Yup, I've been running Altcha on pirsch.io for a while now, and it was super easy to set up, is free, and open-source.
One of the main reasons we've switched from hCaptcha is privacy. The server-side stuff can be self-hosted and there is a Golang integration. Really nice.
Here is the link for anyone who would like to take a look: https://altcha.org/
It's not that hard, but there are a few pitfalls you can stumble into. I currently run three clusters for myself and have set some for clients in the past.
Some of the default config options are weird and SSL is something that needs to be addressed. Overall, still one of the easier DBs to maintain.
I'm still working like crazy on our privacy-friendly web analytics tool Pirsch Analytics (pirsch.io) :) I've been doing this for more than 4 years now and I'm still super motivated, especially because it's challenging from a technical point of view and very rewarding (I live from it now).
There is still a lot to do and learn (especially in the marketing department), but we have plans for a new product in the privacy space. I don't want to say too much about it until we've started working on it, but it's in the compliance space and fits quite well with our existing product. I think it's always a good starting point to solve your own problems.
It's the same for me. I've switched to DuckDuckGo about 2 or 3 years ago and it feels like Google used to. I'm always shocked to see how bad the results are and how cluttered the top section is on Google if I happen to search there on someone else's computer.
LLMs have mostly been useful for three things: single line code completion (in GoLand), quickly translating JSON, and generating/optimizing marketing texts.
Not related to you, but from a description in the first link, in the description for Plausible:
> Because it does not use cookies their is no need to show cookie banner for this service.
This is IMO a rather fundamental misunderstanding of the current situation.
I'd be hesitant to using a product from someone who I think have misunderstood completely what the rules are about. (Again, IMO and also IANAL but I have followed GDPR more closely than most people.)
GDPR is about collection information, as far as I can see, the technical detailsbof how you do it doesn't matter. It could be pure magic and would still be illegal.
I've actually had this discussion with Plausible directly back in 2022[1], and more recently with the lawyer they had write a blog post[2] on the topic. I wrote an article on it, that was recently discussed here on HN [3].
The response from Plausible is essentially "we've checked with legal council, and stand by the statement". The conversation with the lawyer started out well, but he stopped responding when I asked about the ePD, not GDPR.
There generally seems to be a lot of confusion, even in legal circles, about what ePD requires informed consent for. Many think that only PII requires consent, or think that anonymization bypasses it. That amount of confusion makes it very easy for a layman (e.g. Plausible) to find _someone_ willing to back up their viewpoint.
The EDPB released a guideline in 2023 that explicitly states that what Plausible et al. are doing is covered by the ePD's consent requirement, but that's a little too late: the implementations in member countries already differs massively on whether it's covered[4].
> There generally seems to be a lot of confusion, even in legal circles, about what ePD requires informed consent for.
That seems to be true, going by this comment section and the other ones I've seen.
It's hard to get a non-hyperbolic answer to the question: if everyone is so confused, what's the real-world consequence of best-effort implementation?
Some would say it's the ultimate responsibility of the app owner to understand the law, but how much further can you go than hiring a lawyer?
If more diligence needed to be done than that none of us would get anything built, we'd all just be running around researching the laws around these dumb popups.
What are the real-world consequences of making a mistake here? What kind of boundary would you have to trip over to actually get the authorities to prosecute you for not having a consent popup or doing it badly?
That is unfortunate, and seems to be similar to ADA compliance, as far as what is truly compliant and what is not. It seems like it is up to the courts to decide (speaking as an American, I know GDPR is a European law). I try to do as much as possible to keep up to date with ADA compliance and best practices, but when it comes to tooling around scanning for non-compliance, there seems to be differences. I believe that showing that you made an effort to comply is usually enough to avoid a lawsuit, but it would be nice if things like this were spelled out more clearly for those that need to implement these features.
I have recently gone through a conversation with a client that has been told in NY state (in the US) that something similar to GDPR is coming for those that deal with PII. Both the client and the agency I work for have added various scripts to the website for dynamic forms, tracking (Google Analytics), and newsletter functionality. It's at a point where everything that is 3rd party has to be discovered first, then seeing if there is the ability to anonymize everything (either by default, or with a user consent dialog). Even with current laws, it seems intentional to keep things vague.
Agreed. The company I work for has fought off two "ADA trolls" in the past ~3 years. I'm fully behind accessibility, and we design/develop our website specifically to conform with best-practice; I get, and generally accept, that civil remedies are (currently) the only way to enforce any kind of compliance. I nevertheless call the lawyers targeting us trolls, because their technical analysis was beyond incompetent, and their understanding of accessibility issues woefully out of date. It cost a few days of my + developer time, and I don't know how much lawyer-time, to make them go away.
We (I'm in the US) badly need clarifying regulation. Until then, compliance will mainly be about preventing yourself from being low-hanging fruit for opportunistic litigation - which, to be clear, can generate productive results, but is clearly inefficient.
It is not entirely clear who wrote these descriptions. Maybe it was not the vendor. At least their website https://plausible.io/ has a much better wording.
> No need for cookie banners or GDPR consent
>
> Plausible is privacy-friendly analytics. All the site measurement is carried out absolutely anonymously. Cookies are not used and no personal data is collected. There are no persistent identifiers. No cross-site or cross-device tracking either. Your site data is not used for any other purposes. All visitor data is exclusively processed with servers owned and operated by European companies and it never leaves the EU.
Correct, it's not so much about Cookies, but how data is collected and what is stored.
We have done a privacy risk analysis with an external lawyer and data protection officer, and concluded that Pirsch is in line with GDPR as we do not collect nor store personal identifiable information (PII). Processing stuff like IP addresses for example is legal as long as they are not stored and only cached for a reasonable amount of time (a few milliseconds in our case).
