I think they should read their own rules and hit themselves with a fine of 10 million or 2% whichever is greater and distribute it among those who were effected.
Edit: or at least consider that their rules are ridiculous.
The European court fines countries all the time. Poland and France have been fined for not following air quality legislation. Denmark has been fined for 'processing' farming subsidies incorrectly. I wouldn't surprise see fines for those that don't pick up the slack. EU bureaucracy is like a glacier. It's slow, but when it gets moving it can grind down mountains.
When they are small. But for example in the runup to the single currency both Germany and France were in violation of the deficit rules and both simply refused to comply.
I don't really understand why this comment would be voted down as it is strictly factual. Germany and France did violate the Maastricht Convergence Requirements -- this is not a matter of opinion. They did not pay fines required by the Stability and Growth Pact. The question was about national governments' obligation to pay fines.
You can think what you like about the Euro, its implementation, the Maastricht treat in general. But let's not downvote actual data.
It is not "themselves". This article is about government websites in member states. That is not the same thing as the EU itself. Although in this case they will not be fining anybody, since governments are exempt from GPPR. (The article doesn't say it is illegal either, just that it is disgraceful.)
> Although in this case they will not be fining anybody, since governments are exempt from GPPR.
That depends on how the GDPR is implemented within the country. E.g. above is factual for Belgium, but _not_ factual for The Netherlands. "Autoriteit Persoonsgegevens" has been notifying everyone to comply, government website or not. It's a steep learning curve though, there's also an multi-year effort to have government websites make use of TLS/certificates.
On phone, so can’t type much. Please have a look at article 83: list of conditions to consider when determining the corrective measures (fines or other measures).
EU law does not work with exact codified procedures, which I understand is more common in US. So indeed, you will find guidance but not exact procedure (though it seems to be clear enough to me)
Nothing in the “guidance” you provided disincentivizes large/maximum fines, or actually limits the fines from being the maximum in any way. Downvote this all you like, that won’t change what they have (or more accurately, have not) written into the law.
Courts have discretion when deciding on penalties. This is the case for the vast majority of laws you can think of. You might argue that not having a "first-offender" concept is unfair, but that stops courts from being able to punish really egregious first offenses. It might also incentivise companies to try to work around the repeat-offender rules so they can continue to violate GDPR without any serious penalty.
> Indeed they can impose the maximum fines for a first offense, and are fully incentivized to do so
And yet they didn't when they first fined Google[1], where the fine was 50 million euros -- which was only 1% of the maximum fine they could've imposed. It's almost as if the maximum penalty is the upper ceiling and not the default.
A lot of people in industry especially at larger companies are preparing for the 4% global revenue fine the first time a very large company fucks up GDPR in some way because they are anticipating being made examples of
It really says more that most people don't assume the EU to enforce GDPR in good faith and to just opportunistically use it as a way to take money out of the tech-company piggy bank. Everyone I know takes GDPR seriously. Of course at a big organization it potentially only takes one dumbass out of tens of thousands to screw up catastrophically
No, it takes bad faith/intent to circumvent to screw up catastrophically. And shoving third party trackers down the visitors throats using dark patterns to avoid them not accepting them is absolutely bad faith. These offending news sites need to be fined the hell out of the internet.
The EU actively despises American tech companies. Go back and watch Zuckerberg at the EU Parliament. I can totally see them bringing down the hammer for minor infarctions when it's popular to hate a certain company.
I was referencing their attitude. When Zuckerberg was at the EU Parliament an MEP asked him to name an EU competitor for Facebook implying that if he can't name one then Facebook is a monopoly. That is the attitude we show to American tech companies in Europe.
Maybe it’s a matter of perspective? Because the way I see it, only the EU is willing to hold companies accountable and remind them that are aren’t in fact top dog.
> It really says more that most people don't assume the EU to enforce GDPR in good faith and to just opportunistically use it as a way to take money out of the tech-company piggy bank.
Funny, considering that there already are cases going on and not a single one is close to those maximums.
> Everyone I know takes GDPR seriously
Wow, what people do you know? Considering that the vast majority of sites doesn't even have opt-in into tracking but opt-out after they started tracking, I think the people you know are some weird exception.
Everyone I know at large tech companies, not podunk shitty websites 2 people have ever heard of. I work at a large multinational company you've definitely heard of. Like I said, we take GDPR extremely seriously because of the magnitude of potential fines
sigh Right, that's why the Dutch authority sent out letters a few weeks ago to some of the biggest offenders in the Netherlands, telling them their practices were not allowed. I don't know if law works differently in the USA, but just based on how panicked American sites seemed to be on May 25th 2018 versus European sites, it sure seems like it. Yes, the law has teeth, but no, they're not out to kill small businesses or even bother big ones if there is no appearance of malintent.
Facebook is an example they seem to just fine, but a big Dutch media company (RTL) having a cookie wall that quite clearly explains what you are consenting to by clicking "continue" but doesn't strictly fall within the correct opt-in mechanism? They send a warning for that, not a fine.
