from Hacker News

Is Google Analytics illegal in your country?

by james_impliu on 1/19/22, 2:44 PM with 236 comments

  • by yessirwhatever on 1/19/22, 3:23 PM

    I dislike Google and their products pretty much universally, but having this sort of thing done by a competitor is not just distasteful, I see it as verging on corporatism.

    Make a better product and beat them, don't use the fact that a government is banning them to upsell your own tracking software.

    All tracking is bad, from Google or not. I understand the "companies need to make informed decisions" argument but I disagree with it, mainly because tracking software is involuntary and it's in the interest of the tracking software maker and the company using it to make it as stealthy as possible.

    PS: What adds salt to injury is that you're using Google Fonts on this website. If you were privacy-conscious, you'd self-host at least. Read here: https://developers.google.com/fonts/faq?hl=en#what_does_usin...

  • by schleck8 on 1/19/22, 3:22 PM

    > PostHog is the only open source product analytics platform where customer data never leaves your infrastructure

    That's wrong. I can give you 3 other open source self-hosted options off the top of my head: Offen, Counter, Matomo.

    Edit: I just saw that their "alternatives to google analytics" page shows PostHog's competitors as well and you can submit PRs to add further options, fair play!

    https://isgoogleanalyticsillegal.com/alternatives

  • by sdoering on 1/19/22, 3:36 PM

    > This message is brought to you by

    > PostHog is the only open source product analytics platform where customer data never leaves your infrastructure.

    Hosting my own Matomo installation, I beg to differ. Matomo is open source and my visitors' data never leaves my own server.

    Except they only do backend tracking and see https traffic from website frontend tracking reaching my analytics server as it "leaves your infrastructure".

    But they at least made one thing obviously clear to me. I would never consider using them in the future.

    Also they are wrong factually. Google Analytics is not illegal in Austria. The court made this clear. Transmitting the IP without anonymizeIp is. Also transmitting PII data unencrypted to GA is (but GA does forbid that in their TOS as well).

    So not caring about the law when implementing GA and doing it just wrong is forbidden in Austria. Who would have thought. Using it correctly and adhering to data privacy best practices is just fine with GA.

  • by TekMol on 1/19/22, 4:22 PM

    The EU and especially Germany make it harder and harder for startups and indie makers to survive.

    Now when you start a project in Germany, not only do you have to have an "Imprint" on your site which shows your private address (if you work from home or are a digital nomad) but you also are at a disadvantage because you cannot use all the free tools that startup founders outside of the EU can use.

    Has anybody here in Europe considered moving to another country or setting up a company in another country because of this?

    How do all the famous indie makers from Europe handle this? I never find any information on their sites with an address and they all use Google Analytics.

  • by kmeisthax on 1/19/22, 3:34 PM

    Note that this isn't purely "do not use Google Analytics"; it's "do not export EU data". For context, there used to be a trade agreement to ensure EU companies were still allowed to use US server hosts, called US Privacy Shield; but that was torpedoed by other legal rulings.

    TBH, I personally do not understand how it is legal to provide a single shared service in the face of data localization requirements, especially if other countries were to adopt similar rules. Is it just a matter of having separate shards for each jurisdiction? Or do we need to instance the entire application so that US users don't even see EU users and vice-versa? Most off-the-shelf/FOSS webapps aren't built to be sharded this way, they assume One Big Database that has everything. That would include some of the GA alternatives they list; which, again, is a problem if those apps don't shard users by jurisdiction.

    I suppose for now, just hosting everything in the EU is fine, if only because the other jurisdictions with data localization requirements[0] pretty much can't be served with a shared application anyway. I'm imagining that's what the person who built this was figuring it would be used for. But if the US starts demanding data localization, the Internet is fucked.

    [0] China, AFAIK

  • by melissalobos on 1/19/22, 3:08 PM

    I like the scrolling banner on the side reminiscent of a news ticker being used for static data, it adds some vibrancy to the presentation. It might be nice to have more of the globe shown on the front, since it isn't "isgoogleanalyticsillegalintheEU". I really like the color scheme too, nice job!
  • by cardosof on 1/19/22, 5:02 PM

    In the old world, a company would build the television, another would broadcast shows, another would measure the audience and another would measure sales to compare with media investments.

    Which of those steps does Google do today? All of them, from browser to YouTube to shopping to audience data and sales measurements. This is not a case of "old people ranting about how the old world was simpler and better", it's a case of conflict of interest. But this isn't something new, everyone in the industry has been seeing that for two decades now, it's just something no one cares enough about to pick a fight.

  • by ianbutler on 1/19/22, 5:05 PM

    So the reason people do emotionally charged marketing like this is because it generally works. We on HN are probably not (entirely) the same group that this is getting sold to, we may see the BS here a little more clearly or have a more principled view on things like this.

    BUT most people do not have the same distaste towards this type of marketing so -- don't hate the players, hate the game. If you want things like this to stop then it's probably up to government regulation to curtail it otherwise, for smaller competitors where it's already difficult enough to establish a market position, they would just be hamstringing themselves by not playing to the same emotionally charged marketing style.

    If you're a business and you deliberately stay away from marketing like this -- that's great, honestly I'm personally more likely to try your product and I'd like to think I'd do the same in my own work but I really can't blame companies who take this route either.

  • by tupac_speedrap on 1/19/22, 4:03 PM

    The detail is quite interesting. The Austrian interpretation seems to hinge on the US intelligence agencies having access to data as a third party at any time because their surveillance laws are so broad, and the fact that UUIDs are being used between cookies and therefore the anonymised data is actually not very anonymous if you slurp data like the NSA and can combine that with IP addresses.
  • by ritmatter on 1/19/22, 3:22 PM

    This site seems like a great example of how the EU forces productive folks to jump through all kinds of regulatory hoops. Hopefully it’ll help them navigate the complex legislation.
  • by GranPC on 1/19/22, 3:11 PM

    Meta: this website consistently crashes my browser (Firefox on Linux) if I move the mouse in and out of the map a couple of times. Does this happen to anyone else?

    (edit: demo video url: https://dabbleam.com/jesus/Screen%20record%20from%202022-01-...)

    Edit 2: doesn't crash on a fresh Firefox profile. Crashes upon enabling gfx.webrender.all, gfx.webrender.compositor and gfx.webrender.compositor.force-enabled. Very intriguing stuff, I'll file a bug.

  • by paulgb on 1/19/22, 3:23 PM

    Funny enough, ublock (stock install) completely breaks the “alternatives” page. It must do some pattern matching on "component---src-pages-google-analytics-alternatives-js-8d1eb2b4c6482dba3dfd.js" and decide it's suspicious enough to deny it, even though it's a first-party request.
  • by Cenk on 1/19/22, 3:31 PM

    Brought to you by PostHog. See also this tool by Fathom: https://illegal.analyticsscanner.com
  • by skilled on 1/19/22, 4:06 PM

    This article[0] also has a solid list of open-source alternatives.

    [0]: https://stackdiary.com/open-source-analytics/

  • by l30n4da5 on 1/19/22, 4:02 PM

    Years ago, I remember using GA on a project. Was unhappy with GA's realtime availability, so we wrote our own backend for it and stored all the analytics on our own infrastructure.

    Worked without any real issues. Didn't have to stop using GA on the frontend, either. Just had to point the frontend GA at our own endpoint.

    Theoretically, this would make usage of GA compliant with GDPR, too, I believe.

  • by coding123 on 1/19/22, 4:57 PM

    This is absolutely not a "Show HN"

    https://news.ycombinator.com/showhn.html

  • by hericium on 1/19/22, 3:25 PM

    Very specific domain name. Is Tag Manager different from Analytics? Have you seen Fonts' TOS?
  • by 101008 on 1/19/22, 5:18 PM

    I have a few blogs with visitors from around the world hosted in NYC in a shared hosting. What's a legal alternative to Google Analytics that would be as easy to set up? I don't want to host anything myself, just replace the JS that Analytics provides and that's all. If I can import my historic data from GA to the new service that would be perfect. Does such a service exist? We can't ask bloggers who install WordPress to run an instance of Matomo, PostHog, Plausible or whatever.
  • by sneak on 1/19/22, 4:37 PM

    I frequently wonder what sort of tracking, if any, is happening via fonts.google.com and gstatic.com which are used widely across the web. Many sites break if you block resources from gstatic.com, as they depend on javascript libraries from it.

    The shortsightedness of using remote static assets on your own site is amazing to me.

  • by amelius on 1/19/22, 4:05 PM

    Why isn't France in red? IIRC, the French started the whole EU anti-Google campaign since they have the presidency of the EU. Also, Germany used to be far ahead of almost anyone else when it comes to privacy, so why aren't they in red? This map seems wrong.
  • by GordonS on 1/19/22, 6:37 PM

    Anyone have suggestions for a lightweight, OSS Google Analytics alternative, preferably using a Postgres backend, and preferably server-side so no cookies or JavaScript are required? Only needs to handle max 10K visitors a day, which is nothing really.

    I had a quick look at PostHog, but it seems to need all of these in addition to the web UI:

      - Postgres
      - Redis
      - ClickHouse
      - ZooKeeper
      - Kafka
    
    That's... a lot. I realise there is a Docker Compose file available, but it's the amount of resources used that is concerning, and given my very modest requirements I was hoping for something very light.
  • by taubek on 1/19/22, 3:10 PM

    If it is illegal in one country, does it make it illegal in all other EU countries as well, or is this left to individual law systems of each EU member state?

    BTW, your site looks great. I like the running ticker on the side.

  • by mfer on 1/19/22, 4:34 PM

    > The safest solution is to use an analytics provider that keeps data on your own infrastructure.

    People don't want to run their own infrastructure anymore. Everything outside of their own business differentiator they want to outsource. Whether they "should" do it is debatable and a long conversation with context like business value, cost effectiveness, velocity, and other non-technical things as part of the conversation.

    This would be a great advertising moment for an EU based analytics provider. A SaaS.

  • by no_time on 1/20/22, 11:57 AM

    "nooooo I have to put extra effort into loading up my saas grifting operation with the required amount of spyware"

    I'm not gonna lie, these tears are delicious.

  • by calpaterson on 1/19/22, 3:57 PM

    How do they decide to pick what towns to show in maps like this? Aberdeen is neither the capital nor the largest town in Scotland and anyway is smaller than Cardiff which is the capital and largest town in Wales. Republic of Ireland doesn't get a single town but NI gets Belfast? There has to be a reasonable explanation, surely?
  • by jhoelzel on 1/19/22, 3:34 PM

    Welp. Technically yes, everywhere, and it has been that way since the GDPR.

    Practically this is the number one reason for our nice "attention, do not resist, we are using cookies on your electronic machinery" popups.

    For quite a few sites it's the only cookie you actually accept.

    It's a s**t show really. Every single client ever now needs to have a cookie popup because Google is going to punish you in your rankings if you do not use their integrations too.

    And if you do use their integrations... you need a popup.... and don't even get me started about "legitimate interest".

    But this is the way... I opt out as much as I can and block through the router as well as uBlock.

    The most interesting thing that I noticed is that if you block third party cookies in Safari on your phone, some sites will show you a blank screen. Timescale does this (I have reported this as a bug month ago but never received feedback).

    It's an amazing feature by now:

    - the page loads and you can see the content

    - the page tries to show you the cookie popup

    - since I don't have any cookies allowed, the script will just completely blank out my page

    Welp. Welcome to the future. It's not necessarily better, but I can see them all now, which I guess is at least a step in the right direction.

  • by jbergens on 1/20/22, 6:32 AM

    The bigger issue in my view is that Azure, AWS and GCP may be illegal. What should we use instead? How much will it cost to switch?
  • by kennu on 1/21/22, 6:32 PM

    My country was cropped out even though it's part of the EU. Silly website.
  • by blibble on 1/19/22, 3:49 PM

    I for one am overjoyed that the <marquee> tag seems to be coming back
  • by cblconfederate on 1/19/22, 8:09 PM

    Europe celebrating for becoming a regulatory minefield is not a good sign.
  • by StreamBright on 1/19/22, 7:51 PM

    I hope it will be soon.
  • by tobyhinloopen on 1/19/22, 4:17 PM

    Nice clickbait url with misleading information on the website.
  • by vorticalbox on 1/19/22, 3:47 PM

    that side bar gives me <marquee> nostalgia.
  • by adhesive_wombat on 1/19/22, 10:26 PM

    Nice to see something happening in the GDPR compliance areas, because well over 90% of cookie banners are noncompliant with GDPR because they don't give "allow" and "reject" equal prominence (or they load cookies before you click accept).

    For example, OneTrust gets it right on their website, but I have never seen a client of theirs get it right. So either OneTrust doesn't use their own software, or all their clients are specifically configuring it in a non-compliant way.

    I have yet to hear of any general enforcement of this, despite noyb.eu's reporting of hundreds of websites to regulators.

  • by spankalee on 1/19/22, 4:25 PM

    I don't understand how sending analytics data to your own host is supposed to solve the legal problem here. Do the GDPR requirements not apply in that case?

    And how is anyone supposed to build any kind of global data dashboard now? Do you have to have separate sites for EU analytics data vs the rest of the world? How do you do statistics to see where your visitors come from? How much time visitors from which countries, languages, etc., spend on your sites?

  • by thinkindie on 1/19/22, 5:35 PM

    I think this page is pretty misleading https://isgoogleanalyticsillegal.com/alternatives/

    they are listing PostHog as a valid alternative that would be GDPR-friendly but as per their terms of use PostHog is based in the US and they would be bound by the same Cloud Act as Google Analytics.

  • by AtNightWeCode on 1/19/22, 7:44 PM

    Is this accurate?

    We have the Schrems II ruling that made some countries think they could not use services like Cloudflare and Azure. Still Cloudflare and Azure are widely used within the EU. (Germany is an outcast). One should as always be transparent about what data is collected. From the GA projects I've been involved in (in the EU) GDPR has never been a concern.

  • by keewee7 on 1/19/22, 4:49 PM

    >PostHog

    lol that is funny. "post hog" is a term that originated from the radical left r/ChapoTrapHouse subreddit.

    Are there other tech companies founded by openly anti-capitalist leftists?

  • by mleonhard on 1/20/22, 3:19 AM

    Firebase client libraries silently import and enable Google Analytics in apps [0]. Then your app silently sends a lot of user behavior data to Google [1].

    Android apps which use push notifications must use the Firebase Cloud Messaging library. I think many app developers don't realize that adding that library also adds and enables analytics.

    For example, adding the `firebase_messaging` module [2] to a Flutter app causes the Android build to import [3] the `com.google.firebase:firebase-bom` Java dep which includes `firebase-analytics` [4]. Once the Java library is included in the build, it starts working automatically [0].

    To disable Google Analytics in an app:

    * Firebase > Docs > Engage > Configure Analytics Data Collection and Usage [5]

    * dart > firebase_analytics > FirebaseAnalytics > setAnalyticsCollectionEnabled method [6]

    * Be sure to check the logs to make sure your change took effect. See "Firebase Google Group > Disabling analytics for iOS has no effect?" [7]

    [0] https://support.google.com/analytics/answer/9353532

    [1] https://support.google.com/firebase/answer/9234069

    [2] https://pub.dev/packages/firebase_messaging

    [3] https://github.com/FirebaseExtended/flutterfire/blob/a9562ba...

    [4] https://mvnrepository.com/artifact/com.google.firebase/fireb...

    [5] https://firebase.google.com/docs/analytics/configure-data-co...

    [6] https://pub.dev/documentation/firebase_analytics/latest/fire...

    [7] https://groups.google.com/g/firebase-talk/c/rved9bIBT0g/m/YN...
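Added example (not part of the thread, and not Firebase's or FlutterFire's own tooling): a build-time audit that complements the "check that your change took effect" step in the comment above by testing whether the analytics library is bundled and whether the merged Android manifest turns collection off. The function names, the `VERSION` placeholder and both sample inputs are constructed for illustration; the two manifest keys are the ones Firebase documents for controlling Analytics collection.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ANALYTICS_DEP = re.compile(r"com\.google\.firebase:firebase-analytics[\w-]*")

# Constructed samples: a resolved dependency listing and two merged manifests.
SAMPLE_DEPS = """\
com.google.firebase:firebase-bom:VERSION
com.google.firebase:firebase-messaging:VERSION
com.google.firebase:firebase-analytics:VERSION
"""
MANIFEST_DEFAULT = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:label="demo"/>
</manifest>
"""
MANIFEST_OPTED_OUT = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:label="demo">
    <meta-data android:name="firebase_analytics_collection_enabled"
               android:value="false"/>
  </application>
</manifest>
"""

def manifest_flags(manifest_xml):
    """Return {name: value} for every <meta-data> under <application>."""
    root = ET.fromstring(manifest_xml)
    flags = {}
    for md in root.iterfind("./application/meta-data"):
        name = md.get(ANDROID + "name")
        if name:
            flags[name] = (md.get(ANDROID + "value") or "").strip().lower()
    return flags

def audit(deps_text, manifest_xml):
    """Classify a build: is the analytics library bundled, and is it off?"""
    bundled = sorted(set(ANALYTICS_DEP.findall(deps_text)))
    flags = manifest_flags(manifest_xml)
    if not bundled:
        verdict = "not-bundled"
    elif flags.get("firebase_analytics_collection_deactivated") == "true":
        verdict = "bundled-deactivated"
    elif flags.get("firebase_analytics_collection_enabled") == "false":
        # App code can re-enable collection at runtime with
        # setAnalyticsCollectionEnabled(true), so review code and logs too.
        verdict = "bundled-disabled-by-default"
    else:
        verdict = "bundled-collecting-by-default"
    return {"bundled": bundled, "verdict": verdict}

if __name__ == "__main__":
    for label, manifest in [("default", MANIFEST_DEFAULT),
                            ("opted out", MANIFEST_OPTED_OUT)]:
        print(label, audit(SAMPLE_DEPS, manifest))
```

Feed it the app's real resolved dependency listing and merged manifest in place of the samples; a `bundled-collecting-by-default` verdict means the opt-out described above has not been applied to that build.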

  • by hrdwdmrbl on 1/19/22, 3:18 PM

    GDPR has gone too far. Privacy yes. Encryption yes. Data portability yes. Permissionless selling of personal data no. But the rules are nonsensical at this point.
  • by buf on 1/19/22, 4:27 PM

    I just got off a Zoom call with the cofounder of simpleanalytics.com. Humble, worked with my startup on pricing options, and cares a lot about privacy, which was the reason why I set up the call.

    Shame on PostHog for this. You can do better than PostHog.

  • by freshpots on 1/19/22, 3:10 PM

    Your connection is not private Attackers might be trying to steal your information from isgoogleanalyticsillegal.com (for example, passwords, messages or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

    No thanks.