If you're interested, we have extensive documentation on this. You can reach out to support@pirsch.io to get it :)
If anyone is interested in doing something similar. This did cost us about 8,000 € in Germany.
The apparently extensive legal assessment you just described costed just 8'000 euro?
I am sorry but that had to be some hasty review at best. Do you take the full legal risk in case any of your customers would be found in violation of privacy laws because of using your service?
For reference, with similar hourly rates as Germany, reviewing a standard apartment-purchase contract cost me ~3500 euro.
We had someone with a lot of experience in this field working for very large German corporations and got a discount/startup bonus. I wouldn't call it cheap.
Imagine starting a business in Germany. How are you suppose to pay 30-50k for legal questions before selling anything?
The moment someone sues your customers, or some European agency will gets onto them, that 8000 euro opinion is all you're basing your company's legal security on. In that context, yes, this is being very cheap.
Analytics and other forms of tracking are not required to do do business. Don't try to skirt the law and you won't have as many legal questions to answer.
You need consent for (not functionally necessary) cookies because of the ePrivacy Directive (the "cookie law"). Additionally, you also need consent for processing, storing or sharing personally identifying information (PII) because of the GDPR. Usually you do both in the same consent popup.
Plausible doesn't store visitor's IPs or any other PII, and doesn't set any cookies. The reasoning given in the quoted paragraph is incomplete, but the result is correct. You only need to mention them in your privacy policy, they don't require any opt-in popups
PII isn’t a concept in GDPR. GDPR talks about personal data, which on its own might not be identifying, but which in combination with other personal data can successfully identify a person.
I'm curious: running a static website with no JS-based analytics whatsoever — only Apache logs in standard format (so including IP address and user agent string) — does GDPR require consent banners in this case? If so, doesn't essentially every website require consent banners due to the way websites work?
GDPR does not require a consent banner. If you want to process the user's personal data outside what is strictly necessary, you need permission. One way to get that permission is for the user to specifically consent to it. It does not have to be a banner. (In fact, many banners out there are probably not enough for informed consent anyway, as they provide no information about what data is collected or any reasonable way to opt out.)
Personally identifiable information has nothing to do with javascript, or analytics. Do you have GET requests with parameters containing enough to identify a specific individual? Then your logs are sensitive and you must have a valid contract, informed consent, or provide some important service where this information is necessary.
There are gray areas which can make this difficult, but you the basic idea is enough information to identify an individual. A basic website where you log that IP address A viewed home.html is not enough. The knowledge that a 55 year old woman with particular name on a particular street address has an interest in photograhy and shoe size 9 probably is. The line is somewhere in between.
GDPR is about collecting personally identifiable information, which is distinct from aggregate data that you can't trace back to the individua. Recital 26:
> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
So details definitely matter. Some self-hosted analytics do this by getting rid of the last octet of the IP address, though I doubt that's been tested in courts.
I posted a quotation straight from the recital of the GDPR that says anonymised data does not matter. I even gave a reference that you can look up. The recital even ends with this:
> This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
There is no ambiguity here, aggregate data is completely fine as long as I can't trace it back to you with a reasonable amount of effort.
A DPO would disagree with you depending on the circumstance; if you know a user is unique then you have a fingerprint; if you keep that fingerprint forever, when the user comes back to the site, it's trivial to know it is that user.
If I install the Apache web server and accidentally expose the machine to the internet, am I violating GDPR by not having a cookie banner on the "Apache Default Page"?
Yeah, not using cookies is irrelevant if you use other means to track user. Also people like to think they need to show the "cookie banner" for all cookies regardless of how they are used.
No, they are comparable, but it's an independent tool. When we started, Plausible wasn't as big as it now is. We also had a focus on deeper integrations via API from the get go, a nicer dashboard, and a few other minor details.
I basically started this for my personal use as a library for Go, which it still is:
how do you calculate the session duration? is it the delta between two page hits or similar events?
i tried a couple of the smaller analytics tools, like plausible, simpleanalytics, umami etc... and one thing that i always disliked was the way the session duration was calculated - i have a lot of longer articles where the visitor stays for a long time and then leaves. most of these tools will count that as a bounce, as there is no two hits to calculate the delta between. but for me it is a very important metric to get accurate numbers on, which is impossible with that implementation for sites like mine (very few but long page visits, not a lot of navigation between pages).
do you handle this the same way? that would be a feature i'd be willing to switch my current tool out for.
Yeah, we also use the delta. However, you can send a custom event on close to update the session duration. The session won't be counted as bounced in our system then and the time is updated.
They simply don't work as well as non-web apps. People continue to insist that they do, but from my experience, they just don't have the same smoothness as a native app to show that it's not a web app.
sure for something you're spending hours on like instagram. for my business data analytics, I don't care. If I'm doing any serious work I'm on laptop anyway, mobile is just for casual checks
a native mobile app is a gigantic time, productivity, and cash investment. if a business can get most of the value from a PWA, they will be far better off investing that time and innovation into other parts of their business than building a native app for the "smoothness"
There are lots of ways to make it cross platform pretty easily if you plan to do so from the beginning, such as React Native and Flutter. Even now, if the site is in React, it is not too difficult to port it all to RN, which also has a web version that is quite similar to React proper. Plus, RN and Flutter have PWA support already too.
Try something simple like Instagram via the browser versus as an app, it's simply smoother on the app. I would have to dig up more examples but IG immediately comes to mind as a recent experience.
> Our S3-compatible Object Storage provides you with storage capacity for saving data in "Buckets". Any data you save in your Bucket is saved in a Ceph cluster.
reply