89 comments

[ 3.1 ms ] story [ 169 ms ] thread
More here:

https://github.com/gorhill/uBlock/blob/e6707fe8b155cc92da1cb...

This screws my efforts to try to optimize my site for increased traffic and to work towards longer user sessions. This hurts my website.

Google Analytics is already blocked by multiple ad blockers. Sorry, those users don't care if you want use 3rd party tracking software.
Sorry about that. But it is more important that Google doesn't store every website I visit to build a better profile of me.
It is against the terms of service of Google analytics to pass any PII such that you can track an event back to any particular person. On top of that, the code for Google Analytics js is available for your review, along with its network requests, such that you can hold them to their word.
In most cases wouldn't it just be enough that you're logged into your Google account recently via the same IP
The section about "personally identifiable" information in the Google Analytics Terms of Service [1] does not limit Google, but the site using GA.

Practically, I'm not sure that can even be enforced, or that Google has any incentive to enforce it. If a site uniquely tags each user via custom variables, or by sending users to a unique resource/goal/interim URL, will Google detect this and obscure/destroy the resulting data? Or is such tracking for the site's own purposes a core feature of GA?

And Google often has its own PII about the same user, from other visits to Google's own sites, anyway.

[1] http://www.google.com/analytics/terms/us.html - section 7 "Privacy"

> It is against the terms of service of Google analytics to pass any PII such that you can track an event back to any particular person.

You need barely any information to construct a personally identifiable profile. The fact that you as the user of google analytics can't do it says nothing about googles ability to do it.

http://arstechnica.com/tech-policy/2009/09/your-secrets-live...

Google's spying hurts your users.

To manage your webserver, use your server logs. If you really think you need more information than those convey, you could get some self-hosted javascript to assist with that.

You need nothing else.

> Use your server logs.

That's hardly useful though. Logs are littered with bot traffic, and several users or sessions can be hiding behind a single IP address. Also, you've absolutely no means to track segments of traffic.

Self-hosted javascript is an only vaguely better option. You then need to worry about the infrastructure needed to write the data in a reasonably scalable way as you get larger, and processing the data in a useful manner isn't necessarily something an average Joe can do.

If you need help to deal with your server logs, hire a professional.

By the time you got large enough to have to worry about scaling an infrastructure to deal with your server logs you should either have grown out of the average joe category or have enough revenue to hire a sysadmin.

The whole point of using a solution like google analytics which is free (to a certain extend) is to not have to hire a professional.

There is no way a single sysadmin (how good he think he is) could write the code required for the analytics of a high volume web site (eg. ranked in the top 1000).

Also, without analytics right from the start, I can guarantee you, your web site will never grow, at least certainly not to a high volume web site.

And here the thing that do happen when your web site have a high volume (you know, in real life and not on a fantasy island), even if you reduce your analytics sampling to 10% your web site traffic can still be bigger than the maximum allowed "for free".

So you decide "let's write our own solution" and you assign it to a team of about 5 devs and it take them a good 6 months to finally be able to track data, and then your pointy hairy boss realise he has no nice visual way to read this data (because he want basically the same thing as google analytics).

so tell me again why I/we should not use ga again ?

As mentioned upthread, even a self hosted solution like piwik is blocked by default.

So great to see what we're sacrificing upon the dubious privacy altar...

Server-side log-analysis solutions are not possible to block.

I assume that piwik is running client-side javascript? Then it's in the interest of the client to block it; it's not a server-side solution anymore. Of course with self-hosted js, that's a cat-and-mouse game that the clients can't win anyway, but in the short-term the mouse has won.

I agree. I understand that people have issues with being retargeted by ad platforms and hate seeing the same ad follow them around, but I don't really seem any downside to users being tracked by 3rd party platforms like Google Analytics. Platforms like GA, don't track first party information and anonymize who you are with a randomly generated ID. This is the only thing that makes your visit unique from the rest. I don't see any harm in providing that information. How do you expect businesses to get insights into what features users like or dislike in their product? I can easily see users of a tool like this complain about a change in one of their favorite products, but by preventing them from any insights how does the business figure that out?
> How do you expect businesses to get insights into what features users like or dislike in their product?

