I dislike Google and their products pretty much universally, but having this sort of thing done by a competitor is not just distasteful, I see it as verging on corporatism.
Make a better product and beat them, don't use the fact that a government is banning them to upsell your own tracking software.
All tracking is bad, from Google or not. I understand the "companies need to make informed decisions" argument but I disagree with it, mainly because tracking software is involuntary and it's in the interest of the tracking software maker and the company using it to make it as stealthy as possible.
Google Analytics is against the law because they are American, which means that they have to give up any data the US government asks of them. That’s the only illegal thing they do, and they are not better just for being American. They are better because they are better.
There is so much wrong with this. There are legal processes for the US gov't to request that data legally. Any other means of obtaining that data is illegal even if it is done by an entity within the gov't. This isn't the CCP.
Google Analytics isn't better at anything other than their marketing has convinced everyone that it is a must have. If you believe 100% of the data from GA is accurate, then I have a bridge to sell you.
Giving EU customer data to the US government is literally illegal for a company. There's not any process that somehow makes it legal without the collaboration of an EU member state.
The problem is that companies with a presence in the US can be forced to break the law of either the US or the EU. It's illegal to hand over the information to the US government, but it might also be illegal not to.
How does that work exactly if there is no international branch of a company in the EU? If a company is online with a presence large enough to attract European visitors, are they required to open an office in the EU? If not, are they supposed to firewall visitors? That sounds asinine.
Do you mean, who's stopping them from not collecting personal data? No one, that's the point. If you're not collecting personal data none of this applies and you can serve whatever you want to people in the EU.
If you mean, who is stopping them from handing over data to the US government? That's exactly what this court case is about. They can't conduct commerce in the EU unless they have a mechanism to avoid that, and progressively more strict enforcement gets imposed by courts if they keep trying. (Eventually, presumably being detained if they try to enter an EU country, though I seriously doubt it would escalate that far in practice.)
If you have no business in a country then its laws don't apply to you. Google & others specifically break EU law because they have offices and branches across the EU yet wipe their asses with consumer/privacy protections.
It depends. Based on your description, it sounds like the company in question wouldn't actually be subject to the GDPR. Simply attracting European visitors isn't sufficient; you have to be clearly intending to offer goods or services to those visitors. What that constitutes isn't black and white, but stuff like providing EU contact details on your website or specifically advertising to EU subjects might count.
Those are consent popups, not cookie popups, and no they’re probably not. (There needs to be a “Reject” option.) But the larger issues with bigger players get pursued first.
Not only does there need to be a reject option, but it must be the same size, weight and color so as not to influence the decision of the user. And to be truthful, in most cases there should not be a banner at all: 99% of websites don't need cookies, and when you do they're covered by other areas of GDPR (such as providing a requested service) which don't need explicit consent.
In all cases where you see a banner for accepting cookies, the company behind it is doing something nasty to the users. (I have yet to see a counter-example to that.)
No, you pretty much can't - not as a US American company at least. That's what this problem is all about, and why the Privacy Shield deal between the US and the EU failed.
Google could trivially re-domicile to Ireland if they wanted to. Just do a reverse merger, and have the services within the US provided by Google LLC, which becomes a subsidiary of Google Ireland Limited.
Thanks for pointing that out. I don't know how many times I have met privacy advocates, etc., who have made such a strong point against Google and still embedded YouTube videos or Google Fonts on their site. Is there a GitHub page where one can block all Google- or FB-used domains or IPs? Would be very useful!
Lots of different methods but for most the easiest is to just use something like NextDNS or a pihole. Pihole being potentially cheaper long term and NextDNS having the advantage that you can use it when off your home network.
If you want to get extra fancy you need to also worry about DoH and DoT (encrypted DNS) and hardcoded IPs (mainly for actual applications like mobile apps or smart devices). Encrypted DNS is a great thing, but companies also use it to bypass things like Pi-hole or NextDNS by hardcoding their DNS IP into an application and then sending all requests to that IP using DoH and DoT so that the end user has no control.
What you can then do is use any kind of edge router / firewall / networking equipment (virtual or physical) to block all the common DNS IP addresses directly and only allow addresses of your choice (such as NextDNS or other). This way, when the application tries to make a connection using DoH or DoT to that specific IP address, it is blocked and everything must fall back to whatever DNS you have set up (which can also be running DoH or DoT for privacy / security). Some home routers have this functionality, or you can set up a pfSense box relatively cheaply to achieve this. Unfortunately I have not yet found an easy / cheap solution for mobile devices, if anyone has any suggestions.
I believe they are looking for something like Pi-hole, but a fully software solution. Not sure whether they are looking to go the open-router-firmware route or the route of some uBlock Origin config though.
It's even more ironic that you (and the owners of that website, and Pi-hole) would then rely on Microsoft's servers (GitHub) to store and work on that code and data!
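As an added example of the "block the common resolver IPs at the edge and only allow the one you chose" setup described above (this is not code from the thread, nor from pfSense, Pi-hole or NextDNS): an nftables ruleset for a Linux router. The LAN resolver address 192.168.1.2, the use of the forward hook, and the list of public resolver addresses are all assumptions for this example; adjust them to your own network.

```shell
#!/bin/sh
# Added example (not from the thread or any product named in it): force LAN
# clients onto the resolver you run by dropping plain DNS (53), DoT/DoQ (853)
# and, for well-known public resolvers, DoH (443) to anything else.

# The resolver you run yourself (Pi-hole, or a box forwarding to NextDNS).
# Assumed address for this example.
ALLOWED_RESOLVER="${ALLOWED_RESOLVER:-192.168.1.2}"

# Public resolvers that applications commonly hard-code for DoH/DoT
# (assumed list; extend it). Only IPv4 is covered here; an equivalent
# "ip6 daddr" rule is needed if the LAN has IPv6.
PUBLIC_RESOLVERS="8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9, 149.112.112.112"

# Print the ruleset. Kept as a function so it can be reviewed ("sh dnsguard.sh")
# before it is loaded ("sh dnsguard.sh --apply").
render_ruleset() {
    cat <<EOF
table inet dnsguard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Our own resolver may be reached on plain DNS and DNS-over-TLS.
        ip daddr $ALLOWED_RESOLVER tcp dport { 53, 853 } accept
        ip daddr $ALLOWED_RESOLVER udp dport 53 accept

        # Any other plain DNS, DoT or DoQ attempt is dropped and logged, so a
        # client that hard-codes a resolver falls back to the DHCP-assigned one.
        tcp dport { 53, 853 } log prefix "dnsguard: " drop
        udp dport { 53, 853 } log prefix "dnsguard: " drop

        # DoH looks like ordinary HTTPS, so it can only be told apart by
        # destination: drop port 443 to the well-known public resolvers.
        ip daddr { $PUBLIC_RESOLVERS } tcp dport 443 log prefix "dnsguard-doh: " drop
    }
}
EOF
}

# Syntax-check, then replace any previous version of the table atomically.
apply_ruleset() {
    render_ruleset | nft -c -f -
    nft delete table inet dnsguard 2>/dev/null || true
    render_ruleset | nft -f -
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       render_ruleset ;;
esac
```

The logged drops are the useful part for a defender: a device that keeps hitting the "dnsguard-doh" rule is one that is trying to bypass your resolver, and the log tells you which one. The rules only cover traffic that crosses the router, so a phone on mobile data is still outside their reach, which is the gap the comment above notes.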
> I dislike Google and their products pretty much universally, but having this sort of thing done by a competitor is not just distasteful, I see it as verging on corporatism.
Don't shoot the messenger? I think everyone should have the right to voice opinions and point out problems with products, competitors or not. As long as the claims are factual and not FUD and bullshit. (I'm reminded of FUD campaigns made e.g. by big corporations against open source, backed by their own shady FUD-factory studies.)
If a company can -- without lying or twisting facts -- point out that their competitor's product is dangerous/illegal/unsuitable/{whatever is relevant to me}, I'm all open.
Of course, the line between a FUD campaign and plain good old information is sometimes very thin.
This is a bad take. The problem with Google Analytics is that it allows Google to surveil everyone's movements around the entire internet. This is enabled by the fact that for a long time, Google Analytics was the best analytics product and it is free. I've been in the position myself with personal project websites of trying to decide whether I'm just not going to know anything about what my users are doing, whether I'm going to try to hook up some janky open source alternative, or whether I'm going to give in to the surveillance machine.
The competitor that put up this site appears to be a company that provides analytics that are not centrally collected and analyzed to serve ads across the internet. Their entire selling point seems to be that they do not engage in mass surveillance. Equating this to what Google Analytics does (if this competitor's claims are accurate) is a false equivalency.
To me, this is no more objectionable than a foam insulation manufacturer capitalizing on asbestos bans.
Totally agree. I really don't have any objections to analytics that are run solely by the website provider, as long as those analytics are only used to investigate usage and issues on that website. I don't have any problem with coffeegrinders.com knowing all about how I use their site to find good coffee grinders, but I DON'T want that correlated with my choice of mildly NSFW Tumblr videos. It's pretty inherent to the way the web works in any case, where you're not just being broadcast to but are having a back-and-forth conversation with the website.
The primary problem with surveillance capitalism is when your movement across the entire Internet is gobbled up, sliced, and aggregated for the largest bidder.
I don't have objections to that, similar to how I don't have objections to a search engine showing me ads solely based on what I've typed in to the search engine.
Indeed, I really feel that Google and Facebook turned "evil" (whatever that means) when the huge amount of customer data available to them from their own sites was no longer enough, and they insisted on vacuuming up your actions on every single corner of the Internet to add to their already gargantuan piles of dough.
This kind of marketing is pretty common on HN. Provocative title and a blog post (written as if they're an independent observer) that presents a 'problem' and conveniently their product is perfect for solving it. The worst is these things get tons of upvotes.
The readers of HN are human after all, unless you're all bots and I'm the last human. Oh gawd, what if I'm not human either. Oh crap, now I'm going to be fretting over that all day.
If you see a title, you have no idea whether it is from a 1st party or 3rd party until you read the article. Or, you could just come to the comments and diatribe away. That's the internet way, and claiming to be morally better than the internet is the HN way.
It's really hard to make that claim when Google is known for anticompetitive behaviour, including crippling GA competitors [1].
We should probably acknowledge that Google is in the terminal phase where only a forced split and divestiture will help, and in the meantime, every action from competitors is fair game.
Unless the message is misleading I don't understand why you would find it distasteful. As mentioned elsewhere in the thread, a competing product being illegal is an excellent selling point. Why would you withhold that important information from your customers?
The thing is, that site is misleading: the fact that a product is legal in pretty much the whole world (currently) but against the law in two countries does not make the product illegal anywhere else, and it seems more likely that the fault would be on the companies implementing it in those countries, not on the global service that is being provided.
Then again, even though this is Google, I'm not big on individual countries' attempts to create laws that dictate the behavior of the internet as a whole; admittedly this is a different issue.
The website does not say Google Analytics is illegal everywhere in the world. Only that it might be in parts of Europe. I don't think this is insignificant enough to be considered misleading.
It's clearly marketing. But marketing can be helpful. If GA does conflict with GDPR it is far from unlikely that more countries in the EU will ban or restrict it. This might be insignificant to an American company using GA but it certainly is not for a company operating in Europe.
If you can look at the domain, isgoogleanalyticsillegal.com and tell it's marketing, then good for you. I don't think it's very obvious. Posting it as a "Show HN" with its own domain name is purposely deceptive. Most of the "Show HN" posts are from individuals posting their own small projects. Sometimes a company will post one, but at least they link to their own domain.
After you click to the article, again there's no indication until you scroll to the bottom (after you've already read or skimmed the site). This is deceitful. Furthermore, it doesn't really follow the spirit of Show HN, which is supposed to link to a tool that people can try out.
You're right that marketing can be helpful, but introducing your company through a bait and switch is a major red flag. This post could've easily been presented honestly: "Show HN: Host your own analytics data to comply with GDPR - posthog.com" or something along those lines.
I assume companies that try stuff like this don't even realize the negative feelings such a campaign can engender. They probably see thousands of new visitors to their bogus site and call it a success, all the while not even seeing the thousands of people who saw this deceptive tactic for what it was and have now filed "PostHog" in their mental file cabinet of dishonest companies.
To add, it might not even be illegal; the Netherlands quote is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
As for the Austrian ruling, this is part of it:
> The fact that Google LLC argued that Google Analytics was allegedly provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.
So it might be illegal to have used GA before April 2021, but it very well might now be legal given that GA is now provided by 'Google Ireland Ltd', which was a move explicitly done by Google to comply with GDPR.
> If you were privacy-conscious, you'd self-host at least. Read here:
That page explicitly notes that cookies aren't sent and these requests aren't used for the ad machine. Is using Google Fonts at all the issue just on the chance they're using IP address matching for ads/is them having your IP too much of a risk?
Interesting, I have always assumed that Google and FB would use any request sent to them for tracking and profile building. Probably a safe assumption to be honest.
Just dump all request logs in a giant Data Lake - seems like promotion material idea. (sarcasm).
That your competitor's product is illegal is an excellent point to showcase for potential users. We're not even talking real mudslinging, just pointing out reality. Being offended over this is baffling to me.
Yeah, fight with whatever tool you have including going negative.
I don’t for a second think Google would hold back if their own behemoth was under mortal threat and their main competitor had been found guilty of illegal acts.
The invisible hand of the market (fwiw) relies on free flow of information. Educating the public about Google’s illegal acts is an act of service, though self serving.
Allowing yourself to engage in immoral/shady activity just because your competitor is doing it actually helps your competitor by legitimizing their methods, it's an endless cycle of "but they did it first".
How’s it immoral to make sure the public knows that a product they are planning to use has been declared illegal in a certain jurisdiction?
In fact, given the state of regulatory capture, it’s a public service to educate consumers locally about how a competitor’s actions are perceived abroad.
The title of this post is just the website URL - there's no indication it's actually an advertisement. The whole thing is designed to trick people, and I'd say most people don't like being tricked by marketers.
Nor is there any indication that whoever posted it here had anything to do with PostHog (which, to be clear, is apparently an open source project, not a paid service like everyone seems to have assumed).
How do you compete fairly with somebody that engages in monopoly abuse and anti-competitive behaviour?
It has been more than 3 and a half years since GDPR was implemented, yet it took concentrated efforts of non-profits and individuals to come to this extremely obvious interpretation that EU–US Privacy Shield is nonsense.
Maybe if EU and member countries actually made any enforcement efforts, a viable competitive space would emerge.
What is corporatism in the sense that this is verging on it?
> Make a better product and beat them, don't use the fact that a government is banning them to upsell your own tracking software.
Google Analytics is not a good product if it can't legally be used. The competitor in this case is offering a better product because it can legally be used.
Using Google Fonts on this is hilarious and bad, otherwise though this post makes no sense. Pointing out your competitors flaws is part of competition and, I’d guess, an important driver for fixing or eliminating those flaws market wide.
In industries that successfully self-regulate we find that good products that follow regulations outcompete those that don't. In those cases politicians also tend to avoid adding regulations in order to not disrupt a working system.
In industries that don't successfully self-regulate we get politicians that force a regulation in order to have good products outcompete bad ones. It is especially common with lemon markets, where information asymmetry between buyers and sellers is a significant reason for good products being unable to fairly compete with bad ones.
The value of personal information is a notorious lemon market where the buyers, i.e. users, are not aware of the actual cost to themselves or to whom they are selling their information. One of the first requirements in GDPR fixes part of this by forcing companies to disclose to whom the information is sent. Secondly, it partially addresses the cost aspect by forcing companies to disclose how the information gets used and thus what the real cost to the user is. A bit like how banks need to disclose what the interest on a loan actually will be before the consumer signs the contract.
What makes privacy issues an even bigger issue is that the cost is not carried by the party who decides on and benefits from the choice of analytics software. This is similar to environmental issues, where the cost of a decision is not carried by the company that made it, but rather by those around them. Environmental issues are a typical example where self-regulation does not seem to work, as the end consumer has no information on whether a certain clothing item is made with child labor or by an eco-friendly operation. A regulation's job there is to put down some minimum standards that everyone needs to follow, including information disclosure so that end users can actually know what they are paying for and how much.
If it pushes all companies to be clear about their potential GDPR issues, I'm all for it. Let them compete on ease of compliance.
As it is, it's very difficult to tell if something you're using is gathering data that you don't intend to gather (e.g. your hosting provider logging IP addresses for your hand-coded blogging software). I don't want to have even the tiniest possibility of being on the receiving end of one of those theoretically huge GDPR fines just by self-publishing some code and putting it on the internet.
If their product does not violate the GDPR, their product is a better product.
It's just that website creators were defaulting to "just use Google Analytics" because it's convenient and they didn't care about their users' human right to privacy, and were thus externalizing human rights violations onto them.
The government is simply preventing externalization of harm, which even libertarians will agree is the government's job (of course, agreeing on what level of spying is harmful is where the debate will be).
Even the quote on their homepage made me roll my eyes:
> PostHog is what I always wanted a Product Analytics SaaS to be. Private cloud option so GDPR becomes way more manageable, features built based on direct community feedback, focus on simplicity and usefulness over vanity features...Great job people!
Mmm I dream of [Private cloud options] to make [needlessly complicated government legislation] easy!
Yay privacy, I guess? Just add 3 more needlessly complicated middlemen.
> PS: What adds salt to injury is that you're using Google Fonts on this website. If you were privacy-conscious, you'd self-host at least.
I get what you're saying, but I feel like that's probably a sliding scale of how much people actually care about these things vs how much they want to just easily get things done.
For example, right now my personal website serves the following files, just to get Open Sans working:
Of course, depending on the browsers that you want to support and how efficient you want things to be, you might end up using more than just the WOFF2 format or just adding a TTF font and calling it a day, which will further inflate the amount of configuration that you need.
While we're on the topic of fonts, it's a shame that we don't think more about how heavy the fonts we choose to use are, since right now serving my own fonts eats up around half of the bandwidth on my non-image-heavy site. The single article that I've found on the topic so far has been this, "Smallest (file size) Google Web Fonts": http://www.oxfordshireweb.com/smallest-file-size-google-web-...
In my opinion, those sizes should also be readily available in the web UI of Google Fonts, or most other sites that recommend fonts out there!
Distasteful sure, but why would a company let distaste stand in the way of profit? This is corporate realpolitik. The only bad move is to leave opportunity on the table.
The linked page is closer to https://lobste.rs (or maybe ProductHunt) hosting a scary-looking webpage with the words "Hacker News is Illegal" on the front of it.
Why? Because Hacker News does not indicate that the login cookie provided to you will be persistent.
> Persistent login cookies which store an authentication token across browser sessions are not exempted under CRITERION B. This is an important distinction because the user may not be immediately aware of the fact that closing the browser will not clear their authentication settings. They may return to the website under the assumption that they are anonymous whilst in fact they are still logged in to the service. The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.
I think this situation is much closer to what's going on in the original post. No one's life is threatened, but the letter of the law has been broken.
> I think this situation is much closer to what's going on in the original post. No one's life is threatened, but the letter of the law has been broken.
I strongly disagree.
First, it's not just the letter of the law which is violated. The basic intent of the law is at odds with the actions of Google Analytics.
Starting with Safe Harbour, Privacy Shield and now the standard contractual clauses, the courts consistently decided that no matter how precisely it is formulated, data is just not sufficiently protected by current US laws to allow sharing.
Also the important difference with Hacker News is that Hacker News violating these rules mostly affects Hacker News itself, while GA violating the rules leads to liability risks for web developers who keep transmitting third party personal data to it.
> PostHog is the only open source product analytics platform where customer data never leaves your infrastructure
That's wrong. I can give you 3 other open source self-hosted options off the top of my head: Offen, Counter, Matomo.
Edit: I just saw that their "alternatives to Google Analytics" page shows PostHog's competitors as well and you can submit PRs to add further options, fair play!
Self-hosted Docker, and it is not blocked by ad blockers (nginx custom JS filename).
Only thing I miss at the moment is extensive GA history which is gone now, but Plausible is so much faster and simpler and maybe they implement history import someday.
We're working on GA import at the moment[1], it will be the next big feature we land.
As with everything we will integrate and test with our large customer base on the hosted version and then release it for self-hosted as well. Next release is planned in Q2.
Just that their support rubbed me the wrong way. I wanted to use their commercial offering but it had a bug which stopped my site returning any telemetry. They basically refused to do anything about it, and that was a big red flag. With JavaScript analytics you need to know that it is returning for 100% of compatible clients with JS enabled, otherwise you are missing valuable metrics.
Google Analytics worked fine on my site. Plausible's script causes a script error which killed it dead. It's only a bug in their commercial system. I spent hours debugging it myself and found the bug in their system. Seeing as it's a bug only in their commercial offering (not their open source one) I said "throw me some free credit for my time" and they said "no thanks, I'm sure we'll figure it out ourselves one day, don't worry about it". After that I didn't want to touch their product.
I also pinged Marko (co-founder) on Twitter and no response there either. So, honestly can't recommend their paid service at all.
> PostHog is the only open source product analytics platform where customer data never leaves your infrastructure.
Hosting my own Matomo installation, I beg to differ. Matomo is open source and my visitors' data never leaves my own server.
Except they only do backend tracking and see HTTPS traffic from website frontend tracking reaching my analytics server as it "leaves your infrastructure".
But they at least made one thing obviously clear to me. I would never consider using them in the future.
Also they are wrong factually. Google Analytics is not illegal in Austria. The court made this clear. Transmitting the IP without anonymizeIp is. Also transmitting PII data unencrypted to GA us (but GA does forbid that in their TOS as well).
So not caring about the law when implementing GA and doing it just wrong is forbidden in Austria. Who would have thought. Using it correctly and adhering to data privacy best practices is just fine with GA.
> Also they are wrong factually. Google Analytics is not illegal in Austria. The court made this clear. Transmitting the IP without anonymizeIp is. Also transmitting PII data unencrypted to GA us (but GA does forbid that in their TOS as well).
"The specific IP address used can no longer be determined by the complainant either. However, this is irrelevant, since the UUID in the cookies is already clearly linked to a person."
I've been skeptical of the "just turn on anonymizeIp" approach for this reason; xxx.xxx.xxx.0 plus, say, the user agent, is likely plenty to identify me.
Probably. I tried to read the translated ruling but I have to admit that I find it difficult. Need to search the German version to better understand the fine details.
And yes the User ID/cookie ID is PD and one needs consent to transmit that. As one needs consent to store a non essential, non functional cookie.
If I read the ruling correctly (and I might be wrong here) the defendant didn't ask for consent.
> Also transmitting PII data unencrypted to GA us (but GA does forbid that in their TOS as well).
There is a BIG issue here which is usually splitting hairs, but in this case is super-relevant.
Google's TOS forbids storing PII. GDPR forbids transferring Personal Data (PD). These are nowhere near the same thing. Pseudonymous identifiers are not PII, but are often PD.
Google Analytics requires a pseudonymous identifier to work (the "client ID," by default randomly generated value stored in a cookie). This may on its own constitute a GDPR violation, despite not counting as PII for Google's ToS or any other American law.
It's possible for a developer to disable GA cookies and/or provide a different client ID to GA, which would make cross-site user tracking and identification of individuals more difficult.
Google would still always get the IP and user-agent though, so maybe that's not enough. Proxying calls to GA and stripping anything which could contribute to a fingerprint should logically make it "legal" everywhere, I would have thought?
Hopefully though, this will make the otherwise so risk-aware management layers think again before they demand that their developers add GA to websites. Hopefully it will even make them avoid it, as an unnecessary risk.
> Also they are wrong factually. Google Analytics is not illegal in Austria. The court made this clear. Transmitting the IP without anonymizeIp is. Also transmitting PII data unencrypted to GA us (but GA does forbid that in their TOS as well).
That's some very interesting information. So, the real answer to the question of whether it's illegal in Austria or not is a "MAYBE", and it is quite easy to make it legal? If so, that should be on this site.
That's not my understanding of the ruling. My interpretation is that even with those GA settings in place (anonymize IP), GA still does not comply with GDPR.
Above is the official guidance from the Dutch privacy authority. It basically documents the best practice since 2018: anonymize IP and how to configure several other privacy-friendly settings in GA.
Exactly one week ago they added an explicit note to the very top of the document. It says that soon GA (as a whole) may no longer be allowed. No matter how you configure it. They go on to explain that they're in the process of investigating two other complaints and will come to a final conclusion early this year.
The EU and especially Germany make it harder and harder for startups and indie makers to survive.
Now when you start a project in Germany, not only do you have to have an "Imprint" on your site which shows your private address (if you work from home or are a digital nomad) but you also are at a disadvantage because you cannot use all the free tools that startup founders outside of the EU can use.
Has anybody here in Europe considered moving to another country or setting up a company in another country because of this?
How do all the famous indie makers from Europe handle this? I never find any information on their sites with an address and they all use Google Analytics.
The "imprint" doesn't necessarily need to show your private address though, only an address of "someone responsible for the contents of this website."
Do note that "someone responsible" can be a legal entity! Not only corporations but also a "Verein" or a similar legal construct.
Also, note that you do not need to list your address, only an "Anschrift", which often times is the same thing as an address, but really just means "If I write this on a letter it has to be delivered to you." So a postal box, for example, works just fine.
If you are a startup you will have all of these things anyways; I don't know a single startup that isn't also a legal entity. Indie makers are a bit more tricky, but as mentioned before it is pretty easy to get around this requirement via a "Verein" or something similar.
As for free tools not being usable, I honestly don't think it is that big a problem. Google Analytics doesn't work for you? There are other offers out there. Or you could self-host Matomo. Or if you want, you can just go ahead and run an awk script on your web server log.
As for not finding information on the sites of famous European indie makers, I am going to let you in on a secret. The "Impressum" was always intended so that consumers could have a look at who they are dealing with over the internet.
To this day it is still handled like that. If you aren't selling anything or doing anything else that "a classic" company would do it is highly unlikely anyone is going to care whether or not you have an Impressum.
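The "run an awk script on your web server log" option mentioned above, as an added example that is not the commenter's code and not Matomo's or any other product's. It assumes the combined access log format that nginx and Apache write by default; the six log lines are constructed for this example (documentation IP ranges, made-up paths). Rather than keeping IP addresses in the report, each hit is reduced to a salted SHA-256 of IP and user agent, an approach several self-hosted analytics tools take, so the report stays useful after the raw log has been rotated away:

```shell
#!/bin/sh
# Added example, not from the thread: page-view counting straight from the
# web server's combined access log, with visitors pseudonymised on the way.

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG='203.0.113.7 - - [20/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"
203.0.113.7 - - [20/Jan/2022:10:00:09 +0000] "GET /blog/gdpr HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"
198.51.100.23 - - [20/Jan/2022:11:30:00 +0000] "GET /blog/gdpr HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.23 - - [20/Jan/2022:11:30:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.7 - - [21/Jan/2022:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"
198.51.100.23 - - [21/Jan/2022:12:00:00 +0000] "GET /blog/gdpr HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"'

# Pseudonymous visitor token: salted SHA-256 over IP and user agent, truncated.
# Rotate the salt (e.g. daily) and never store it next to the report; without
# the salt the token cannot be brute-forced back into an IP address.
visitor_token() { # $1 salt, $2 ip, $3 user agent
    printf '%s|%s|%s' "$1" "$2" "$3" | sha256sum | cut -c1-16
}

# Reduce a combined-format log on stdin to "day<TAB>path<TAB>ip<TAB>ua".
# Splitting on the double quote keeps the user agent whole despite its spaces.
extract_hits() {
    awk -F'"' '{
        split($1, pre, " ")          # pre[1] = ip, pre[4] = [day:time
        day = substr(pre[4], 2, 11)  # "20/Jan/2022"
        split($2, req, " ")          # req[1] = method, req[2] = path
        if (req[1] != "GET") next    # page views only: skip POST, HEAD, ...
        printf "%s\t%s\t%s\t%s\n", day, req[2], pre[1], $6
    }'
}

# Per-day report "day uniques pageviews", e.g. "20/Jan/2022 2 3".
daily_report() { # $1 salt; log on stdin
    extract_hits | while IFS="$(printf '\t')" read -r day path ip ua; do
        printf '%s\t%s\n' "$day" "$(visitor_token "$1" "$ip" "$ua")"
    done | awk -F'\t' '
        { views[$1]++; if (!seen[$1 "\t" $2]++) uniq[$1]++ }
        END { for (d in views) printf "%s %d %d\n", d, uniq[d], views[d] }' | sort
}

# Most-requested paths first, as "count path".
top_paths() { # log on stdin
    extract_hits | cut -f2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed log. For a real site, pipe in the file:
#   daily_report "$(date +%F)" < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | daily_report "$(date +%F)"
printf '%s\n' "$SAMPLE_LOG" | top_paths
```

The token is still personal data under GDPR while the salt exists (it singles out a visitor for that day), which is why the salt is thrown away rather than archived; what you keep long-term is only the aggregate counts. It also illustrates the point made elsewhere in the thread: an IP plus a user agent is enough to tell two visitors apart, so "anonymising" only one of the two does not by itself stop re-identification.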
Sure. You can set up an address somewhere. Rent it. Set up some kind of mail forwarding or go there regularly to get it.
Sure. You can put in a day of work to self host or write your own analytics solution.
But this already puts you at a disadvantage. Because of the time you have to invest and the sub par solutions. Google Analytics is simply better than the alternatives.
And it does not end here. Every website I know uses a multitude of international tools. All of them connecting the visitor to some international servers which provide the service. Cutting European indie makers off from all these tools will put them at a huge disadvantage.
> Sure. You can put in a day of work to self host or write your own analytics solution.
> But this already puts you at a disadvantage. Because of the time you have to invest and the sub par solutions. Google Analytics is simply better than the alternatives.
I am entirely in favour of requiring SaaS creators to put in a day of work if they want to analyze their users' information without violating their privacy, and forbidding them from saying "fuck it I can't be bothered, just send everything to Google, it's easier".
If being able to see our aggregate sexual orientations from Facebook Analytics is truly such a huge competitive advantage, by all means, explain in your sign-up page why it's in your customer's best interest to allow those tracking pixel and get their explicit consent.
Alright, I'll drop the sarcasm and state my claim outright: if you're creating an actually valuable and worthwhile product, using privacy-respectful tools and practices isn't going to kill your dreams. Not even close.
If you're creating another useless listicle page or shady dating app or would-be "viral" attention black hole, such that its business model fails if you can't track and profile hapless visitors or sell their data, then I'm glad you won't be able to start such a business in my country, and if you're abroad I hope you geoblock my country as well.
If a European indie wants to access the European market, they have to follow European law.
This argument of being at a disadvantage seems similar to that of app developers using the iPhone market and paying a 30% tax to Apple. That is a huge disadvantage compared to side loading the app on Android, which has 0% tax. The only problem of using side loading is that you have to leave the Apple market space, or hope that places like the EU put in laws that change the regulations for the EU market space for phones. In that case it will be up to Apple to decide how much access to the market space is worth.
How does it happen that in such discussions there is always at least one person who ends up equating everything they don't like to socialism? Are "socialism" and "communism" the only words they know? Clearly, they don't know very well the meaning of these words.
And regarding the "EU won't survive past 20XY". I've heard this argument almost non-stop from anti-EU politicians since 2007. Financial crisis, Greek debt crisis, Brexit, now coronavirus - every bad event is a good one to predict the collapse of the EU.
I didn't mention communism nor socialism (except in the name USSR).
I compare the EU to the USSR because they're both top down bureaucracies that think they know best and can erase nations under their rule. It works for a time but when it inevitably collapses, wars are almost a certainty.
You hear about the Euro and the EU collapse since 2007 because the process started back then.
Eastern countries don't share the liberal ideology of the west. They're in as long as money flows. Once it stops why would they let the west tell them how to think?
Then there are the southern countries (PIGS + France) that are bankrupt, and the north doesn't want to pay. What do you think will happen when Covid can't be used to throw money at the problem any more?
Lastly look at the average European banks leverage. They won't survive another 2008.
FWIW I have skin in the game: I'm French, living in France.
I've started three businesses in the EU and I can't say I share your feelings.
Regarding the Impressum ("imprint"), the information you need to put on your website is already public, since the address of your company is recorded in the commercial register when you incorporate it. It can be annoying to have to use your home address, I agree, but there are plenty of coworking spaces or even just mailbox services that can solve this problem.
Regarding Google Analytics, I don't find it a competitive disadvantage to have to host analytics software that is less detrimental to user privacy.
Are there any other issues or annoyances you ran into that contribute to the impression you stated?
Indie maker is a nice label, but if they're attempting to make money, they're acting like a business and should operate with a certain degree of transparency. Self-employed or a separate legal entity is a technicality.
That’s just making things needlessly complicated in some countries. Registering a business is something you can do rather easily; I know people who have a company registered, just in case. It makes everything easier: less trouble with taxes and better legal protection (as in: a failed project won’t cost you your home).
So because you want it to be easier to start a business, you want users to have less privacy and less legal protection?
Google Analytics is free for businesses, but not because Google feels like they need to help small businesses get started.
Also consider that starting a business in countries like Denmark is easier than starting one in the US. Ease of doing business isn’t the only thing holding back EU startups.
> you have to have an "Imprint" on your site which shows your private address
That's been the law in the EU since 2001.[1]
1. In addition to other information requirements established by Community law, Member States shall ensure that the service provider shall render easily, directly and permanently accessible to the recipients of the service and competent authorities, at least the following information:
(a) the name of the service provider;
(b) the geographic address at which the service provider is established;
(c) the details of the service provider, including his electronic mail address, which allow him to be contacted rapidly and communicated with in a direct and effective manner;
(d) where the service provider is registered in a trade or similar public register, the trade register in which the service provider is entered and his registration number, or equivalent means of identification in that register;
The definition of "service provider" is (b) "any natural or legal person providing an information society service".
This is a basic requirement of European Union trade. It's intended to encourage cross-border trade, by ensuring that, if there is a problem, the customer can find the seller. So, anonymous online businesses are illegal in the EU.
I'm generally in support of website owners having to publish a certain amount of information about who operates the site. Especially when the site is commercial in nature or collects visitor data.
If you're publishing ads, sending people to affiliate links, selling products, whatever, you're operating a business. All businesses should be held to a minimum standard of accountability.
Germany is making it hard, but on the tax level. Not even talking about the amount you pay, but the complexity of the system. But that's it.
EU/Germany might not encourage a haphazard hodgepodge of poorly vetted services as squashed into a start-up. And it is a good thing.
Some regulation might have got a bit extreme. Granted. I think they will be revisited as the time goes by. But really, this feels like a reaction to contempt that many businesses have towards protecting their users.
Not using SaaS services (e.g. Firebase) just really sucks though.
We still use it (started with it before privacy shield was demolished) but we will have to migrate eventually. Don't know what we'll use exactly, maybe managed kubernetes with some platform for an easier workflow running on it? Idk yet.
Hi there, not sure how relevant this is, but there appear to be a few “alternatives” to Firebase. Some open-source [1].
And if you already consider Kubernetes, even better. It removes a lot (but not all) of headaches for managing infrastructure. I wish there was better market for quality k8s operators to automate the management tasks for some specialized deployments.
It is open source, the hosted vendors will emerge, so you will be able to buy it, if not yet.
That said, I sympathize. Re-doing an already done feature rather than focusing on new things can feel discouraging.
Note that this isn't purely "do not use Google Analytics"; it's "do not export EU data". For context, there used to be a trade agreement to ensure EU companies were still allowed to use US server hosts, called US Privacy Shield; but that was torpedoed by other legal rulings.
TBH, I personally do not understand how it is legal to provide a single shared service in the face of data localization requirements, especially if other countries were to adopt similar rules. Is it just a matter of having separate shards for each jurisdiction? Or do we need to instance the entire application so that US users don't even see EU users and vice-versa? Most off-the-shelf/FOSS webapps aren't built to be sharded this way, they assume One Big Database that has everything. That would include some of the GA alternatives they list; which, again, is a problem if those apps don't shard users by jurisdiction.
I suppose for now, just hosting everything in the EU is fine, if only because the other jurisdictions with data localization requirements[0] pretty much can't be served with a shared application anyway. I'm imagining that's what the person who built this was figuring it would be used for. But if the US starts demanding data localization, the Internet is fucked.
TikTok is an unusual case, because the US was determined to ratfuck Chinese social media apps a few years back. The executive orders in question only applied to a handful of companies in one country. There was no concomitant demand for, say, EU companies or anyone else to shard off US users on domestically-hosted infrastructure.
A general data localization requirement in US law would mean an end to self-hosting one website and serving two jurisdictions for the majority of web users.
> There was no concomitant demand for, say, EU companies or anyone else to shard off US users on domestically-hosted infrastructure.
US claims are wider in scope, since they demand that services operating in the US hand over data, wherever it's located, and wherever the users it's about are located.
> But if the US starts demanding data localization, the Internet is fucked.
Not... really? The internet (defined as the infrastructure and non-commercial websites) will be fine.
Corporations that collect and monetize data will just have to jump through more hoops (and many already do this because of the GDPR and Europe's general feelings about personal data). So they'll be fine too, even if they gripe a bit about it.
The only folks who would really be hurt would be small developers, because their potential audience will be limited until they take advantage of foreign hosting and segmenting their users' data. In the end, they'll probably be fine too, even if their growth is stunted while they comply with laws (and ultimately, the wishes of their customers).
GDPR doesn't rule out using servers in other jurisdictions. It just rules out using servers in jurisdictions with shitty privacy laws, e.g. the US. If all countries were to adopt similar laws there wouldn't be a problem.
You are correct that the US copypasting GDPR into its own law would be an absolute triumph. But that's not what I'm worried about. The problem I'm worried about is multiple countries having conflicting data localization requirements.
One of the specific cited concerns with off-site hosting is that it exposes user data to foreign intelligence agencies. This is a valid concern, but it's not unique to the US. It's not like EU member states don't have their own spymasters: they absolutely do, and they are just as atrocious to democratic norms as American ones are. In fact, most EU member states would rather trust the US than each other, that's why their politicians negotiated the Privacy Shield agreement that ultimately got shot down.
If the US were to have a data localization requirement, it would almost certainly be incompatible with the EU's data localization requirement. Then everything I mentioned in my prior comment would apply: the need to shard users at best, and a need to firewall users off from one another at worst.
Exactly. As far as I can tell, the only problem that most European courts cite is the CLOUD Act. If that law were updated, I suspect many of these rulings would get reversed.
I like the scrolling banner on the side reminiscent of a news ticker being used for static data, it adds some vibrancy to the presentation. It might be nice to have more of the globe shown on the front, since it isn't "isgoogleanalyticsillegalintheEU". I really like the color scheme too, nice job!
I'm usually the first to complain about things like that as well as I'm very easily distracted, but in this case I think it's not that bad and looks kinda nice.
I still wish websites would not only respect the disabled autoplay setting but also stop animations completely in that state. But right now it seems crashing video player UIs are the best we can get.
There's prefers-reduced-motion[1] but I don't think many sites actually implement anything for it. This one is open source though, so someone that cares could submit a PR.
In the old world, a company would build the television, another would broadcast shows, another would measure the audience and another would measure sales to compare with media investments.
Which of those steps does Google do today? All of them, from browser to YouTube to shopping to audience data and sales measurements. This is not a case of "old people ranting about how the old world was simpler and better", it's a case of conflict of interest. But this isn't something new, everyone in the industry has been seeing that for two decades now, it's just something no one cares enough about to pick a fight over.
So the reason people do emotionally charged marketing like this is because it generally works. We on HN are probably not (entirely) the same group that this is getting sold to, we may see the BS here a little more clearly or have a more principled view on things like this.
BUT most people do not have the same distaste towards this type of marketing so -- don't hate the players, hate the game. If you want things like this to stop then it's probably up to government regulation to curtail it otherwise, for smaller competitors where it's already difficult enough to establish a market position, they would just be hamstringing themselves by not playing to the same emotionally charged marketing style.
If you're a business and you deliberately stay away from marketing like this -- that's great, honestly I'm personally more likely to try your product and I'd like to think I'd do the same in my own work but I really can't blame companies who take this route either.
The detail is quite interesting. The Austrian interpretation seems to hinge on the US intelligence agencies having access to data as a third party at any time because their surveillance laws are so broad, and the fact that UUIDs are being used between cookies and therefore the anonymised data is actually not very anonymous if you slurp data like the NSA and can combine that with IP addresses.
This site seems like a great example of how the EU forces productive folks to jump through all kinds of regulatory hoops. Hopefully it’ll help them navigate the complex legislation.
I'm sure in your country you can catch rats and serve them in "special stew", not bother about basic hygiene, have under-counter cameras taking pictures up skirts, have no requirement to ensure that customers don't get electrocuted, etc, and you love it.
Most countries in the world though have governments which ensure basic rights, and if you want to do business in those countries you follow those laws, no matter how it may reduce your profitability.
The fact that 'productive folks' have been engaged in a chicken race with the regulators since GDPR came along in 2016 is entirely on them.
The second shoe dropped with Schrems II in 2020, and the race to find plausible technicalities to keep doing the same thing continued. Still no real attempt at fixing the problems.
If they had followed the spirit of the law rather than trying to get away with dubious technicalities, there would be no mad scramble to fix things now when it turned out those technicalities were in fact hopeful thinking at best.
You're only on the watchdog's radar when you are a large company, in which case you should have an entire department devoted to complying with legislation anyway.
Somebody has been fined for reporting illegal parking to the city. Yes really, they say he has no legitimate interest in reporting people who park on the sidewalk in a way that's endangering pedestrians.
Go to https://www.enforcementtracker.com, which collects and publishes GDPR fine information. Type in "Private Individual" as a filter in the "Controller/Processor" column. I see twenty-ish results, mostly from Spain. My Spanish is rusty and non-technical, but I think some of those fines are about posting videos to social media.
> 2. This Regulation does not apply to the processing of personal data:
> (c) by a natural person in the course of a purely personal or household activity;
There is an exemption for private individuals conducting their personal affairs. But it still applies to private individuals acting in a public space. Article 4 also reinforces that a Controller may be a natural person.
I can't think of anything other than personal or household activities.
Unless you're talking about one-person companies. But then, I consider them companies, even if they are only one person.
This is one of those things where different countries take different approaches (or at least have different points of emphasis). But the classic example is a security camera you install on your own house (or these days, a doorbell camera). If it can only see your own property, that's a household activity and is not covered by GDPR. If it records video of people walking on the public sidewalk outside your house, then GDPR applies to that recording.
As noted elsewhere, most of the fines against private individuals have been issued by Spain. And my mediocre Spanish literacy leads me to believe several of those fines are for posting videos on social media.
Meta: this website consistently crashes my browser (Firefox on Linux) if I move the mouse in and out of the map a couple of times. Does this happen to anyone else?
Edit 2: doesn't crash on a fresh Firefox profile. Crashes upon enabling gfx.webrender.all, gfx.webrender.compositor and gfx.webrender.compositor.force-enabled. Very intriguing stuff, I'll file a bug.
Funny enough, ublock (stock install) completely breaks the “alternatives” page. It must do some pattern matching on "component---src-pages-google-analytics-alternatives-js-8d1eb2b4c6482dba3dfd.js" and decide it's suspicious enough to deny it, even though it's a first-party request.
It will block anything with google analytics string in it I think. We had a small google analytics image/link on an internal website that linked to some relevant GA dashboard and the image was blocked / hidden by ublock and possibly others. Changing the name fixed it.
Years ago, I remember using GA on a project. Was unhappy with GA's realtime availability, so we wrote our own backend for it and stored all the analytics on our own infrastructure.
Worked without any real issues. Didn't have to stop using GA on the frontend, either. Just had to point the frontend GA at our own endpoint.
Theoretically, this would make usage of GA compliant with GDPR, too, I believe.
I have a few blogs with visitors from around the world hosted in NYC on shared hosting. What's a legal alternative to Google Analytics that would be as easy to set up? I don't want to host anything myself, just replace the JS that Analytics provides and that's all. If I can import my historic data from GA to the new service that would be perfect.
Does such a service exist? We can't ask bloggers who install Wordpress to run an instance of Matomo, PostHog, Plausible or whatever.
Frankly, "hosted in NYC" probably has the same issues as "uses Google Analytics". Data on EU citizens is leaving the EU for a country without similar privacy protections.
In that case, you probably don't have to respect GDPR, as personal or household activities are exempted from its scope [1].
In any case, I would recommend looking up how to make sure your users' privacy is respected, it's always nice to make sure that, should their data be leaked, people are safe.
Under a strict interpretation of the law, yes.* (GDPR does apply to blogs, even if they're private) In practice removing analytics for EU visitors would probably be enough.
* Note that the physical location of the data won't matter for you because you are located in the US and are the data processor.
I frequently wonder what sort of tracking, if any, is happening via fonts.google.com and gstatic.com which are used widely across the web. Many sites break if you block resources from gstatic.com, as they depend on javascript libraries from it.
The shortsightedness of using remote static assets on your own site is amazing to me.
Why isn't France in red? IIRC, the French started the whole EU anti-Google campaign since they have the presidency of the EU. Also, Germany used to be far ahead almost anyone else when it comes to privacy, so why aren't they in red? This map seems wrong.
Anyone have suggestions for a lightweight, OSS Google Analytics alternative, preferably using a Postgres backend, and preferably server-side so no cookies or JavaScript are required? Only needs to handle max 10K visitors a day, which is nothing really.
I had a quick look at PostHog, but it seems to need all of these in addition to the web UI:
That's... a lot. I realise there is a Docker Compose file available, but it's the amount of resources used that is concerning, and given my very modest requirements I was hoping for something very light.
If it is illegal in one country does it make it illegal in all other EU countries as well, or is this left to the individual legal systems of each EU member state?
BTW. your site looks great. I like the running ticker on the side.
As mentioned in another thread on this subject: EU privacy law is harmonized, there may be local exceptions but these are increasingly rare and over time I would expect them to fade away completely.
Note that the ruling confirms the GDPR, the EU legislation.
As a USAian, my rough impression is that it's similar to circuit splits in Federal courts. GDPR is a Regulation (not a Directive), so it's law in all EU states. But each country's court may interpret its requirements slightly differently. A ruling from the Court of Justice of the European Union (CJEU) would be binding on all member states. And in fact most rulings around Google Analytics are dealing with the boundaries of a CJEU ruling, Schrems II.
This kinda depends. I'm not 100% sure what kind of "law" the GDPR is, but if it's a directive (which I think it is?), then each member state must implement a law that satisfies the GDPR requirements. Member states may choose to pass stricter laws than the GDPR technically requires, which could make something illegal in one EU country but not all the others.
Also, enforcement may be very inconsistent, since it is mostly left to each member state to handle.
EDIT: NVM, GDPR is a Regulation, not a Directive, so it's automatically law everywhere in Europe.
> The safest solution is to use an analytics provider that keeps data on your own infrastructure.
People don't want to run their own infrastructure anymore. Everything outside of their own business differentiator they want to outsource. Whether they "should" do it is debatable and a long conversation with context like business value, cost effectiveness, velocity, and other non-technical things as part of the conversation.
This would be a great advertising moment for an EU based analytics provider. A SaaS.
There are many alternatives. Some are purely EU enterprises, some use hosting by US entities. But it appears that more than ever, there is a lot to choose from.
Just search in your search engine of choice and you will find plenty. Lots of comparisons online. Some are more, some are less complete or accurate. With the advent of affiliate marketing among vendors, the reviews start resembling the VPN market.
Not listing anything specific. My company has a product in this space, but I will spare you self-promotion.
How do they decide to pick what towns to show in maps like this? Aberdeen is neither the capital nor the largest town in Scotland and anyway is smaller than Cardiff, which is the capital and largest town in Wales. Republic of Ireland doesn't get a single town but NI gets Belfast? There has to be a reasonable explanation, surely?
Welp. Technically yes, everywhere, and it has been that way since the GDPR.
Practically this is the number one reason for our nice "attention, do not resist, we are using cookies on your electronic machinery" popups.
For quite a few sites it's the only cookie you actually accept.
It's a s**t show really. Every single client ever now needs to have a cookie popup because Google is going to punish you in your rankings if you do not use their integrations too.
And if you do use their integrations... you need a popup.... and don't even get me started about "legitimate interest".
But this is the way... I opt out as much as I can and block through the router as well as uBlock.
The most interesting thing that I noticed is that if you block third party cookies in Safari on your phone, some sites will show you a blank screen. Timescale does this (I have reported this as a bug a month ago but never received feedback).
It's an amazing feature by now:
- the page loads and you can see the content
- the page tries to show you the cookie popup
- since I don't have any cookies allowed, the script will just completely blank out my page
Welp. Welcome to the future. It's not necessarily better, but I can see them all now, which I guess is at least a step in the right direction.
> For quite a few sites its the only cookie you actually accept.
If true, they don't need to show the popup.
> google is going to punish you in your rankings if you do not use their integrations too.
If you have evidence of this it would be the basis of a massive antitrust case. (I'm not disagreeing and would not be too surprised, but - real evidence is thin unless you include the AMP carousel which is not technically part of "rankings".)
> Every single client ever now needs to have a cookie popup because google is going to punish you in your rankings if you do not use their integrations too.
Nice to see something happening in the GDPR compliance areas, because well over 90% of cookie banners are noncompliant with GDPR because they don't give "allow" and "reject" equal prominence (or they load cookies before you click accept).
For example, OneTrust gets it right on their website, but I have never seen a client of theirs get it right. So either OneTrust doesn't use their own software, or all their clients are specifically configuring it in a non-compliant way.
I have yet to hear of any general enforcement of this, despite noyb.eu's reporting of hundreds of websites to regulators.
I don't understand how sending analytics data to your own host is supposed to solve the legal problem here. Do the GDPR requirements not apply in that case?
And how is anyone supposed to build any kind of global data dashboard now? Do you have to have separate sites for EU analytics data vs the rest of the world? How do you do statistics to see where your visitors come from? How much time visitors from which countries, languages, etc., spend on your sites?
They are listing PostHog as a valid alternative that would be GDPR-friendly, but as per their terms of use PostHog is based in the US and they would be bound by the same CLOUD Act as Google Analytics.
We have the Schrems II ruling that made some countries think they could not use services like Cloudflare and Azure. Still, Cloudflare and Azure are widely used within the EU. (Germany is an outcast.) One should as always be transparent about what data is collected. From the GA projects I've been involved in (in the EU), GDPR has never been a concern.
Firebase client libraries silently import and enable Google Analytics in apps [0]. Then your app silently sends a lot of user behavior data to Google [1].
Android apps which use push notifications must use the Firebase Cloud Messaging library. I think many app developers don't realize that adding that library also adds and enables analytics.
For example, adding the `firebase_messaging` module [2] to a Flutter app causes the Android build to import [3] the `com.google.firebase:firebase-bom` Java dep which includes `firebase-analytics` [4]. Once the Java library is included in the build, it starts working automatically [0].
To disable Google Analytics in an app:
* Firebase > Docs > Engage > Configure Analytics Data Collection and Usage [5]
GDPR has gone too far. Privacy yes. Encryption yes. Data portability yes. Permissionless selling of personal data no. But the rules are nonsensical at this point.
I just got off a zoom call with the cofounder of simpleanalytics.com. Humble, worked with my startup on pricing options, and cares a lot about privacy which was the reason why I set up the call.
Shame on PostHog for this. You can do better than PostHog.
Your connection is not private
Attackers might be trying to steal your information from isgoogleanalyticsillegal.com (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
For me, the cert has a fingerprint of
8C:5A:9F:E3:03:A2:C5:31:0D:42:C0:AF:41:E6:61:48:8A:C4:EF:91:CD:41:83:90:D1:86:AF:DA:47:47:00:16
signed by
67:AD:D1:16:6B:02:0A:E6:1B:8F:5F:C9:68:13:C0:4C:2A:A5:89:96:07:96:86:55:72:A3:C7:E7:37:61:3D:FD
signed by
96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
and gets accepted.
PS: What adds salt to injury is that you're using Google Fonts on this website. If you were privacy-conscious, you'd self-host at least. Read here: https://developers.google.com/fonts/faq?hl=en#what_does_usin...