Yes, it's rather embarrassing that even the government itself doesn't follow the law. But then screaming the 2019 equivalent of "get your pitchforks!" shows how misunderstood the GDPR is. It's supposed to help, not collect extra money.
That's because when American companies break the law in the US they get punished. When they break the law in the EU they get punished. When European companies break the law in the US, they get punished, but when they break the law in the EU they get a slap on the wrist. Just look at Volkswagen and diesel gate.
>It's supposed to help, not collect extra money.
It's supposed to give more leverage over foreign companies to EU countries, because we have somehow managed to create an environment that's very hostile to building tech companies.
If the EU is sued by itself and needs to pay a fine, does that fine count as income and does that need to be factored into the fine? This might be the first case of an infinite payment.
Even if that were the case, the payment wouldn't be infinite. 1% + 1% of 1% + 1% of 1% of 1% ... doesn't converge to infinity, it converges to 1.0101010101...%.
What exactly is crazy in the GDPR? To me it seems like minimal common sense: If you are collecting data about me for your own profit, you should ask me if I'm OK with it before collecting it and you should be responsible with how you are storing it. To have any hope of enforcing this, I should have a right to ask you what data you hold about me and I should be able to withdraw consent if I no longer like your practices.
Businesses that only make sense financially if they can gobble up user data without their consent and sell it to third parties should not exist, just as businesses that can only work financially by not paying their workers should not exist.
The cookie law actually was meant to solve the opt-in consent problem of user tracking that GDPR now solves with much stronger rules -- unfortunately the cookie law was vague enough that websites figured out that the cookie pop-up was sufficient to get around the law.
So really, users should be angry with websites for intentionally working around the spirit of the cookie law (and creating the annoying pop-up which basically requires you to consent to cookie tracking if you want to continue to use the website). The EU's mistake was not making the cookie law far more strict.
Funny, I'm think the opposite. I think GDPR regulation makes sense as front for a cash grab from multinational corporations, seeing as even they cant be bothered to not use said multinational corporations non-GDPR compliant tools.
You're totally right. I think the EU wants to grab a piece of the silicon valley pie since there are very few large tech companies willing to put up with the high European regulation and setup thier home base there. They get their "share" through fines and regulation.
Are you insinuating the EU has implemented GDPR as a means to get some extra funding instead of to protect its citizens? If so, do you think that before GDPR there were no victims, but now, post GDPR there are lots of victims and they are the US IT industry? If so then let me teach you about a concept that might be new to you: human rights. Privacy is one of those.
>Are you insinuating the EU has implemented GDPR as a means to get some extra funding instead of to protect its citizens?
Yes, because its "protection" is just another form of security theatre.
> do you think that before GDPR there were no victims, but now, post GDPR there are lots of victims and they are the US IT industry?
How are you defining victims? People and government agencies (in the EU…hahaha) who blindly continue to use services of non compliant companies (within the US and outside of the US) while putting up superficial barriers against such at the same time?
Sure, humans can have rights, until they end up on the end of metadata drone strike from partially collated data from said institutions supposedly apart of the "protectors".
At the end of the day, governments nor corporates will give anyone privacy esp to those who dont take meaningful practical steps to combat intrusions for themselves in their everday life for whatever reason… though I don't mind having a laugh at those dancing to the tune of this circus of the piper singing what they want to hear.
This idea that EU and US should fare war against each other, commercially or in other ways, I find absolutely ludicrous. It's not we against you. We are allies, remember?
This has nothing to do with EU vs US vs China vs Russia (though, there will be many people willing to sell you which way or another) or whatever demagogue will take the stage to stroke the minds starved from a sense of reality… and everything to do with people saying one thing and doing another… it's what rude awakenings are made of.
I was under the impression anyone tech-savvy enough to understand GDPR thought it was crazy, and the only people for it were non-tech-savvy people that just see it as free money from big tech companies.
On the contrary, I believed that most “tech-savvy” people were ecstatic that not only was the scummy behaviour of some of the largest tech enterprises finally being reined in, but smaller companies were finally incentivised to take our information security seriously.
Many software developers in Europe are supportive of the GDPR, and many don't care either way.
This continent still remembers when Nazi Germany and the Eastern Bloc tracked people to abuse and even kill them. That was never a direct concern in the UK, but people there are still strongly against government databases (see: UK national id card trial, NHS database trial) and in favour of the right to privacy.
How un-original. I'm under the impression that anyone, tech savvy or not, who fails to understand what it is that GDPR regulate think it's crazy that we have it.
You mean the tech companies that repeatedly refuse to follow the laws and regulations of the companies in which they operate, like shitty house guests?
Filling the coffers is just a nice bonus on top of dispensing some much-needed slap-downs.
No Microsoft (for two years now), no Google (for 6 years now), no Facebook (for two years), no Amazon (for a year) services here.
The reason I don't use their services is that I don't want to support shitty companies that have no respect for the people of the countries in which they operate, and I believe these companies are primarily responsible for turning the web into the ad-infested walled-garden shitscape it currently is.