Collect the data you need yourself. If you don't want to do that (it's really easy) then the data can't be that useful/important to you. Another way would be to, you know, ask your users.

What bugs me is that people seem to think it's okay to send my data to another company (usually many, in all kinds of different jurisdictions) without even considering to ask for my consent. That's not nice, is it?

You could ask me, on first visit, if I'm okay with you sending my (anonymous) data set to Google. It's really not that hard, is it? Just ask. But you don't. Not only does nobody do that, I'm pretty sure most people don't even consider doing it. That's the most offensive part.

So what am I left with? I could stop using the WWW all together, I suppose, or, I could block Google Analytics and the likes before hand, and then, if I feel comfortable doing it, opt in to sharing my data because I like your service and I want it to improve.

You and Google don't ask for my consent, but Ghostery does. That's why I (have to) use it.

---

bhouston said: "This type of stuff should be opt-in." (blocking GA, that is)

I hope the people reading my comment can appreciate the irony.

[By the way, the hypothetical guy I'm yelling at — not you]

---

One hour later. Can't make this up.

https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-p...

https://news.ycombinator.com/item?id=8920294

The reason "nobody does that" is because it's a stupid question that only a tiny minority of people actually care about.

It's like the EU cookie law, the net result of which is that a handful of websites are required to post obnoxious warnings.

Great. Your solution means even more obnoxious warnings internet wide. "Hey, the person running this website wants to see what its users are doing. Allow Y/N?" This is a future I literally cannot wait to see. </s>

Do you really think it's stupid to consider asking a client whether they're okay with you sending their personal data to another company? Just assuming that only a tiny minority of them actually care seems a bit careless.

I don't like the EU cookie law either, but that's a completely different thing. The only thing they do have in common is that they make UX designer's lives a bit harder, but that's really no excuse.

Considering "their personal data" in this case consists of "what you clicked on my website", no, I don't think that should require any special permission.

I think you and I have different definitions of personal data. When I hear that phrase, I think things like addresses, income, contacts, and so forth, but not email or phone numbers (both of which are basically public info), and certainly not what you clicked on my site.

What someone clicks on websites is extremely sensitive private information. Extremely private sensitive matters of peoples' lives is directly observable in the things they click on websites.
How about asking your customers, instead of stalking them by default?

Even telephone hotlines warn you that the calls may be recorded and give you (at least) a way to opt out. No site ever gave me such an option, but my browser has it - so I'm using it indiscriminately.

If you want my trust, give me an (opt in and later opt out) button, limit your tracking as much as you can (time, do not correlate with others, personal info, etc.) and as much information about your tracking as you can and what you use it for. In fact, give me an easy way to see what you have profiled and give me an option to clea(n/r) it.

I guess that sounds like hard work. Maybe Piwik can be extended to provide such things? Does it already do some of that?

> I don't really seem any downside to users being tracked by 3rd party platforms like Google Analytics. Platforms like GA, don't track first party information and anonymize who you are with a randomly generated ID.

But thats not your call to make for your users if they happen to have a different opinion on the topic.

Google is an advertising company. It is not unreasonable to not want to tracked at all by advertising companies. Neither they nor you have any sort of right to this information.

It sucks for you that it is harder to grow your business. But since when has that ever been easy?

It's unfortunate so many people are downvoting you apparently just because they don't agree. I'm not sure I agree, but you have a totally valid and reasonable point of view.
Your user sessions should be short, preferably. If I take a long time to find what I need, you have a badly designed website (or an uninteresting one).

Unless you're trying to make a time-sink website like imgur, that is.

If you read https://github.com/gorhill/uBlock/#philosophy then that's not surprising at all. Disconnect.me also blocks Google Analytics.
Blocking standard analytics on small websites who do not server ads is being dick. Now I do not know who is using my website. I can not optimize it for longer user sessions, I can not figure out which are the most popular pages, I can not record client-side errors, I can not track caching and page load time.

Basically this screws over those want to create good website experiences. Blinding us in this way is pretty useless.

This type of stuff should be opt-in. Most people install uBlock to remove Ads. But now we are making them invisible to websites at the same time, which is not what most people signed up for.

