
GoatCounter – Simple web statistics, with no tracking of personal data - WinonaRyder
https://www.goatcounter.com/
======
WinonaRyder
Source code:
[https://github.com/zgoat/goatcounter](https://github.com/zgoat/goatcounter).

The author also gives a rationale for choosing the EUPL (EUROPEAN UNION PUBLIC
LICENCE) here:
[https://www.arp242.net/license.html](https://www.arp242.net/license.html).

EDIT:

ksec posted this link:
[https://github.com/zgoat/goatcounter](https://github.com/zgoat/goatcounter),
but, at the time of writing, my comment is higher...

It provides rationale for why GoatCounter exists and comments about _why not_
other solutions like Fathom, Open Web Analytics, KISSS, Ackee, Countly,
Analysing log files, Google Analytics, statcounter, Simple Analytics,
getinsights.io, statcounter.com. plausible.io/.

~~~
pavon
I can't say that I agree with that rationale. One of his major requirements
is:

> Have a “strong” copyleft, including the so-called “network protection”,
> which mandates that people submit changes even if they operate the code as a
> service (rather than sending people binaries).

However the EUPL allows you redistribute under other "compatible" licenses[1]
most of which don't provide that "network protection". Effectively, the EUPL
is only as strong as the weakest "compatible" license listed in the appendix.

[1] These "compatible" licenses wouldn't otherwise be compatible, except that
the EUPL explicitly allows re-licensing to them instead.

~~~
zaarn
The EUPL only allows relicensing if the covered work is part of a larger work,
so you can't simply take EUPL code and distribute it as LGPL just like that.
It has to be some part of a larger work.

~~~
thom
Could one then extract the originally-EUPL subset under the new license and go
from there though?

~~~
zaarn
No, the subset is still EUPL licensed, the larger work sublicenses it under a
different license.

------
ctoth
First time I've ever seen a comment about accessibility on the homepage of a
mainstream product like this. As a blind developer this was just awesome, made
me really feel like somebody out there is listening.

Thank you for making this

~~~
wnevets
Does anyone know of a good resource for this?

~~~
cglong
A lot of accessibility issues have to be taken on an individual basis, so
good, publicly available resources tend to be hard to come by. The
authoritative (albeit very terse) resource for web accessibility is WCAG:
[https://www.w3.org/WAI/WCAG21/quickref/?versions=2.1&levels=...](https://www.w3.org/WAI/WCAG21/quickref/?versions=2.1&levels=aaa)

One tool I'd suggest looking into when getting started is Accessibility
Insights for Web. A team at Microsoft developed a free, OSS browser extension
for automatically detecting most common accessibility issues on your site:
[https://accessibilityinsights.io/docs/web/overview](https://accessibilityinsights.io/docs/web/overview)

Disclaimer: I do work at Microsoft, but my only affiliation with Accessibility
Insights is as a happy customer :)

~~~
alwillis
I was trying out the beta and canary versions of the new Edge and installed
Accessibility Insights and was pretty impressed.

I immediately thought: how come none of the other browser vendors have
something like this after all of this time?

~~~
Vinnl
Firefox has an accessibility inspector: [https://developer.mozilla.org/en-
US/docs/Tools/Accessibility...](https://developer.mozilla.org/en-
US/docs/Tools/Accessibility_inspector)

Google develops Lighthouse, which, although an extension, I believe includes
some a11y checks:
[https://developers.google.com/web/tools/lighthouse/](https://developers.google.com/web/tools/lighthouse/)

Similarly, Mozilla also promoted Webhint:
[https://webhint.io/](https://webhint.io/) (which is cross-browser)

I'd also recommend Khan Academy's tota11y, which just works as a bookmarklet:
[https://khan.github.io/tota11y/](https://khan.github.io/tota11y/)

------
doomrobo
Nice work! Off-topic but remember that you can get a surprising amount of
analytics using just your web server logs and no JavaScript at all
[https://goaccess.io/](https://goaccess.io/)

~~~
yodon
Thanks for the goaccess.io suggestion. GoatCounter looked really cool but
their crazy decision to go with a GPL-style license for code you run on your
website is a pretty serious deal-breaker for me. GoAccess looks much more
usable.

~~~
Carpetsmoker
Why is it "crazy"?

The reason it uses copyleft is to prevent people from taking my work and
operating a competing SaaS with it; I don't think that's very "crazy" IMHO.

~~~
yodon
It's crazy because the use of the EUPL license forces all your customers to
copyleft their website code, which almost no business wants to do, blocking
any potential customers from adopting your product. No adoption means no
usage, no pull requests, and no revenue. You are free to license your code
however you want, but I think you'll find the tremendous effort you put into
developing this great project will end up being essentially unused by others
simply because of your licensing choice. Monetizing open source projects is
incredibly difficult, and simply pasting a GPL or EUPL license text into the
project doesn't make them easier to monetize, it makes them harder to
monetize.

