"makes Google Analytics almost illegal" is an editorialized (biased) title and that's not what the linked article says. Just because use of a product is determined to contravene a country's law doesn't mean that the product itself is made illegal; it can be adapted to be compliant instead.
Speaking of adapting the product, the article explicitly states:
"Is it possible to set the Google Analytics tool so that personal data is not transferred outside the European Union?"
"No."
So right now it is practically impossible to use Google Analytics in a legal way in France.
Equally, it's a sorry indictment of our economic times that the meaning of unlawful has been hammered into an understanding that non-prohibition is permission. This aggressive and putative new use is refuted by every founding principle of the common law in Anglo-Saxon countries and most of the western world. See the argument of letter vs. spirit for effect.
Ed. cleared up phrasing around new use, replaced meaning with use for .. meaning.
> This aggressive and putative new use is refuted by every founding principle of the common law in Anglo-Saxon countries
Which founding principles, exactly? Your comment seems to imply you think we should live in a world where we are only allowed to pick our actions from an enumerated list of approved actions. That world is extremely contrary to the kind of world I would like to live in, but also seems to contradict most of what I know about the history of the western world. Is that really what you mean?
What OP is getting at is that the common law tradition isn't to explicitly spell out all the nuances of when that action is actually disallowed, but rather to set out the general principles, and let case law define the precise limits of that boundary. In contrast, the civil law tradition is very much based on statutory law explicitly setting the boundaries, and case law serving only to disambiguate.
The "aggressive and putative new use" they're referring to is basically taking common law's fuzzy boundaries and pushing a civil law interpretation on top where all the grey areas are assumed to be allowed.
That is exactly how things work. Unless the government goes through the effort of passing a law to prohibit something (and getting approval of the people's elected representatives, and the courts), then the thing is legal. How else do you propose things should work?
Those "pushing the boundaries" always end up using a similar logic. However, there's always going to be a large segment of society whose rules are based around non-financially-oriented methodologies, such as "morals", or directly from spiritual texts which disallow certain practices, or historical "customs". Such things are not "illegal" per se, but they are largely held as being reprehensible by a large number of people nevertheless and cause a large amount of friction within society.
Then there's the issue of marketing/propaganda (which the parent mentions as "hammered") whose sole purpose is to change people's minds in an emotional way. I wish people would learn about Edward Bernays, nephew of Freud, who instituted this. In and of itself, propaganda has never been illegal, but no one likes to admit to being emotionally manipulated. (But when you begin to pay attention to your emotions, you can spot this stuff from a mile away.)
I think what you are addressing is social convention and social norms, which are enforced by social sanctions only. However, while these are soft norms, laws are hard norms and are enforced by the legal system, which is an important difference. Therefore (however we may feel about this) something may be intuitively and morally wrong, but still perfectly legal. Still, this may be subject to social action, which may be what you are aiming at. This is what civil society is about.
Not sure what the stance being argued is. Should we require companies to run morality polls and submit to a pre-rollout court to determine the legality of new products that push the limits of human innovation?
Also, it's important to note that humans are actually quite bad at this sort of judgement. I'm sure if you showed everyone in Germany in 1980 a computer, and how it can instantly store and retrieve files and documents, and asked them 'is this moral?' they would be against it on the grounds that it would put hundreds of office workers out of a job.
That's not exactly how things work, though. Laws aren't deterministic like a computer program. They can be drafted broadly, poorly, incompletely, or simply not take into account things that didn't exist when the law was written.
It's the job of the judiciary to interpret the laws in these situations, and part of that is looking at the spirit of the law and creating case law which may alter the powers of government.
This is very much part of the Western tradition of common law, as is a vigorous discussion over how far the judiciary should be able to go. It's fair to say popular sentiment has drifted in a libertine direction over the last 50 years, but the debate is far from settled.
(In fact we can speculate with some reliability about what the future may hold: via one mechanism or another, including the judiciary, governments usually trend more libertine in times of peace and more authoritarian in times of crisis.)
How so? Amazon, Google and Microsoft need access to your unencrypted data in order to provide most of their services (such as databases, analytics, machine learning). There's not much they can do with encrypted data. They can store it. They can pass it through. That's it.
This problem has to be solved on a political level. There is no technical fix and the legal workarounds appear to be exhausted.
My RDS data is stored encrypted on disks with a private key AWS operators have no access to [1] (or at least that's what they tell you), and the application layer connection is controlled by a password transmitted over a TLS-only connection, whose private key - again - AWS has no access to.
You're decrypting data on Amazon's hardware using software provided by Amazon. Of course they can access your unencrypted data if they have to.
It comes down to the details of the legal obligation they have under U.S law. Are there limits to what they have to do to help U.S law enforcement, and what exactly are those limits?
The data in memory in that server is not encrypted. Amazon owning the server can log in it and read whatever part of the memory they want. I don't see how encrypting data at rest helps you in this scenario.
If GDPR makes all the cloud services provided by American companies illegal, what alternatives do European companies have? Services like OVH and Hetzner are great as a low-cost option, but they don't provide the same services at all.
How about Netsuite (Oracle), Netsuite, etc.?
My guess is that ~100% of European companies use some kind of US service and there are no realistic alternatives, are they going to rule all companies are doing something illegal?
Creating "competing"* services does not solve the problem of how Europeans can continue to use U.S. services if and when they (we) prefer to do so based on technical merit.
I don't think it's a good idea to let the world (and the internet) fragment into ever smaller jurisdictions that can no longer find a way to trade with each other.
We need a legal agreement to sort this out or everyone will be worse off.
* They wouldn't actually have to compete at all if U.S services were banned.
"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
No, opening a connection and exchanging IPs falls under "technically necessary" processing of personal data.
But from a legal point of view we, as a European company, are forbidden to use any US infrastructure provider. We can't ask for consent to transfer data to a US-based entity if our consent form itself is already hosted by a US-based entity. And even if we did find a solution, like hosting the main infrastructure with a European company and asking for consent for some later data transfer, we are most likely forbidden to transfer data to US-based entities at all.
This will change soon. From what I heard, work is underway to let national data protection offices handle cases without the Irish DPC or force the Irish DPC to work.
It depends how much credence you put in the standard contractual clauses (SCC) added by these companies after the privacy shield was ruled invalid by the EU.
The idea with the SCC is that instead of all data transfers being covered by a single adequacy decision, each company adds SCCs to its contracts with customers promising that data of EU citizens will be handled in a way that's compliant with GDPR.
Reading this piece from CNIL, I can't see how a US company is going to be able to use SCCs to protect EU citizens from data access by the US government. Non US citizens typically don't have a lot of rights in the eyes of the US gov and they've traditionally been pretty happy to rifle through the data of those people at will.
ed: the point by another commenter about using your own encryption key is a good one. However, the view of CNIL essentially seems to be that transferring any data to the US is risky so to me it feels like you'd be swimming against the tide.
Corporations such as google have legal and financial centers all over the world and these will be structured towards providing the best circumstances for the corporation (tax, legal).
On the other hand, don't all these corporations have data centers all over, that replicate data to provide a better service? Which is to say that pretty much most data is available to all legal jurisdictions. At least as I understand it..
The problem is that frameworks we have with the US keep being shot down by the EU judiciary. First Safe Harbor and now Privacy Shield. For good reason I might add.
IP addresses for starters, which are considered personal data under the GDPR.
Keep in mind that the mere transfer of the IP address (which is inherent in a TCP connection and cannot be avoided in the default setup without proxying it yourself) is enough, regardless of whether Google will actually store said IP or anonymize it (not that you should trust them in any case).
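The comment above leaves the site owner two technical options for the IP address: have the third party anonymize it after receipt (which does not prevent the transfer), or proxy the request yourself so the third party never sees the client's address. As an added example that is not code from the thread, from Google or from the CNIL, the snippet below sketches a first-party relay that truncates the client IP to a network prefix (/24 for IPv4, /48 for IPv6) and forwards only an allow-list of fields. The field names, the prefix lengths and the sample event are assumptions; whether such a relay satisfies the CNIL is a legal question the thread does not settle.

```javascript
// Added example (not code from the thread or from any vendor): a first-party
// relay that truncates the client IP and forwards only allow-listed fields.
// Prefix lengths (/24 for IPv4, /48 for IPv6) and the field names are assumptions.

// Fields of the client event the relay is willing to pass on.
// Everything else (cookies, user agent, raw IP, click IDs) is dropped.
const FORWARD_FIELDS = ["page", "event", "ts"];

// Truncate an IP address to a network prefix so the host part is never
// forwarded. Throws on malformed input rather than forwarding it as-is.
// IPv4-mapped IPv6 ("::ffff:1.2.3.4") is deliberately rejected here.
function truncateIp(ip) {
  if (ip.includes(":")) {
    // IPv6: expand a "::" gap to eight groups, keep the first three (48 bits).
    const parts = ip.split("::");
    if (parts.length > 2) throw new Error("malformed IPv6 address: " + ip);
    const [head, tail = ""] = parts;
    const h = head ? head.split(":") : [];
    const t = tail ? tail.split(":") : [];
    const missing = 8 - h.length - t.length;
    if (missing < 0) throw new Error("malformed IPv6 address: " + ip);
    const groups = [...h, ...Array(missing).fill("0"), ...t];
    if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
      throw new Error("malformed IPv6 address: " + ip);
    }
    return groups.slice(0, 3).join(":") + "::";
  }
  // IPv4: keep the first three octets, zero the last (a /24 prefix).
  const octets = ip.split(".");
  const ok = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!ok) throw new Error("malformed IPv4 address: " + ip);
  return octets.slice(0, 3).join(".") + ".0";
}

// Build the payload the relay sends upstream: allow-listed fields plus the
// truncated prefix, never the raw address. Returns a fresh object.
function buildForwardedEvent(clientEvent, clientIp) {
  const out = {};
  for (const f of FORWARD_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(clientEvent, f)) out[f] = clientEvent[f];
  }
  out.ip_prefix = truncateIp(clientIp);
  return out;
}

// Constructed sample request, as a web server handler would see it.
const sampleEvent = {
  page: "/pricing",
  event: "pageview",
  ts: 1700000000,
  user_agent: "Mozilla/5.0 (constructed)",
  cookie: "session=abc123",
};
console.log(buildForwardedEvent(sampleEvent, "203.0.113.77"));
```

The allow-list is the important part: a relay that forwards the whole request object unchanged only moves the transfer one hop. Note also that a /24 prefix still narrows location, as a later comment in this thread points out, so truncation is a pseudonymisation measure, not an exemption.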
They can be used to track and identify users by the police. Not by third parties, because ISPs won't give out identifying information to those.
That something could potentially be correlated across time and space to link different facts about you, does not or should not make those things personally identifying. Otherwise there's a lot of obvious problems e.g. if you were in the habit of wearing unusually distinctive clothing, or had an interesting bumper sticker on your car, etc, then all those things would become "personally identifying" even if nobody who saw them had any idea who you are. There are also deep moral limits to how blind you can insist other people become.
> That something could potentially be correlated across time and space to link different facts about you, does not or should not make those things personally identifying.
I think the rules are usually, though, that when those correlating things are put together into one system, then the combination of those things is in sum personally identifying. That can actually happen very quickly and in non-obvious ways. You might add something inconspicuous and suddenly that makes users unique and allows mapping in any theoretical way to real identities.
I think one also has to consider publicly available information sources. Just to make a silly example:
If there was some public register of favorite foods of people, and you asked your users about favorite foods, which you store in your database. Oops, it is personally identifying, because anyone with that data in hand could map it to identities using publicly available data.
However, I am not so sure that the publicly available data is considered for judging whether something is personally identifying information.
But, you can't map to "identities" in most of these cases. That's why these laws don't seem to make any sense. An identity is a powerful thing but, an IP address is not an identity. Just knowing one doesn't tell you anything, nor does it let you look anything up unless you happen to have multiple sites that the user is browsing - and even then, not really, due to IP address re-use.
The conversation was about correlations and not merely about one attribute like IP addresses.
An IP address limits the location of a person significantly, unless they use a VPN or similar, which most people do not, so it cannot be assumed; rather one must assume that they do not use a VPN.
Add one more attribute and through correlation you might already be able to map to an actual identity. It can happen very easily and you don't want to be an organization which suddenly realizes that some of their data has accidentally become personally identifying when the next data protection audit happens.
Data also does not stay in one place only. It travels from department to department, often from organization to organization even. It has these tendencies, unfortunately. Each actor might have some data as non personally identifying, but when they sell and combine, suddenly it becomes personally identifying data.
An IP address is a very critical part in the data about users and ISPs are not to be trusted to never give their data to another actor. Many ISPs are shady businesses.
The article also makes it pretty clear that it would be illegal (in the US) for Google to offer a version that is legal in the EU, barring some major technological and algorithmic breakthrough, or changes to the law.
I don't see there's a difference. Say they lowered the speed limit, making driving at current top speed illegal. You could say that speed's not illegal, it just needs modifying, but that would seem a strange point to make.
I think that's a strange way of arguing actually, you would say the speed is illegal and the car and driver behavior just needs modifying. Google analytics would by analogy be closer to a car that can go a certain speed.
But the question is if the law says that any car that can go that speed is no longer street legal, then it is a problem because it is probably difficult to modify the car. Just as there are structural issues about Google Analytics where GDPR is concerned that makes altering it really difficult if not impossible, and if you can't fix GA to make it legal it is de facto illegal.
A better analogy is if they decreased the weight limit of vehicles your license allows you to drive: you could say your SUV hasn't become illegal, it just needs modifying (that is, changing the bodywork and the wheels).
The product cannot be adapted as the concern is specifically that Google can be legally compelled to violate GDPR. Schrems II is very explicit that EU companies cannot send data to the US for as long as the US CLOUD Act is on the books.
"Banning Google Analytics" actually downplays it. Even Google Fonts is actually illegal now; and it will continue to be illegal until the US does the smart thing and copypastes GDPR into local law.
No. This part of the rules only applies to EU businesses. If an EU citizen deals with a US business, the US business still has to follow GDPR, but not the export rules. EU businesses do have to follow said rules.
Correct. Also note that IP addresses are counted as PII, so even sending an IP address (as required by any TCP/IP request) to a US-located or US-controlled server is illegal without getting consent beforehand.
I'm not sure that's how it works. A couple of things (IANAL):
1. I don't think ip address alone constitutes PII but needs to be combined with other data to be applicable
2. Even if it were, I would imagine it falls under article 6 provisions where the IP is required information to fulfill a contract, which in the case of HN as an example means delivering the web page to the browser
> 1. I don't think ip address alone constitutes PII but needs to be combined with other data to be applicable
According to courts just the IP is considered enough:
The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so.[1]
> even sending an IP address (as required by any TCP/IP request) to a US-located or US-controlled server is illegal
Nope. Having the IP for making a TCP/IP connection is a technical requirement, one of the exceptions of GDPR (this also applies to logging, etc., as long as you don't keep it forever)
Let's not make up requirements where they don't exist
That is not true. IP addresses are explicitly stated as personal data. That they are a technical requirement for a connection only has repercussions on how you are allowed to store and process this data and the consent you need to get from the user for your data processing.
You are not allowed to send IP addresses (even if they are a technical requirement for connection set up) to companies under US government control before you get full consent from the EU user.
The "technical requirement" exception (to process data without consent) only applies to GDPR-compliant data processors, which US companies can't be because of the Cloud Act.
There is a huge difference between using your IP address in the course of the technical implementation of the IP protocol and the subsequent logging and re-transmission of that address to others; effectively you are agreeing with the GP while starting your comment with 'that is not true'. It is true. And you confirmed it.
"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"
"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
Email can be personal information but does not have to be, and no, you don't have to register with an email at all for HN, that's just nonsense, and your own account is pretty much proof of this.
The US isn't going to copy and paste any foreign laws and codify them as US law. So it is likely the EU and US will have to forge a different path or the EU can ban everything.
I think it's quite clear by now that the US never codifies any laws that didn't originate nationally, not even if they are international accords or treaties. A US signature on an international treaty is basically worthless.
This details the changes Google Analytics users must make to be compliant. After making all these changes, is there any value left in using Google Analytics? Why bother? Honest questions.
Almost everything bar the absence of query parameters could be implemented in a useful privacy-conscious server-side GTM implementation, but without query parameters, none of the advertising integration works, which is the most important part for most businesses (demand generation through Google Ads, Facebook, etc).
There are any number of things you can have that are not technically illegal to acquire or possess per se, but would almost certainly be illegal to use in any expected capacity. I think it's reasonable to describe those as "almost illegal". Google Analytics is, apparently, in that category.
Considering that all uses of GA are illegal under GDPR except for a handful of specific derogations that do not constitute its main usages, an apt comparison would be heroin, which is illegal, except in a very few regulated cases.
The “similar way to these organisations” is because their ruling was in specific cases (this is just advice). If you read the previous paragraphs, it is obvious that the “similar way” is putting the Google Analytics scripts on a webpage.
When the CNIL makes a statement saying it is impossible to legally use Google Analytics a title like "Q&A on the CNIL's formal notices concerning the use of Google Analytics" is simply not going to cut it.
The fact that the title hasn't been edited even though the post is over 16 hours old seems to support the above hypothesis.
It's been known for years - and hardly takes a lawyer to understand - that sending user data to US-owned companies is illegal according to GDPR. The US laws are simply incompatible.
Yet everyone (including government entities) has been dragging their feet on and on, hoping for some divine intervention to help them continue using Google, Amazon and Microsoft. And those companies have kept the hopes high by incorrectly claiming to be GDPR compliant.
It's been embarrassing to witness how little willingness has been shown towards protecting user data. Especially compared to the amount of whining over how difficult it is to comply.
Hopefully these - very predictable - rulings will finally start to get the ball rolling.
I think it's because over 40% of EU business use the cloud[1] and 70% of those use AWS, Azure, or GCS.[2] Enforcing the law consistently would devastate tons of EU businesses as you would suddenly eliminate all of their tech infrastructure overnight with no real alternatives.
It is not possible to comply with this law as a small or even fairly large business if it prevents you from using the only viable major cloud services which are required for the operation of your business. Do you want the EU to delete the rest of their already behind tech industry?
Do these EU hosting companies also have servers available in other continents like North America? Could you operate a sufficiently global website from these hosting companies?
Do they have S3-style or Pub/Sub-style features or do you have to build those in-house or maintain something off-the-shelf?
If you're a small website maybe you can get by but if you get large you'll probably find you don't have many other options.
and others. The European cloud providers clearly don't have as many features or market share as the GAFAM (they also tend to be more specialized), but contrary to what a lot of people here seem to believe, they have enough for most uses
Let's compare some costs then. As a random example, but not an unreasonable one, we have 100 1GB files stored for one year, and we want to deliver each of them 10000 times.
With Cloudflare R2, this will cost roughly $16.
With upcloud, this will cost roughly $10,000.
You see how this can easily be the difference between a business being viable and... not?
You're taking a specific case (low amount of data, high egress) and comparing an offer specialized for that use case (r2) with a general-purpose offer. Amazon S3, for example, would not perform better than upcloud here (I calculated $50,000), and that comparison may be more adapted.
Though I agree that neither OVH nor upcloud have an offer tailored to that use (I think in that case using a CDN instead may be the better fit). That offer may or may not exist on the EU market but I'm too lazy to search for it
On a sidenote, I didn't know about r2, thanks for the tip
I don't think any offer exists that competes with R2 currently, if you want to deliver large amounts of data. That's why I consider access to this service critical for business.
The closest you can get is renting servers with unmetered 1-10gbit connections and serving it yourself, but because you don't have the economy of scale that Cloudflare does, it will still be much more expensive than R2. You can't balance out your costs against those of hundreds of other customers that don't serve as much data, or against customers serving data at different times where your unmetered bandwidth would be wasted.
Starting up a service with pricing like R2 is only really possible at Cloudflare scale too, so it's not like it's possible for someone like us to see this gap in the market and... fix it?
CNIL and other GDPR enforcement agencies do not ban products directly; they fine companies infringing GDPR. The article above is about orders to companies using Google Analytics.
Regarding browsers and operating systems, the companies selling them will be fined until they either comply with the law (i.e. either by removing any "phone American home" task, or by using any of the alternatives provided by article 6 paragraph 1) or stop doing business in the EU.
Most businesses affected by this would have gone bankrupt if they had pre-emptively complied. Compliance means being unable to effectively use any of the major online advertising services.
So while you could theoretically migrate from US cloud services (although where to is the question. Hetzner for cloud compute? OpenOffice for Office 365?), there's no search engine or social network controlled in a country with a data adequacy decision.
That means effectively no online advertising. If a company followed that route while all their competitors did not, their demand generation would have plummeted and they'd be out-of-business.
In practice, it does. It's impossible to use any of the major ad networks effectively without conversion tracking (which is what I'm assuming you're calling selling out? I disagree with that sentiment, given it amounts to sending a single pseudonymous ID with user consent).
Edit: To be clear, most European enterprise companies would happily dump Google Analytics if not for Google Ads and the Search Console integration. Almost all will already be using another tool for user analytics, but most online B2C companies are reliant on Google for demand generation, and Google Ads is only effective with conversion tracking.
Does conversion tracking require you to track your users (a la google analytics), or is it actually just a pseudo'anonymous' parameter when visiting a website (like referrer could be, if advertisers hadn't killed it).
And even then, advertising without tracking worked just fine without internet.
It requires getting consent and sending the value of a query parameter that was appended to the ad link the user clicked (GCLID for Google, FBCLID for Meta, etc) with some random (but now pseudonymous, because Google/Facebook/etc can link the session ID to the click ID to a user account) session ID and then sending that same session ID when the user converts/does the thing you want.
If you get consent, you can also set a longer-lived cookie to determine if a user converts in a future visit.
> And even then, advertising without tracking worked just fine without internet.
There is even now a form of online advertising without any tracking (except in the most opt-in form of a discount code) which is sponsorships of videos, podcasts, articles, etc.
However, for search and display ads, which drive a huge amount of traffic to EU businesses, there's no effective way to run ads without conversion tracking. Obviously you can just throw money at Google/Facebook, but without conversion tracking, the average return on advertising spend will be 1-10% of what it would be otherwise and you will pay for a lot of junk traffic.
It's not unusual for B2C companies in the EU to make 80%+ of their online revenue from forms of ads that require conversion tracking, so it's impossible to expect businesses to refrain from online advertising unless all their competitors are required to also.
This all relies on getting consent as a lawful basis for processing, and is currently acceptable under the GDPR except that the major networks are all US companies who could be compelled to transfer the data to US authorities.
Even now, it is much more likely that a US CLOUD carve-out or other work-around for an adequacy decision with the US will be made than that the CNIL interpretation will be followed to its logical conclusion, which is that EU businesses cannot process personal data with any US-controlled vendor, even if it occurs in the EU.
Sorry for asking so many questions, but I don't know much about this and you seem knowledgeable.
> However, for search and display ads, which drives a huge amount of traffic to EU businesses, there's no effective way to run ads without conversion tracking. Obviously you can just throw money at Google/Facebook, but without conversion tracking, the average return on advertising spend will be 1-10% of what it would be otherwise and you will pay for a lot of junk traffic.
1. Can you not track conversion in aggregate by running X number of ads and checking how much extra traffic you got? It's obviously noisy and you can't run multiple campaigns at the same time, but conceptually I don't see why it wouldn't work?
2. I'm assuming you put links in your ads, so if you run ads for lander.example.com, can you not put the URL in google/facebook as lander.example.com?src=g and src=fb? Or, if you can't use query params, g.lander.example.com and fb.lander.example.com? Tracking stats for those and seeing how much ads you ran should give you conversion, similar to 1. but better?
> 1. Can you not track conversion in aggregate by running X number of ads and checking how much extra traffic you got? It's obviously noisy and you can't run multiple campaigns at the same time, but conceptually I don't see why it wouldn't work?
You can and many companies will have a first-party (or partly first-party, feeding into PowerBI or Tableau or something) system for this kind of reporting completely independent of the ad networks (to independently verify the numbers the ad networks claim, to include other data that a company would never share with Google, and for fraud detection).
However, without conversion tracking, Google Ads' "Smart Bidding" and "Remarketing" targeting features don't work. For a lot of businesses, being unable to, for example, stop advertising to existing customers or to use a certain bidding strategy means that the Return On Advertising Spend (ROAS - the big metric for enterprise marketing departments) goes below 1.
> 2. I'm assuming you put links in your ads, so if you run ads for lander.example.com, can you not put the URL in google/facebook as lander.example.com?src=g and src=fb? Or, if you can't use query params, g.lander.example.com and fb.lander.example.com? Tracking stats for those and seeing how much ads you ran should give you conversion, similar to 1. but better?
Companies often do this, with Google Analytics-compatible UTM parameters, custom source IDs, and very often unique marketing landing pages for each ad campaign.
As above, though, reliable reporting of conversions/revenue isn't the difficult part. It's being able to reliably target the ads/campaigns without conversion tracking.
Right now, targeted search and display advertising can be 10-100x more effective (in terms of Return On Advertising Spend) than keyword- or context-only targeting. That's not an advantage a company can forgo unless the entire market is forced to simultaneously.
> devastate
Not having AWS/Azure/GCS is not devastating. It's just a little bit different. Those platforms quite simply don't add many interesting features and the reason people use them in the EU is largely based on cargo-culting.
I'm still annoyed that gov.uk, all the while being praised for great web design, happily recorded all interactions between UK citizens and UK government, and sent them off to google.
And refused to engage on why that might be a bad idea, because hey, we find it useful, and Google pinky-swear they anonymise everything.
Ireland is a sucker for big tech interests though. Because so many of them use the country for tax avoidance they have a really big influence on politics. Like when the EU made Apple actually pay the small amount of tax they should have, Ireland jumped up to oppose. They were opposed to receiving a billion euros.
This answer is accurate but no one seems to realise it. Under standard contracts users waive their rights including privacy rights under GDPR. There are no user agreements anymore, only contracts.
You can absolutely choose to share your data with a US company, but you can also withdraw consent five seconds later, making it illegal for them to further process the data. The point is that it is your personal data, and only you get to say what can and can't be done with it. That right can't be signed away.
European laws have a different approach regarding most individual rights. They are socially defined and distinguished from ownership.
Your body for instance is probably better protected in terms of chemical additives, healthcare and now pregnancy choices, but you can't easily sell body parts or be a surrogate.
If a service operator decides they don't want you using their service, they don't have to let you use it. That only gets murky around protected characteristics (race, sex, gender, orientation, etc) which "privacy" is not.
They could make access contingent on being allowed to process your data.
Adblockers can still (and do) protect against server-side GTM, as the requests are not obfuscated in any way. That may change in the future, but it’s not the case now.
Besides, the CNIL ruling already applies to server-side GTM implementations.
Once server-side analytics get implemented widely, we've lost. We'll keep chasing each other with tricks like renaming the api endpoints, randomizing the javascript hash, etc. for a while but if we end up having to run an ML model in the browser to attempt to detect when our data is being stolen we've lost a long time before.
Might be better to shame any website caught using it with some crowd-sourced list of some kind - then at least we'd know who the bad actors are and force their content through an isolated container / proxy / VPN, or simply stop using them altogether.
But happily, in the EU - the market I operate in - server-side analytics is seen as an avenue towards compliance.
Obviously server-side GTM will be abused in the absence of regulation, but that was also true of the existing technologies. Strong and consistent enforcement can and is bringing companies into compliance.
In the long run analytics will be on the losing side though - because it's possible to jam with patterns generated by other humans, just mashed together, and there is no way to reliably detect that without also making it possible for humans to use it to masquerade as generated traffic.
The ecosystem is much too advanced for that kind of tactic. Fraud in ad networks has been an issue for decades and the fraud detection systems will identify that immediately.
However, if you just want to avoid tracking, uBlock Origin will do the job or simply reject the tracking on the cookie pop-up. Reputable companies in the EU almost always respect those choices because no-one wants to face the wrath of a DPA (at least not without plausible deniability - hence all the dark patterns).
That tactic has already worked a couple of times, and the usual problem was that it was used for fraud, ie against the law, not because it was defeated by technical means. Besides... how exactly would it be detected? Keep in mind that you can replay actual traffic gathered from humans.
uBlock can only defeat client-side tracking - which has so far been _the_ tracking, sure, but I believe it is in the process of being replaced by server-side, which can't be defeated this way.
> Keep in mind that you can replay actual traffic gathered from humans.
Do you mean by replaying the HTTP requests of other humans? You can only do this against the most naive analytics tools. Most modern analytics will use nonces and unique event IDs to deduplicate/trash any junk. Already in competitive markets/industries (looking at you, travel) it's common for 95%+ of analytics data to be junk/fraud/poison.
I can assure you that, except in the very rare cases of people stupid enough to launch poisoning attacks from Western countries, the law has not stopped or slowed junk analytics data. It is purely a technical defence, and it works very well.
> uBlock can only defeat client-side tracking - which has so far been _the_ tracking, sure, but I believe it is in the process of being replaced by server-side, which can't be defeated this way.
For the most part, the current form of server-side analytics just means relaying data through a proxy you control so that you can control exactly what the downstream services get and they never see the user's IP address, user-agent, etc. The most popular service by far, Google Tag Manager, still uses a very obvious and blockable client-side Google Analytics tag (that you serve via the same proxy) to actually collect the data in the browser.
>Do you mean by replaying the HTTP requests of other humans?
No, that would be too obvious. I’m thinking more of replaying human interactions with a browser within a VM, or perhaps replaying them using some sort of hidden tabs, so the user session cookies stay as they were, but the behavior that can be associated with them would be jammed.
As for server analytics - it’s not very relevant now, because there’s no need, but once Google is prevented from exploiting it they will inevitably switch to tracking all the client details on the (Google’s) server side.
Right now, because the requests are identical to the same requests sent to Google Analytics but with a different hostname. It's trivial to identify and block them, and current ad blockers already do.
> same requests sent to Google Analytics but with a different hostname
There are instructions out there to also modify the path of the requests[1]. Consider this paragraph in the Summary section:
> Cynics could say that this is an improved way to circumvent ad blockers. And they’d be right! This does make it easier to circumvent ad blockers, as their heuristics target not just the googletagmanager.com domain but also the gtm.js file and the GTM-... container ID.
You can do that, and you can also proxy encoded requests which obfuscates all data, but you could also do that with the previous version of Google Analytics via the Measurement API.
In practice - in the EU, at least - I haven't seen any examples of this, and it would be unlawful without consent anyway, thanks to the GDPR.
It's also still fairly easy to classify requests (if you have access to the unencrypted request in the browser) based on heuristics. That's partly what the company I work for does.
Separately, thank you for your contribution to the Internet - it's as big and important as all the behemoths, but unfortunately will never be rewarded in the same way.
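An added example of the request-shape heuristic discussed in the last few comments (written for this page; it is not any blocker's or vendor's code): classify an outgoing request as a Google Analytics hit from its path and query payload, so that the verdict survives a site relaying the hit through its own first-party hostname. The host and path patterns and the parameter names (`v`, `tid`, `cid`, `en`/`t`) follow the publicly documented GA4 and Universal Analytics beacon shapes, but they are assumptions chosen for this example, not an authoritative list, and as noted above the payload check fails once the proxy encodes or encrypts the payload.

```javascript
// Added example (not from the thread): classify an outgoing request as a
// Google Analytics hit using the request shape rather than the hostname,
// which is what a blocker needs once a site relays GA through its own
// first-party proxy. Hostnames, paths and parameter names below are
// heuristics chosen for this example; the GA4 ("/g/collect", v=2, tid=G-...)
// and Universal Analytics ("/collect", v=1, tid=UA-...) shapes are the
// publicly documented ones, but treat them as assumptions, not an
// authoritative list.

const GA_HOSTS = [
  /(^|\.)google-analytics\.com$/i,
  /(^|\.)googletagmanager\.com$/i,
  /(^|\.)analytics\.google\.com$/i,
];

const GA_PATHS = [
  /\/(g|j|r)\/collect$/i, // GA4 / UA beacon endpoints
  /\/collect$/i,
  /\/gtm\.js$/i,          // GTM container loader
  /\/gtag\/js$/i,         // gtag.js loader
];

// Property/measurement IDs: GA4 "G-XXXX", UA "UA-12345-1", other Google tags.
const TID_RE = /^(G|UA|GT|AW|DC)-[A-Z0-9-]+$/i;

function classifyAnalyticsRequest(rawUrl) {
  const url = new URL(rawUrl);
  const reasons = [];
  if (GA_HOSTS.some((re) => re.test(url.hostname))) reasons.push('host');
  if (GA_PATHS.some((re) => re.test(url.pathname))) reasons.push('path');

  // Payload heuristic: a GA hit carries a protocol version, a tracking ID
  // and a client ID, plus an event name (GA4 "en") or hit type (UA "t").
  const q = url.searchParams;
  const version = q.get('v');
  const tid = q.get('tid') || '';
  const hasClient = q.has('cid');
  const hasEvent = q.has('en') || q.has('t');
  if ((version === '1' || version === '2') && TID_RE.test(tid) && hasClient && hasEvent) {
    reasons.push('payload');
  }

  let kind = null;
  if (reasons.length) {
    if (version === '2' || /^G-/i.test(tid)) kind = 'ga4';
    else if (version === '1' || /^UA-/i.test(tid)) kind = 'ua';
    else kind = 'loader';
  }
  return { block: reasons.length > 0, kind, reasons };
}

// Constructed sample URLs (no real property IDs).
const SAMPLES = [
  // Direct hit to Google: host, path and payload all match.
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE1&cid=1.2&en=page_view',
  // Same hit relayed through a first-party proxy: host is clean, path is not.
  'https://metrics.example.com/g/collect?v=2&tid=G-EXAMPLE1&cid=1.2&en=page_view',
  // Host and path rewritten per the linked instructions, payload untouched.
  'https://metrics.example.com/api/telemetry?v=2&tid=G-EXAMPLE1&cid=1.2&en=page_view',
  // Unrelated first-party request: nothing matches.
  'https://metrics.example.com/api/telemetry?ts=1&event=click',
];

function classifySamples() {
  return SAMPLES.map((u) => classifyAnalyticsRequest(u));
}
```

In a blocker this would run in a request-interception hook where the unencrypted URL is visible; the third sample is the case hostname and path lists miss, and it is only caught because the Measurement Protocol parameters are still in the clear.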
We need stronger protections at all levels of social organization. Every group has incentives to exploit each other. The ever-evolving trick is to arrange the balance of power to minimize each faction's capacity for overreach.
> ... be it corporations, governments, or individuals.
The emphasis on only one/some of these is a matter of country culture. Some countries have more reasons to distrust corporations far more than the government, some distrust the government and idolize corporations and individuals, and others have had bad experiences with all three.
I don't understand the "almost." The title is editorialized -- as commented elsewhere. There is no almost. It is illegal the way they act and store data. That nobody is going to come and place you on handcuffs doesn't make something legal...
The document states that there is a way to use Google analytics using an anonymizing proxy. While that way of using it effectively renders it useless, it is authorized. Hence "almost"
It is impressive how many people don’t understand the actual stakes of that law in this thread.
Let’s look at a similar situation by changing the country names. Right now, most advanced microchips used in the US are made in Taiwan.
Imagine for two seconds what would happen if Taiwan passed a bill that all produced microchips must contain a non-removable tracker that sends all data processed by that chip to the Taiwanese intelligence agency (pretend it’s technically possible).
Do you think the US would continue importing chips from Taiwan? Sure, banning them might hurt the tech industry and all, but if they don’t, from a strategic standpoint, it’s hubris at best, stupidity at worst.
Well, that’s pretty much what the US is doing with the CLOUD Act. Of course their products are going to get forbidden. You just don’t engage in overt mass spying on your allies, that’s in bad taste.
I don't even want your data. I use no Google Analytics, don't collect anything not required for operation of the services, and also don't sell the non-existent data to anyone.
But the thing is these laws keep escalating. Now it's apparently illegal for EU companies to use any American services _at all_ because your IP must be protected? Even though that's required for basic operation of any web based service? Even though there is little to nothing dangerous the other side can actually do with this information?
For example, Cloudflare services are absolutely essential for cost-effective delivery of content. As far as I'm aware, there are no EU based competitors with pricing in the same order of magnitude. It'd make my company non-viable if I couldn't use it.
It's more subtle than that. There are six possible bases for processing personal data, one of which is:
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
So you can use the IP address to serve a webpage, operate a proxy, etc. You just can't use the IP address for any other purpose unless there's a lawful basis for it (ie, you can't send it to Google Analytics without first getting user consent).
It does force a change in mindset, but it's not the burden you might think.
Ironically, the legislative problem we're facing now is not the GDPR, it's the US CLOUD Act, which allows the US Government to be able to force US-controlled companies to transfer data from anywhere in the world.
This applies to you processing the personal data, but not you transferring it to an American provider, which is entirely illegal even if necessary for the operation of your service.
The "trans-atlantic data privacy framework" can't come soon enough to finally end this farce. In the mean time, it seems like the most useful thing to do is just ignore all this.
Ain't nobody got time for all this uncertainty. And chance of any of these regulators suddenly caring about your particular company before it's solved for good is quite low.
> This applies to you processing the personal data, but not you transferring it to an American provider, which is entirely illegal even if necessary for the operation of your service.
At worst unlawful, not illegal, but even then, there's subtlety. Most transfers to the US rely on Standard Contractual Clauses, which are being invalidated, but on a case-by-case basis.
No, using an american service provider is not illegal. However, feel free to ignore all this, be one more line in https://www.enforcementtracker.com/, it brings europeans great joy.
Insane parts like being unable to use any American services, even though there are no EU based competitors that are viable to use, don't. Or perhaps it's now actually impossible for an American company to be compliant, in which case oh well. Good luck enforcing that against half of the internet.
I quite like the spirit of the original GDPR, but some of the more recent execution is just bad.
> perhaps it's now actually impossible for an American company to be compliant
If they store and process PII, then this has been the case since the CLOUD Act.
They can be compliant by not dealing with PII.
> I quite like the spirit of the original GDPR, but some of the more recent execution is just bad.
This particular bit of it is fantastic IMO. I'm still waiting for big fines or other punishments to happen though. Hopefully soon but I'm not holding my breath.
> even though there are no EU based competitors that are viable to use
Hopefully this will open up the market for companies based everywhere to compete against the US giants. Not just in the EU -- like I said, this is not about where the company is based, except in the case of the US where the CLOUD Act exists. That would be very healthy for the Internet.
Sure, if your company provides no web services, and doesn't actually have any customers, this is possible. For everyone else however, that is a ridiculous suggestion.
Of course every country prefers their own companies etc., but countries like France just take it to another level. The USA is not going to force a radio station focused on Japanese anime music to play music made in America at least 40% of the time.
You are talking about the « French Cultural Exception » which, like its name implies, is an exception to protect French culture and arts from the free markets.
We know that we will never be as strong as US majors in cinema, music, arts, … so what this exception is trying to achieve is to preserve the French culture and values (including moral values) through arts. While implementation is falling apart these days and the rules are clearly abused by a lot of companies, I truly think it was a great idea when it was imagined.
For instance, Hollywood cinema (and don’t get me wrong, we love most of it as an art) naturally promotes US values such as paid education, paid healthcare, free carrying of weapons, strong Christian values, neoliberalism, the idea that the US is the center of the civilized world … (I randomly chose those ideas with no judgment whatsoever, just because we have different visions on those topics, so don’t blame me). Those ideas are clearly infusing into the young generation as the normality, so I do think the idea of this exception was genius. The idea was not to ban anything US (we love US arts) but to keep it in the context of « this is US art, so that’s why [insert_something_different] » instead of « this is mainstream art depicting the world as it should be ».
Maybe it’s hard to see it from the US side because you are on the powerful side, but imagine if China invested billions in (good) arts and surpassed Hollywood with (really good) movies promoting the Chinese system's moral values. I’m pretty sure the US would react immediately and I think it would be normal.
But this is just … an exception. And don’t be afraid, our current government is really happy to play the free markets game, including in healthcare.
This is great news! For far too long, website owners have been collecting data on their users at no benefit to the users themselves. When website owners try to collect data on their users (for any and all reasons) it just violates the privacy of those people and needs to be put to an end. Those French website runners should really create their own, CNIL and GDPR compliant anonymized data storing, rather than using off the shelf, low cost alternatives. After all, things have been a bit too easy for them. (Running a website is pretty easy, I would know!) In fact, the fact that other, compliant data aggregators offer fewer features and lower reliability is actually a good thing. Trying to improve your website or even pester me with whatever you made is just irritating spam; I can't believe those independent owners would even dare. They should just be flushed out of existence.
HEY! Why is everything being centralized to just a few services? Why is the web dying?!
How does this authority contravene the private agreement between the website and the user?
Assume the user is well informed and agreed to it and everyone is acting in good faith - I don’t see where any government has the legit power to contravene a private contract
What makes it illegal is that the visitor data is available to US law enforcement without any safeguards.
In the scenario that you posit, the most troublesome part is AWS because Amazon is also subject to US law enforcement. It depends on a few specifics, most significantly 1) does the user connect directly to an AWS service, exposing their IP address? 2) does AWS manage the keys to your database?
If you were to instead self-host your DB or use an EU-located hosting provider, then the problems would not apply. You still have some homework to achieve GDPR compliance, but the tools don't require obtuse work-arounds.
If you are a US based company how could it ever be possible to operate, since you will be collecting data like IPs and therefore have a way to get access to it?
Have a holding company outside US jurisdiction that owns both a US subsidiary and an EU subsidiary, then make sure the US subsidiary never gets EU users’ data.
The CLOUD act is not the only problem. FISA itself would also need to change.
There is essentially a level of control over its citizens that the US government would need to cede to ever become compliant, but that it certainly never would.
That’s fine then. They’ll just have to deal with the consequences of chunks of the world with better privacy legislation cleaving away from the US, with the consequent loss of business. And, presumably, data, unless they want to go on a hacking spree.
Even that is not enough, as the US reserves the right to extraterritorial personal jurisdiction over companies on a case-by-case basis, depending on the nature of the company's dealings with the US and business interests in the US.
Yeah, you’d definitely have to be willing to close the US subsidiary in that situation.
This is similar to the FATCA situation, where it’s extremely difficult for US citizens to get bank accounts in Europe.
(Edit: if you’re not aware: FATCA is a US law that forces non-US banks to provide info about US citizens banking with them on request to US authorities. The threat is the removal of US banking licenses for any subsidiaries of the bank’s owners. Rather than providing info to the US, most banks are taking the safer route of asking if a person is a US citizen up front, and refusing to open an account if they say yes.)
But why do you collect IP addresses, what's the point in doing so. Your services can most likely be configured to not log IP addresses, so simply turn it off?
It truly saddens me that we're going this route. This pseudo fight for 'privacy' is frustrating and will only bring us closer to a splinternet situation.
> the data of European Internet users is therefore illegally transferred through this tool.
This isn't a devilish situation to me. We're talking about a tracking pixel, not healthcare records or trade secrets.
All that is because we aren't capable of fighting US big tech with innovation. Only with regulation. Appalling. Hopefully, Google finds a legal way around it.
You know where these tracking pixels are? Everywhere, doctors websites, ecommerce checkout pages,... - you can get a lot of very private information about someone by correlating these data points.
I believe the way around it would be to create a "full" EU subsidiary that stores the data within the EU and cannot take directives from the U.S. parent <- US gov. To be honest I'm really surprised that the stock market had no reaction to the recent Digital Markets Act and GDPR. Currently most of the U.S. companies are in illegality. They need to restructure their business significantly. That being said I think the EU is right. Why would we want our data shared with the U.S. government?
I'm not sure that's really possible, is it? If your legal control over your subsidiary is sufficiently tight that your subsidiary cannot turn rogue on you (and if it doesn't turn rogue on you despite not having sufficiently close legal ties, you might effectively be forming an illegal cartel, wouldn't you?), it's presumably also sufficiently tight for the US government to act through those ties.