I think a fair portion of the people who are consciously blocking GA might think that beaming back a ton of information to the Google mothership is also "being dick," because they don't want ad-tracking profiles to be built for them based on their browsing habits across millions of websites.

If you want to balance the desires of your privacy-savvy users and your craving for analytics, why not use Piwik and self-host it on your own domain? No external requests, and no information back to Google.

It block self-hosted Piwik by default too!
Thanks. Knowing that, I'll probably go out of my way to whitelist 'piwik.js', etc. I'd be willing to trade some personal information to any host wanting to use a self-hosted Piwik instance over a big analytics platform.
this is unfortunate. i think anything that's same domain should be allowed through, even 2nd-level might be okay. it's third-party tracking that should be disabled because of cross-domain tracking capability.

it's completely unreasonable to expect websites not to do something as simple as tallying unique visitors or recognizing returning customers via cookies/fingerprinting on their own properties.

To be fair, "recognizing returning customers via cookies/fingerprinting" by itself doesn't require JavaScript. It's the tracking of the user's activity once the page has loaded which does.
That seems pretty unreasonable. I can see providing an option for it, but blocking it by default is bordering on paranoid.
Well, take it to the easyprivacy guys, µBlock only has their list enabled by default.
It shouldn't be enabled by default -- that is the problem. It should be opt-in to start blocking non-ad related things.
The Piwik block comes from the AdBlock ruleset.

It blocks the piwik.js. When you check the statistics and hover the red filter symbol for the Piwik line you will see which rule blocked it.

Nothing stops you from doing analysis yourself.
uBlock might stop you. It's certainly consistent with their philosophy to block all analytics, even homegrown and not shared across sites.
I think the parent comment is referring to the idea that the web server, by necessity, is aware of a client connection. Webserver logs reveal a lot of information.
That might be useful for fingerprinting visitors but, perhaps ironically, it's much worse than javascript & cookies for actually seeing big picture trends on your site. There are many, many bots that request files off your server but only a relative handful execute javascript.
How many of the bots that don't execute JavaScript bother to download the URLs referenced in <script> tags? You can filter all the others easily.
I don't think this is such a big issue. Only a small minority of people use uBlock. Whatever data you measure on the 90% of your visitors that don't block GA can, most likely, be extrapolated to the remaining 10% as well.

I'm a lot more concerned about the revenue I am losing due to the decrease in ad views/clicks than I am about a slight decrease in GA hits...

>> Whatever data you measure on the 90% of your visitors that don't block GA can, most likely, be extrapolated to the remaining 10% as well.

Agreed.

I think we as tech people tend to assume everybody is as tech savy as we are - when in fact, it's not even close. Also, when you talk about an aging baby boomer population who didn't grow up with Facebook and Instagram, they could care less about being tracked.

Most small adverticers see it the opposite way. We don't want to pay you money to show the ads to someone that is not interested in our products anyway and never will click the link. Or even worse, click the link just to support you, stealing money from us instead. There are always two sides to a coin.
I think it's a mistake to think that people who visit your site somehow 'owe you' and should permit third-party tracking code from your site to run in their browser. I understand your points about wanting metrics to learn from, but when you bring in a third party all bets are off and individual visitors (like me) will choose not to run that tracking code.

Don't forget there are other ways of achieving what you want too - you can use something simple like GoAccess[0] or even run a Piwik install off your server logs[1] for a nice pretty GUI experience if you prefer.

As more and more people become privacy-conscious I hope you will see this as an opportunity to learn how to do more yourself and outsource less to Google. They don't even give you all the data they collect from site visitors, you are giving them free data for little in return!

[0] http://goaccess.io/ [1] http://piwik.org/log-analytics/

Apparently Piwik is blocked too. I think that's a shame, as in my opinion self-hosted tracking solutions should be acceptable.
The Piwik use-case I was referring to is to run it from your imported logs, not the default JS tracking. Because the visitors can't circumvent server logging, you get analytics and also boost page speed.
Once upon a time people and web hosting companies knew how to parse access logs into beautiful analytics systems with software like JAWStats (http://www.jawstats.com/).