There are alternatives for everything, and some are far better than what the big tech players offer.
The difference is I'm willing to pay for a quality service. Most aren't.
Besides, those companies would never leave the single largest trading bloc on Earth. Their shareholders would crucify them for it.
In that sense, the EU is doing these companies the favour, because they make so much money doing business in the EU that they'll never leave. They'll adapt and fall in line, like everyone else.
Trust me, nothing of what Facebook, Google, Amazon or Microsfot offer is irreplaceable.
You don't seem to understand how businesses work. It's not the U.S. tech companies providing us some kind of 'favor'. The EU is a large market and a significant driver of their profits. They're guests here and WANT to be here, so should follow local laws as a result. If they don't like it, they're absolutely free to leave. They're just not willing to take the hit.
The rules aren't ridiculous. Website developers are just lazy/dumb and generally include shit like GA by default without even thinking of the privacy implications.
What's the problem with GA? I'm kind of left feeling a little puzzled by the hostility towards Google Analytics in the HN comments on the topic. I assumed HNers would be big fans of something like Google Analytics.
I believe Google has made a binding statement that GA tracking data about a site will never be used for Google's commercial benefit outside the GA product.
Who were they addressing when they made this binding statement? How was it binding? Can you prove it? Google's a software company, so without looking at their source code how do you know if they're lying or not?
Let's not forget this same company also promised to "don't be evil", and then changed their mind. What's backing up this "binding statement" and how do we know they won't change their mind again?
> Let's not forget this same company also promised to "don't be evil", and then changed their mind.
I've heard this ridiculous statement so many times. Do you think a company needs to put "don't be evil" to stop itself from doing evil things and then needs to go ahead and remove that phrase because otherwise it simply cannot proceed with evil? Sounds like a joke. We're talking about humans not robots here.
That said, I don't get why Google gets singled out all the time while all other players often play a dirtier game.
> I've heard this ridiculous statement so many times. Do you think a company needs to put "don't be evil" to stop itself from doing evil things and then needs to go ahead and remove that phrase because otherwise it simply cannot proceed with evil? Sounds like a joke. We're talking about humans not robots here.
My point was that Google has a history of making public statements that make themselves look good, and then backing down on them later. Maybe 5 years ago they didn't data mine Google Analytics, but who knows what their policy is now or when they may change it? I'm not saying the OP is wrong, just that I'd like more evidence than "they said so."
> That said, I don't get why Google gets singled out all the time while all other players often play a dirtier game.
Because Google went out of their way to tell everybody they were going to be different.
If Google isn't fully utilizing GA data it's because they tried it but found it had no impact or even a negative impact on their ad revenue so they ditched it.
It's part of the Data Processing Agreement that Google offers to the users/customers of Google Analytics. You can dig through the legalese, but the salient aspect is that Google describes itself as a "Processor" and not a "Controller." This means that they do not use the data for their own purposes.
Google's approach to GDPR compliance is entirely based around the idea that they're a Processor and it's not really their data, they're just the middleman. I would believe them because they have a lot riding on that.
The problem is that it gives an advertising/surveillance corporation detailed data on the web browsing habits of a massive number of unsuspecting users.
And that's fine for generic website developers IMO - however, governments should be held to a higher standard. I mean people fill in some really sensitive, fraud sensitive information - do you really want a 3rd party's JS on there?
Mind you I don't even want to know how much information browser addons have access to. Are there any APIs that forbid any addon from accessing the page? Probably not, that would thwart adblockers.
Article 6.1.e "in the exercise of official authority vested in the controller;" - Wide open door.
Article 9.2.d - exception to prohibition on racial profiling for political parties on their own membership.
Article 9.2.g "processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued" - The "anything we declare acceptable" biometrics exception.
Article 9.2.h - The "no opting out of online medical records" clause.
Article 17.3.b "or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" - The "if we say it's in the public interest not to delete it then we don't have to delete it" clause.
Article 23.1 - The laundry list of cases where any EU government can throw out all rights the GDPR establishes. Includes the following: "other important objectives of general public interest of the Union or of a Member State" as if that's not a goalpost a mile wide.
Article 49.1.d - Allows transfers of data to countries with inadequate data protections to take place if they are declared to be "in the public interest".
===
Pretty much everything in the GDPR document is untested at this point, and whether government or corporation, quite a lot of cases are going to have to be argued before the courts.
However, this document leaves open many arguments for governments that are not open for others. There is no definition for what might be "in the public interest" in GDPR, nor are there guidelines for interpreting when someone is "exercising official authority". One could argue that police departments are doing that 24/7 and thus large chunks of GDPR don't apply to them at all because processing is always lawful as a result.
By leaving themselves so many fruitful avenues of arguments to present to courts that have not been granted to others, the collective EU governments have created a law that holds others to a higher standard than themselves. Hence, hypocritical.