~~~
Carpetsmoker
That is not my interpretation of the EUPL, which defines "Derivative" as
software "based upon the Original Work or modifications thereof". I don't
think that including this could reasonable be considered as that.

I could add a clause about it to make it unambiguous, perhaps, but it strikes
me as rather redundant as it seems fairly clear to me, unless I missed
something?

> Monetizing open source projects is incredibly difficult, and simply pasting
> a GPL or EUPL license text into the project doesn't make them easier to
> monetize

Sure, I don't disagree with that. But as mentioned non-copyleft includes the
risk of a certain kind of abuse that I don't really want to take, either.

~~~
yodon
You have to do what you feel is best in the face of uncertainty, just as
potential adopters of your software have to do what they feel is best in the
face of uncertainty about the detailed legal interpretation of how GPL-like
language applies to libraries included by or bundled with a website. The
interpretation of what is or is not a derivative work in this context is a
subject that is legitimately complex enough to be the domain of actual lawyers
and actual court cases not of armchair opinion-stating by developers. Even a
tiny bit of uncertainty over whether ones entire web operations might end up
GPL'd or EUPL'd is more legal risk than 99% of your potential customers will
be willing to take on. A paragraph of "explanation" written by a non-lawyer
and posted next to the formal license is not going to reassure your customers
as to how a court will interpret the formal license component. But again how
you chose to license your software is your choice, just as whether to allow
EUPL'd or GPL'd software into their website is your customer's choice. The
business of software is hard, frequently much harder than the writing of
software.

~~~
belorn
Have you read the copyright license for google analytics? Their license and
EULA has not been tested in court either. There is nothing that proves that
google can't claim copyright infringement for all sites using their web
products.

"You will not (and You will not allow any third party to) (i) copy, modify,
adapt, translate or otherwise create derivative works of the Software"

As you typed, The interpretation of what is or is not a derivative work in
this context is a subject that is legitimately complex. Its not tested, beyond
the fact that the companies of 1/3 of the largest websites has had their
lawyers green light to use software with such language in the license. So far
the bet that a website does not constitute a derivative work of the analytic
software it is using is holding.

~~~
yodon
Again, it's your call. You'll hear lots of input from customers and potential
customers. Some of it you should listen to, others you should not. The one
thing that's rarely worth doing is trying to convince an individual customer
they're wrong, because even if they have a demonstrable misconception it
doesn't scale to try to convince your customers one-by-one that they are
wrong. You need to do that at scale, and sometimes that means buying into how
they view your product even if it's not how you view it. In the meantime I,
like many others, will continue to not integrate GPL code into my website,
even if google analytics uses the words derivative product in their EULA.

~~~
Carpetsmoker
Note that it was someone else who replied to your last comment, not me.

I actually have a local branch that I made after you last comment to change
the license of count.js to MIT, but then I thought about it some more and
wasn't sure if that was the correct thing to do. My concern is that "EUPL with
clarifications/exceptions" would be more complex than "just EUPL".

While "telling customers they're wrong" would not be good, changing stuff at a
whim after singular complaint would not be best for the product, either.

Also, providing feedback by calling stuff "crazy" is probably not the best way
to get people to listen ;-)

~~~
yodon
Whatever you decide, you're on the right path in realizing that listening is
good even if you think the speaker is crazy

------
chadlavi
If this tool could also show you anonymized aggregates of click trails through
your site, I'd be down in a heartbeat. Raw visitor counts and some metrics on
where they came from are sometimes useful, but for a web app the much more
useful info comes from the pathways people take through the app.

~~~
Carpetsmoker
Yup, that's definitely a goal, just need to build it. Check back in a few
months :-)

~~~
chadlavi
nice

------
AndrewStephens
I applaud anyone one makes an effort to avoid thirdparty analytics products.
Analytics in general does nothing to help the users of your site while pushing
additional work onto the client and leaking information.

But looking at data is fun so I ended up creating my own super light counter
that I run on my site so I can see hits. My goal was to store as little
information as possible - only hit counts as stored, and no cookies are used
at all.

[https://sheep.horse/2019/11/visitlog_-
_sheep.horse_analytics...](https://sheep.horse/2019/11/visitlog_-
_sheep.horse_analytics.html)

I don't have any fancy graphs but the numbers are interesting

[https://sheep.horse/visitor_statistics.html](https://sheep.horse/visitor_statistics.html)

EDIT: all I discovered is that my blog gets pathetically few hits.

