from handing over data
| to the US government? That's exactly what this court case
| is about. They can't conduct commerce in the EU unless
| they have a mechanism to avoid that, and progressively
| more strict enforcement gets imposed by courts if they
| keep trying. (Eventually, presumably being detained if
| they try to enter an EU country, though I seriously doubt
| it would escalate that far in practice.)
| SAI_Peregrinus wrote:
| > There are legal processes for the US gov't to request
| that data legally.
|
| Only legally for the US. Those processes aren't legal for
| the EU, so the transfer is illegal (for an EU web site).
| kevin_thibedeau wrote:
| > Any other means of obtaining that data is illegal
|
| The government can always just ask. Very little data in
| the US is protected.
| trasz wrote:
| Some of those "legal processes" involve secret kangaroo
| "security courts". It's not really any different from CCP
| in that regard.
| remram wrote:
| You can be American without having your company transfer
| all the personal information of people visiting your
| customers to America.
|
| edit: but you can be required to by law. You're right.
| onli wrote:
| No, you pretty much can't - not as an US-american company
| at least. That's what this problem is all about, and why
| the privacy shield deal between the US and the EU failed.
| heartbeats wrote:
| Google could trivially re-domicile to Ireland if they
| wanted to. Just do a reverse merger, and have the
| services within the US provided by Google LLC, which
| becomes a subsidiary of Google Ireland Limited.
| remram wrote:
| Oh, I see what you mean. Being American you can be
| _required_ to bring that data back, no matter your
| preferred data processing setup. Right, apologies.
| heartbeats wrote:
| > That's the only illegal thing they do
|
| What about the cookie popups, with the "accept" vs. "more
| info" choices? Is that legal, then?
| morelisp wrote:
| Those are consent popups, not cookie popups, and no
| they're probably not. (There needs to be a "Reject"
| option.) But the larger issues with bigger players get
| pursued first.
| moron4hire wrote:
| corywatilo wrote:
| Sadly not supported by TailwindCSS!
| KronisLV wrote:
| > PS: What adds salt to injury is that you're using Google
| Fonts on this website. If you were privacy-conscious, you'd
| self-host at least.
|
| I get what you're saying, but i feel like that's probably a
| sliding scale of how much people actually care about these
| things vs how much they want to just easily get things done.
|
| For example, right now my personal website serves the following
| files, just to get Open Sans working:
|     /fonts/open-sans-latin.woff2
|     /fonts/open-sans-latin-ext.woff2
|     /fonts/open-sans-latin-bold.woff2
|     /fonts/open-sans-latin-ext-bold.woff2
|
| What's the CSS for displaying just one of those fonts? It's the
| following:
|     /* latin */
|     @font-face {
|       font-family: 'Open Sans';
|       font-style: normal;
|       font-weight: normal;
|       font-display: swap;
|       src: local('Open Sans'),
|            url(/fonts/open-sans-latin.woff2) format('woff2');
|       unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC,
|                      U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074,
|                      U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215,
|                      U+FEFF, U+FFFD;
|     }
|
| Of course, depending on the browsers that you want to support
| and how efficient you want things to be, you might end up using
| more than just the WOFF2 format or just adding a TTF font and
| calling it a day, which will further inflate the amount of
| configuration that you need.
|
| Furthermore, the characters that you'll want to show on your
| site will also make you write more code, just look at what
| Google does for Open Sans:
| https://fonts.googleapis.com/css2?family=Open+Sans&display=s...
|
| Oh, and more styles? Well, be ready to add all of those as
| well, since most of the fonts out there won't necessarily be
| variable: https://fonts.google.com/specimen/Open+Sans#standard-
| styles
|
| In comparison, Google Fonts just lets you choose what you want
| and copy something like the following:
|
| HTML:
|     <link rel="preconnect" href="https://fonts.googleapis.com">
|     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
|     <link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;700&display=swap" rel="stylesheet">
|
| CSS:
|     font-family: 'Open Sans', sans-serif;
|
| While we're on the topic of fonts, it's a shame that we don't
| think more about how heavy the fonts we choose to use are,
| since right now serving my own fonts eats up around half of the
| bandwidth on my non-image-heavy site. The single article that
| i've found on the topic so far has been this, "Smallest (file
| size) Google Web Fonts":
| http://www.oxfordshireweb.com/smallest-file-size-google-web-...
|
| In my opinion, those sizes should also be readily available in
| the web UI of Google Fonts, or most other sites that recommend
| fonts out there!
| judge2020 wrote:
| To add, it might not even be illegal; the Netherlands quote is:
|
| > The Dutch Data Protection Authority warns that the use of
| Google Analytics 'may soon no longer be allowed', after a
| ruling by the Austrian privacy regulator. A definitive
| conclusion is said to come at the beginning of 2022.
|
| As for the Austria ruling, this is part of it:
|
| > The fact that Google LLC argued that Google Analytics was
| allegedly provided by Google Ireland Ltd since April 2021 was
| not considered relevant, as the violation occurred in August
| 2020.
|
| So it might be illegal to have used GA before April 2021, but
| it very well might now be legal given that GA is now provided
| by 'Google Ireland Ltd', which was a move explicitly done by
| Google to comply with GDPR.
| tehwebguy wrote:
| Using Google Fonts on this is hilarious and bad, otherwise
| though this post makes no sense. Pointing out your competitor's
| flaws is part of competition and, I'd guess, an important
| driver for fixing or eliminating those flaws market wide.
| nyellin wrote:
| Agreed. We've thought of trying out PostHog in our open source
| platform for Kubernetes and this is a bit of a turn off.
|
| We'll probably try it anyway, to be honest, but I'm not crazy
| about this type of advertising.
|
| There is so much room to beat Google Analytics on UX alone. Is
| this really necessary?
| tokai wrote:
| That your competitor's product is illegal is an _excellent_
| point to showcase for potential users. We're not even
| talking real mudslinging, just pointing out reality. Being
| offended over this is baffling to me.
| saimiam wrote:
| Yeah, fight with whatever tool you have including going
| negative.
|
| I don't for a second think Google would hold back if their
| own behemoth was under mortal threat and their main
| competitor had been found guilty of illegal acts.
|
| The invisible hand of the market (fwiw) relies on free flow
| of information. Educating the public about Google's illegal
| acts is an act of service, though self serving.
| yessirwhatever wrote:
| Allowing yourself to engage in immoral/shady activity
| just because your competitor is doing it actually helps
| your competitor by legitimizing their methods, it's an
| endless cycle of "but they did it first".
| [deleted]
| mitchdoogle wrote:
| The title of this post is just the website url - there's no
| indication it's actually an advertisement. The whole thing
| is designed to trick people, and I'd say most people don't
| like being tricked by marketers
| samhw wrote:
| Nor is there any indication that whoever posted it here
| had _anything to do with_ PostHog (which, to be clear, is
| apparently an open source project, not a paid service
| like everyone seems to have assumed).
| mrtranscendence wrote:
| PostHog is absolutely a paid service, with features only
| available in non-free tiers.
|
| https://posthog.com/pricing
| lupire wrote:
| Doesn't matter. The entire website is designed to mislead
| and manipulate SEO, and the sponsor is only mentioned in
| a small blob on bottom.
| yessirwhatever wrote:
| It's posted by the cofounder. Click on their username.
| [deleted]
| deepstack wrote:
| >PS: What adds salt to injury is that you're using Google Fonts
| on this website. If you were privacy-conscious, you'd self-host
| at least. Read here:
| https://developers.google.com/fonts/faq?hl=en#what_does_usin...
|
| Thanks for pointing that out. Don't know how many times I have met
| privacy advocates, etc. who have made such a strong point against
| google, and still embedded youtube video or google font on
| their site. Is there a github page where one can block all
| google or fb used domains or ips? Would be very useful!
| yessirwhatever wrote:
| You can use Privacy Badger by EFF
| https://addons.mozilla.org/en-US/firefox/addon/privacy-
| badge...
|
| Edit: Please note that they seem to have removed the link to
| Google fonts from the website now.
| sensanaty wrote:
| LocalCDN blocks all Google Fonts by default, causes lots of
| sites to display default sans-serif system fonts instead
| though
| dylan604 wrote:
| Seems like you're looking for a browser extension. Something
| like uBlock, NoScript, etc will all do the blocking of the
| evils
| BlueTemplar wrote:
| It's even more ironic that you (and the owners of that
| website, and PiHole) would then rely on _Microsoft's_
| servers (GitHub) to store and work on that code and data !
| Melatonic wrote:
| Lots of different methods but for most the easiest is to just
| use something like NextDNS or a pihole. Pihole being
| potentially cheaper long term and NextDNS having the
| advantage that you can use it when off your home network.
|
| If you want to get extra fancy you need to also worry about
| DoH and DoT (encrypted DNS) and hardcoded IPs (mainly for
| actual applications like mobile apps or smart devices).
| Encrypted DNS is a great thing but companies also use it to
| bypass things like pihole or NextDNS by hardcoding their DNS
| IP into an application and then sending all requests to that
| IP using DoH and DoT so that the end user has no control.
|
| What you can then do is use any kind of edge router /
| firewall / networking equipment (virtual or physical) to
| block all the common DNS IP addresses directly and only allow
| addresses of your choice (such as NextDNS or other). This way
| when the application tries to make a connection using DoH or
| DoT to that specific IP address it ensures that it is blocked
| and everything must fall back to whatever DNS you have set up
| (which can also be running DoH or DoT for privacy /
| security). Some home routers have this functionality or you
| can set up a pfsense box relatively cheaply to achieve this.
| Unfortunately I have not yet found an easy / cheap solution
| for mobile devices if anyone has any suggestions.
| samhw wrote:
| > Is there a github page where one can block all google or
| fb used domains or ips?
|
| Are you asking for a repo - for software? Or instructions? Or
| something to do with GitHub Pages? I may be able to help, but
| I don't quite follow.
| filoleg wrote:
| I believe they are looking for something like PiHole, but a
| fully software solution. Not sure whether they are looking
| to go the open-router-firmware route or the route of some
| ublockOrigin config though.
| andai wrote:
| Maybe just a hosts file? Though that only works for
| domain names, not IPs, and in my experience Chrome
| (-based browsers) bypasses it somehow.
| mcdonje wrote:
| Matomo makes the same case, but in a much more tasteful way:
| https://matomo.org/google-analytics-alternative/
| rapnie wrote:
| Here's the comparison of Plausible Analytics:
| https://plausible.io/vs-google-analytics
| mcdonje wrote:
| Also well done.
| 5evOX5hTZ9mYa9E wrote:
| How do you compete fairly with somebody that engages in
| monopoly abuse and anti-competitive behaviour?
|
| It has been more than 3 and a half years since GDPR was
| implemented, yet it took concentrated efforts of non-profits
| and individuals to come to this extremely obvious
| interpretation that EU-US Privacy Shield is nonsense.
|
| Maybe if EU and member countries actually made any enforcement
| efforts, a viable competitive space would emerge.
| franklampard wrote:
| Isn't a legal product a better one than an illegal counterpart?
| kerng wrote:
| Only if the user (in Google's case the product) would be the
| one liable.
| amelius wrote:
| Nope. It's because the illegal product has lower cost
| (because complying to regulations costs money one way or the
| other).
| [deleted]
| IanCal wrote:
| It may not be cheaper when you have to deal with the
| repercussions of breaking the law though.
| amelius wrote:
| Those are usually just slaps on the wrist.
| whimsicalism wrote:
| Sure, if the products and companies are identical in every
| other fashion, which is never true in real life.
| amelius wrote:
| Are you suggesting that legal products/services always
| win over illegal products in a capitalist market? Think
| again: Uber, AirBnb, etc.
| whimsicalism wrote:
| No, you are the one claiming that illegal products are
| always cheaper. I am saying it is murky.
| amelius wrote:
| The question was about otherwise identical products.
| throwhauser wrote:
| If it pushes all companies to be clear about their potential
| GDPR issues, I'm all for it. Let them compete on ease of
| compliance.
|
| As it is, it's very difficult to tell if something you're using
| is gathering data that you don't intend to gather (e.g. your
| hosting provider logging IP addresses for your hand-coded
| blogging software). I don't want to have even the tiniest
| possibility of being on the receiving end of one of those
| theoretically huge GDPR fines just by self-publishing some code
| and putting it on the internet.
| axiosgunnar wrote:
| If their product does not violate the GDPR, their product _is_
| a better product.
|
| It's just that website creators were defaulting to "just use
| Google Analytics" because it's convenient and they didn't care
| about their users' human right to privacy, and were thus
| externalizing human rights violations onto them.
|
| The government is simply preventing externalization of harm,
| which even libertarians will agree is the government's job (of
| course agreeing on what level of spying is harmful is where the
| debate will be).
| mitchdoogle wrote:
| This kind of marketing is pretty common on HN. Provocative
| title and a blog post (written as if they're an independent
| observer) that presents a 'problem' and conveniently their
| product is perfect for solving it. The worst is these things
| get tons of upvotes.
| dylan604 wrote:
| The readers of HN are human after all, unless you're all bots
| and I'm the last human. Oh gawd, what if I'm not human
| either. Oh crap, now I'm going to be fretting over that all
| day.
|
| If you see a title, you have no idea it is from a 1st party
| or 3rd party until you read the article. Or, you could just
| come to the comments and diatribe away. That's the internet
| way, and claiming to be morally better than the internet is
| the HN way.
| djrogers wrote:
| > unless you're all bots and I'm the last human
|
| Checks out - I'm a bot.
| BlueTemplar wrote:
| At least, unlike for the overwhelming majority of articles,
| the title is by the author himself.
| slothtrop wrote:
| > don't use the fact that a government is banning them to
| upsell your own tracking software.
|
| This isn't very convincing.
| hotgeart wrote:
| This will help you: https://google-webfonts-
| helper.herokuapp.com/fonts
| dannyw wrote:
| Let's say company A uses a toxic, life threatening material
| that is illegal and banned by the FDA. However, the FDA lacks
| sufficient funding against a trillion dollar company to
| actually take it off their shelves.
|
| Is it distasteful for competitors to say, hey, company A is
| illegal?
| Permit wrote:
| The linked page is closer to https://lobste.rs (or maybe
| ProductHunt) hosting a scary-looking webpage with the words
| "Hacker News is Illegal" on the front of it.
|
| Why? Because Hacker News does not indicate that the login
| cookie provided to you will be persistent.
|
| From: https://ec.europa.eu/justice/article-29/documentation/o
| pinio...
|
| > Persistent login cookies which store an authentication
| token across browser sessions are not exempted under
| CRITERION B. This is an important distinction because the
| user may not be immediately aware of the fact that closing
| the browser will not clear their authentication settings.
| They may return to the website under the assumption that they
| are anonymous whilst in fact they are still logged in to the
| service. The commonly seen method of using a checkbox and a
| simple information note such as "remember me (uses cookies)"
| next to the submit form would be an appropriate means of
| gaining consent therefore negating the need to apply an
| exemption in this case.
|
| I think this situation is much closer to what's going on in
| the original post. No one's life is threatened, but the
| letter of the law has been broken.
|
| Would it be tasteful to put up such a site?
| zauguin wrote:
| > I think this situation is much closer to what's going on
| in the original post. No one's life is threatened, but the
| letter of the law has been broken.
|
| I strongly disagree.
|
| First, it's not just the letter of the law which is
| violated. The basic intent of the law is at odds with the
| actions of Google Analytics.
|
| Starting with Safe Harbour, Privacy Shield and now the
| standard contractual clauses, the courts consistently
| decided that no matter how precisely it is formulated, data
| is just not sufficiently protected by current US laws to
| allow sharing.
|
| Also the important difference with Hacker News is that
| Hacker News violating these rules mostly affects Hacker
| News itself, while GA violating the rules leads to
| liability risks for web developers who keep transmitting
| third party personal data to it.
| whimsicalism wrote:
| No, I think it would be as if Hacker News had already lost
| a case that their cookies are illegal.
| Meph504 wrote:
| If Company B is doing the same thing, but not known by name,
| yes.
| stickfigure wrote:
| Why stop at mere hyperbole? You could compare with gas
| chambers and invoke Godwin's law directly!
| remram wrote:
| Godwin's law says "someone will invoke a comparison to the
| Nazis". You fell to it, not GP.
| StreamBright wrote:
| How exactly do you propose doing that? I cannot convince
| frontend devs to not use Google fonts directly and upload it to
| their own CDN.
| foxfluff wrote:
| > I dislike Google and their products pretty much universally,
| but having this sort of thing done by a competitor is not just
| distasteful, I see it as verging on corporatism.
|
| Don't shoot the messenger? I think everyone should have the
| right to voice opinions and point out problems with products,
| competitors or not. As long as the claims are factual and not
| FUD and bullshit. (I'm reminded of fud campaigns made e.g. by
| big corporations against open source, backed by their own shady
| fudfactory studies)
|
| If a company can -- without lying or twisting facts -- point
| out that their competitor's product is
| dangerous/illegal/unsuitable/{whatever is relevant to me}, I'm
| all open.
|
| Of course, the line between a fud campaign and plain good old
| information is sometimes very thin.
| Sebb767 wrote:
| > Make a better product and beat them, don't use the fact that
| a government is banning them to upsell your own tracking
| software.
|
| I love that you casually put _not being illegal_ on the same
| level as a dashboard or a convenience feature.
| woah wrote:
| This is a bad take. The problem with Google analytics is that
| it allows Google to surveil everyone's movements around the
| entire internet. This is enabled by the fact that for a long
| time, Google analytics was the best analytics product and it is
| free. I've been in the position myself with personal project
| websites of trying to decide whether I'm just not going to know
| anything about what my users are doing, whether I'm going to
| try to hook up some janky open source alternative, or whether
| I'm going to give in to the surveillance machine.
|
| The competitor that put up this site appears to be a company
| that provides analytics that are not centrally collected and
| analyzed to serve ads across the internet. Their entire selling
| point seems to be that they do not engage in mass surveillance.
| Equating this to what Google analytics does (if this
| competitor's claims are accurate) is a false equivalency.
|
| To me, this is no more objectionable than a foam insulation
| manufacturer capitalizing on asbestos bans.
| hn_throwaway_99 wrote:
| Totally agree. I really don't have any objections to
| analytics that are run _solely by the website provider_, as
| long as those analytics are only used to investigate usage
| and issues _on that website_. I don't have any problem with
| coffeegrinders.com knowing all about how I use their site to
| find good coffee grinders, but I DON'T want that correlated
| with my choice of mildly NSFW Tumblr videos. It's pretty
| inherent to the way the web works in any case, where you're
| not just being broadcasted to but are having a back-and-forth
| conversation with the website.
|
| The primary problem with surveillance capitalism is when your
| movement _across_ the entire Internet is gobbled up, sliced,
| and aggregated for the largest bidder.
| whimsicalism wrote:
| What about a social media service recommending you
| advertisements solely based off of analytics derived from
| your actions on that website?
| melissalobos wrote:
| I like the scrolling banner on the side reminiscent of a news
| ticker being used for static data, it adds some vibrancy to the
| presentation. It might be nice to have more of the globe shown on
| the front, since it isn't "isgoogleanalyticsillegalintheEU". I
| really like the color scheme too, nice job!
| [deleted]
| Cyberdog wrote:
| I disagree about the "ticker." Items moving on a page without
| my request and particularly without any purpose are annoying to
| me at the best.
|
| Sadly, such nonsense is quite common in modern web design.
| toqy wrote:
| Plenty is wrong with the modern web, but this is harmless and
| seems to fit the theme well
| alpaca128 wrote:
| I'm usually the first to complain about things like that as
| well as I'm very easily distracted, but in this case I think
| it's not that bad and looks kinda nice.
|
| I still wish websites would not only respect the disabled
| autoplay setting but also stop animations completely in that
| state. But right now it seems crashing video player UIs are
| the best we can get.
| toqy wrote:
| There's prefers-reduced-motion[1] but I don't think many
| sites actually implement anything for it. This one is open
| source though so someone that cares could submit a PR
|
| 1. https://developer.mozilla.org/en-
| US/docs/Web/CSS/@media/pref...
| alpaca128 wrote:
| Great to know, maybe one day this stuff catches on.
|
| tl;dr for enabling this in Firefox: _about:config_ > add
| numeric _ui.prefersReducedMotion_ field > set value to 1
| BlueTemplar wrote:
| Geocities might disagree about the "modern" part...
| donkarma wrote:
| reminds me of PAYDAY 2
| calpaterson wrote:
| How do they decide to pick what towns to show in maps like this?
| Aberdeen is neither the capital nor the largest town in Scotland
| and anyway is smaller than Cardiff which is the capital and
| largest town in Wales. Republic of Ireland doesn't get a single
| town but NI gets Belfast? There has to be a reasonable
| explanation, surely?
| hericium wrote:
| Very specific domain name. Is Tag Manager different from
| Analytics? Have you seen Fonts' TOS?
| 101008 wrote:
| I have a few blogs with visitors from around the world hosted in
| NYC in a shared hosting. What's a legal alternative to Google
| Analytics that would be as easy to set up? I don't want to host
| anything myself, just replace the JS that Analytics provide and
| that's all. If I can import my historic data from GA to the new
| service that would be perfect. Does such a service exist? We
| can't ask bloggers who install Wordpress to run an instance of
| Matomo, PostHog, Plausible or whatever.
| ceejayoz wrote:
| Frankly, "hosted in NYC" probably has the same issues as "uses
| Google Analytics". Data on EU citizens is leaving the EU for a
| country without similar privacy protections.
| 101008 wrote:
| What's the solution then? Block my website for European
| visitors? It is not a business, just a blog.
| BlueTemplar wrote:
| I've seen websites do just that. But why would analytics be
| more important to you than readership itself?
| pyrale wrote:
| In that case, you probably don't have to respect GDPR, as
| personal or household activities are exempted from its
| scope [1].
|
| In any case, I would recommend looking up how to make sure
| your users' privacy is respected, it's always nice to make
| sure that, should their data be leaked, people are safe.
|
| [1]: https://www.fff-legal.com/the-household-exemption-in-gdpr/
| taubek wrote:
| If it is illegal in one country does it make it illegal in all other
| EU countries as well or is this left to individual law systems of
| each EU member state?
|
| BTW. your site looks great. I like the running ticker on the
| side.
| jacquesm wrote:
| As mentioned in another thread on this subject: EU privacy law
| is harmonized, there may be local exceptions but these are
| increasingly rare and over time I would expect them to fade
| away completely.
|
| Note that the ruling confirms the GDPR, the EU legislation.
| lmkg wrote:
| As a USAian, my rough impression is that it's similar to
| circuit splits in Federal courts. GDPR is a Regulation (not a
| Directive), so it's law in all EU states. But each country's
| court may interpret its requirements slightly differently. A
| ruling from the Court of Justice of the European Union (CJEU)
| would be binding on all member states. And in fact most rulings
| around Google Analytics are dealing with the boundaries of a
| CJEU ruling, Schrems II.
| roblabla wrote:
| this kinda depends. I'm not 100% sure what kind of "law" the
| GDPR is, but if it's a directive (which I think it is?), then each
| member state must implement a law that satisfies the GDPR
| requirements. Member states may choose to pass stricter laws
| than the GDPR technically requires, which could make something
| illegal in one EU country but not all the others.
|
| Also, enforcement may be very inconsistent, since it is mostly
| left to each member state to handle.
|
| EDIT: NVM, GDPR is a Regulation, not a Directive, so it's
| automatically law everywhere in Europe.
| freshpots wrote:
| Your connection is not private Attackers might be trying to steal
| your information from isgoogleanalyticsillegal.com (for example,
| passwords, messages or credit cards). Learn more
| NET::ERR_CERT_AUTHORITY_INVALID
|
| No thanks.
| justsomehnguy wrote:
| And this is why all those scary pages _without_ explanation
| suck. Too many clicks are needed to actually see the
| chain and certs.
| alpaca128 wrote:
| Especially because you can get errors like that just from
| having an incorrect date/time set on the device. Confused me
| a few times.
| RedShift1 wrote:
| It's a Let's Encrypt certificate issued by R3, perhaps your
| root certs are not up to date?
| wila wrote:
| In particular because of this issue:
|
| https://letsencrypt.org/docs/dst-root-ca-x3-expiration-septe...
| melissalobos wrote:
| Huh, it is working for me. It looks like a valid cert from
| Let's Encrypt to me. Do you have any more details? So maybe the
| author can fix it.
| Volker_W wrote:
| For me, the cert has a fingerprint of
| 8C:5A:9F:E3:03:A2:C5:31:0D:42:C0:AF:41:E6:61:48:8A:C4:EF:91:CD:41:83:90:D1:86:AF:DA:47:47:00:16
| signed by
| 67:AD:D1:16:6B:02:0A:E6:1B:8F:5F:C9:68:13:C0:4C:2A:A5:89:96:07:96:86:55:72:A3:C7:E7:37:61:3D:FD
| signed by
| 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
| and gets accepted.
| bastardoperator wrote:
| LGTM, sure you're not having an issue on your side? I even see
| http redirect to https. Cert was also issued yesterday.
| falcolas wrote:
| In my case, this was caused by a corporate "keep our internet
| clean" (lol) install of Cisco. Check what the cert actually is.
| cardosof wrote:
| In the old world, a company would build the television, another
| would broadcast shows, another would measure the audience and
| another would measure sales to compare with media investments.
|
| Which of those steps Google does today? All of them, from browser
| to YouTube to shopping to audience data and sales measurements.
| This is not a case of "old people ranting about how the old world
| was simpler and better", it's a case of conflict of interest. But
| this isn't something new, everyone in the industry has been
| seeing that for two decades now, it's just something no one cares
| enough to pick a fight.
| ArtemZ wrote:
| GranPC wrote:
| Meta: this website consistently crashes my browser (Firefox on
| Linux) if I move the mouse in and out of the map a couple of
| times. Does this happen to anyone else?
|
| (edit: demo video url:
| https://dabbleam.com/jesus/Screen%20record%20from%202022-01-...)
|
| Edit 2: doesn't crash on a fresh Firefox profile. Crashes upon
| enabling gfx.webrender.all, gfx.webrender.compositor and
| gfx.webrender.compositor.force-enabled. Very intriguing stuff,
| I'll file a bug.
| spicybright wrote:
| FF under macos. The entire page lags like crazy when hovering
| in or out of the map. What are they even doing to make that
| happen lol
| jacquesm wrote:
| Checked, also FF on Linux, works here, no crash.
| melissalobos wrote:
| Latest stable Firefox on Arch, it doesn't crash but the person
| stops moving after a few times.
| smoyer wrote:
| FF 97.0b4 on Xubuntu 20.04 (up-to-date) - no crash mousing over
| the map (whether it's a highlighted country or not).
| rickstanley wrote:
| Doesn't crash on Windows, but boy it uses CPU to the last
| register; it goes up to 95% usage.
| alpaca128 wrote:
| Nope, FF 95.0.1 on Linux doesn't crash for me.
| thinkindie wrote:
| I think this page is pretty misleading
| https://isgoogleanalyticsillegal.com/alternatives/
|
| they are listing PostHog as a valid alternative that would be
| GDPR-friendly but as per their terms of use PostHog is based in
| the US and they would be bound by the same Cloud Act as Google
| Analytics.
| tobyhinloopen wrote:
| Nice clickbait url with misleading information on the website.
| AtNightWeCode wrote:
| Is this accurate?
|
| We have the Schrems II ruling that made some countries think they
| could not use services like Cloudflare and Azure. Still
| Cloudflare and Azure are widely used within EU. (Germany is an
| outcast). One should as always be transparent about what data is
| collected. From the GA projects I've been involved in (in EU) GDPR
| has never been a concern.
| vorticalbox wrote:
| that side bar gives me <marquee> nostalgia.
| ianbutler wrote:
| So the reason people do emotionally charged marketing like this
| is because it generally works. We on HN are probably not
| (entirely) the same group that this is getting sold to, we may
| see the BS here a little more clearly or have a more principled
| view on things like this.
|
| BUT most people do not have the same distaste towards this type
| of marketing so -- don't hate the players, hate the game. If you
| want things like this to stop then it's probably up to government
| regulation to curtail it otherwise, for smaller competitors where
| it's already difficult enough to establish a market position,
| they would just be hamstringing themselves by not playing to the
| same emotionally charged marketing style.
|
| If you're a business and you deliberately stay away from
| marketing like this -- that's great, honestly I'm personally more
| likely to try your product and I'd like to think I'd do the same
| in my own work but I really can't blame companies who take this
| route either.
| [deleted]
| adhesive_wombat wrote:
| Nice to see something happening in the GDPR compliance areas,
| because well over 90% of cookie banners are noncompliant with
| GDPR because they don't give "allow" and "reject" equal
| prominence (or they load cookies before you click accept).
|
| For example, OneTrust gets it right on their website, but I have
| never seen a client of theirs get it right. So either OneTrust
| doesn't use their own software, or all their clients are
| specifically configuring it in a non-compliant way.
|
| I have yet to hear of any general enforcement of this, despite
| noyb.eu's reporting of hundreds of websites to regulators.
| l30n4da5 wrote:
| Years ago, I remember using GA on a project. Was unhappy with
| GA's realtime availability, so we wrote our own backend for it
| and stored all the analytics on our own infrastructure.
|
| Worked without any real issues. Didn't have to stop using GA on
| the frontend, either. Just had to point the frontend GA at our
| own endpoint.
|
| Theoretically, this would make usage of GA compliant with GDPR,
| too, I believe.
| keewee7 wrote:
| >PostHog
|
| lol that is funny. "post hog" is a term that originated from the
| radical left r/ChapoTrapHouse subreddit.
|
| Are there other tech companies founded by openly anti-capitalist
| leftists?
| mfer wrote:
| > The safest solution is to use an analytics provider that keeps
| data on your own infrastructure.
|
| People don't want to run their own infrastructure anymore.
| Everything outside of their own business differentiator they want
| to outsource. Whether they "should" do it is debatable and a long
| conversation with context like business value, cost
| effectiveness, velocity, and other non-technical things as part
| of the conversation.
|
| This would be a great advertising moment for an EU based
| analytics provider. A SaaS.
| openplatypus wrote:
| There are many alternatives. Some are purely EU enterprises,
| some use hosting by US entities. But it appears that more than
| ever, there is a lot to choose from.
|
| Just search in your search engine of choice and you will find
| plenty. Lots of comparison online. Some are more, some are less
| complete or accurate. With the advent of affiliate marketing among
| vendors, the reviews start resembling VPN market.
|
| Not listing anything specific. My company has a product in this
| space, but I will spare you self-promotion.
| tupac_speedrap wrote:
| The detail is quite interesting. The Austrian interpretation
| seems to hinge on the US intelligence agencies having access to
| data as a third-party at any time because their surveillance laws
| are so broad and the fact that UUIDs are being used between
| cookies and therefore the anonymised data is actually not very
| anonymous if you slurp data like the NSA and can combine that
| with IP addresses.
| [deleted]
| Cenk wrote:
| Brought to you by PostHog. See also this tool by Fathom:
| https://illegal.analyticsscanner.com
| blibble wrote:
| I for one am overjoyed that the <marquee> tag seems to be coming
| back
| hrdwdmrbl wrote:
| GDPR has gone too far. Privacy yes. Encryption yes. Data
| portability yes. Permissionless selling of personal data no. But
| the rules are nonsensical at this point.
| pgalvin wrote:
| Could you elaborate? Which parts of the GDPR do you disagree
| with?
| TekMol wrote:
| The EU and especially Germany make it harder and harder for
| startups and indie makers to survive.
|
| Now when you start a project in Germany, not only do you have to
| have an "Imprint" on your site which shows your private address
| (if you work from home or are a digital nomad) but you also are
| at a disadvantage because you cannot use all the free tools that
| startup founders outside of the EU can use.
|
| Has anybody here in Europe considered moving to another country
| or setting up a company in another country because of this?
|
| How do all the famous indie makers from Europe handle this? I
| never find any information on their sites with an address and
| they all use Google Analytics.
| mrweasel wrote:
| So because you want it to be easier to start a business, you
| want users to have less privacy and less legal protection?
|
| Google Analytics is free for businesses, but not because Google
| feels like they need to help small business get started.
|
| Also consider that starting a business in countries like
| Denmark is easier than starting one in the US. Ease of doing
| business isn't the only thing holding back EU startups.
| openplatypus wrote:
| Germany is making it hard, but on tax level. Not even talking
| about the amount you pay, but the complexity of the system. But
| that's it.
|
| EU/Germany might not encourage a haphazard hodgepodge of poorly
| vetted services as squashed into a start-up. And it is a good
| thing.
|
| Some regulation might have got a bit extreme. Granted. I think
| they will be revisited as the time goes by. But really, this
| feels like a reaction to contempt that many businesses have
| towards protecting their users.
| nerdawson wrote:
| I'm generally in support of website owners having to publish a
| certain amount of information about who operates the site.
| Especially when the site is commercial in nature or collects
| visitor data.
|
| If you're publishing ads, sending people to affiliate links,
| selling products, whatever, you're operating a business. All
| businesses should be held to a minimum standard of
| accountability.
| Animats wrote:
| _you have to have an "Imprint" on your site which shows your
| private address_
|
| That's been the law in the EU since 2001.[1]
|
| _1. In addition to other information requirements established
| by Community law, Member States shall ensure that the service
| provider shall render easily, directly and permanently
| accessible to the recipients of the service and competent
| authorities, at least the following information:_
|
| _(a) the name of the service provider;_
|
| _(b) the geographic address at which the service provider is
| established;_
|
| _(c) the details of the service provider, including his
| electronic mail address, which allow him to be contacted
| rapidly and communicated with in a direct and effective
| manner;_
|
| _(d) where the service provider is registered in a trade or
| similar public register, the trade register in which the
| service provider is entered and his registration number, or
| equivalent means of identification in that register;_
|
| The definition of "service provider" is (b) "any natural or
| legal person providing an information society service".
|
| This is a basic requirement of European Union trade. It's
| intended to encourage cross-border trade, by insuring that, if
| there is a problem, the customer can find the seller. So,
| anonymous online businesses are illegal in the EU.
|
| [1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
| lawtalkinghuman wrote:
| > you cannot use all the free tools that startup founders
| outside of the EU can use.
|
| You can use the ones that don't infringe on user privacy.
| [deleted]
| j_san wrote:
| I don't think the imprint is really hindering.
|
| Not using SaaS services (e.g. Firebase) just really sucks
| though.
|
| We still use it (started with it before privacy shield was
| demolished) but we will have to migrate eventually. Don't know
| what we'll use exactly, maybe managed kubernetes with some
| platform for an easier workflow running on it? Idk yet.
| openplatypus wrote:
| Hi there, not sure how relevant this is, but there appear to
| be few "alternatives" to the firebase. Some open-source [1].
|
| And if you already consider Kubernetes, even better. It
| removes a lot (but not all) of headaches for managing
| infrastructure. I wish there was better market for quality
| k8s operators to automate the management tasks for some
| specialized deployments.
|
| It is open source, the hosted vendors will emerge, so you
| will be able to buy it, if not yet.
|
| That said, I sympathize. Re-doing already done feature rather
| than focusing on new things can feel discouraging.
|
| [1] https://supabase.com/docs/oss - no affiliation
| timeon wrote:
| > you cannot use all the free tools
|
| Aka spyware.
| 7steps2much wrote:
| The "imprint" doesn't necessarily need to show your private
| address though, only an address of "someone responsible for the
| contents of this website."
|
| Do note that "someone responsible" can be a legal entity! Not
| only corporations but also a "Verein" or a similar legal
| construct.
|
| Also, note that you do not need to list your address, only a
| "Anschrift", which often times is the same thing as an address,
| but really just means "If I write this on a letter it has to be
| delivered to you." So a postal box for example works just fine.
|
| If you are a startup you will have all of these things anyways,
| I don't know a single startup that isn't also a legal entity.
| Indie makers is a bit more tricky, but as mentioned before it
| is pretty easy to get around this requirement via a "Verein" or
| something similar.
|
| As for free tools not being usable, I honestly don't think it
| is that big a problem. Google Analytics doesn't work for you?
| There are other offers out there. Or you could selfhost matomo.
| Or if you want then you can just go ahead and run an awk script
| on your Webserver log.
|
| As for not finding information on the sites of famous
| European indie makers, I am going to let you in on a secret.
| The "Impressum" was always intended so that consumers could
| have a look at who they are dealing with over the internet.
|
| To this day it is still handled like that. If you aren't
| selling anything or doing anything else that "a classic"
| company would do it is highly unlikely anyone is going to care
| whether or not you have an Impressum.
| TekMol wrote:
| Sure. You can set up an address somewhere. Rent it. Set up
| some kind of mail forwarding or go there regularly to get
| it.
|
| Sure. You can put in a day of work to self host or write your
| own analytics solution.
|
| But this already puts you at a disadvantage. Because of the
| time you have to invest and the sub par solutions. Google
| Analytics is simply better than the alternatives.
|
| And it does not end here. Every website I know uses a
| multitude of international tools. All of them connecting the
| visitor to some international servers which provide the
| service. Cutting European indie makers off from all these
| tools will put them at a _huge_ disadvantage.
| piaste wrote:
| > Sure. You can put in a day of work to self host or write
| your own analytics solution.
|
| > But this already puts you at a disadvantage. Because of
| the time you have to invest and the sub par solutions.
| Google Analytics is simply better than the alternatives.
|
| I am entirely in favour of requiring SaaS creators to put
| in a day of work if they want to analyze their users'
| information without violating their privacy, and forbidding
| them from saying "fuck it I can't be bothered, just send
| everything to Google, it's easier".
|
| If being able to see our aggregate sexual orientations from
| Facebook Analytics is truly such a _huge_ competitive
| advantage, by all means, explain in your sign-up page why
| it's in your customer's best interest to allow those
| tracking pixel and get their explicit consent.
|
| Alright, I'll drop the sarcasm and state my claim outright:
| if you're creating an actually valuable and worthwhile
| product, using privacy-respectful tools and practices isn't
| going to kill your dreams. Not even close.
|
| If you're creating another useless listicle page or shady
| dating app or would-be "viral" attention black hole, such
| that its business model fails if you can't track and
| profile hapless visitors or sell their data, then I'm
| _glad_ you won't be able to start such a business in my
| country, and if you're abroad I hope you geoblock my
| country as well.
| jmnicolas wrote:
| The UE thinks it can reinvent the USSR better. I don't
| expect it to survive past 2030.
| heartbeats wrote:
| You're considering moving because you'd have to spend a day
| setting up a post box and new analytics?
|
| You don't think you're being a wee bit dramatic here, homie?
| juanse wrote:
| In Spain it is kind of the same. Indeed entrepreneurs often hear
| how countries like Germany make everything cheaper and easier
| to do.
|
| Personally I use the self-host version of plausible, and I
| remove this cookie banner that is sooo invasive and by the way
| improve page-size and UX.
|
| I use a virtual server precisely in Germany for less than 3EUR
| a month and had it by my own subdomain like
| analytics.mydomain.eu
| vladharbuz wrote:
| I've started three businesses in the EU and I can't say I share
| your feelings.
|
| Regarding the Impressum ("imprint"), the information you need
| to put on your website is already public, since the address of
| your company is recorded in the commercial register when you
| incorporate it. It can be annoying to have to use your home
| address, I agree, but there are plenty of coworking spaces or
| even just mailbox services that can solve this problem.
|
| Regarding Google Analytics, I don't find it a competitive
| disadvantage to have to host analytics software that is less
| detrimental to user privacy.
|
| Are there any other issues or annoyances you ran into that
| contribute to the impression you stated?
| TekMol wrote:
| Most indie makers build their product first and only
| incorporate if it becomes big. If ever.
| nerdawson wrote:
| Indie maker is a nice label, but if they're attempting to
| make money, they're acting like a business and should
| operate with a certain degree of transparency. Self-
| employed or a separate legal entity is a technicality.
| mrweasel wrote:
| That's just making things needlessly complicated in some
| countries. Registering a business is something you can do
| rather easily, I know people who have a company registered,
| just in case. It makes everything easier, less troubles
| with taxes and better legal protection (as in: a failed
| project won't cost you your home).
| amelius wrote:
| Why isn't France in red? IIRC, the French started the whole EU
| anti-Google campaign since they have the presidency of the EU.
| Also, Germany used to be far ahead almost anyone else when it
| comes to privacy, so why aren't they in red? This map seems
| wrong.
| jhoelzel wrote:
| Welp, technically yes everywhere, and it has been that way since
| the GDPR.
|
| Practically this is the number one reason for our nice
| "attention, do not resist, we are using cookies on your
| electronic machinery" popups.
|
| For quite a few sites it's the only cookie you actually accept.
|
| It's a s**t show really. Every single client ever now needs to
| have a cookie popup because Google is going to punish you in your
| rankings if you do not use their integrations too.
|
| And if you do use their integrations... you need a popup.... and
| don't even get me started about "legitimate interest".
|
| But this is the way... I opt out as much as I can and block
| through the router as well as ublock.
|
| The most interesting thing that I noticed is that if you block
| third party cookies in safari on your phone, some sites will show
| you a blank screen. Timescale does this (I have reported this as
| a bug months ago but never received feedback).
|
| It's an amazing feature by now:
|
| - the page loads and you can see the content
|
| - the page tries to show you the cookie popup
|
| - since I don't have any cookies allowed, the script will just
| completely blank out my page
|
| Welp. Welcome to the future. It's not necessarily better, but I
| can see them all now, which I guess is at least a step in the
| right direction.
| Volker_W wrote:
| > Every single client ever now needs to have a cookie popup
| because google is going to punish you in your rankings if you
| do not use their integrations too.
|
| Source/proof?
| [deleted]
| morelisp wrote:
| > For quite a few sites its the only cookie you actually
| accept.
|
| If true, they don't need to show the popup.
|
| > google is going to punish you in your rankings if you do not
| use their integrations too.
|
| If you have evidence of this it would be the basis of a massive
| antitrust case. (I'm not disagreeing and would not be too
| surprised, but - real evidence is thin unless you include the
| AMP carousel which is not technically part of "rankings".)
| sneak wrote:
| I frequently wonder what sort of tracking, if any, is happening
| via fonts.google.com and gstatic.com which are used widely across
| the web. Many sites break if you block resources from
| gstatic.com, as they depend on javascript libraries from it.
|
| The shortsightedness of using remote static assets on your own
| site is amazing to me.
| kmeisthax wrote:
| Note that this isn't purely "do not use Google Analytics"; it's
| "do not export EU data". For context, there used to be a trade
| agreement to ensure EU companies were still allowed to use US
| server hosts, called US Privacy Shield; but that was torpedoed by
| other legal rulings.
|
| TBH, I personally do not understand how it is legal to provide a
| single shared service in the face of data localization
| requirements, especially if other countries were to adopt similar
| rules. Is it just a matter of having separate shards for each
| jurisdiction? Or do we need to instance the entire application so
| that US users don't even see EU users and vice-versa? Most off-
| the-shelf/FOSS webapps aren't built to be sharded this way, they
| assume One Big Database that has everything. That would include
| some of the GA alternatives they list; which, again, is a problem
| if those apps don't shard users by jurisdiction.
|
| I suppose for now, just hosting everything in the EU is fine, if
| only because the other jurisdictions with data localization
| requirements[0] pretty much _can't_ be served with a shared
| application anyway. I'm imagining that's what the person who
| built this was figuring it would be used for. But if the US
| starts demanding data localization, the Internet is fucked.
|
| [0] China, AFAIK
| ximm wrote:
| GDPR doesn't rule out using servers in other jurisdictions. It
| just rules out using servers in jurisdictions with shitty
| privacy laws, e.g. the US. If all countries were to adopt
| similar laws there wouldn't be a problem.
| lmkg wrote:
| Exactly. As far as I can tell, the only problem that most
| European courts cite is the CLOUD Act. If that law were
| updated, I suspect many of these rulings would get reversed.
| kmeisthax wrote:
| You are correct that the US copypasting GDPR into its own
| law would be an absolute triumph. But that's not what I'm
| worried about. The problem I'm worried about is multiple
| countries having _conflicting_ data localization
| requirements.
|
| One of the specific cited concerns with off-site hosting is
| that it exposes user data to foreign intelligence agencies.
| This is a valid concern, but it's not unique to the US. It's
| not like EU member states don't have their own spymasters:
| they absolutely do, and they are just as atrocious to
| democratic norms as American ones are. In fact, most EU
| member states would rather trust the US than each other,
| that's why their politicians negotiated the Privacy Shield
| agreement that ultimately got shot down.
|
| If the US were to have a data localization requirement, it
| would almost certainly be incompatible with the EU's data
| localization requirement. Then everything I mentioned in my
| prior comment would apply: the need to shard users at best,
| and a need to firewall users off from one another at worst.
| falcolas wrote:
| > But if the US starts demanding data localization, the
| Internet is fucked.
|
| Not... really? The internet (defined as the infrastructure and
| non-commercial websites) will be fine.
|
| Corporations that collect and monetize data will just have to
| jump through more hoops (and many already do this _because_ of
| the GDPR and Europe's general feelings about personal data).
| So they'll be fine too, even if they gripe a bit about it.
|
| The only folks who would really be hurt would be small
| developers, because their potential audience will be limited
| until they take advantage of foreign hosting and segmenting
| their user's data. In the end, they'll probably be fine too,
| even if their growth is stunted while they comply with laws
| (and ultimately, the wishes of their customers).
| rileymat2 wrote:
| " But if the US starts demanding data localization, the
| Internet is fucked."
|
| The the demands that tiktok be sold?
| kmeisthax wrote:
| TikTok is an unusual case, because the US was determined to
| ratfuck Chinese social media apps a few years back. The
| executive orders in question only applied to a handful of
| companies in one country. There was no concomitant demand
| for, say, EU companies or anyone else to shard off US users
| on domestically-hosted infrastructure.
|
| A general data localization requirement in US law would mean
| an end to self-hosting one website and serving two
| jurisdictions for the majority of web users.
| pyrale wrote:
| > There was no concomitant demand for, say, EU companies or
| anyone else to shard off US users on domestically-hosted
| infrastructure.
|
| US claims are wider in scope, since they demand services
| operating in the US to hand over data, wherever it's
| located, and wherever the users it's about are located.
| GordonS wrote:
| Anyone have suggestions for a _lightweight_, OSS Google
| Analytics alternative, preferably using a Postgres backend, and
| preferably server-side so no cookies or JavaScript are required?
| Only needs to handle max 10K visitors a day, which is nothing
| really.
|
| I had a quick look at PostHog, but it seems to need all of these
| in addition to the web UI:
|
| - Postgres
| - Redis
| - ClickHouse
| - ZooKeeper
| - Kafka
|
| That's... a lot. I realise there is a Docker Compose file
| available, but it's the amount of resources used that is
| concerning, and given my very modest requirements I was hoping
| for something very light.
| skilled wrote:
| This article[0] also has a solid list of open-source
| alternatives.
|
| [0]: https://stackdiary.com/open-source-analytics/
| cblconfederate wrote:
| Europe celebrating for becoming a regulatory minefield is not a
| good sign.
| sdoering wrote:
| > This message is brought to you by
|
| > PostHog is the only open source product analytics platform
| where customer data never leaves your infrastructure.
|
| Hosting my own Matomo installation I beg to differ. Matomo is
| open source and my visitors data never leaves my own server.
|
| Except they only do backend tracking and see https traffic from
| website frontend tracking reaching my analytics server as it
| "leaves your infrastructure".
|
| But they at least made one thing obviously clear to me. I would
| never consider using them in the future.
|
| Also they are wrong factually. Google Analytics is not illegal in
| Austria. The court made this clear. Transmitting the IP without
| anonymizeIp is. Also transmitting PII data unencrypted to GA us
| (but GA does forbid that in their TOS as well).
|
| So not caring about the law when implementing GA and doing it
| just wrong is forbidden in Austria. Who would have thought. Using
| it correctly and adhering to data privacy best practices is just
| fine with GA.
| lmkg wrote:
| > Also transmitting PII data unencrypted to GA us (but GA does
| forbid that in their TOS as well).
|
| There is a BIG issue here which is usually splitting hairs, but
| in this case is super-relevant.
|
| Google's TOS forbids storing PII. GDPR forbids transferring
| Personal Data (PD). These are _nowhere near_ the same thing.
| Pseudonymous identifiers are not PII, but are often PD.
|
| Google Analytics requires a pseudonymous identifier to work
| (the "client ID," by default a randomly generated value stored
| in a cookie). This may on its own constitute a GDPR violation,
| despite not counting as PII for Google's ToS or any other
| American law.
| sanitycheck wrote:
| It's possible for a developer to disable GA cookies and/or
| provide a different client ID to GA, which would make cross-
| site user tracking and identification of individuals more
| difficult.
|
| Google would still always get the IP and user-agent though,
| so maybe that's not enough. Proxying calls to GA and
| stripping anything which could contribute to a fingerprint
| should logically make it "legal" everywhere, I would have
| thought?
| ratww wrote:
| _> Also they are wrong factually. Google Analytics is not
| illegal in Austria. The court made this clear. Transmitting the
| IP without anonymizeIp is. Also transmitting PII data
| unencrypted to GA us (but GA does forbid that in their TOS as
| well)._
|
| That's some very interesting information. So, the real answer
| to the question of whether it's illegal in Austria or not is a
| "MAYBE", and it is quite easy to make it legal? If so, that
| should be on this site.
| ceejayoz wrote:
| > Also they are wrong factually. Google Analytics is not
| illegal in Austria. The court made this clear. Transmitting the
| IP without anonymizeIp is. Also transmitting PII data
| unencrypted to GA us (but GA does forbid that in their TOS as
| well).
|
| I've only got a machine translation of the ruling
| (https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...),
| but it includes:
|
| "The specific IP address used can no longer be determined by
| the complainant either. However, this is irrelevant, since the
| UUID in the cookies is already clearly linked to a person."
|
| I've been skeptical of the "just turn on anonymizeIp" approach
| for this reason; xxx.xxx.xxx.0 plus, say, the user agent, is
| likely plenty to identify me.
| sdoering wrote:
| Probably. I tried to read the translated ruling but I have to
| admit that I find it difficult. Need to search the German
| version to better understand the fine details.
|
| And yes the User ID/cookie ID is PD and one needs consent to
| transmit that. As one needs consent to store a non essential,
| non functional cookie.
|
| If I read the ruling correctly (and I might be wrong here)
| the defendant didn't ask for consent.
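
Added example, not part of any comment above and not Google's or any commenter's code: a Python sketch of the two technical points in this sub-thread, a proxy that strips identifying Measurement Protocol parameters before forwarding a hit (sanitycheck's suggestion) and a count of how many visitors stay unique on truncated IP plus user agent (ceejayoz's concern). The parameter list, the function names, the proxy-issued `cid` and all sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import parse_qsl, urlencode

# Universal Analytics Measurement Protocol fields that identify a visitor or
# add fingerprint entropy: client/user ID, IP and UA overrides, screen,
# viewport, colour depth, language, encoding, Java flag. (Assumed list.)
FINGERPRINT_PARAMS = {"cid", "uid", "uip", "ua", "sr", "vp", "sd", "ul", "de", "je"}

def truncate_ip(addr: str) -> str:
    """Zero the last IPv4 octet / last 80 IPv6 bits, as anonymizeIp does."""
    prefix = 24 if ipaddress.ip_address(addr).version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def scrub_hit(query: str, proxy_cid: str) -> str:
    """Rewrite one hit's query string before a proxy forwards it upstream."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k not in FINGERPRINT_PARAMS and k != "aip"]
    kept += [("cid", proxy_cid), ("aip", "1")]  # cid issued by the proxy, not the cookie
    return urlencode(kept)

def singled_out(visitors) -> int:
    """Count visitors whose (truncated IP, user agent) pair is unique."""
    pairs = Counter((truncate_ip(ip), ua) for ip, ua in visitors)
    return sum(1 for n in pairs.values() if n == 1)

# Constructed sample data (documentation address ranges, placeholder property ID).
HIT = ("v=1&tid=UA-XXXXX-Y&cid=555.1234&t=pageview&dp=%2Fhome"
       "&uip=192.0.2.17&ua=Mozilla%2F5.0&sr=1920x1080&ul=en-us")
VISITORS = [
    ("192.0.2.17", "Firefox/96.0 Linux"),
    ("192.0.2.44", "Chrome/97.0 Windows"),
    ("192.0.2.201", "Chrome/97.0 Windows"),
    ("198.51.100.9", "Safari/15.2 macOS"),
    ("2001:db8:1:2::abcd", "Firefox/96.0 Linux"),
]

if __name__ == "__main__":
    print(scrub_hit(HIT, "proxy-0001"))
    print(singled_out(VISITORS), "of", len(VISITORS), "visitors unique after truncation")
```

Because the proxy makes the upstream request itself, the upstream endpoint sees the proxy's address and User-Agent header rather than the visitor's once `uip` and `ua` are dropped.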
| zelphirkalt wrote:
| Hopefully though, this will make the otherwise so risk aware
| management layers think again, before they demand adding GA to
| websites from their developers. Hopefully will even make them
| avoid it, as an unnecessary risk.
| StreamBright wrote:
| I hope it will be soon.
| spankalee wrote:
| I don't understand how sending analytics data to your own host is
| supposed to solve the legal problem here. Do the GDPR
| requirements not apply in that case?
|
| And how is anyone supposed to build any kind of global data
| dashboard now? Do you have to have separate sites for EU
| analytics data vs the rest of the world? How do you do statistics
| to see where your visitors come from? How much time visitors from
| which countries, languages, etc., spend on your sites?
| coding123 wrote:
| This is absolutely not a "Show HN"
|
| https://news.ycombinator.com/showhn.html
| schleck8 wrote:
| > _PostHog is the only open source product analytics platform
| where customer data never leaves your infrastructure_
|
| That's wrong. I can give you 3 other open source selfhosted
| options off the top of my head: Offen, Counter, Matomo.
|
| Edit: I just saw that their "alternatives to google analytics"
| page shows posthog's competitors as well and you can submit prs
| to add further options, fair play!
|
| https://isgoogleanalyticsillegal.com/alternatives
| deepstack wrote:
| Got a 404 when going to the link.
| schleck8 wrote:
| They might have changed it just now, or I copied the wrong
| one.
|
| Either way I replaced it with the correct url
| timgl wrote:
| Sorry! Had to rename it because of issues with uBlock
| ironically [0]. New URL is
| https://isgoogleanalyticsillegal.com/alternatives/
|
| [0] https://news.ycombinator.com/item?id=29994768
| [deleted]
| kingcharles wrote:
| "Plausible" is another, even if I don't like their support.
| Volker_W wrote:
| Why don't you like plausible?
| sccxy wrote:
| Just replaced my Google Analytics with Plausible.
|
| Self hosted docker and it is not blocked by adblocker (nginx
| custom js filename).
|
| Only thing I miss at the moment is extensive GA history which
| is gone now, but Plausible is so much faster and simpler and
| maybe they implement history import someday.
| buf wrote:
| I just got off a zoom call with the cofounder of
| simpleanalytics.com. Humble, worked with my startup on pricing
| options, and cares a lot about privacy which was the reason why I
| set up the call.
|
| Shame on PostHog for this. You can do better than PostHog.
| ritmatter wrote:
| This site seems like a great example of how the EU forces
| productive folks to jump through all kinds of regulatory hoops.
| Hopefully it'll help them navigate the complex legislation.
| iso1210 wrote:
| I'm sure in your country you can catch rats and serve them in
| "special stew", not bother about basic hygiene, have
| under-counter cameras taking pictures up skirts, have no
| requirement to ensure that customers don't get electrocuted, etc,
| and you love it.
|
| Most countries in the world though have governments which ensure
| basic rights, and if you want to do business in those countries
| you follow those laws, no matter how it may reduce your
| profitability
| amelius wrote:
| You're only on the watchdog's radars when you are a large
| company, in which case you should have an entire department
| devoted to complying with legislation anyway.
| foxfluff wrote:
| Even private individuals have been smacked with GDPR fines.
| erinnh wrote:
| Considering GDPR is not legislation that applies to private
| individuals, I'm rather confused what you are talking about.
| lmkg wrote:
| Dunno where you're getting that idea. Per Article 2
| "Material Scope" (https://gdpr-info.eu/art-2-gdpr/):
|
| > 2. This Regulation does not apply to the processing of
| personal data:
|
| > (c) by a natural person in the course of a purely
| personal or household activity;
|
| There is an exemption for private individuals _conducting
| their personal affairs_. But it still applies to private
| individuals acting in a public space. Article 4 also
| reinforces that a Controller may be a natural person.
| Volker_W wrote:
| Do you have good examples?
| lmkg wrote:
| Go to https://www.enforcementtracker.com, which collects
| and publishes GDPR fine information. Type in "Private
| Individual" as a filter in the "Controller/Processor"
| column. I see twenty-ish results, mostly from Spain. My
| Spanish is rusty and non-technical, but I _think_ some of
| those fines are about posting videos to social media.
| amelius wrote:
| Illegal postings to social media by individuals are a
| different class of violations, of which I don't see the
| relevance here.
| Rilfeu wrote:
| The automotive industry has safety regulations. Why shouldn't
| IT have some regulation as well?
| tobyhinloopen wrote:
| At least we're attempting to improve the privacy of people. If
| companies keep abusing their power, stupid laws will continue
| to be added.
| Volker_W wrote:
| Google analytics is one of the worst privacy offenders.
| marginalia_nu wrote:
| This has been inevitable for years.
|
| The fact that 'productive folks' have been engaged in a chicken
| race with the regulators since GDPR came along in 2016 is
| entirely on them.
|
| The second shoe dropped with Schrems II in 2020, and the race
| to find plausible technicalities to keep doing the same thing
| continued. Still no real attempt at fixing the problems.
|
| If they had followed the spirit of the law rather than trying
| to get away with dubious technicalities, there would be no mad
| scramble to fix things now when it turned out those
| technicalities were in fact hopeful thinking at best.
| wobblybubble wrote:
| Productive is a meaningless word in this context. You can
| productively work for or against the best interests of society
| at large.
___________________________________________________________________
(page generated 2022-01-19 23:01 UTC)