It's really a shame that Google Analytics has become the only way to handle traffic analysis.

Parsing access logs in 2015? Really? You mean those logs that are cluttered with bot traffic and that only have IP addresses instead of real user sessions, and do not contain valuable information about for instance exit pages, banner clicks, page load times, and so on?
Your knowledge of what can be extracted from server logs is a little bit out of date.

Also, server logs are the only tracking system that can't be disabled by visitors.

nope, there are number of ways to track visitors even when everything is blocked (like ga.js or whatever) and all cookies disabled.

With user-agent header, ip address, etc. you can uniquely identify a user because there is enough entropy, see https://www.eff.org/deeplinks/2010/01/primer-information-the...

and that basically allows you to emulate a session id without cookies and without appending it to the URL

You can also use the cache to know if the user already visited some content or not, explained here http://joshduck.com/blog/2010/01/29/abusing-the-cache-tracki...

And finally, you can use CSS custom styles to know if the user already visited some web sites or not, see spyjax http://davidwalsh.name/ajax-evil-spyjax

granted, the user can disable JS, change the user-agent, but I would argue they are still trackable

There isn't always enough entropy to uniquely identify a user - you can't rely on that to provide accurate tracking. If people are coming from a corporate environment using terminal servers then every single browser will identify as one user by that method.

Most browsers are now taking steps to stop the CSS custom styles hack working - for example this doesn't work in Chrome anymore. The website can show you which websites you've visited with the change in colour for the link state however it can no lonqer query it.

it would be as accurate as the server logs, the only difference is I don't need to analyse those logs I can keep using google analytics.

that's my whole point: "yadda yadda yadda ublock or adblock or whatever block ga.js on the client side haha you can not track the visitors anymore"

nope I can still track them and I don't need to even bother analysing the server logs

server side:

  1. I can detect if there is a _ga cookie
  2. if not, I can generate a UUID based on the user-agent and IP
  3. and I send my pageview from the server side
it is not perfect, I would certainly not use that UUID to identify a login session but it does work without me having to stop using google analytics.

> "There isn't always enough entropy to uniquely identify a user"

there is, read the EFF link it explains all that nicely

TL;DR

  - you can not send tracking client side anymore
  - OK, I can send tracking server side, go ahead try to ublock that
Can't you simply use your server logs?
Sure you can. Quit using Google. You think they are the only with a tool that provides these answers? Also, I think you are wrong: If people understood how FB, Twitter and Google can track your moves across websites, then I believe most WOULD want this.
(comment deleted)
Sure you can. All you need to manage your site's performance is in your server's log file. There are many free tools for analyzing those logs. If you're getting client-side errors, run a site analyzer to check your site for dead links and such.

You don't need Google for any of this.

I've used ad blockers since ad started to appears on the web because ads are annoying sure but the real reason is that it is a severe privacy intrusion. This is exactly why I installed µBlock as soon as I heard about it, because contrary to ad blockers it states clearly that it is about privacy and shows that the author actually gets it.

I could not care less about stupid justification for spying on me and sending all this data about me to google, either use piwik or learn to apply analytics to your web server logs.

Anyways I was already invisible to you because I have js disabled by default, and a few extension dedicated to blocking trackers and google spefically, with fanboy's lists to block trackers.

> I can not optimize it for longer user sessions, I can not figure out which are the most popular pages, I can not record client-side errors, I can not track caching and page load time.

Sure you can. You can do all of those things still.

If I like a site, and they don't show obnoxious ads I often white-list it. It's up to you convince me.
Good. So does Ghostery, for that matter. It'd be a pretty poor blocker if it didn't block one of the biggest trackers out there.
Little nitpick - the line linked to is /googleanalytics.js, which I believe in most situations will do absolutely nothing. It's the lines referring to "analytics.js" and "ga.js" that actually matter.

EDIT: For clarification, analytics.js and ga.js are in indeed listed, as are many other analytics services, bugsnag and kissmetrics to name a few.

The smallest violin in the world is playing a tune while I cry crocodile tears.

It's just doing what it's supposed to do.