> Pretty much everything in the GDPR document is untested at this point, and whether government or corporation, quite a lot of cases are going to have to be argued before the courts.
Why would a law be needed to be argued in court? There's been various improvements related to privacy already. Various big (national) companies have been ignoring the GDPR (disallow visitors unless they agree); this practice is now being investigated. Simplified: Netherlands asked the EU to clarify if the practice is ok according to the GDPR or not. There's been no court case. There has been discussions between companies, government as well as the EU.
By the grace of living in a democratic society and not a despotic dictatorship, it is in essentially every western nation the right of any legal person who is accused of breaking a law to request judgement on the matter by the courts.
Talking about how to implement or write a law and going to court to fight against a fine you get for breaking that law is two different steps far removed from each other. It is in the last one the courts decide if/how the law should be upheld and where democracy lives.
What you are implying would make judges politicians.
That's a difficult one; if the GDPR's law exempts them from the same responsibilities, you probably have to look higher - like a constitution of sorts.
This is a good question to which there are a lot of good answers that are often poorly received on HN so you’re unlikely to get a solid answer.
I’ll take the hit though.
It’s not just pageview logs, but GA has great tools to analyze those logs, do reporting on some decent set of actions and to bring it all together in a simple to use interface.
You can take your server logs and then what will a non technical person do with them? Not much.
That said, you can deploy GA while opting out of behavioral data and ad network features, and even fuzz ip addresses.
Analytics has the stigma of ad networks because they historically existed to validate ad spend. We’re past that point and they are often used with strict first-party intent.
There’s nothing preventing us from imagining all the malicious things any analytics tool could do, and imaginations run wild.
Disclosure: I work for an analytics company that doesn’t want to own your data, but I understand why folks have a knee jerk reaction to analytics of any kind.
> That said, you can deploy GA while opting out of behavioral data and ad network features, and even fuzz ip addresses.
How useful is the information without this? If they aren't tracking you then they don't have your profile data, ASL is usually the most useful data but only the L is sort of available.
> You can take your server logs and then what will a non technical person do with them? Not much.
IME this is exactly what usually happens with analytics. It's one of those things that management is convinced they just have to have for it's pretty charts and feeling of empowerment, but when ask them what changes they've made based on the data they won't have a lot of examples.
I'm sure they're valuable in the right hands, but for the vast majority it's just it's a waste of time, similar to most reporting.
> ASL is usually the most useful data but only the L is sort of available
you are thinking in term of ads.
If instead what you want to know is, what parts of the sites do visitors stop navigating. Or which pages are seen by recurring visitors vs other pages seen mainly by new visitors. What pages are almost never visited.
Those informations don’t need ASL, the goal is not to target individuals but to profile the site and see what brings value and what might not.
> management is convinced
I think analytics are not a tool for management though, except perhaps in very broad stokes. I see it more for product owners who need a feedback tool so see the impact of what they do or have a vision of how the user uses their product.
It’s like asking management what decisions they make based on NewRelic. None surely. That’s not their job.
I'm thinking in terms of demographics of visitors. Who's visiting, who's not visiting, why are we so big in japan, that sort of thing. My objection to analytics isn't just ads, it's sending information to a a third party behind the backs of users.
> If instead what you want to know is, what parts of the sites do visitors stop navigating. Or which pages are seen by recurring visitors vs other pages seen mainly by new visitors. What pages are almost never visited.
Those examples can be handled just fine by some trivial processing on server logs. Only the first needs a way to identify users (which analytics will also need) and the second 2 don't even need a user id in the logs. I'll give you the benefit of the doubt and assume they were just simple examples and you want a lot more detailed information and in real time and output prettier than graphviz, why aren't you setting up a locally hosted alternative? If the data collected is truly worthwhile then it's surely worth this minimal time investment?
> That’s not their job.
That's kind of what I'm getting at, it will be mandated by someone in management or marketing but IME it's usually no ones job and nothing happens with it. Google is the only winner.
> Who's visiting, who's not visiting, why are we so big in japan, that sort of thing.
I misread your focus on ads, is it more about user aquisition perhaps ?
Government sites for instance have less of these issues IMO, as they’ll have other means, usually in person or by mail survey, to directly ask why people are not coming to the site (do they know about it ? Do they have a computer ? Can they read in the language etc)
More than anything, these sites have a captive audience so the focus can really be on improving the access to the relevant information.
> processing on server logs
I think it’s overestimating the cost and technical competency of the agency handling these websites, but also the time it would take to reimplement a log parser that surfaces all these informations user session by user session.
It definitely can be done, it’s not trivial in any way though. Compared to what some of the government websites do (they’re basically glorified wordpress sites) building a log analyser + the associated dashboard would cost more than the site itself.
> You can take your server logs and then what will a non technical person do with them? Not much.
Can this analysis be done offline? Data collection can be done without third-party accesses, and any analysis on that data can be done offline using separate tools, isn't it? That removes the third-party script surface of attack.
