incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: [WWW] Web analytics
Date Sat, 13 Aug 2011 12:55:21 GMT
On Sat, Aug 13, 2011 at 6:21 AM, Eike Rathke <ooo@erack.de> wrote:
> Hi Rob,
>
> On Friday, 2011-08-12 16:42:20 -0400, Rob Weir wrote:
>
>> > The big difference is that with Piwik the data collected stays inhouse
>> > at Apache, whereas with Google it goes to Google that does whatever you
>> > don't know. This again implies that at Apache measures must be taken to
>> > protect the privacy of collected data. The German "Landeszentrum für
>> > Datenschutz Schleswig-Holstein" (center of data protection) has a few
>> > documents about tracking [1], unfortunately only in German, why Google
>> > Analytics doesn't comply with the German data protection law [2] and how
>> > Piwik can be configured to be used in compliance with the law [3].
>> >
>>
>> Does this law matter if the servers are hosted in the US, not in
>> Germany?  (I'm assuming that the Apache servers are in the US).
>
> No, but given that German data protection law is probably one of the
> more strict, setting up an environment that fulfills those requirements
> seems to be a good approach to me.
>

My understanding is that there were two issues raised by regulators:

1) Google stores IP addresses of visitors.  It does not make the IP
addresses available to users of Google Analytics, but stores them
itself.  This has been interpreted by one regulator as violating a
ban on storing personally identifying information beyond the duration
of a session.  The interpretation is that an IP address is personally
identifying information.

The odd thing here is that it appears to be ignoring the state of the
art, which is that other information, excluding IP address, is
actually more accurate in tracking users, e.g., "fingerprinting" them
via their browser settings, fonts, etc.  See:
https://panopticlick.eff.org/  In other words, it is the correlation
of basic common facts that makes the user identifiable.  It doesn't
require a single unique piece of data.

2) Google has an opt-out browser plugin, but it is not available for
Opera or Safari.

>> Storing the data ourselves is a double-edged sword.  If we store it,
>> then we are responsible for any problems with that data.
>
> Yes. And configuring Piwik the way described there it does not store
> personally identifiable data.
>

If we think Piwik addresses the IP address and the opt-out issues,
then that sounds like a good solution.  If we think Piwik is well
maintained, etc. I have no objections to Piwik.

>> Google states what they can do with the data, but it is rather broad,
>> as you know.
>
> Yes, but we shouldn't discuss that here. All I said was there is an
> alternative that doesn't store personally identifiable data and also
> doesn't give it away to someone else to process.
>
>  Eike
>
> --
>  PGP/OpenPGP/GnuPG encrypted mail preferred in all private communication.
>  Key ID: 0x293C05FD - 997A 4C60 CE41 0149 0DB3  9E96 2F1A D073 293C 05FD
>

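An added illustration of the fingerprinting point in the message above (not part of the original e-mail, and not Panopticlick's code): over a constructed set of visitor records that contain no IP address, it measures how identifying each attribute is alone and how identifying the attributes are in combination. The attribute names and values are assumptions chosen for the example.

```python
import math
from collections import Counter
from itertools import product

ATTRS = ("user_agent", "timezone", "screen")  # assumed attributes; no IP address stored

# Constructed sample: every single value is shared by at least four visitors.
VISITORS = [dict(zip(ATTRS, combo)) for combo in product(
    ("Firefox/5.0", "Chrome/13.0"), ("UTC+1", "UTC-5"), ("1280x800", "1024x768"))]
VISITORS += [dict(VISITORS[0]), dict(VISITORS[0])]  # three visitors with identical settings


def anonymity_sets(records, attrs):
    """Count how many visitors share each combined value of `attrs`."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def unique_fraction(records, attrs):
    """Fraction of visitors whose combined value is shared with nobody else."""
    sets = anonymity_sets(records, attrs)
    return sum(1 for size in sets.values() if size == 1) / len(records)


def surprisal_bits(records, attrs, visitor):
    """Identifying information, in bits, carried by this visitor's combined value."""
    sets = anonymity_sets(records, attrs)
    return math.log2(len(records) / sets[tuple(visitor[a] for a in attrs)])


if __name__ == "__main__":
    for a in ATTRS:
        print(f"{a:10s} alone: {unique_fraction(VISITORS, [a]):.0%} unique")
    print(f"combined        : {unique_fraction(VISITORS, ATTRS):.0%} unique")
    bits = surprisal_bits(VISITORS, ATTRS, VISITORS[7])
    print(f"bits carried by one unique visitor: {bits:.2f}")
```

No attribute singles out anyone on its own, yet seven of the ten constructed visitors are unique once the three common facts are correlated, which is why dropping the IP address alone does not make stored analytics records anonymous.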