~~~
wastedhours
> Analytics in general does nothing to help the users of your site

I find this really interesting, and am amazed that more sites and services
don't surface some of their analytics data to users. Look at the success of
yearly "wrap up" campaigns (disclosure: I work for a company with one of the
most famous versions of that mechanic, but don't work on it).

You'll get users opting into some data and tracking if there's some tangible
benefit to them on the other end. It seems like people love learning about
their usage of products, and there's a lot of data that people would be happy
to share if they got some benefit too.

For example, I know Google tracks when I click a link in a SERP - but now that
they surface the "you've visited this X times, last time on Y", I'd happily
opt into that data collection because of the pseudo-utility/interest factor of
it.

~~~
AndrewStephens
I like seeing general analytics about a site because I am nosy so I enjoy
seeing "This blog post was visited 300 times" type information.

But I would hate to start seeing "You, personally, have visited this site 14
times" start cropping up because it would remind me how much information on me
is available. Intellectually I know this data exists in Google Analytics, but
actually seeing it would creep me out.

~~~
6510
I use to keep a cookie that was only used client side with the previous pages
the visitor visited. It grew a menu in the side bar. I never got around to it
but it could be interesting to generate a tiny tag cloud for the visited pages
and say 3 article suggestions based on those. I didn't build it because the
"visited = interesting content" doesn't seem real to me. Its more of a top 10
of click bate headlines.

------
intrepidhero
Can someone explain the attraction of embedded JS for analytics, what exactly
does it buy you versus log parsing?

Log parsing seems like the logical choice for the static site crowd but it
seems like there's little interest there. I must be missing something.

~~~
WinonaRyder
The most obvious one I miss (I don't currently only use server-side analytics)
is something like screen size. You can do user-agent sniffing to _guess_ what
the size of a mobile device is, but it doesn't tell you whether or not you can
stop wasting time making your content responsive on a tiny screen that no-one
uses anymore.

~~~
RL_Quine
You can do this with only media queries in CSS, most likely.

~~~
bransonf
The disadvantage there is that sometimes you want to give the user a totally
different site if their client is mobile. CSS queries are indiscriminate in
that a smaller browser window may trigger the “mobile” css. Likewise, many
tablets have similar screen sizes to some laptops, yet often you don’t want to
present the same UI to a tablet and laptop.

------
astuyvenberg
This seems like a perfect solution for a portfolio, blog, or new project. I
like that it's open-source, lightweight, and has a self-hosted option!

Elevator pitch from `rational.markdown`

GoatCounter aims to give meaningful privacy-friendly web analytics for
business purposes, while still staying usable for non-technical users to use
on personal websites. The choices that currently exist are between freely
hosted but with problematic privacy (Google Analytics), hosting your own
complex software or paying $19/month (Matomo), or extremely simplistic "vanity
statistics" (Fathom).

GoatCounter attempts to strike a good balance between various interests. Major
features include a free hosted version so people can easily add analytics to
their personal website, an easy to run hosted option, an intuitive user
interface, and meaningful statistics that go beyond "vanity stats" but still
respect your users' privacy.

------
kareemm
Looks nice. I’m somewhat surprised we haven’t seen an obvious alternative to
Google Analytics yet. It’s got a wide and deep surface area. But feels like
for the majority of eg B2B SaaS apps there’s a much simpler solution to be
built. Something that conves mainline scenarios like:

\- what channels / sites / campaigns is my traffic coming from?

\- what pages are people landing on?

\- what pages are driving conversions?

\- what do my conversion goals look like (percentage and total conversions)

~~~
dudus
For enterprises Adobe Analytics is actually the industry leader, and there are
a few other options as well.

For startups there's plenty of options, mixpanel is probably my favorite.

Google Analytics probably has more users because of ease of use for small
business but I wouldn't say it's a space without competition.

~~~
kareemm
Mixpanel's more product usage. The most valuable part of GA is imho the
marketing piece. Eg:

\- "Show me where my visitors are coming from"

\- "Show me what landing pages are most popular... at driving conversion... by
channel"

etc

~~~
dudus
Mixpanel also has traffic source attribution. Including Google ads out of the
box.

------
jlelse
I should have waited a few more months before coding my own statistics tool
(KISSS [1]) (which is also mentioned in GoatCounter's rationale document [2]).
:D

GoatCounter seems really promising, I especially like the simple web
interface, the selected programming language (Go) and that it should work with
a simple SQLite database.