There are tools for analyzing server logs. I played with a CLI tool for that, but here's first result for regular folks from Google search on "server logs analytics":
All of this could just be a post-processing-step on offline logs which any non-technical person could do.
Then you wouldn't need to imagine what else is done with the data. To imagine that your users data is exploited behind your back should not be a stretch of anyone's imagination.
Server logs are simply not powerful enough for most types of analysis, even basic analysis. Also, tools don’t exist to do the basic analysis in a meaningful way. It’s a catch 22, I’d love to see useful tools that work on server logs, but it’s not 1999 any more.
I keep repeating myself, but there is goaccess [1] which is powerful enough for most use cases. It creates a nice realtime, html report of your apache or nginx logs. It can even show you a report inside the terminal.
That's actually a much more reasonable answer than the one I had imagined. The unfortunate part is that I don't trust anyone not to misuse the data, especially not government employees.
Interesting, the 'especially from government employees' bit feels like a very US-centric reaction. In many other places in the world people just kinda trust their governments. I have no problem with any European government collecting analytics data.
I disagree, as always the US is just 10 years ahead (so it will come to us as well, just later) and there are numerous law initiatives that show to what extent your privacy and freedom of expression is a concern of politicians.
>I disagree, as always the US is just 10 years ahead
At the same time the US is 10 years behind. GDPR is far ahead of anything the US has. Gun control is 50+ years ahead and lets not try to count years in social security nets or healthcare for the non-rich (or health in itself for that matter). In average I'd say the US is behind the curve and falling further by the day, especially now China has become a semi-great soon to be superpower.
Yeah it’s just analytics data. I trust every shady website I’ve ever visited with what I click on, why should a government service (provided by the government to me in the public good) be any different? What could they possibly get from that the census bureau doesn’t have? The tax authority?
Europe has a long and recent history of not being worthy of trust. Francoist Spain just ended in 1975. We had communist Europe fairly recently. The Nazis weren’t that long ago. We’ve had actual genocide in Europe within the past 30 years. It’s a mistake to “trust” any government beyond what can be immediately audited and verified. However to your point about analytics: that’s pretty benign unless those analytics are personally identifiable.
Yeah and they can't cross reference it with which newspaper stories you read, for example, like google can, will and do then selling that information you did not agree to provide to google and google's customers.
Sure, I don't trust government bureaucracies either.
However, they can easily get lots of compromising data from their own servers. Both from standard web server logs, and from their own scripts and tools.
Once you involve third-party analytics, though, there's another party to worry about. And not just about what they do with the data, but also about how carefully they manage it. That's arguably a key thing in GDPR.
GA is a tie in to validate AdWords spend primarily. If you scale up it costs $120k/year. It costs more if you pay someone to implement it custom for your use case.
Where / when exactly this is happening? If on Google side, then G already knows real IP, exactly what is to be avoided, especially on Gov and Health websites.
On tangent note, what is it with health data that many, in US at least, find so sensitive seemingly more than their bank account login information.
I genuinely don't understand. Is it that the majority have some secret pre-existing conditions and are afraid the insurance companies might realize?
Every time I visit a new doctor I need to spend ~ 10 minutes to fill out a long multi page form on paper listing all my medical history which could've been loaded from some database. I want my data to be analyzed and used to derive insights and help future patients.
Job applicant screening services would love knowing your health. Credit rating companies would love that too. Google is doing anything it can, free email, free photos/docs storage, free GA to get all possible data. They are capable of ML processing it all together, with their resources.
> what is it with health data that many, in US at least, find so sensitive seemingly more than their bank account login information.
It's not US specific, the privacy of health information goes back to at least the Hippocratic oath.
> Is it that the majority have some secret pre-existing conditions and are afraid the insurance companies might realize?
A lot of people do. Not just embarrassing conditions but they keep notes on mental health, drinking habits, illicit drug use, etc. If that information leaked out you could expect everyone from future employers to dates to be taking a look.
As far as I’m aware it’s totally on the google side. It’s not possible to do before that. As the request to the server is made directly from the client. Gov and Health can likely be ok if they trust the data isn’t being stored. This is a similar concern my health vertical customers have tackled.
Where does it say it does not? I found opposite statement in Data Access: "Internal access to data (e.g., by employees) is limited ... to only those with a business need to access it."
> Where customers use Google Analytics Advertising Features, Google advertising cookies are collected and used to enable features like Remarketing on the Google Display Network.
If you just use GA on a site, without ads, none of the data is funneled into Ad targeting for the user.
I noticed the same for my bank too. Wrote a blog post complaining about it and got a call from them. Essentially their argument was that "we have a confidentiality agreement with Google and that is sufficient to ensure that your data won't be compromised."
I might be wrong but I think Ublock origin does not block google analytics, atleast with default settings. I have installed ghostery for that.
