Yup. The Illegal Analytics Scanner is deployed to Germany. We then load the website, observe the pixels loaded, run the IP returned through an IP lookup, and see who controls the server. If it's a US cloud provider, it's not lawful in the EU.
That if they're processing EU website visitor traffic, they're in violation of the Schrems II ruling, and violating the GDPR. Very messy situation right now.
The Schrems II ruling occurred back in 2020. Max Schrems & noyb have filed 101 complaints, and we're now going to see DPAs make decisions (meaning the ruling is enforced). What's new now is that a DPA has actually made a decision against Google Analytics (and US cloud providers).
Non-US companies must use EU-owned servers (not just EU servers controlled by AWS, DigitalOcean) to process EU data subject traffic. If they don't, they're in violation of Schrems II, which makes them in violation of the GDPR.
This summary makes it sound like a protectionist measure but that is not the design. The issue is just the US overreach in that the US expects any company to provide any data it holds, even if that data is stored outside the US, owned by a subsidiary, etc. EU (or Canadian, Russian, Kenyan, ...) data is simply not safe from US security services' reach if it is stored by a company subject to CLOUD. The court decision is only a consequence of this overreach and the EU's sovereign right and attempt to protect its citizens.
This is even more relevant as US data protection seems to only apply to US subjects - so an American using an EU service using a US host would be protected by US law (in theory, though likely not in practice), while an EU citizen using the same EU service is not protected by US law.
Is there a specific ruling or case that says AWS as a provider, regardless of where the actual data processing happens, is prohibited, that you can point me to?
I'm confused. Open up Plausible, look for /event in your inspect element (devtools in chrome), look at the IP address that it connects to. Run that IP through ipinfo.io and see which country comes up. If it's the US, it's illegal (as per this entire thread).
What's childish about me not wanting people to potentially get fined?
Yes, I just checked it. It is a testing environment deployed on Cloudflare Workers. What's the problem here exactly? It is the same exact script using the same exact tech behind Plausible.
At what point exactly are they going to get fined? I don't understand so I would love to know, so as long as you actually manage to answer with somewhat of a technical depth.
Maybe you should do one of those "Fathom vs Plausible" pages on your website, then point out that Plausible is using a testing environment and because of that they will be fined.
Sure, happy to explain further. You have found the testing /event but there is another (make sure your ad-blockers are off).
I've put together the details here in an image, so it's easy to follow (https://imgur.com/a/9wEanqD). Hope that explains what I'm talking about.
Sending data from the EU to US-controlled cloud infrastructure is illegal. Please read the noyb article again, read the Schrems II ruling and read the EDPB's advice.
But Plausible doesn't send its data to US-controlled cloud infrastructure? By the looks of it, they're using a self-hosted testing environment through a CDN.
This is unique to Plausible itself and not the services they provide for their customers.
Why do you insinuate misbehavior from a competitive company when you don't have actual proof?
You have the URL of a CDN network that is hosted in the US. What you don't have is the proof of this data being stored in the US. Because it is not. Their FAQ pages clearly state that none of the data is ever stored outside of EU.
Last but not least, you entirely missed my point. Plausible is an extremely successful business, do you really believe they would risk their reputation / livelihood without understanding Schrems II or otherwise?
I honestly have nothing else to say mate. But good luck with Fathom. I am sure it will be a great success.
Yes they do. It's not just about data being stored, it's data processing as a whole. You cannot casually pass EU data subject Personal Data to US-controlled infrastructure.
Your website visitors' Personal Data is processed on US-controlled cloud providers. I've provided evidence that folks reading this need to be careful when choosing analytics software, and I'll leave it at that. I hope to see Plausible move to an EU Isolation approach which doesn't involve US cloud providers.
You have not provided a single ounce of technical proof that Plausible processes their customer data in the US. Furthermore, you have somehow managed to overlook the fact that Plausible does Cookieless tracking without actually tracking any "Personal Data" signals.
I wonder what Paul thinks of your attempts to fear monger people into thinking your crappy product is superior to an open-source alternative.
But hey man, good luck with Fathom. It will be a great success.
I have no skin in this game, but Jack clearly demonstrated that data is passing through servers that are controlled by US-owned entities - namely Cloudflare and Digital Ocean ... what am I missing?
Just posted this thread to a friend and they said I wasn't being 100% clear, so I apologize. I'll clear things up.
Using EU servers that are owned by a US company (e.g. AWS deployed in the EU, DigitalOcean deployed in the EU) is a violation of the Schrems II ruling. The way you check this is by looking at the IP addresses the analytics software is using, seeing where they're located and who they're owned by. You can then run that IP in ipinfo.io to get information about who controls that IP. If it's a US cloud provider, regardless of server location, it's a GDPR violation.
The English translation of the ruling can be found here. They go into detail within the rulings about the transfer of Personal Data (IP & User Agent) to servers that cannot be protected from US surveillance laws: https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...
"This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."
- Max Schrems
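The check described in the comment above (capture the requests a page makes, resolve each server IP to its controlling organisation, and flag by owner rather than by location), written out as an added example that is not part of this thread. It assumes a HAR export from browser devtools and an ipinfo-style lookup; the HAR entries and the lookup table below are constructed stand-ins, and the set of organisations treated as US-controlled is the site operator's own policy input, not something the code determines.

```python
from urllib.parse import urlparse
# Constructed sample of HAR entries (what "Save all as HAR" in devtools exports).
HAR_ENTRIES = [
    {"request": {"url": "https://example-site.test/"}, "serverIPAddress": "203.0.113.10"},
    {"request": {"url": "https://stats.example-site.test/js/script.js"}, "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "https://stats.example-site.test/api/event"}, "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "https://cdn.example-cdn.test/analytics.js"}, "serverIPAddress": "192.0.2.44"},
]

# Constructed stand-in for ipinfo.io responses (real: GET https://ipinfo.io/<ip>/json; "org" reads "AS<nnn> <name>").
IPINFO_SAMPLE = {
    "203.0.113.10": {"country": "DE", "org": "AS64500 Example Hosting GmbH"},
    "198.51.100.7": {"country": "DE", "org": "AS64501 Example US Cloud, Inc."},
    "192.0.2.44": {"country": "NL", "org": "AS64502 Example CDN, Inc."},
}

# Policy input, assumed here: organisations the site operator treats as US-controlled.
US_CONTROLLED = {"Example US Cloud, Inc.", "Example CDN, Inc."}


def org_name(ipinfo_org):
    """Drop the leading 'AS<nnn> ' prefix ipinfo puts in front of the org name."""
    asn, _, name = ipinfo_org.partition(" ")
    return name if asn.startswith("AS") and name else ipinfo_org


def audit_endpoints(entries, lookup, us_controlled):
    """One record per distinct host: IP, country, controlling org, and a flag."""
    report = {}
    for entry in entries:
        host = urlparse(entry["request"]["url"]).hostname
        ip = entry.get("serverIPAddress")
        if not host or not ip or host in report:
            continue
        info = lookup.get(ip, {})
        org = org_name(info.get("org", "unknown"))
        report[host] = {
            "ip": ip,
            "country": info.get("country", "??"),
            "org": org,
            # The flag keys on who controls the IP, not where the server sits:
            # an EU-located server run by a US provider is still flagged.
            "flag_us_controlled": org in us_controlled,
        }
    return report


if __name__ == "__main__":
    for host, rec in audit_endpoints(HAR_ENTRIES, IPINFO_SAMPLE, US_CONTROLLED).items():
        mark = "FLAG" if rec["flag_us_controlled"] else "ok"
        print(f"{mark:4} {host:28} {rec['ip']:14} {rec['country']} {rec['org']}")
```

Run it against your own site's HAR export and a live lookup to see every third-party host the page contacts, including ones an ad-blocker would otherwise hide from a casual devtools check.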
All site data plausible.io stores on behalf of the customers is hosted in Germany on servers owned by Hetzner, a European-owned company. Previously it was hosted by Digital Ocean in Germany but the move to Hetzner was made last year.
For our self-hosted version, you can install it with any cloud provider and in any country you wish. Even in the USA. That's the testing one we had on our site as we're testing the latest release of our self-hosted version on our own website. This has nothing to do with what our customers place on their sites.
Correct. That's absolutely right. I'm not 100% sure how my comment wasn't clear, but I will apologize to everyone if I confused them. Anyway, Plausible updated their analytics to use Bunny yesterday, which is a win for their customers. We wrote more about this solution back in 2021 (https://usefathom.com/blog/eu-isolation) after a lot of work. We spent a lot of time looking into possible options, the law, and are pleased that our innovation is going to help other companies.
You are correct. Fathom Analytics is the only globally distributed provider that offers EU Isolation (keeping EU data completely away from US cloud providers).
https://usefathom.com/features/eu-isolation
Love it, Aaron. I've always felt more confident using Laravel knowing that it's backed by a competent entrepreneur. These paid services ensure the longevity of Laravel. We've paid for Spark and Nova, and we have Vapor & Forge subscriptions.