Keep up the great work!

If you need some ideas for features that are currently implemented into KISSS
but not into GoatCounter (AFAIK):

\- Request stats from multiple domains (e.g. see the number of page views for
all domains combined)

\- Request stats by different criteria (e.g. only show stats with referrer of
Hacker News or Browser Firefox)

\- Reports: Daily email or Telegram message with stats

\- Telegram bot: Request stats via Telegram

There's definitely a need of privacy-respecting analytics services that don't
collect personal data. I hope you can succeed with your project!

[1]: [https://kis3.dev/](https://kis3.dev/)

[2]:
[https://github.com/zgoat/goatcounter/blob/master/docs/ration...](https://github.com/zgoat/goatcounter/blob/master/docs/rationale.markdown)

~~~
giansegato
Great job! I love the TG integration! It's so often about Slack and not about
TG :-(

------
gurgus
I just tested this out on my website and it worked exactly as instructed which
is always a plus. Super easy to set up and a clear set of analytics :)

------
ksec
This document [1] describes the rationale for developing GoatCounter, its
goals, and a comparison with existing solutions.

[1][https://github.com/zgoat/goatcounter/blob/master/docs/ration...](https://github.com/zgoat/goatcounter/blob/master/docs/rationale.markdown)

------
dbrgn
Can it also run in "server log parsing" mode so that no JS scripts are
required? This makes it even easier to avoid processing personally
identifiable information (if you don't collect the full IP) and it works even
if people have JS disabled (or if the clients are automated scripts).

Matomo is quite good at this.

~~~
Carpetsmoker
No, but this wouldn't be too hard to add. I'm not planning to work on it soon,
but I'll be happy to review PRs/provide guidance on how to build it.

I will add docs on how to run it in "server mode", where instead of using a JS
script you add a HTTP request in your apps middleware. This is an idea I had
the other day and I did some research on it, and it should work quite well
(haven't started work on it yet though).

~~~
dbrgn
Nice idea! Won't work for static pages though.

Regarding log analysis, it can be tricky to get right due to logrotate edge
cases.

------
michaelbuckbee
There's no definitive answer to this as it would take a court ruling (that
hasn't happened), but my own I am not a lawyer but deal with GDPR/CCPA
professionally understanding does not match the "You don't need to deal with
GDPR" pitch of these services.

Say you run a SAAS and install this on your marketing site. You're still
sending IP address and potentially identifiable information to a third party
processor.

We (on HN) don't consider IP addresses as PII, but from a purely practical
standpoint ad data brokers are selling/bidding on IP addresses all the time
which makes them more than nothing.

You (as the controller) also need to validate that processors (services that
you are using) are in fact doing what they're saying. You'd still need a Data
Processing Agreement in place with GoatCounter because otherwise Goat could
start collecting additional information without your knowledge, start
generating more metadata (GeoIP/Company) from the IP, etc.

I'm just saying it's not only about not collecting data, but the processes
that surround it and safeguarding users and their privacy.

------
muchbetterguy
Nice work. I'm currently in the process of building something similar to this
and Fathom - mostly out of curiosity - I will ping a link up here when it's
ready for a test-drive.

The current setup is similar to Fathom in that I temporarily track a user
session by generating a unique hash for the user, then, if that hash has
already been seen in the past 30 mins, we move hash to the latest page view
instance and can increment a pages viewed counter for the session. We can't
tell which pages you've been on in the past, only that you started a session
at X time, and viewed N pages, with the last view at Y time.

Incidentally, I had a PoC for the data ingest running as a Cloudflare Worker
using their KV storage. What could be interesting about that is that there'd
be zero third-party widget code to inject into a webpage: You'd log the
pageview in the worker and pass on the request.

But the market for those Wordpress users who want to paste a few lines of JS
snippet into their site would be lost. And it would add a few 100ms to each
request you want to log.

------
galfarragem
The only thing that stops me from switching from Google is pricing. I have 2
niche blogs (does that count as commercial?) as a side project that barely
makes any money and paying $180/year is completely unrealistic. I would switch
without blinking with a more friendly pricing.

~~~
Carpetsmoker
I'm not too fussy about it; if you have a small side project with a reasonable
amount of traffic that earns you a little bit of pocket money then that's just
"personal" as far as I'm concerned. It's really hard to codify these kind of
things, so I just made it "commercial/non-commercial" which is simple and
clear.

Hit me up on email and we can arrange something: support@goatcounter.com

------
arendtio
Sounds great.

I like privacy-aware analytic tools. So far I have been using
[https://www.privalytics.io](https://www.privalytics.io)

Similar functionality-wise from what I can tell, but different in style.