Will check and confirm.
kaiser permanente (doctor) has not only google analytics but doubleclick links on their online health services. Even the pages to communicate with your doctor or view test results. kp.org
I complained about this (and blocked everything), but at one point they required I accept an onerous terms of service to continue to use the site. So I requested they delete my account. Well, apparently they cannot delete an account, only inactivate it. They didn't do that and I still
California DMV has not only google analytics, but will log you into google when you use their site. dmv.ca.gov
Doubleclick, just means they're running ad campaigns on Google, targeting pages on kp.org. It's standard practice for health insurers' websites, like kp.org.
Google Analytics does not transmit page content like your account balance. It can see that you viewed the account balance url but knows nothing about what is displayed.
There are however other trackers that could send such information if they are not configured correctly.
What it does or what it does not is of no consequence to me. What it could do is what matters because I don't have the time to check whether or not someone at Google or some US agency decided that they want to know. The easy solution is to make sure that it can't happen, which is to stop using GA tags on logged in parts of the website.
They would need to remove GA from all pages on the same origin. JavaScript in any page can perform an AJAX request to read HTML, and those requests will send cookies.
So I am supposed to check the script Google sends me every time I access the page that this script does not now (only in an A/B test! Only in beta! It was a human error!) send all the page content to Google as well? Ridiculous.
You can't get at the $ but you can get at the individual transaction data. They really should not have third party js on banking and medical sites, especially not for logged in users.
Are you absolutely sure about this (would love a reference)? Letting another party running code removes at least many layers of defence. I would not trust a bank which is doing that it's just a sign of gross incompetence.
I have a hardware token and a chipcard to stop that from happening, still, there may be some way to do it that I'm not aware of. One way I can think of is to display one set of destination details for a transfer to the user and use another for the actual transfer.
From my banks web site? Effectively zero. Nothing will happen unless you validate the transactions using two factor authentication (user id + code app/single use paper code)
(In my experience all bank web sites work like above here in Finland)
One possible attack is to change the details of a transaction before the page post it. To the user it would appear as she's transferring money to Bob, but it'd go to Eve.
My bank has two-factor using some special applet thingy on my phone (not a regular app, it's tied into the SIM card somehow). It shows me the details (amount and destination account) which I have to confirm using my password (in combination with a key from the SIM).
Much more difficult to circumvent, assuming the user pays attention...
Then, the malicious script can just pop up an official looking dialog box with a message saying that they are 'testing' the confirmation system, and please accept/agree to the next sms/alert from the app.
Having direct control of the user interface is very powerful.
The banks I've used in Canada allow you to send transfers (uip to $3000) to other domestic bank accounts without reautenticating. Fortunately, they don't seem to use any third-party JavaScript.
Nothing. That is not how online banking works. At all. Payments need validation, check and balances (quite literally) at multiple stages before any money changes hands.
What are y'all using for self-hosted analytics? I have used Google Analytics and Mixpanel out of sheer convenience, but I know many users are uncomfortable sharing their data with those sites.
To relate this to the article: what should these government agencies be using? Or should they not be looking for Javascript errors, A/B testing, etc. at all?
I've actually switched to an old school "counter" that I wrote myself. I just couldn't find anything that was modern and that I was sure provided privacy. I also don't need much.
I look at the data in Google Sheets.
On the page I want to track I paste a script tag that includes a few lines of JS from my counter site. That JS script hits a PHP script with the URL the user requested. I don't track ANY user details. No browser info, no IP address, no fingerprinting, etc. It would be trivial to track those things though. The PHP script logs the data to a CSV file (which I plan to change to an SQLite DB soon).
I have a Google Sheet setup where the first field of data is '=IMPORTDATA("https://example.com/data.csv")'. Google Sheets automatically fetches that data every time you open the sheet; no API integration required. Then I have a simple bar chart on the data.
The GP commenter makes it clear that the CSV file is written to on the server-side (using PHP) as a consequence of request handling, not on the client side. There is no place that the CSV URL is visible, other than in the PHP source (that clients cannot access) and in the Google Sheet (which is presumably internal to the GP's GSuite domain.)
It's security-by-obscurity, maybe (as all public "secret token" URLs are) but it's better than what you're implying.
As a learning exercise, I tried to find it too, but I wasn't able to get it from the domain in the js file, could you explain how you got to the final file?
This is strictly as a learning exercise, no malicious intent on my part.
In a way this is actually the only "solution" to ensure privacy. A lot of ensuring privacy is knowing down to a very precise detail exactly what data is sent where and what happens to it. The only way to know this realistically is if you wrote the darn thing yourself. Otherwise you have to trust someone that the thing does what it says it does.
We as a society haven't agreed precisely on what "privacy" means so it is effectively impossible to know is a particular service's handling of data provided to meats you definition unless you just don't hand it the data in the first place.
> Otherwise you have to trust someone that the thing does what it says it does.
I mean, this is always going to be the case with modern computers. No one writes EVERYTHING themselves, so they have to trust someone else. You are trusting the microcode on the CPU, the system calls on your OS, your compiler/interpreter, your standard library.... I get that this is a different sort/level of trust than trusting a third party metrics system, but it isn't fundamentally different. It is all about trusting someone else's work.
