I recently removed Google Analytics from my websites and set up the self-hosted umami (https://umami.is/) analytics. One of the best things about it is how fast it opens, while GA is so laggy.
Is there something like umami, except it does collect valuable data about users? I would actually like self hosted analytics so that it's on my domain and effectively not blockable, and also to know valuable insights about them.
An important question to ask yourself: _what_ insights?
Want to know which of your pages are popular? Server logs will tell you that.
Want to know how the users move across your website? Server logs can tell you that, albeit in a limited fashion.
Want to know where your users come from? Server logs.
For more advanced use-cases, you may need JavaScript on the frontend (which you can serve from your own domain, making it harder to block, but still needing to be GDPR compliant, if you serve to GDPR-affected users).
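The three uses of server logs named in the comment above (popular pages, limited on-site movement, traffic sources), as an added example that is not part of the original thread. It assumes the common "combined" access-log format; the log lines, the host `example.org` and the `/static/` prefix are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in "combined" log format (hypothetical site example.org).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://news.ycombinator.com/" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2022:10:00:09 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://example.org/" "Mozilla/5.0"
198.51.100.23 - - [21/Sep/2022:10:01:30 +0000] "GET /blog/ga-alternatives HTTP/1.1" 200 9000 "https://www.google.com/" "Mozilla/5.0"
198.51.100.23 - - [21/Sep/2022:10:02:02 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://example.org/blog/ga-alternatives" "Mozilla/5.0"
192.0.2.55 - - [21/Sep/2022:10:03:00 +0000] "GET /pricing?utm=x HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Sep/2022:10:03:01 +0000] "GET /static/app.css HTTP/1.1" 200 300 "https://example.org/pricing" "Mozilla/5.0"
192.0.2.56 - - [21/Sep/2022:10:04:00 +0000] "GET /missing HTTP/1.1" 404 150 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)


def summarize(log_text, site_host="example.org"):
    """Return (pages, sources, moves) counters built from access-log text.

    The client IP is matched but never captured or stored, so the
    aggregates contain no per-visitor identifier.
    """
    pages, sources, moves = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Count only successful page views; skip errors and malformed lines.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = urlsplit(m["target"]).path  # drop the query string
        if path.startswith("/static/"):    # assets are not page views
            continue
        pages[path] += 1
        ref = urlsplit(m["referer"]) if m["referer"] != "-" else None
        if ref is None or not ref.hostname:
            sources["(direct)"] += 1
        elif ref.hostname == site_host:
            # Same-site Referer: one observed step from page to page.
            moves[(ref.path or "/", path)] += 1
        else:
            sources[ref.hostname] += 1
    return pages, sources, moves


if __name__ == "__main__":
    pages, sources, moves = summarize(SAMPLE_LOG)
    print("Popular pages:", pages.most_common(3))
    print("Traffic sources:", sources.most_common())
    print("On-site moves:", moves.most_common())
```

The on-site movement view depends on browsers sending a Referer header, which is why it stays "limited": requests with a stripped or missing Referer are counted as direct visits.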
Google Analytics is outclassed by many other tools, but it has two features that make it essential (along with its brethren, Google Ads tracking) for most enterprises.
One is the Search Console integration, which is the only way to see what Google search queries led people to your site.
The second is Google Ads conversion tracking and remarketing, which is de facto required to advertise with Google because it can easily 10x your Return On Advertising Spend, which is a key metric for digital marketing teams.
Without those two features, Google Analytics would be easy to drop. Many big companies already have other first- or third-party analytics tools they prefer.
Search Console is reporting how many Google searches have resulted in page impressions or clicks to your site, with what ranking on the respective search query (keywords/phrase) etc.; works without GA.
How can that be if companies don't get a good ROI from online advertising? So that means you need to get Google Adwords in order not to waste practically all your ad spend?
Some yes, some not. I'm using https://umami.is/ that is free (but I’m hosting it on a DigitalOcean VPS for a few $/month). Better than paying a fine for using Google Analytics.
If there is some value in analytics, then paying for it shouldn’t be a problem. If the amount you are willing to pay is zero, then the value is so low that collecting the data probably doesn’t make any sense.
And for those that don't want to dive in to VPS/Dedis there are services like PikaPods[1] that spin up services for a good price. I've been running a Matomo instance for a couple months and didn't have to do any backend command line stuff
On some apps they also give a percentage back to the developer so you'd be supporting them.
Actually there's a broad spectrum of alternatives out there covering different bits of functionality. GA4 particularly is a much broader product than the original Google Analytics.
Yea but most of us only need a very basic feature set. Therefore all these other competitors you say aren't actual competitors are competing and taking users away from Google.
I keep seeing these and wondering why Google isn't doing anything about this. Surely it should at the very least tell Google Analytics users based out of the EU that they need to stop using its services? Isn't Google in hot water here for not doing this?
Google's position (https://blog.google/around-the-globe/google-europe/its-time-...), which broadly aligns with my own understanding of the situation, is that this is a proxy battle and the only real solution is to negotiate a new EU-US privacy shield. The premise of these decisions isn't that Google itself has any known privacy or security issues, but that any servers which are physically located in the US can't be trusted under EU privacy laws.
The GDPR doesn't require that foreign law enforcement agencies should never be allowed to access personal data. There just have to be equivalent legal protections to what a EU citizen would get from their local law enforcement agencies. There are already a solid handful of countries (https://gdpr-info.eu/issues/third-countries/) where data transfer is considered secure and I don't see any reason it should be impossible to negotiate a US return to the list.
The more people that actually use GA, the less bad it will be. If everybody does it, it becomes de facto legal, and makes it clear how little authority the Danish government has.
Laws that aren't enforced, or that have little bite, aren't really laws.
I removed GA from all my websites a few months ago. It didn't provide any interesting information anyway. I actually get better data with Webalizer and a couple of custom scripts.
People were naive to think the Internet would exist outside sovereign borders. The law is catching up to regulating what is, ultimately, just another communications medium.
Just like international phone calls, don't expect the Internet to solely operate in a border, but do expect nations to care what traverses the boundaries.
Segregation is the easiest path here, similar to how centralization is simpler than a peer-to-peer system. But it's just an incentive among the many, so there's no reason to reach that extreme. For example with GDPR, some American news sites just flat-out deny serving the pages to European IPs, but not all of them - many show a different presentation (like NPR), or otherwise tailor the website to make it compliant.
Seriously, in terms of a 'segregated' network, we already see giant walled gardens and their pseudo-kin everywhere, and web3's sole focus seems on monetization of anything online, which won't help that one iota.
It is inevitable. The only question is to what ends. EU is very focused on a maximalist vision of privacy. US is focused on security with a touch of woke censorship. China couldn’t care less about privacy but is obsessed about keeping out foreign influence and heavily censoring cultural and political content.
> US is focused on security with a touch of woke censorship.
The US couldn't care less about security. Their approach is "we buy and sell your data and if you are in the US the government can use any and all data at any point for any reason".
European view isn't maximalist in the least. Europe, thankfully, still remembers lessons learned from data exposure to Stasi police.
Hopefully European VPN providers can capitalize on this. Even if it is just a tiny boost to the local economy, always nice when a populace is rewarded for selecting reasonable politicians.
For those who need a summary of what is happening in the EU [1]
1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]
2. Google said it was okay in the EU to use anonymized IP addresses
3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.
4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]
5. In February 2022 The Data Protection Authority of France (CNIL) followed [5]
6. In June 2022 the Data Protection Authority of Italy (Garante) followed [6]
7. Now, September 2022, Denmark – after already banning Google Workspace for municipalities [7] – considers Google Analytics unlawful as well [8]
This is a sound decision, but not a new one. It's a confirmation of what was ruled in July 2020, but now it seems to have more impact.
PS: I'm the founder of Simple Analytics [9] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.
Thanks for your summary! I, for one, needed it. Can you comment on why the DSB found that anonymized IP addresses are personal data (3rd point)? Is it because the anonymization is too weak?
Edit: seems GA only masks the last octet of an IPv4 address.
See the PDF from Google as a response to Austrian DPA [1]. See heading "Technical and Organizational Measures" on page 23 and "Optional Technical Measure" on page 26.
You can find more in the NOYB blog post [2]. NOYB is the organization that initiated the complaints towards Google (Analytics).
> While Google has made submissions claiming that it has implemented "Technical and Organizational Measures" ("TOMs") [1], which included ideas like having fences around data centers, reviewing requests or having baseline encryption, the DSB has rejected these measures as absolutely useless when it comes to US surveillance (page 38 and 39 of the decision):
> "With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations."
> "Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."
> Max Schrems: "This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."
Wow, nice overview! This is worthy of a submission of its own (perhaps in prose with the links inlined), this shouldn't be at the bottom of some other thread.
GA4 seems to be a big shot in the foot too. I’m sure it’s powerful, but by default it doesn’t show me what I need to know.
The old GA did.
And now I’ve moved to paid, but basic products (Plausible) which do show me those important details, instantly. Traffic trends, sources, referrers, goals.
The right to privacy isn't just about the potential for harm. I wouldn't want a stranger watching me have sex, even if they were a completely passive observer.
We know from scandals and leaks that Google has access to citizens' sensitive data from multiple nations, with privileged access that handles medical, military, political, commercial, and legal information.
Like the whole privacy ship has sailed. The mark of the beast has been deeply imprinted. Tattooed on the forehead, like slaves in Ancient Rome. It doesn't mean we're all fucked. On the contrary. Game has changed. Poker into chess.
And you know why they hold that much power? Nobody else made a search engine worth a fuck. That's it. Secondly, integrity. Google actually debugs. Meaning until there's no bugs left. I've seen bugs in everything except Google's software, mostly, don't accuse bugs but can't vouch they have none, either. Makes perfect sense their use of Yubikey led to no account compromises among like 100000 accounts, that and the bug-free software are the fruits of integrity. I mean I'm sure I've seen bugs in Google's software but I don't remember them off the top of my head, unlike Apple since like 2021, whom else, well the whole Solarwinds bitch story, American second-tier tech getting fucked wholesale. What happened to "don't share needles"? Everybody is sharing one needle. That needle is the internet. Like if you must share it like burn the tip very carefully with a lighter and pump drano through it. So that's what Google did. And they're doing it as a public service basically, like not exactly but pretty much, today at least I do buy their argument that it's free so it's not harmful to the consumer. But other days I know it hurts businesses, and everybody gets their money from businesses or taxes on businesses, so harm to business is harm to the consumers who earn their money from that business ultimately.
We probably won't find out until decades after, when it comes out that the reason someone was denied entry to the US or got their bank account frozen was because a US agency incorrectly identified them based on some data that they secretly pulled out of Google Analytics.
Do you think Google has ever been served a court order requiring them to share information on a user and not inform the user? If so, then probably some people have been harmed.
That doesn't follow, and it seems doubtful whether it ever happened.
Google has received court orders about other user data like Gmail, but have they ever gotten a court order about Google Analytics? That data isn't associated with Google accounts, and I doubt law enforcement would know what to ask for.
> This has been particularly relevant as Google, following the first Austrian decision, has begun to provide additional settings in relation to what data can be collected by the tool. However, our conclusion is that the tool cannot, without more, be used lawfully.
Even though Google has branches in Europe, again the website owners will get in legal trouble and not Google for offering a product which cannot be used legally.
Is there any other industry where the client is responsible for making sure the service or product is legal and not the producer?
It's easy to buy car parts online that are illegal for road use. Same concept applies - you can build whatever kind of car, or website, you want. But there are rules about how that car or website must be used when around the general public.
They don’t have to advertise that they are legal for road use to sell them to people intending to use them on the road. Another example: a number of e-bike suppliers sell parts that are explicitly described as not road-legal. People may buy them precisely because they are advertised as being faster or more powerful than what is sold in retail stores.
> a number of e-bike suppliers sell parts that are explicitly described as not road-legal.
That's fair play. The user knows exactly that he is breaking the law, and he can be punished. Google advertises Analytics for online-shops, websites etc. Cases in which the product can't be used legally and the user doesn't know it.
The website owner is the end user of Analytics, but even if not: Why should the distinction matter?
For example: I'm also responsible for my car but if it's (by design) not road legal, why should I be responsible to be sure of that and not the carmaker?
Idk where you live, but I'm responsible for making sure that my car stays road legal. And I would be responsible to make sure it was from the start if I had built it myself winkwink
In the UK, if you want to use a vehicle on the roads it's your responsibility to get it taxed and insured and so on. In the process of doing that you'll find out whether it's legally usable on the roads.
There are various kinds of agricultural, recreational and construction vehicle that can't be driven on the roads: you put them on a trailer for moving them from site to site.
You are missing my point, or I'm unable to convey it: If your brand-new car comes with a by design defective (and illegal) airbag or a by design frame which breaks after a few hundred miles and this results in a death, you won't be responsible. You also are not responsible to check whether your car was designed to legal norms and standards. If it's sold to you as road legal you can expect it to be road legal.
As far as I know they never explicitly say that - they give you all the details you need to make the determination yourself, but never explicitly give you the answer.
I don't think that distinction legally matters (in Europe). Every product or service in Europe has to "ensure that your products meet the EU requirements to protect human and animal health, the environment and consumers rights." [1]. This means every consumer buying a product in Europe (from a European entity) can assume that the product or service is legal.
There's nothing wrong with Google allowing a website to use GA. The problem only arises if that website then serves end-user traffic to EU citizens. Many European websites may choose to only use GA if the traffic is coming from outside the EU.
> Is there any other industry where the client is responsible for making sure the service or product is legal and not the producer?
Pretty much all of them? Let's say you buy a humble walkie-talkie. It is your responsibility to operate it in regions where the specific RF bands it uses are legal.
No, that's not true, if you buy a walkie-talkie, the seller has all kinds of obligations to ensure that it follows the requirements.
Radio devices are a good example where it is in fact illegal to make, sell or import transmitters that do not conform to permitted RF bands.
IIRC in USA there is an exemption in FCC rules if you're importing a device for personal use by e.g. buying it online from abroad (and then you're responsible to use it properly), but if you'd want to resell that device, you can't just transfer the liability to the user, you are responsible for ensuring that the transmitter follows FCC rules.
Not true - you can easily buy unlocked Baofeng radios in EU and nobody cares. FCC cared because American manufacturers couldn’t really compete on market terms.
The fact that nobody cares is a lack of enforcement (and exemptions for import for personal use) due to low priority, but it does not mean that it is legal to sell unlocked/unrestricted walkie-talkies in EU - it is not, at least not in all EU countries.
For example, last year there was an explicit prohibition on sales of Baofeng UV-5R in Germany (https://www.bnetza-amtsblatt.de/download/72) and Poland and probably other countries due to out of band emissions causing radio interference.
And you as a customer are clearly informed about such limitations. No walkie-talkie would advertise themselves as free to use anywhere. Also, no walkie-talkie sold which by design uses the wrong frequencies would be allowed and would make the user liable and not the producer.
> Is there any other industry where the client is responsible for making sure the service or product is legal and not the producer?
Let's remember, for context, that the EU is saying that the US is an "unsafe" third party country. While this is certainly true under a given definition of safe/unsafe, I doubt (m)any European citizens can point to harm as a direct result of their data being subpoenaed under the US CLOUD act. I am not saying there isn't a real problem but as I mentioned in another comment, the US and EU have agreed "in principle" on a third privacy shield to satisfy concerns on both sides and we are now waiting for it to be codified and tested in courts.
ECJ has declared "Privacy shield" as well as "Safe Harbor" null and void, since those were merely agreements, which were never codified into actual law. So I don't think there will be any new court decisions regarding those.
I also don't think most Europeans are really worried about US government intrusions into their privacy, though I don't know the legal implications the CLOUD act would have in this context. Honestly, I think anybody takes US government intrusions for granted after the Snowden leaks. It's the companies people are worried about. Facebook, Google have a scary amount of power and lack of oversight.
You can use google analytics legally in all of these areas that have deemed it illegal, because they're just saying it is illegal for common public-facing internet usage. You can still use google analytics for, say, corporate intranet sites in Denmark if you'd like.
Sure, but that is not what Google is advertising, and it should be Google's responsibility to inform users about that.
Exaggerated example: If I would buy a car which by design isn't road legal, and this design flaw would cause an accident killing someone. Normally the carmaker would be responsible. The carmaker couldn't say, well technically, it's only for use in your backyard, but you have to be a lawyer to know that, and our advertising isn't reflecting that at all. Somehow, Google gets away with such logic.
I doubt you can. If the data collection is illegal under the GDPR (or its incarnation under Danish law), then it won’t help if you don’t use it in a public facing context. The GDPR doesn’t make any difference between subjects that are employed by the entity collecting the data and others.
The issue is whether US law enforcement has unrestricted access to the data. They are considered to have unrestricted access to any data on Google's servers (even their EU servers). But if re-identification requires a piece of data which only lives outside of US jurisdiction, and accessing that data requires going through appropriate channels, then the data is considered safeguarded.
No, the specific problem is that Americans can't comply with GDPR because they are American.
This will be the state of EU law until America either repeals the CLOUD Act and shuts down the NSA, or copypastes GDPR into local law. I would prefer either to be honest.
The CLOUD act is one thing, but Section 702 of the Foreign Intelligence Surveillance Act is a far bigger problem. Allowing the FBI, CIA and NSA full access to all data regarding every non-American without a warrant required on every US internet service is a massive breach of privacy, and will always be a GDPR breach.
I'm not sure this is correct. The EU and US agreed "in principle" on a new privacy shield in the spring of this year [0]. Maybe third time is the charm? (I think this is the third attempt.)