------
geddy
Just set this up on my little side-project site, as I was curious if anyone
was actually finding / using it. Wish I found this a month ago when I launched
it!

For anyone interested, the site is
[https://www.videogamesbyyear.com](https://www.videogamesbyyear.com), and if
you want to see the statistics screen, I made them public here:
[https://videogamesbyyear.goatcounter.com/](https://videogamesbyyear.goatcounter.com/)

------
masonwear
This reminds me of [https://usefathom.com/](https://usefathom.com/)!

Both solving an important problem in my eyes.

~~~
Carpetsmoker
It was actually written as an alternative to Fathom! My original plan was to
contribute to Fathom until it suited my needs, but the Open Source version of
Fathom is on indefinite hiatus and the maintainers are working on a (closed)
rewrite. I decided that starting from scratch would be better, as there were
some things I would have preferred to do fundamentally different. What I
really wanted was to add analytics to another idea I was working on, and while
it's a cool idea that everyone I pitched it to seems to like, it doesn't have
any good monetisation options, so I decided to work on this first.

~~~
nathancahill
Oh no! What's the source on the indefinite hiatus? I use Fathom for all of my
sites. Haven't heard about any of this. Can you point me to anything?

~~~
Carpetsmoker
See this issue:
[https://github.com/usefathom/fathom/issues/268](https://github.com/usefathom/fathom/issues/268)

~~~
nathancahill
Thanks

------
ASlave2Gravity
Took about 3 mins to get working with my jekyll github pages site. Very
simple, informative backend panel too. Thank you very much. Shall be donating!

------
sdfjkl
What's wrong with just parsing the webserver logfiles like we used to do (I
still do this)? Is that too old-fashioned now or something? Doesn't require
any account or paying anything or setting any cookies (and therefore you don't
need to have that annoying cookie warning your users hate so much).

~~~
bobx11
If I remember correctly, even having the user IP address in your log files
means you need to warn the user for some of the regulations.

------
owenshen24
I've been a happy user since you demoed this here last August or so. Have also
been pitching it to some friends for their personal sites. I donated for the
free tier. Really appreciated your writeup and rationale for providing a free
alternative to GA. Thank you for your efforts!

------
rawrmaan
Looks like the first direct competitor for
[https://simpleanalytics.com](https://simpleanalytics.com), which I’ve been
using and enjoying.

------
make_install
Finally a simple counter with no tracking. Most companies use Google
Analytics, because the current alternatives are lacking. Piwik is a good
alternative but harder to configure.

------
mad182
Top tier "Business Plus" with up to 1M pageviews/month seems kinda low. I
currently have 3 separate personal side projects with more views than that :D

~~~
Carpetsmoker
The numbers are more or less similar to various competitors, but it's not a
problem if you need pageviews, just need to get in touch.

------
mech1234
Would a site with this be required to give a GPDR disclaimer?

------
m3adow
This looks really nice. My blog is rather small and Matomo always seemed to be
too big for it. I'll test this one as an alternative.

------
radiKal07
I don't like the UI. Does this also provide a REST API so I can make my own UI
and just use this as a backend?

~~~
Carpetsmoker
There is no API, and unless a lot of people ask for it I'm not planning to
build it any time soon either. Making an API isn't too hard, but providing a
_stable_ API would slow down development quite a bit as this project is really
still in its early days. I don't think it's worth it right now. Sorry :-(

Better data export facilities is something that I intend to do soon-ish, and
you could build your own UI with that, but it'll be based on data/DB sync
rather than querying an API, which is quite a different workflow.

------
agacini
Thank you for the service. I have just added my website here. Hopefully it
will be longlasting for all us.

------
seancork
Will test this out tonight on my site, want to move away from google
analytics.

------
odc
Nice to see we're going back to simple counters like in the 90s.

------
brainlessdev
Just set this up for my blog [https://fnune.com/](https://fnune.com/)

Thank you!

------
adnjoo
nice! I just added this to my personal site :) will see if its good :P

------
saikiran91
What is so special about this?

~~~
Carpetsmoker
All the servers run on goats. True story.

------
mrgreenfur
How do you know it doesn't need a consent notice? Anything that tracks people
uniquely, via a personal identifier, is in-scope and counts as personal data.
Is the assumption here that it counts as 'legitimate interest'?

~~~
Carpetsmoker
There is no "unique personal identifier"; I have some ideas on how to track
recurring visits without such an ID, but that's something for the future.

Perhaps I should clarify the README on this a little bit.

~~~
pat-leahy
The referrer header which is stored may contain a unique personal identifier.