As an exercise, I have been building my own computer from scratch. Started as an adder made in transistors. Became a simple three instruction nand cpu (add, sub, jump). Currently building a very minimalistic copy of a 6502 out of ttl. Goal is to create a machine capable of hosting a website with my dev log and schematics for its own creation. I will have developed every piece of software running on it.
good on you, but hearing "google sheets" was a bit of a downer. you're still giving data to google, albeit much less.
if you've got php running already, it's straightforward to code up a bar chart from the weblogs you already have (bypassing, csv/sqlite and google sheets altogether). that is, after all, how google analytics started (as urchin).
Unluckily it cannot give you directly the search string used by people that ended up on your site because search engines don't forward it anymore because of the whole privacy movement that happened some years ago (I am still against it as I don't see why, as website owner selling e.g. clothes, I shouldn't know that a person landed on my website by searching e.g. "yellow pants" => this fake privacy just concentrates all power/knowledge in the search providers, but this is just my personal opinion), but here they sell a plugin ($/year) which apparently can do that: https://plugins.matomo.org/SearchEngineKeywordsPerformance
(I guess that it retrieves directly the search keywords from the search provider, but I did not read the docs nor I tried it out)
> I don't see why, as website owner selling e.g. clothes, I shouldn't know that a person landed on my website by searching e.g. "yellow pants"
That doesn't really matter. But if you set up a content farm / honeypot, you shouldn't be able to tell that the search term that brought the person to you is "how to deal with my XXX infection"
The business argument for Google: they still have the information, and can use it in their analytics, and potential competitors or customers don't have it.
>But if you set up a content farm / honeypot, you shouldn't be able to tell that the search term that brought the person to you is "how to deal with my XXX infection"
Why not? How else are you going to 1) provide information on dealing with an XXX infection, or 2) recognize enough people are landing at your site looking for advice on their XXX infection that you should provide some answers?
Ok, that's fair, but maybe only for a tiny percentage of the cases?
Setting up such a "content farm / honeypot" and making it reach the top results of Google/Bing/Yandex/etc... used to be simple but is nowadays probably successful in only very few cases (as search engines are nowadays more and more context-aware), and Google/Bing/Yandex/etc... can still see & use "how to deal with my XXX infection", but whoever doesn't use directly their services cannot.
What I mean is that, in my opinion, the privacy measures in this case centralized even more power in the hands of few companies with very little added/improved privacy.
In my case, running a small techy website, the search keywords were very useful because they allowed me to understand e.g. which keywords forwarded the users to my website by mistake or correctly, to then correct appropriately the contents of my articles to make it more clear what my articles were talking about, or to see that the users had a very specific problem that I did not take into consideration when I wrote a certain article, etc... . Now I cannot see those infos anymore without using Google Analytics which I don't want to use (or, by using the plugin mentioned above, which is good, but for which I would still have to pay $/year, which is bad as it increases fixed costs).
I understand where you are coming and I agree it gives Google (or Bing) more power, but ... it was the user's choice to give Google (or Bing) that information by using it as a search engine.
If they gave the information to you too, it likely goes to you, but also to the other 50 .js files you include from various sources of dubious trustworthiness which every site these days includes.
Furthermore, what you are saying is "this admittedly private information used to be available to all and it was useful for some, now it's only available to the entity the user specifically gave it to, and that's bad because the few who actually used it for good don't have it". But the whole idea of GDPR (and similar) laws is to put the control back with the user, which is a good thing.
I think some standard with which the user explicitly lets the website know "yes, the search engine query that brought me here is X and I allow you to have it" would be good, but I don't think dropping this info from the referer (sic) is bad.
the main problem with piwik (tried it a year or two ago) was that they had crippled the installer so that automating updates to cloud platforms was quite difficult (to encourage you into their paid hosted solution). maybe that's changed now, but that put me off on piwik/matomo.
I actually created a small self-hosted analytics tool myself, but it's more for qualitative feedback during the early days of the product and it's missing a lot of features that Google Analytics (for example) offers, it's more like a self-hosted Hotjar. I like using it from time to time to see if there's something wrong with a specific page or functionality. You can check it out here if you want, but it's not open source https://www.usertrack.net/
This assumes Google is trustworthy. Their business being based on advertising and stealing as much data as possible off everyone, would you trust them to keep their word and work against their bottom line?
Because the consequences of claiming these things but actually not doing them would be both prohibitively large and impossible to avoid in a large company with a history of whistleblowing employees.
I use some GNU tools (like awk and uniq) on my access log file occasionally, after posting a new blog post or so. Otherwise, I don't even look at the data the web server collects.
You could probably implement most of what they do without JavaScript.
But just thinking about my tax return can think of a few features that would have to be dropped, or would become more clunky, like some of the client-side validation, and the auto-saving of drafts.
It's actually super possible. Today's web is still 100% compatible with forms and cgi. I just signed into amazon with 2FA and checked out with javascript disabled. Healthcare.gov OTOH won't let me past the 'choose your state' drop down.