Maybe it will balance out all of the false positives from bots? I get so much fake traffic, I don't know the real numbers anyhow.
Fake traffic? I have access to a few mid/high-traffic sites on GA. We do a lot of event tracking, so unless these are very sophisticated bots I imagine I would pick up on a lot of bot traffic.

Mind expanding on the fake traffic you're getting?

Yes, but not because of EasyPrivacy. As I found out at one point, EasyPrivacy does not block everything from Google Analytics. [1]

The one that does the job is Peter Lowe's [2]

I wish you would see how convoluted is your suggestion "to let users opt-in to not be tracked by Google Analytics". (paraphrased) [3]

[1] https://www.diffchecker.com/r7v1cq6x

[2] https://github.com/gorhill/uBlock/blob/master/assets/thirdpa...

[3] https://github.com/gorhill/uBlock/issues/564

Edit: "being" => "be"

That is awesome!
it is pretty easy to unblock

  1. host the analytic js on your own domain
  2. and/or rename it
at the very worst you can do the analytic tracking server side, I know that because I had to do it to track RESTful API usage as json/xml can not allow you to embed the ga.js

eg.

  1. read a _ga cookie, if it does not exists create it
  2. not fan of it but you can make it more persistent with a session (I know, opposite to the idea of stateless with REST)
  3. and use the measurement protocol (universal analytics) server side which is trivial to implement
here an example in PHP http://pastebin.com/PQCRcJXq
The Panopticon approach of "I am entitled to everything about you and your browsing activity because I technically CAN get it" is very troublesome and I'm glad that µblock takes a small step to revert that.

If some guy followed you around a store with a clipboard literally writing down microsecond-level details of your time spent in the store, you wouldn't be OK with that just because "I promise I didn't write down your name!" There's no reason to suffer LESS privacy online.

uBlock's philosophy is to, by default, block crash reporters (bugsnag, newrelic) and all forms of analytics (customer.io, optimizely, kissmetrics, mixpanel, newrelic, pingdom, piwik) because it can.

This is a stupid policy that hurts independent website developers because now I have to write my own version of these tools because if I use third-party services they will be listed in uBlock and blocked by default.

It is stupid but these are not used to run ad-networks, but rather improve the quality of the website you are on.

You could always respect your users and continue using Google Analytics etc. knowing that some of your users won't be tracked.

Does missing out on the few people who use these tools actually have a meaningful effect on your ability to run your business?

I understand how the crash reporters help you but do you really need Optimizely/Analytics/MixPanel etc. running on 100% of your client browsers?

uBlock is going to become very very popular. It isn't just going to be a small percentage of users. It is going to be the majority of tech savvy users. That is the problem.

ublock isn't Ghostery or NoScript. It is being sold to most has an ad blocker, but really it blocks everything.

wait so now your saying that ublock will be used by lots of people who presumably know what it does and therefore you are saying that they are wrong?

IF you want to track my data you should be asking me.

> ublock [...] is being sold to most has an ad blocker, but really it blocks everything.

This is the first sentence on the project page:

> µBlock is not an ad blocker; it's a general-purpose blocker.

And toward the end:

> Free. Open source. For users by users. No donations sought.

It's not "being sold".

Are any of these blocked services self-hosted? I sort-of agree with you if that is the case, but otherwise I'd say that it's entirely fair that a user use uBlock to keep these third parties from tracking their behavior.
Fantastic, I decided to install this extension and give it a whirl and it works as expected with zero configuration. Loving it!

I appreciate the fact that this is blocking everything about my usage to spying companies/individuals.

So does "no google analytics"[1]. It seems I'll soon be able to replace several extension by µBlock which is a good news.

I've long wished firefox would actually block ads and trackers by default, but it seems they'd rather make money instead.

[1] : https://github.com/erikvold/no-ga

I don't see any problem with this.
Serious: Why are people surprised to find this? I know GA is not ads, but it's tracking. Not the same category, but the same idea.
Thanks for finally convincing me giving uBlock a try. And for those crying web developers here -- if you respect your visitors, learn how to use server side analysing and profiling without a use of 3rd party tools by companies known to use privacy violations as a part of business model.