Google Analytics is free because you’re giving your visitors’ data over to Google. The GDPR has outlawed using it without getting prior explicit consent. How do you get that consent? It’s complicated.

I’m not going to have cookie banners. They are ugly, intrusive, and just leave a lingering feeling of “Why do they need my data? I just want to read this stupid blog post.”

I feel very uncomfortable giving away personally identifiable information to Google, who could use this data to track users across the web. Google says they are not doing this, but their incentives are just too high for me to be ok with it. I don’t want to feel filthy.

Companies already had to pay up for the use of Google Analytics and the subsequent transfer of user data across EU borders and rightfully so. This was with the use of cookie banners if I understand correctly. It appears even consent doesn’t make this behavior ok.

So I had to find a way to do analytics right. With my limited use of social media (for reasons I should elaborate on at some point) and the avoidance of far-right platforms like X, writing things on here is like writing into the void. I like to know if an article is performing well, but do so without gaining any knowledge on the person visiting this site.

Before this, I had a simple measurement of page views extracted from nginx access logs. My script would run once a month and just write a number into a text file. I’m not a developer so the script was hacked together, but it worked and at least gave me some data. Data I needed because I licensed fonts which need me to calculate monthly page views. This number was very inaccurate though because so many hits to this site are bots and intrusion attempts (it’s insane how many folks out there are probing for WordPress installations).

I could have self-hosted a tool like Matomo but this would add overhead to my hosting setup that I simply don’t accept. This site is static for a reason, and hosting a PHP application with potential security issues increases my attack surface substantially.

I could have analyzed server log files with a tool like GoAccess but this turned out to be clumsy. My nginx installation is writing log files with IP addresses anonymized so I don’t store personally identifiable information in the file system at any point in time. This makes the analytics very inaccurate, but most of all, GoAccess doesn’t filter out intrusion attempts and bots effectively. It was a nice idea, but yielded unusable results for me personally.

I ended up with Plausible.io. Plausible is an EU company with just the right stance on privacy. In order to differentiate unique visitors, a daily rotating salt is used together with the domain name, IP address, and user agent in order to create a hash and only this hash is stored. After a day, each returning visitor would count as unique again, so there’s no way to identify returning users past 24 hours.

A battle against technology

Look. When you use the Internet, you leak personally identifiable information left and right, starting with your IP address. This differs by access method, country, and device to some extent, and it can be mitigated by using tools like iCloud Private Relay. But even that doesn’t protect you fully. Are you logged into a Meta or Google account? Nice. Every site using social or login integrations with Facebook, Instagram, and Google now allows those companies to merge together your browsing habits, despite you using iCloud Private Relay or a VPN1.

That’s how the Internet was built. The GDPR doesn’t protect you from the reality of technology, nor does it demand that the technology changes. You have to protect yourself. GDPR isn’t going to do it. It’s a legal framework that over decades will fine big companies some pocket change here and there, but your privacy is still on you. Sorry.

Every single website and service out there can do their part in making sure privacy rights are protected. You have the choice of who you do business with. Start small. Look for those who do right. We need more of the Small Web and less of the Big Web.

I’m just trying to do my part, and with intent. The next step for me is moving off of a bigger cloud provider like Linode (I am hosting in Frankfurt, Germany) to a smaller hosting company that wasn’t slurped up by Akamai. Small steps. I’ll probably write about it when that is done.

Oh, no one paid me to write this by the way.

  1. A VPN doesn’t protect you at all. As long as you’re logged into a service by big tech, they still know who you are. All that changes is your IP address. Sure, your Internet Service Provider now knows less about you, but those are not your prime enemy. Google and Meta are. A VPN does not protect you from them. ↩︎