Like what? I run with JavaScript off whenever I can. Most of the time when I enable it to access a site, it's obvious the site could be made to work (for the visitor) without JavaScript.
I just started my blog (no content yet) and I spun up a Countly server on digital ocean. So far so good, and installing was super easy seeing as it had a pre-configured container you can deploy, but seeing as there haven’t really been visitors yet hard to say how valuable it actually is.
Google Analytics does not have a self-hosted version, even the paid version (GA360). With the paid version it's possible to download the data after it goes through Google via BigQuery, but the data still lives in Google in the meantime.
I have been using Piwik/Matomo for years, and have never experienced this.
That being said, ultimately it's a frontend on a MySQL database, so there's lots of ways it could theoretically be slow -- MySQL isn't configured/tuned properly, the database server isn't resourced appropriately for the amount of data it's hosting, etc. But this is going to be the case for any self-hosted solution.
Although it was about five years ago, yes, my potato server (still running the same one today) couldn't handle that by a long shot. Same with Wordpress, Owncloud, and other web-based things that became a little oversized.
Yes, I worded that poorly. I meant loading Piwik's UI; it was cripplingly slow and often timed out. I had little luck in narrowing down the cause, but it was hardly a thorough investigation on my part, IIRC.
Assuming that your disks, DB, CPUs and RAM were all ok, maybe you did not set up PiWik's jobs that are supposed to aggregate the metrics every XX hours/days... ?
I doubt most government legislators would be aware of this sort of thing (the components, libraries, and platforms that make up a given government entity's web presence).
That's the major problem. A person writing regulation to deal with this problem would need to know what a CDN is, why they are required in modern web development, the pros and cons of self-hosted vs. cloud-based analytics solutions, etc.
I really wouldn't want to be the person tasked with explaining these issues to the average politician (although some rare exceptions obviously apply).
If you step back further, this is just one example of many where regulators don't understand the consequence of their laws. You can extend this to any policy like gun control/rights, abortion, etc.
Some facts:
* We will never know the full ramifications regulation has on a market. It is impossible to calculate objectively the _full_ effect.
* Regulation _always_ has unintended side effects. (Alcohol prohibition and violence, etc)
* A regulator that doesn't understand the entire problem will likely increase the unintended side effects.
I totally agree with you that it is not possible for a regulator to predict the future with respect to how their decisions impact a market. However, I think that is only an argument against hasty regulation, as opposed to regulation in general.
I agree that hasty regulation would probably have more unintended side effects; however the other points still stand. Prohibition, for example, is always accompanied by a black market. There is _always_ an unintended consequence of any regulation. GDPR will likely add a tax on individuals as large companies pass through compliance expenses to us. Real privacy threats (INCLUDING THE EU) GDPR is meant to block will still continue to operate.
This is only partially true. If you import common libraries or fonts from a CDN, it is likely that the user's browser has already downloaded those previously, leading to reduced loading times because the resource is retrieved from the cache.
I'm not saying that we always have to use them, but there are cases where they can be useful.
Isn't it a little disingenuous to call analytics tools "adtech". Yes, you can integrate analytics with adtech platforms, by even in isolation, knowing how your users use your own site and how they arrived there, allows you to better serve them.
In a physical place of business, for example, a retail store or restaurant, keeping track of what times or parts of the store were busiest, or where people spent the most time, would allow you to eliminate waste from your business, and sometimes that involves knowing how many unique customer foot traffic you're getting.
Is it possible to use google analytics without the resulting data being accessible by google ads or search teams? I would assume that they don't let you opt out of org-internal data sharing.
There are also ways to configure Google Analytics to fuzz IP addresses, essentially de-anonymizing them, as well as setting up explicit data retention periods.
EDIT (responding to grandparent comment): Even so, I'm not sure it's disingenuous to call products adtech which are provided by a company whose main business is advertising, and which are often configured to contribute to the advertising business, even if it's possible to use them for purposes other than advertising. At that point, maybe it's just adtech that's being repurposed.
Thanks for bringing this to attention, so it can be fixed. Who would have thought that HN would become such a great advocate for the privacy of EU citizens?
I took it differently, personally. To me it’s a double standard, we spent so much time going after the private companies with this law, that to have so much of the government’s own groups fail to even do a review of their own damn sites? Ugh.
Since the governments are not subject to the GDPR, it doesn’t have teeth, and I would not be surprised if it fails to get resolved.
A lot of them will be technically not in breach, claiming anonymisation etc gets them out of it. This is the line I have always had from Gov.uk, for instance.
But it's pretty crappy that they haven't tried to follow the spirit of the law. And it's pretty crappy that all my interactions with the government, as a UK citizen, are reported back to the Google mothership.
Thankfully we as savvy users are able to strip away information we don’t want sent to companies, via browser extensions and what have you. I’m concerned about the less savvy users who, frankly, never have even thought about this being an issue.
Edit: or at least consider that their rules are ridiculous.